berbew | 90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671

Analysis

max time kernel
26s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
Size

71KB
MD5

efb6cd92fadbe0ffc532f9fe865368f0
SHA1

ef07d99a6c4457c8d8fc484b8bc42cfa1809d901
SHA256

90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671
SHA512

3b7f9275548b4c7a623ec4aada429c1911f4e0d1fd7bc19e5167aa8ddf44c3c3bcf2fa03ef79cbff02144ed50fbb082b989a393d604603cdf5205536e818c46a
SSDEEP

1536:3wBqS6P9PcSG3xDjhZRcyimhYc1f+eIj3RQhDbEyRCRRRoR4RkG:gB0VPGhNZviWYTeAeNEy032yaG

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2720	Oghopm32.exe
3048	Oopfakpa.exe
2700	Ohhkjp32.exe
2660	Ojigbhlp.exe
592	Oqcpob32.exe
580	Ocalkn32.exe
2404	Pkidlk32.exe
816	Pngphgbf.exe
2956	Pdaheq32.exe
2308	Pgpeal32.exe
2876	Pnimnfpc.exe
2940	Pqhijbog.exe
1756	Pgbafl32.exe
2016	Pjpnbg32.exe
308	Pomfkndo.exe
2324	Pbkbgjcc.exe
1056	Pjbjhgde.exe
1944	Pmagdbci.exe
1328	Pckoam32.exe
1816	Pfikmh32.exe
1712	Pmccjbaf.exe
928	Poapfn32.exe
1292	Qflhbhgg.exe
2128	Qeohnd32.exe
2164	Qkhpkoen.exe
1596	Qodlkm32.exe
2804	Qeaedd32.exe
2796	Qkkmqnck.exe
1244	Aniimjbo.exe
476	Aecaidjl.exe
1048	Acfaeq32.exe
2988	Ajpjakhc.exe
2108	Aajbne32.exe
2968	Agdjkogm.exe
468	Afgkfl32.exe
2868	Annbhi32.exe
2776	Apoooa32.exe
1444	Ajecmj32.exe
2008	Aigchgkh.exe
1580	Apalea32.exe
1080	Afkdakjb.exe
1608	Amelne32.exe
2400	Alhmjbhj.exe
960	Apdhjq32.exe
1804	Acpdko32.exe
2196	Bmhideol.exe
852	Blkioa32.exe
1864	Bhajdblk.exe
2800	Blmfea32.exe
2624	Bnkbam32.exe
2756	Bajomhbl.exe
2644	Biafnecn.exe
2328	Bhdgjb32.exe
956	Bonoflae.exe
400	Bbikgk32.exe
2508	Bdkgocpm.exe
2688	Bhfcpb32.exe
2092	Bjdplm32.exe
1440	Boplllob.exe
2212	Baohhgnf.exe
1108	Bejdiffp.exe
1900	Bfkpqn32.exe
1812	Bobhal32.exe
2144	Bmeimhdj.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
2884	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
2720	Oghopm32.exe
2720	Oghopm32.exe
3048	Oopfakpa.exe
3048	Oopfakpa.exe
2700	Ohhkjp32.exe
2700	Ohhkjp32.exe
2660	Ojigbhlp.exe
2660	Ojigbhlp.exe
592	Oqcpob32.exe
592	Oqcpob32.exe
580	Ocalkn32.exe
580	Ocalkn32.exe
2404	Pkidlk32.exe
2404	Pkidlk32.exe
816	Pngphgbf.exe
816	Pngphgbf.exe
2956	Pdaheq32.exe
2956	Pdaheq32.exe
2308	Pgpeal32.exe
2308	Pgpeal32.exe
2876	Pnimnfpc.exe
2876	Pnimnfpc.exe
2940	Pqhijbog.exe
2940	Pqhijbog.exe
1756	Pgbafl32.exe
1756	Pgbafl32.exe
2016	Pjpnbg32.exe
2016	Pjpnbg32.exe
308	Pomfkndo.exe
308	Pomfkndo.exe
2324	Pbkbgjcc.exe
2324	Pbkbgjcc.exe
1056	Pjbjhgde.exe
1056	Pjbjhgde.exe
1944	Pmagdbci.exe
1944	Pmagdbci.exe
1328	Pckoam32.exe
1328	Pckoam32.exe
1816	Pfikmh32.exe
1816	Pfikmh32.exe
1712	Pmccjbaf.exe
1712	Pmccjbaf.exe
928	Poapfn32.exe
928	Poapfn32.exe
1292	Qflhbhgg.exe
1292	Qflhbhgg.exe
2128	Qeohnd32.exe
2128	Qeohnd32.exe
2164	Qkhpkoen.exe
2164	Qkhpkoen.exe
1596	Qodlkm32.exe
1596	Qodlkm32.exe
2804	Qeaedd32.exe
2804	Qeaedd32.exe
2796	Qkkmqnck.exe
2796	Qkkmqnck.exe
1244	Aniimjbo.exe
1244	Aniimjbo.exe
476	Aecaidjl.exe
476	Aecaidjl.exe
1048	Acfaeq32.exe
1048	Acfaeq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Apalea32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Apoooa32.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Ohhkjp32.exe	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Chdqghfp.dll	Ohhkjp32.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Oqcpob32.exe	Ojigbhlp.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Ejaekc32.dll	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Plfmnipm.dll	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Jgafgmqa.dll	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Acpdko32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Oflcmqaa.dll	Oghopm32.exe
File opened for modification	C:\Windows\SysWOW64\Ojigbhlp.exe	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Apoooa32.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Nlpdbghp.dll	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Jbbpnl32.dll	Ojigbhlp.exe
File created	C:\Windows\SysWOW64\Pmccjbaf.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Pjpnbg32.exe	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	2640	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahcn32.dll"	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pckoam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgljgoi.dll"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2720	2884	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe	30
PID 2884 wrote to memory of 2720	2884	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe	30
PID 2884 wrote to memory of 2720	2884	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe	30
PID 2884 wrote to memory of 2720	2884	90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe	30
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 2720 wrote to memory of 3048	2720	Oghopm32.exe	31
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 3048 wrote to memory of 2700	3048	Oopfakpa.exe	32
PID 2700 wrote to memory of 2660	2700	Ohhkjp32.exe	33
PID 2700 wrote to memory of 2660	2700	Ohhkjp32.exe	33
PID 2700 wrote to memory of 2660	2700	Ohhkjp32.exe	33
PID 2700 wrote to memory of 2660	2700	Ohhkjp32.exe	33
PID 2660 wrote to memory of 592	2660	Ojigbhlp.exe	34
PID 2660 wrote to memory of 592	2660	Ojigbhlp.exe	34
PID 2660 wrote to memory of 592	2660	Ojigbhlp.exe	34
PID 2660 wrote to memory of 592	2660	Ojigbhlp.exe	34
PID 592 wrote to memory of 580	592	Oqcpob32.exe	35
PID 592 wrote to memory of 580	592	Oqcpob32.exe	35
PID 592 wrote to memory of 580	592	Oqcpob32.exe	35
PID 592 wrote to memory of 580	592	Oqcpob32.exe	35
PID 580 wrote to memory of 2404	580	Ocalkn32.exe	36
PID 580 wrote to memory of 2404	580	Ocalkn32.exe	36
PID 580 wrote to memory of 2404	580	Ocalkn32.exe	36
PID 580 wrote to memory of 2404	580	Ocalkn32.exe	36
PID 2404 wrote to memory of 816	2404	Pkidlk32.exe	37
PID 2404 wrote to memory of 816	2404	Pkidlk32.exe	37
PID 2404 wrote to memory of 816	2404	Pkidlk32.exe	37
PID 2404 wrote to memory of 816	2404	Pkidlk32.exe	37
PID 816 wrote to memory of 2956	816	Pngphgbf.exe	38
PID 816 wrote to memory of 2956	816	Pngphgbf.exe	38
PID 816 wrote to memory of 2956	816	Pngphgbf.exe	38
PID 816 wrote to memory of 2956	816	Pngphgbf.exe	38
PID 2956 wrote to memory of 2308	2956	Pdaheq32.exe	39
PID 2956 wrote to memory of 2308	2956	Pdaheq32.exe	39
PID 2956 wrote to memory of 2308	2956	Pdaheq32.exe	39
PID 2956 wrote to memory of 2308	2956	Pdaheq32.exe	39
PID 2308 wrote to memory of 2876	2308	Pgpeal32.exe	40
PID 2308 wrote to memory of 2876	2308	Pgpeal32.exe	40
PID 2308 wrote to memory of 2876	2308	Pgpeal32.exe	40
PID 2308 wrote to memory of 2876	2308	Pgpeal32.exe	40
PID 2876 wrote to memory of 2940	2876	Pnimnfpc.exe	41
PID 2876 wrote to memory of 2940	2876	Pnimnfpc.exe	41
PID 2876 wrote to memory of 2940	2876	Pnimnfpc.exe	41
PID 2876 wrote to memory of 2940	2876	Pnimnfpc.exe	41
PID 2940 wrote to memory of 1756	2940	Pqhijbog.exe	42
PID 2940 wrote to memory of 1756	2940	Pqhijbog.exe	42
PID 2940 wrote to memory of 1756	2940	Pqhijbog.exe	42
PID 2940 wrote to memory of 1756	2940	Pqhijbog.exe	42
PID 1756 wrote to memory of 2016	1756	Pgbafl32.exe	43
PID 1756 wrote to memory of 2016	1756	Pgbafl32.exe	43
PID 1756 wrote to memory of 2016	1756	Pgbafl32.exe	43
PID 1756 wrote to memory of 2016	1756	Pgbafl32.exe	43
PID 2016 wrote to memory of 308	2016	Pjpnbg32.exe	44
PID 2016 wrote to memory of 308	2016	Pjpnbg32.exe	44
PID 2016 wrote to memory of 308	2016	Pjpnbg32.exe	44
PID 2016 wrote to memory of 308	2016	Pjpnbg32.exe	44
PID 308 wrote to memory of 2324	308	Pomfkndo.exe	45
PID 308 wrote to memory of 2324	308	Pomfkndo.exe	45
PID 308 wrote to memory of 2324	308	Pomfkndo.exe	45
PID 308 wrote to memory of 2324	308	Pomfkndo.exe	45

