berbew | d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58a

Analysis

max time kernel
26s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
Size

88KB
MD5

5acd501897587507c854879d68891630
SHA1

567d320340caa9b71c9b2f02fd50be88c8452b91
SHA256

d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58a
SHA512

93e086be77d447860ddde4b74905c56e3bb4928a9bf8643cb67f0752a6ced7604639376a74b030bb3318b8d3994e8d08df59fe26d070c6687c56a3facec405b5
SSDEEP

768:G6CqvrUaaxFEVnc3WGU/AaPPWDQKG/MRHTxML2afXreSyacWRh1Y/5OR/J247Pp+:fdvrUf1GUHNacMh6S847PpBInouy8b

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agfgqo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2248	Oopfakpa.exe
3020	Oancnfoe.exe
2644	Odlojanh.exe
2708	Okfgfl32.exe
596	Oqcpob32.exe
2916	Ogmhkmki.exe
2080	Pngphgbf.exe
1680	Pqemdbaj.exe
2976	Pgpeal32.exe
2316	Pjnamh32.exe
2340	Pokieo32.exe
2188	Pfdabino.exe
2684	Picnndmb.exe
1676	Pqjfoa32.exe
308	Pfgngh32.exe
2056	Piekcd32.exe
1148	Pckoam32.exe
1532	Pfikmh32.exe
2160	Pmccjbaf.exe
1816	Poapfn32.exe
1712	Qbplbi32.exe
928	Qijdocfj.exe
2428	Qkhpkoen.exe
1736	Qngmgjeb.exe
2164	Qeaedd32.exe
2808	Qgoapp32.exe
2588	Abeemhkh.exe
2312	Acfaeq32.exe
1048	Anlfbi32.exe
884	Aeenochi.exe
1860	Achojp32.exe
2928	Annbhi32.exe
3044	Ackkppma.exe
2676	Agfgqo32.exe
2936	Aigchgkh.exe
2156	Acmhepko.exe
1820	Abphal32.exe
2136	Aijpnfif.exe
1080	Abbeflpf.exe
2216	Afnagk32.exe
2400	Blkioa32.exe
960	Bnielm32.exe
1392	Bhajdblk.exe
2196	Blmfea32.exe
1292	Bnkbam32.exe
2800	Bajomhbl.exe
1584	Biafnecn.exe
2604	Bhdgjb32.exe
1244	Blobjaba.exe
2420	Bonoflae.exe
800	Bbikgk32.exe
1228	Balkchpi.exe
1960	Bhfcpb32.exe
2948	Bjdplm32.exe
2240	Boplllob.exe
2780	Baohhgnf.exe
3060	Bdmddc32.exe
1508	Bfkpqn32.exe
1476	Bobhal32.exe
1516	Baadng32.exe
1000	Cdoajb32.exe
2388	Ckiigmcd.exe
1312	Cmgechbh.exe
2564	Cpfaocal.exe