C:\Users\Admin\AppData\Local\Temp\90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe
"C:\Users\Admin\AppData\Local\Temp\90450ee7af1c6268621a664d46765781032b92d623b1cf69605215354aca3671N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Oghopm32.exe
  C:\Windows\system32\Oghopm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Oopfakpa.exe
    C:\Windows\system32\Oopfakpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Ohhkjp32.exe
      C:\Windows\system32\Ohhkjp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:476
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 140
        71⤵
        Program crash
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
71KB

MD5
160d08e4bf4932cc3e1e23992cfc95e7

SHA1
80c031356cf4591223dcc47e74f4c44784ac94c0

SHA256
f42f2d90ad62bfbe04b346f77f3d567183dbeb314db8f64b1906691bb8eb9ec8

SHA512
03e1081a6810e1c96f3ea82b89ab75e09d5e1d79cafa29d17a5ed49ed8668a46c6aa1a92819ed60448c4eaebb6110a90792e08bb39d6b95ade9380d6107c50b1

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
71KB

MD5
26563d3c80cc48a9467b60af78a84d46

SHA1
d4d83a45256b6a39aa078b9c1f4026d431f2ba96

SHA256
2324521583938dd08b51f12282c6d4e933b0fef79f96c511656bde05ae791cd2

SHA512
a24a831a9c0a94325e50eacd38d66285ee294783a4159c464f19591405f68b67e39812b450397e3674802e11bb43c8b37651a659b918e67782acc7012eebfba0

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
71KB

MD5
645eedad01574758795d94102a6a736b

SHA1
7494040ae1b4e5b8b50c9d4e3ea0b5500c71b921

SHA256
73274b5ec43be11ae5c683f29cfe74c9878c508afeb292523edbd9e897aac071

SHA512
5300f974e2eef24107567252a14e7d0865633a3c2e42e994169bd16e01fd3981e1313f188796d05a78638aacf663b17a7cecac30a66f36e6c1478911f4caeda7

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
71KB

MD5
a07f814ee354bc459ee39cd8d3cb4a35

SHA1
1ee6f4e02735d520be8138989bc197def685e95c

SHA256
d5fd88ac9a4dc2b45a761080d73d947209ec69aa18e639613401728ee05cdf43

SHA512
38cd1f8d1233ff70306ff40cfb2824aea1d823dc1bce55157ebdb069556e1300600e8aaec14de72f29fdbe1c78b755a3f1b16aaba61da73cd2cba7fa41ab6bfd

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
71KB

MD5
d7a91fa22420708dd7179219298eabbb

SHA1
b6629260b72e9d752428108d2a5a43d39edf3510

SHA256
422f1c2b30b90398e0832f57d51c4487db5bd442e3392775ab4316ba4d0c7094

SHA512
4787726a6858128b81d396e2231d7656f9112a608bff7a2ab0974f71ea46bb2f99ab212492b2aaee88bc36193da7f909fad03547a60e460f54ad144eeb0fa60c

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
71KB

MD5
b4ff1bf70329e2f6d29723ed15bcc7cf

SHA1
7978519c334aed5f8ab0385f89eef5e217b5e8ce

SHA256
f8fe5ee37c235aa4f95f1a64c6c002ceb284b33fb7980537b21ea1bacd49c763

SHA512
64bc1fc4ab19a82c18156c1a952324719b61ef816095114895d15e26bb8ea3fd2a2a22cb5797757f5258f87157c6ab09e8c5bbfa21a544fcf50d616f29c47467

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
71KB

MD5
93c5355afaa7580debb52cda5a4caef8

SHA1
d5c1be0006423e57c7785587b91a90460bf31461

SHA256
9543d947c91afef45c7eec013317cc434f5837d292b10adee0ef3f6b0b4e6cdc

SHA512
e37cc75f7ad798e28a438dccbbdbb9f459ca68ba4399c8d245219426fe260c606b9db67def8b07869f8a07f6c4cf90fb0c13b5c1e2249070dc3dceaa929fbfb4

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
71KB

MD5
58745ee377147a26c95a89353fdbbab2

SHA1
459e005257b424a2f345ad97378257f722d3da67

SHA256
213dd29e922b121208c6c7d779e1e70815808af4d1c6a002b29199d2b7212391

SHA512
56427897da0ddfe718db0df14f9f4c5cccd4bffd0b2a3f26627a2cd257d62f7a002d7df58831448abed7d1d931252d1dd33c398e490329d38e1b31f1498ed715

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
71KB

MD5
3cb3709941bba6aae4b310ba4db14a3f

SHA1
67f8e5159c3e54b268b4379f466f92ea04ffa23a

SHA256
5862aa769c21c1fd2fbe9e122048119fd273405ea2c8604488e20448b06a42fe

SHA512
792ae3b4b64cb83098b5f42d16c97bfbfbd68ee80b5f3538c3abed6f1f991a6d0e0094b22560252c99749ed4791b2a0560a2fad1d4205ab6dd0eaede8ca40e03

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
71KB

MD5
d055f60fa1a535fe704b71d499e725f8

SHA1
103c5b956970e09052d8c73f829c013c7f579891

SHA256
22adc292a837bc6fc8e994967b5e8f014f82b2a300be123290915c0bf4a0d62a

SHA512
ef3b26e1860a4a4ed69e56d485b4a73315bb7c10373c444dc83fdb76dcb2813b57075254a311b6692de6667073cb154a94dc50188253c019a4bce6e7866ed23f

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
71KB

MD5
5f451b6822e460c29c725ab05d2fd6d5

SHA1
31ec2f16cc8df6bbca1ded91b1452bf1bc14704e

SHA256
66b29983bdbe5ba56c4dc9a7c4698c6eaf1a4db21de3b5e1ec8780ca7b9f3de0

SHA512
d73f46ea633b2c3ca7329f600ab8f2b404c43b31e87765b3adf04fbc8c05e7e6bbc41fed33acda1866699a330df95566f18a6e497208890a480299a17ff16d37

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
71KB

MD5
6d267862628647de4b789f18691399ff

SHA1
6568c2f810b0a77f6b50190f47c7ddd1b1e859de

SHA256
3ff2ca8c4912a1862d96848a69483ce50fea834e4307920399302dcd6d66179a

SHA512
c4c96d3c03f66dfd8fb683112c794afc6a607fcca76b3afe5e785a4a7aebb3909649f499d5f74a1d4102aca979a59bed0d1877adca78765a636c3d144c8fc4d7

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
71KB

MD5
49b644775bd691b20091b43c517af9b1

SHA1
29c435fbbd4907f49ae2c94a821f531d24c01465

SHA256
30cbe2f4cdabf30b38679b3ee7ee448bb13cb9ac936ac81a41f8d8abf0f5b751

SHA512
f0d6e3bc408a3cc2b4854494e4d344c4fc7b78945751b1e4389666d73c41a6c6226ccef9e03d5ad15fa31b1fb4ee15bf19be913a2f3f79d85e11cbc82cbad5b0

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
71KB

MD5
736a8575d473fd0827d3fe427954ed9c

SHA1
c31fd3b34d103a7d4432b91ffa0c6ae398f0aeb4

SHA256
385e13de5e226353d26b6a9c9d1d6608cc4ad05fa17e6dccf87252a3c074c4ca

SHA512
add539ec28e8bc03a3bded647f15cc964820572184f54fe43e17009302a75d642db1b71922303c63a621f731e8081ee3f8c04db786f979eb606de8827e80e29c