Loads dropped DLL 64 IoCs

pid	Process
2848	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
2848	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
2248	Oopfakpa.exe
2248	Oopfakpa.exe
3020	Oancnfoe.exe
3020	Oancnfoe.exe
2644	Odlojanh.exe
2644	Odlojanh.exe
2708	Okfgfl32.exe
2708	Okfgfl32.exe
596	Oqcpob32.exe
596	Oqcpob32.exe
2916	Ogmhkmki.exe
2916	Ogmhkmki.exe
2080	Pngphgbf.exe
2080	Pngphgbf.exe
1680	Pqemdbaj.exe
1680	Pqemdbaj.exe
2976	Pgpeal32.exe
2976	Pgpeal32.exe
2316	Pjnamh32.exe
2316	Pjnamh32.exe
2340	Pokieo32.exe
2340	Pokieo32.exe
2188	Pfdabino.exe
2188	Pfdabino.exe
2684	Picnndmb.exe
2684	Picnndmb.exe
1676	Pqjfoa32.exe
1676	Pqjfoa32.exe
308	Pfgngh32.exe
308	Pfgngh32.exe
2056	Piekcd32.exe
2056	Piekcd32.exe
1148	Pckoam32.exe
1148	Pckoam32.exe
1532	Pfikmh32.exe
1532	Pfikmh32.exe
2160	Pmccjbaf.exe
2160	Pmccjbaf.exe
1816	Poapfn32.exe
1816	Poapfn32.exe
1712	Qbplbi32.exe
1712	Qbplbi32.exe
928	Qijdocfj.exe
928	Qijdocfj.exe
2428	Qkhpkoen.exe
2428	Qkhpkoen.exe
1736	Qngmgjeb.exe
1736	Qngmgjeb.exe
2164	Qeaedd32.exe
2164	Qeaedd32.exe
2808	Qgoapp32.exe
2808	Qgoapp32.exe
2588	Abeemhkh.exe
2588	Abeemhkh.exe
2312	Acfaeq32.exe
2312	Acfaeq32.exe
1048	Anlfbi32.exe
1048	Anlfbi32.exe
884	Aeenochi.exe
884	Aeenochi.exe
1860	Achojp32.exe
1860	Achojp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Okfgfl32.exe	Odlojanh.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Pckoam32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Aeenochi.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Odlojanh.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Pgpeal32.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Piekcd32.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Pqemdbaj.exe	Pngphgbf.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Poapfn32.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgpeal32.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cklfll32.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Ogmhkmki.exe
File created	C:\Windows\SysWOW64\Ifbgfk32.dll	Ogmhkmki.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cmjbhh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2300	2772	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmhkmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll"	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmomkh32.dll"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll"	Oopfakpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2248	2848	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe	30
PID 2848 wrote to memory of 2248	2848	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe	30
PID 2848 wrote to memory of 2248	2848	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe	30
PID 2848 wrote to memory of 2248	2848	d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe	30
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 3020 wrote to memory of 2644	3020	Oancnfoe.exe	32