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
71KB

MD5
dd1b7ac94abb73a9c17a53243f8d58ab

SHA1
ef49383d123e82022d1b49ccd37a5ef63573c1e9

SHA256
dccc20969519a20accd72fbe7b66a31f749f0b3438a9d929417bd020a190498b

SHA512
d5eda381f2037e69185eeb76b6fd8167face5e263c1c1a01fbedd14206233a13fd1c240bf7b88a1b51201d8ee90ad320ba9084abbc1eb5cb5f2b481089761860

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
71KB

MD5
6a8e64d997497831dadb6d27be724039

SHA1
73c1966390e817d14b3d904cbe65d1885851d8ec

SHA256
1136a7c48be368f957c6ad97a20997d6657804404a9093c3e3d53448808c8606

SHA512
545901140190c6fc4fc5c35c86bf6049e5e249ebdf945fb25e36f350267f7adbefb3be5d3f3a4c2c708764faa5af61cb17bb27a74bac910e982c386db9e2cae3

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
71KB

MD5
d0b48b46e6f7feb08205eba77cf5fa5a

SHA1
9ee75b5fcf91cd56492c17106633561f60103045

SHA256
55a0cdbd8c5b26bd7ee718e77ce123e1a169d4fdb33527e94f1d4c77410ac357

SHA512
828400b7893943cdf98f361e8d8d89b085da6f55ec15047d75781a1a9fb0637ac1692fd930511f25afca051bb234c4dcb75108efb550197f8e67647959bd9398

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
71KB

MD5
904563897432dbbf5f2644a3f2bec5d5

SHA1
b20885ba5f58556c696ee36eed62b05ae1974303

SHA256
a774d78cb071053ce7099c8d8a5421c8dd4cf07e290c658158c40bad3c22c4f3

SHA512
6443749a84cfb808b68a2967831aa064c7081006f0fa395452a9019ec712fc31fc2c29e05d7ae1aac488d31e7bf6d0d6b4d9041173e41a2da687f66e52c717e8

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
71KB

MD5
7855ee56f2f96a0f5e57dcc364432f6b

SHA1
4dc6d477078a28018c153419b5972eee6afc4159

SHA256
bb8157644b3f0dac4bb673f2e75fbdec0438eb382a3bf8e49f887813bf338034

SHA512
28de2a297b050c889a8dbf5a2898fbd360525996e73264f577b63a025a81365dc8d970dbd8e455da80f78027ead9d4a44a7737a4286598736c79f7f98b20b098

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
71KB

MD5
d4d553e463f657eabca5f611cdd0a637

SHA1
de00c83f9cb1ea457fc6afd00ea19ab1253fa3a9

SHA256
f14389d5c8c8bb3f93de9db4d433ee669e121f227e12f32b52bbb67b1a3024fe

SHA512
8ef6705364319e32f53190ae1c582c9f463a817233b9dbde5b45360789834bc16bd3ed5ea2263bd8232f599f5de82fa078dd0b56c646c9153a4d8a4b24174eb2

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
71KB

MD5
6f9d7c3f83471978a7e8ab78d616a91f

SHA1
cfb2084f21135401821255af871def403483d573

SHA256
013de7e4871e9d4d815a1cf34027d156dfa4172917f7c56aca0ae61bbd9446bf

SHA512
a338aef297bbf2698082be98da519842857bb773dbef7713a72a067bcc1a8ddb64fdd5396d7af39aab05e67e9be964d0efa169bcc5f318e574d09d67c2094c94

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
71KB

MD5
08cea3c17ba326cc76e0b741235a3d6e

SHA1
de81bcb506fdd6f90209e26cd988e1c5b5775f8d

SHA256
7ef7ae9a1e514ad408add4197da552d11e3a4348e7fb4050e4c2c0ae2dad2189

SHA512
b998a123574274f76d1cf3760d4daecb5d7fe5f9b8a5e608c1c3b00b155dbb2ac0961d2e4754eb114ae37c2aaa89fb8ed6cc318bb542ed392bca2775e9833a42

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
71KB

MD5
69a15aa4a71f89e43b0ccb74fc72411d

SHA1
6c1efc5ebbe9e6a9c1c9280ce483f2f2485f8478

SHA256
89f51e02e054a99aa7d9fbe84efbf76f2c73e58c071ee104e821c79ceaea2bec

SHA512
a761b09981302d9eab73e023e72a89412ec1e4a2afaeb4bc87f3826a07be2c266168b760835dbc1251a6cfb6adae397da8b4bd01b23302ea86fab1890863cb81

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
71KB

MD5
d1be1a873063bca36220afe2369623b7

SHA1
36b50144e9892a3c486929fb3b0d819301b2732f

SHA256
7df482aee98908772eb1835423005dbea2d776f1eba51294ae02778c946f005a

SHA512
b5aea94b7cd329bce85aebcdb55638f69574720d5d27407915594ea59a22335f0cd0387c65f5b7a9306800dd8342142c8cfbf93e1a8ca1a775bb9b6d684f543e

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
71KB

MD5
7039ed062afb0617abce76f4f17c6da9

SHA1
b9fda5584a5f742e1c1222a2fd91fc3f9a80f2ad

SHA256
6cdf6c12899ed810fc6eb7c80cea6cfd01468750201aa522ef658df2e32469a1

SHA512
b588c7286eb79c6740d9250aea2ba30e3bfc329b8a726af98636524b2681d9f9dbaeed3678f189589cdfb5685f16ef990f761c37ce1fd7e0f82e8617c02d43ea

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
71KB

MD5
b9629c3d4ef352a74df08a6049b3722b

SHA1
683a8a5f797aa266eb0186fffb06498a3669803a

SHA256
49c3dc99ae85f444ceb231e6954cfca917e18fc0e91ce7557af7a2593d6a0c1c

SHA512
ee9aa7490ce625552437cb05972a257c84920eaf525cdb063b98dce274cd6454367b5cb5899bd7ed4fefe7f2afe67c327512cec6ceb47249938501cc1fd5ab5c