PID 3020 wrote to memory of 2644	3020	Oancnfoe.exe	32
PID 3020 wrote to memory of 2644	3020	Oancnfoe.exe	32
PID 3020 wrote to memory of 2644	3020	Oancnfoe.exe	32
PID 2644 wrote to memory of 2708	2644	Odlojanh.exe	33
PID 2644 wrote to memory of 2708	2644	Odlojanh.exe	33
PID 2644 wrote to memory of 2708	2644	Odlojanh.exe	33
PID 2644 wrote to memory of 2708	2644	Odlojanh.exe	33
PID 2708 wrote to memory of 596	2708	Okfgfl32.exe	34
PID 2708 wrote to memory of 596	2708	Okfgfl32.exe	34
PID 2708 wrote to memory of 596	2708	Okfgfl32.exe	34
PID 2708 wrote to memory of 596	2708	Okfgfl32.exe	34
PID 596 wrote to memory of 2916	596	Oqcpob32.exe	35
PID 596 wrote to memory of 2916	596	Oqcpob32.exe	35
PID 596 wrote to memory of 2916	596	Oqcpob32.exe	35
PID 596 wrote to memory of 2916	596	Oqcpob32.exe	35
PID 2916 wrote to memory of 2080	2916	Ogmhkmki.exe	36
PID 2916 wrote to memory of 2080	2916	Ogmhkmki.exe	36
PID 2916 wrote to memory of 2080	2916	Ogmhkmki.exe	36
PID 2916 wrote to memory of 2080	2916	Ogmhkmki.exe	36
PID 2080 wrote to memory of 1680	2080	Pngphgbf.exe	37
PID 2080 wrote to memory of 1680	2080	Pngphgbf.exe	37
PID 2080 wrote to memory of 1680	2080	Pngphgbf.exe	37
PID 2080 wrote to memory of 1680	2080	Pngphgbf.exe	37
PID 1680 wrote to memory of 2976	1680	Pqemdbaj.exe	38
PID 1680 wrote to memory of 2976	1680	Pqemdbaj.exe	38
PID 1680 wrote to memory of 2976	1680	Pqemdbaj.exe	38
PID 1680 wrote to memory of 2976	1680	Pqemdbaj.exe	38
PID 2976 wrote to memory of 2316	2976	Pgpeal32.exe	39
PID 2976 wrote to memory of 2316	2976	Pgpeal32.exe	39
PID 2976 wrote to memory of 2316	2976	Pgpeal32.exe	39
PID 2976 wrote to memory of 2316	2976	Pgpeal32.exe	39
PID 2316 wrote to memory of 2340	2316	Pjnamh32.exe	40
PID 2316 wrote to memory of 2340	2316	Pjnamh32.exe	40
PID 2316 wrote to memory of 2340	2316	Pjnamh32.exe	40
PID 2316 wrote to memory of 2340	2316	Pjnamh32.exe	40
PID 2340 wrote to memory of 2188	2340	Pokieo32.exe	41
PID 2340 wrote to memory of 2188	2340	Pokieo32.exe	41
PID 2340 wrote to memory of 2188	2340	Pokieo32.exe	41
PID 2340 wrote to memory of 2188	2340	Pokieo32.exe	41
PID 2188 wrote to memory of 2684	2188	Pfdabino.exe	42
PID 2188 wrote to memory of 2684	2188	Pfdabino.exe	42
PID 2188 wrote to memory of 2684	2188	Pfdabino.exe	42
PID 2188 wrote to memory of 2684	2188	Pfdabino.exe	42
PID 2684 wrote to memory of 1676	2684	Picnndmb.exe	43
PID 2684 wrote to memory of 1676	2684	Picnndmb.exe	43
PID 2684 wrote to memory of 1676	2684	Picnndmb.exe	43
PID 2684 wrote to memory of 1676	2684	Picnndmb.exe	43
PID 1676 wrote to memory of 308	1676	Pqjfoa32.exe	44
PID 1676 wrote to memory of 308	1676	Pqjfoa32.exe	44
PID 1676 wrote to memory of 308	1676	Pqjfoa32.exe	44
PID 1676 wrote to memory of 308	1676	Pqjfoa32.exe	44
PID 308 wrote to memory of 2056	308	Pfgngh32.exe	45
PID 308 wrote to memory of 2056	308	Pfgngh32.exe	45
PID 308 wrote to memory of 2056	308	Pfgngh32.exe	45
PID 308 wrote to memory of 2056	308	Pfgngh32.exe	45