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
71KB

MD5
7e1c8f2838d0adb4ebbf58ba4e2ccd32

SHA1
1bbee05c966532ff65105553b6befb0b004eb605

SHA256
a0190d83a610ab46b62ec5fca7f2199e3f517696d5d0a2701fc759de82582c87

SHA512
835282ecf3cef657f522234c4f20839813bfb2e90e71bff0e4c391eb3803c9418d191aa7744fa6661790227aef9beedacdeecd6ffd88c8e20a45983e3ae6c7aa

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
71KB

MD5
88bf7bc4b882d195623d5e9cd810ebf2

SHA1
360453b7f0f0b645dfa5823522cb42da94b4d4ed

SHA256
f3ab705e21d43509cfe411ec715d57f39934ae5adb6c65610f9f004846214f7f

SHA512
6bda49682bf92244bd513b75d7fa8c43242bccabd959b16119774f55a7511c1e97593f7242b98da185bb3637fb40d536d77fb9dc68250f9a64b8232e6bdc53bc

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
71KB

MD5
1d12a27f7c6e7c065c258b74ad6fefea

SHA1
eabc53c179ed0a2e543bcb58d3c8c0d893b6d761

SHA256
da09606fe3baada02ff25adb2e78e8dc8385b9176cb2835a71dd28c9169e6ca2

SHA512
2c19cb35f17200f78ef4ff9977fcbfcea03f64906e06299698787cf9c868acd442f82586a52fd8e637d6a4c19ee80e834af906feeaf13b302f3107f43211cda3

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
71KB

MD5
46dbd8c4ca1573efdc439526ef6a7c1b

SHA1
934f91290989d99fad4ca125095b8d58d1ce90cf

SHA256
a8b00e9cc3f3b04d652966c9a5317c0ad0983bdd78ae23f2799fd672173b6f47

SHA512
6e327ca32126813469ed271ceb366a2b3ae49e011eda831618f71c0dce439000b3a542df6aa10ad71f9559cefee037571ee25d733cf19ae5bb0ca3d501aa6103

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
71KB

MD5
86c9047fadcda4a116f9aedcc0550aa0

SHA1
b95f6abc80791ab851c151a49bef6cd6d6e5a588

SHA256
5551955880e6be6fc30e9c90a12a4a7ab4ab07cacfc95fc5e16c07436cd9ff62

SHA512
3e532580f2e0159c611da7d50864504eea21c6aa0eb3d7b2f06ed091bd344344e26399f85e195eaa515406ec35db27f3589ebcffc0b0ae4ff5ad05a79028b38b

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
71KB

MD5
fbd360e64c2fd67a890394b207f2692b

SHA1
061da9915afd389600ae0820c685fbb25c3b3c0d

SHA256
326212d5d51a1fc91f1404a357283417678449a5eb55346e7e9a88791da3dcc3

SHA512
aab79048d1b89cfd3d22e6b31858b06ead05152a29c058667b9451773497decd78df889dc4e709a0043a787382ef366aac5f4442ae8b2cb3cc996c9692022c83

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
71KB

MD5
8ddce4ae0770858e871ba8d461b72437

SHA1
3832afb4554262cc3184093b5b069f95298d4456

SHA256
b1a665833ff3ac7d2e5a6cca0666dcca077f71bdf0dee619b2e7a6d6979d27bd

SHA512
a4962621400962c8d9193da7c00db64c58b918d787da4dcab938e831112e4a0102a7abaf89be94c8af061d6c967a83c4f421c4c69e0934563923a021314c6b3f

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
71KB

MD5
272a1cd7b3c67be22348ca53fa765b6c

SHA1
80ca521c96d8d716bb30cee2c63da1df5101724d

SHA256
ba126a216fa27bc2ef77677de032ef9245932412ac2a2b7d2d429e2b741e6f54

SHA512
66347e5c338486abdc7a4bdcc71bae9da8e3e9780afd32f2cf94cfbdff3b16d36ff1e7ae7107e63c855ffd46a87899eba88519743af836963f07e59eaf6b954d

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
71KB

MD5
0365e12c6c3a41109245cc1abef50ffd

SHA1
909412eb91e30d3277ee32c53080006e82e2ba63

SHA256
9b6055bd0610d697d62b921916718098e8a2b06ca2bb55edcdba849935d2e850

SHA512
d5198888ed3e9dde66a27e775eda84c3ff4102a3b62e3c4e611ae4230b0cb65e8df07024426b0704a2f7181a2865552c77935ab7ee0be3c08ca3e00682c467c6

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
71KB

MD5
4f2e3b93d2d0dddecff14d50e461c305

SHA1
8e215725d56596a26ed355fc22e8d455e61add69

SHA256
737c95687dbaa3385433f649f6688943a1616a52853a04f36bc7c1304636e29f

SHA512
f0c87dfec1d3aca1972c9a56bbbd87dda25c172914504f5f802449ebc617fec55f8156339b0870c2b9f7f260cd4130c5c59bfb5f5fdcf9b8f8340da6e8a331a7

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
71KB

MD5
cbc6ffdd69393ceb27e9fdc7f1b5abdf

SHA1
8a8db71bb412a4c462d48b71b3171164390e0c7f

SHA256
edd8f3898f2ac7264bb6ae105550a6b28303bfb65ebcc006fd97cd945cf7a75d

SHA512
07bf4a039c96b99d2cad21cde159a6c1f522710867469ce0cd5109eb632cb564b597459f196184870ff4911de45e6abce02e8d4d55bba043640226ad24a9469c

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
71KB

MD5
9c3e9fa55b613e903778ca4182861727

SHA1
e6e0a3e101c720fea83ab377e9b48b75a0463b41

SHA256
0c1b39be500643e8724906e21db237b6ecbad86b69e0a8b392edffdd30660dc6

SHA512
5534a70538c0662b9a615e1f5b1b165dfc6038996c49d646effa1cfe50274253b9cddefab3d19ebed2486ab230e1bfb1a68ede0bd82e63af9f1f865a0f646e2f

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
71KB

MD5
886fd9d35e82d9d52e13491448206350

SHA1
4f2d6a41fde7f5560179c606b6f7277d0ddeacd9

SHA256
abbf29b48e435fd771c56cc7ff78c62f67395a2953becc0bd5d9c0053725e2db

SHA512
9f0885176da12b34eac5776ab65e421960fcadcea89b177afe8be9c8db2400e64d55ed99946902b746cc093fc925226ce6c1e6f1bf5b47b5a7daedea03734633