C:\Users\Admin\AppData\Local\Temp\d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe
"C:\Users\Admin\AppData\Local\Temp\d054515a82a072e0953c75625112a220a86534d4811e5fa7ce38a168eccef58aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Oopfakpa.exe
  C:\Windows\system32\Oopfakpa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Oancnfoe.exe
    C:\Windows\system32\Oancnfoe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\Odlojanh.exe
      C:\Windows\system32\Odlojanh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 140
        73⤵
        Program crash
        
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
88KB

MD5
9338cd0d40b7132707fce4333435a336

SHA1
59b3c0eb240d92f18be3c3a358d3c04acbfdd2b1

SHA256
b2965f61ea0d38cb15fe588e4aa27e1a8f79850923833ec881cdd1c2011bfbbe

SHA512
19d28cfd74a44e830daac0af43bfd5022d537edb0c76f16167177c99eec2afd4b42549964ba05bfd62ea3c85488f90b5e801233a412f6fb2f63a6bf56d46d055

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
88KB

MD5
19089cf5fa0d422a616b53450e88c247

SHA1
ce7f6e784f2e7ca9a2b2a356a98836f10cd4850e

SHA256
e7af471d5e598f28f2fad3692f174fbe90202be3805110335e14bcae85afc494

SHA512
cafc538584c6cb34937cab0917f1d805b19b814854ac2813394f2e7119e04c45cc0dc114f0bbe4a67c3c6619f2160a6298bde8500fbe800c790b327cd61c211c

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
88KB

MD5
a69345c2ef1af413969f510ba9ccc4a9

SHA1
eb6567f81443480634b6eebb0ffe3ac74b6208f3

SHA256
da0b4bc864fc0386584a7f681413e264eb5b09c70c0e6fdf199a13ebcf75fdf5

SHA512
755e5a953466b8cd8cba8d77143054420b0c84fa8fceadd9af654bc081feae6ebf667ebf959e9c5c84aaeadba43eee31d82a402dac9dd4dd7989a24350fdef2b

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
88KB

MD5
43ccd9199ecdb0a9e216118f9df276c6

SHA1
f4dccefd805ea9b636edf7becebddf9484672402

SHA256
904a171d1338d72fc1669bd1cf15f515f5ac4c459192cc1e2f7c742d4ce75917

SHA512
0b9bac5bb926f5247efffcf6df4c991df925b9e4aa75913b0f0cc8842ee5bdbb990e6f3ad0ff8108684ac3638313bca688c4714e70f56d99a4a9e9cb3d759f4b

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
88KB

MD5
081c798abb23ac2236affdea89b2494b

SHA1
a2ca89386dbaa92cce2ed10d39e7c381f717ae20

SHA256
cc1bfe95e18250dca73b86b168ac3972cb20d724d4669b3ea469c873f987909d

SHA512
cc0e1a8ed55361e8a54a4e0a3908a058935cd54d09c2e0b7aa8ded3c0575cfcaacca5913f14831231e9d20a9502f816c6bd5fd44df40e0a34a63b4f66bfcf15b

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
88KB

MD5
d5591cc04c199b19614ea1239aa7d099

SHA1
e673b6de010e08a57050bea6c7baa475b983370b

SHA256
4864e23a784d6b0da9b9b435ee34cf1d48dda002d841f5afe6e67e3c8eba533e

SHA512
daa5a912e1416ed1fb4eb589b2e8cb4c392427fc98b1cecbe3e22e8360773f115d16441cb6e0f6b1c569de633ac2051c6f38c9320d9bd3b3912f07c64dc977d5

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
88KB

MD5
3760c3406278c21e1600e6d63c930cb5

SHA1
542dba6e8dcf92d0baccdabfc8af66123e55b42f

SHA256
758daa2b469c419e7d5455d50d16954975cfa5a103664a5bedec48594433680b

SHA512
ad21687112f1bdf3a4dcaf6a98c1f745501f728a50f6fa14d0a07edd4744729da7087130ab5f20f40c07ec33fdaf4f5621e2b7276945b2465fe011a4dc83c536

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
88KB

MD5
44ed2559f6bc6e8732ed9ded0200b1a2

SHA1
9c71eed10c7196ff736b054816fc9944ef2d04af

SHA256
86953ddb86569989bc85a650801897f3076fe9b28d46a073a3cb66806e28373f

SHA512
e386366c9e810b1fdddfe8cc1f12206447253d0279ea489f1ca9c9ad7788353ce226df5007fa1007aad9f434d681a84aa5bc4342795ed5d04a42a6c910133864

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
88KB

MD5
330837702525eea442e7a079eb9cc99e

SHA1
f1d4930e85f38e477dd11b48859ea89b56cd36be

SHA256
f6593ddb796cfe21ac7364d21dadea0ca805aab705fd1b37078389782ac40d58

SHA512
cd5053d2ec72bc66c4b076434ae4c3dacc1a3930562ac84e00a1cdb373dc4547b6f96f5235c940b25728e63edd3b177fd0e8a0a650932328ef41514c3c451fe8

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
88KB

MD5
7d3e6dcc029