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
71KB

MD5
501b95650e404f370cc331e0657476e3

SHA1
f26f89540f90a431fdef0611c1b673a9a94ec6e2

SHA256
cd69f88bc82b646d0416b4d631139e90bdff82fb9a3adaef1edb6ad7df1e0286

SHA512
401e40fbd34b41c5fbae27cbdbed36f83eab4a7bda561a003ad906a13a355ebb689dbde2c8d60c61216ef3c1ebbd96d8831aa3ca0d85252855616f8e459741d8

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
71KB

MD5
32501043725febc60a132fca415d1074

SHA1
295a2504ef8c006f806f638235204e6b0b0e8ceb

SHA256
ffb787e7272c6c99862a6d3d546b0e304a8b3b0b7e6eee7911c3964378e32bee

SHA512
0b9c602e7e9916b8fb87280f78b05d8f9f49fb87f51772599efd4a8f8d73104d731fd55ef5946a559d1dc936e4464d10f202f0f3a0e89061fdf68596ed0f10e7

Download Submit
C:\Windows\SysWOW64\Jbbpnl32.dll

Filesize
7KB

MD5
2141f30e0cfb3c0b812f78f1d79f17b1

SHA1
f1025b725616a999819ed932cbc5a8ad9537e14d

SHA256
dafa05afc36ada8a04247262abf9595163f599b485952bed4b189815be72097e

SHA512
36bb670270fa4a8e7219aaf009400950ccc793b11f8bb42d21d3d479371fac15b53918e2be3fedf28d3a5b8e6c7c5ca6d78e0cc56af55f41f63d07fe4c9512c7

Download Submit
C:\Windows\SysWOW64\Ocalkn32.exe

Filesize
71KB

MD5
1edd9e5e33dcde2c9c3c71d9668b64a5

SHA1
c71185453964d6937830b0f2618b68fff47e6463

SHA256
4b2d80ba7cbe04b998436cd3e3afffa42e12f81a994f33327a575dbf1cb3bfdf

SHA512
f7b8595c093bc0bbb65bfe9649d402b5ad96d443459aa0043c8f1bbcd5429df2894fe707fa1d71772c9a914df8f7c86edf2fdecfd330297be8a45c3a0d6ab181

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
71KB

MD5
038eba9063ef97cfa0e7f3fee893732f

SHA1
eca5c676025019c7a88c749f03b087d6f4213dcb

SHA256
6b0e1bc0ad8575f1d8c6aabccfe38292d8c5e0ce75084936d50ad671ea9860e2

SHA512
940f9760f4592df13c35be650ca9cf313d1a38de7e5a9e39a6307b41164b6a36aa117fa511a5e61c61732a213ea8c70bf109667e698224f91e985581303f1c1f

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
71KB

MD5
4fd93b6a2ba286ed53bc13e3f9902eba

SHA1
ca278723638113ce19a0970375282fb424250e2a

SHA256
9a4c93e6f2233243c7b67b0dab778d4b4bf1dcdcd36cd4dd7e1468b92a2cb452

SHA512
e1f1b7beaa76715dd44886ae1487ff7075584757a6d1b44c5d3b00f903a575e4d28364757c85612d3fae48ca1f96ecd85ec9db36d97741ac1319dd1503842d62

Download Submit
C:\Windows\SysWOW64\Pgpeal32.exe

Filesize
71KB

MD5
0daa6c5dbf9b3a0652b47ec9a6e8f2de

SHA1
24c7341c31bc0563542bb746f341541a1db7b0fa

SHA256
5aec9877df301672a3ac7ed376831be1ff06366876a287e3c9c6e3f0585d6a30

SHA512
92eaf0cb96991633ff2f4455ed9da376339a4f4ce3f4390f0ae633047f5451931e203b03905cfee7b527c1dc45bbffe6642259855ec2cfc5fe6daf4e20e5ce32

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
71KB

MD5
512c8733db79c63cb0e2342001fdd0ce

SHA1
dc17ca38a43ae9cfff2fa4e5513a3b5cc766f903

SHA256
0614d67cd6df868165bd80262ca4c3895a6ffe201ad0fbcd83b0a1a2b976e53c

SHA512
78f4669a135b2d7bfbd80aef8f8ca4a024b7667df52f25e65a54f2218cb03fb003068e49bd36856966e8bc1566d676e6d969d870d61bb4f76015d4b2404978a0

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
71KB

MD5
872e28ff5586dd512b6700ed94b3d5a2

SHA1
0b7a24e32bfc942c90d19364f93978c875e4172f

SHA256
88ae4b3586df853c5b4b051dbea4a70102d40e145be1d4d67869ee49b2f8e1b9

SHA512
360745749ec7188fef036184893d808f90b1be8e7bbd9efa7a877cd4c54a1b318454a693604a2984314f63254ad274143f2fb44dcd440d7456f0f768db26d5be

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
71KB

MD5
172b686fa9220f5c5e2a39ec4b3f6562

SHA1
cc6a5ca9d08eab9e8d77719db4a4d63fa34628e6

SHA256
2cace356cd4833a2f205cab5c26afe0d87b561737cfea83b31d8baa7aac97fa2

SHA512
1edeb866e40c5ae37d830ec0f2b33689cd14617a79b2a5b78e27b17fd52043e54481d10d117ea2af033561d71148c532dc6ad4a1e29592d01399bf8cd2bf3fe6

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
71KB

MD5
e006a1d9b42278f4e80dc7e1c70b36ef

SHA1
99134a0fc312d4d66ccdbc2c4271661039385cb1

SHA256
db073f455960ca1aa0d853cc71e72f7d1d9690471f10adeb4c755c7654e3bbdd

SHA512
00ce0e7386ac10fdb2a92049560badda149322b6ffd2dda491045a7a841332a6c6cda9fcf45a916ec4b6810bb41336ddccd7334d815b035c976da0e4ad9d96b8

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
71KB

MD5
ed64b0b1ba09d8f3fec913aba77f9fb9

SHA1
fe3531bb991bb3a13d9ebb6dc95952c5f03bf43c

SHA256
12e2b64895e6a58134c7a8488918d501609c81f01112125c8e6394b45e060b9c

SHA512
52679e24678f2f52177965ba555c31348836b30b842e332000fef23962a5869d1ce8eaceb9d3d1827be9b7b5c940839b9bd971fe4bbb107fe7de7e55e882b579

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
71KB

MD5
c73d789a7774b6551e0b7145463b40a2

SHA1
b57f390bd73cf95f0aa5b6a63434f46f7b4a2910

SHA256
50d9bf987b0bafefd79e35128167dd98896200aabe4432116286cfed982d4dbc

SHA512
0ece627a841cc4b671b5b078eae47bf07e5c803e641fdd40b70093ee8e34c25f19f9a99eb75bff191d3c398757a790b8987d467bf63c88ebcfde26cecf1dd4f0

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
71KB

MD5
17c94b5b3f37fff0fc5166002b04f1c4

SHA1
e75f9bb7f76f8b045307b7d652eb42c269496c09

SHA256
d913d1397668b42805dbaf779b02208d113102ff42785872ae2699f285e42f8f

SHA512
032b32f6657e3f9a7a72db6642521c3f815419db6513719db2a5a29bb7f14aff3864c92ef4ddc73086b95b435d94f51dca43c8f9cd3cf57a5f646b61389b4485

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
71KB

MD5
110abbc595da2555ca18fa8b358310aa

SHA1
3823a96ae6fcf34541b4a9366abaefbe998705f7

SHA256
1039fe7d81bcfa3474aa5116ead8740d6e24d3dc29037de7c6ab88137addc25f

SHA512
19dd6ea52b95914f564297f5f74efa5c56391bf48a49afbb1126ee5d7a3e56615b078c3545687f97b3b36a85d805506700babd437288bbf17d792aa2012b6777

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
71KB

MD5
293f75003c50d9af04b5fe8fe40fbd5c

SHA1
4880757ffcd5398bb9720c58c7cabadf2502a18f

SHA256
c3129afd8e1052269231e48dc7ed682eb66c886571d5be099960e1802b46a5e3

SHA512
00a7bad60b7b7c2a46aad20259869ee2413b1ad8a10d67568ef4efaff7d5eb47cb6b12c944529b667f708f85b9094b638b2ea8113e32f3e1b04af1a7aec169ad

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
71KB

MD5
e085bb95d29441892c437e240035aaa0

SHA1
7fa01920d307c37559443ef43763044037b765b2

SHA256
a656f8d4df667492cec332f92fff470a97834b89df8ac66402c0bb3da94f6582

SHA512
f892b03e7695b720de131a83c8dc6159bb59876e9311dc26c2a4242c919b7203c576a2160b2913549d010c8fae27a2384cf7e1ea5b8b449a5fb87366db736c93

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
71KB

MD5
7a81aad42a3dd9dbb6735113b0fa2df4

SHA1
d73da3ff44f3122abe738fe63b52221f51ed3f20

SHA256
d1f9fec68015e11ebf2055974e652cad8cbc86a0f730b35c9afc5b90258d27e2

SHA512
0acfe8d47964a8a79062f1cfdef921eea417c0d9e6afa1a150634f40c23c8a437449fad4e8495e58af49bf5d380384a9ff741838027be20b06806e1d1fb4e03e

Download Submit
\Windows\SysWOW64\Oghopm32.exe

Filesize
71KB

MD5
512f4ee330f9670158569ec2ab8db3fa

SHA1
d497468d8cfcc848939d050a6def77ef0e853ca5

SHA256
ef36bb79f24aebc77dc49cd8c3e4698d119eb7ba519bb46d6993fdccb02d834f

SHA512
47dd5b732ee9e4c414c58109650096b0bbe0076d3747e0f8ceb83d9a259b23c84b040f1438233a675262dacede58e9a7f0281563f96021ef4e1c367a98ba39e0

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
71KB

MD5
29ee73af5c46aa8b0b78b436366c4479

SHA1
9892a2f5a3f18b6329cce22b3b77264b399583a7

SHA256
919a480a7a70c9351d8894c333cad4da71be49a2a7c6a94505c079f3aa9835de

SHA512
122ef631c3b365a9a2e9d80fab354c40107f1883d2cf5950d70206714981eef39eebd80af416984fabf4b6791db55defddba4b1c3de7a59650e56b1353c6dc43

Download Submit
\Windows\SysWOW64\Ojigbhlp.exe

Filesize
71KB

MD5
1657308c5ac79755b5366562e67e124c

SHA1
921c431bf0de4968a6699f9fe75d023e2d8cea5c

SHA256
713e7446e410e7f6d4e7c710a27debfce80b20e8f38c7f65a9259af174b71e50

SHA512
cec008817e9162a8ba0bd78ea0a87d2bdac10c75e7c7d05565dcb6d473db7de05a61896fddfc9748f949f2658515c1087f7b7497eaecacf0fd3c8fe7b22c6e45

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
71KB

MD5
628ab6797f1a2657648a5ec41d3792f0

SHA1
b7e015181d89beabbe66982aaf05684b0016ff5d

SHA256
901095d14fb581cf7eb1017af29f2c43978f2f627003c5259804bc832d88a937

SHA512
b2fd7e6b9a8e7a2905c4ad63a58458b12255deded818a757efdc1d82ea086e140b396340c44891db5d0ee0c57ea21333c58291a46b843de521ff65ee2bb3829f

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
71KB

MD5
834e5f29135148826c6091f46d8a0398

SHA1
4fde0a3e8109382cfd64798f4272b3f2a5b3e5f2

SHA256
d0c841e94401641fd58f9ccabfcd32945338d8b0c8876582718fd8c8e33d1b42

SHA512
2520f61ac532b5ad153679c4c013d2a4fb34d52d2f00bdd9a7d50ed989598ea9daa829fbff06a45039534e3f4951d678e3856307eba31dc192a1677028b5b706

Download Submit
\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
71KB

MD5
5d6ec6c3a71a9f7a7d6560b8aa2bf80c

SHA1
edfc33897c9faad568abce8d65bb61957201120a

SHA256
1c11e742fe02b082500ce4a585f2a6757b5673ba390d79dc87fbd35949f042af

SHA512
0abe4250fcd880eca69876a14994f8b30901d8f312f4f0dcdd68833062e74cf3e8b58fefbc96923f67fedfacf1d4bdd4a29034696fdc465ec93bcb04ce1df68e

Download Submit
\Windows\SysWOW64\Pdaheq32.exe

Filesize
71KB

MD5
e86c5d669ff66986412a92c1df25be04

SHA1
c8b9aa429bbe37003b31a1b538cd98dc1e9b682a

SHA256
4c9ed546ab48f89bb1a8e8adc8a68f6ca678eea6b88ab4fecfbe2f4aaac1c365

SHA512
8f6a004e867f9d6b8768ceaa8090aec1067748bd845e9ddb5db7986d9abcb90ce81d02e059fbb586f8aa0e08657eb2d46e380881eb98b7ff69fe6b679a954f8f

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
71KB

MD5
50a8fbb280bd8b71f7ecb1ed197d2e20

SHA1
be20c4207bf8693d2eb38c92ca82f833ce1aa00d

SHA256
66836eb5321b81ef97fee6a60c9fe0ca7d51b310458e12dca72887333e61afe8

SHA512
502404c1a8e36de015e74cc17c1c58a39f7e2b76e7be4ffb11e6897f052f044dda5b84b8750b99dd6717e0cd46375222ccae9ca72c5ff48de6120ede9c6b8882

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
71KB

MD5
6ffe25fbe421b242d437c668a59ed944

SHA1
db958c45f54e047aedb989eff937c3b46d29977c

SHA256
fc078af25649dac7621ccc1f3c2846a82610d211fae3cffe00c3ac8c4d3ecd7e

SHA512
54e274e999d00d07a78015968dc44eea15a177dfeacb14938546ff314b004a71b6c8eae94312a3ce9498debb9ba6d6991bff37c56dbe6d0e993eeffced9ae222

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
71KB

MD5
83e8e49d86c50a9163a688ac4cc8fbc7

SHA1
86a3ae64f5dfd7e5281bbe1865ddca04de23d792

SHA256
277943369e4a86efb631aad5284d0e5bf16403df89f43ca9c1ca9e56a28e871f

SHA512
711b5933a806b5bfa64298415a4082a7dc23128f3ab90272855ef19a18a79fe7128c92c5372c2cdf3f32015ab3a80e396f2486009beca9641c4bc9cad9cfeab1

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
71KB

MD5
6b0136a8f66a17211552e772371f57f0

SHA1
e8fe8a7d39c1477dadb6ef5aa5b95c0afcc1e4fa

SHA256
486c3bcb77dc9123d1eff3949d5f2dec95c792eb7cb4bfef75dffe335f71fb1d

SHA512
28daa45645260a493553edd0479c9a3ff294ee6f1e13b14f44ccb0ae0ad38bd0ebbb4ebed5b8f90bcde1c3ff45090c1715aa065e12eb049116a7de52d417db03

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
71KB

MD5
bd441d4248893c0ff0bfee71308e8ee8

SHA1
53c6693314e0cf606154c911ff39059c92f1587a

SHA256
5c5cfdc32106a6f1499509045339d709b3b823fcadc711d5e65051667227dea2

SHA512
31f886763994ba366c369ddd462ccf081677ecfac42ee70454f5c13c18a0e2949d93567bac620e77feedbf46b55fbf7fc9879f75217ecb3f818def4e8b86d576

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
71KB

MD5
5486462baf6d3e887f846a9a8b99d69a

SHA1
9d02931b8382c3c481ff54fd14114d7a5f95243a

SHA256
455ffe3634436446bb409ce717044d5f8fa7db399c14e53330ffcd524ffa4878

SHA512
159dff5509bb8beb677517cd8e0bfa6cc133b19641480af903fa91e37e4df9e0d005ba231ec337e3bc5c51e627b964057a05ce0e30ca0ebb158793bd4dfe8f2e

Download Submit
memory/468-423-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/468-422-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/468-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/476-367-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/476-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/580-82-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/580-89-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/580-429-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/592-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/816-116-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/816-451-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/928-286-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/928-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/928-282-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1048-375-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1080-487-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1080-488-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1080-481-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1244-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1292-295-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/1292-296-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/1328-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1444-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1580-472-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1580-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-327-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1596-328-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1608-499-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/1608-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1608-498-0x00000000005D0000-0x0000000000609000-memory.dmp

Filesize
228KB

Download
memory/1712-274-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/1712-275-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/1756-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1756-187-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/1756-511-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-265-0x00000000007A0000-0x00000000007D9000-memory.dmp

Filesize
228KB

Download
memory/1816-264-0x00000000007A0000-0x00000000007D9000-memory.dmp

Filesize
228KB

Download
memory/1944-245-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1944-241-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1944-235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2008-465-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2008-455-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-189-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-197-0x0000000000330000-0x0000000000369000-memory.dmp

Filesize
228KB

Download
memory/2108-392-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2128-305-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2128-307-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2164-316-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2164-318-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2164-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-143-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/2308-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2324-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2324-222-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2400-510-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/2400-509-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-104-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2404-435-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-62-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2660-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-411-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2660-69-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2660-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-49-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2700-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-360-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2776-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-350-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2804-333-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2804-339-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2804-338-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2868-434-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/2868-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2884-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2884-12-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2884-13-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2884-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-169-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2940-500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2988-391-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/3048-34-0x00000000002F0000-0x0000000000329000-memory.dmp

Filesize
228KB

Download
memory/3048-27-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3048-40-0x00000000002F0000-0x0000000000329000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads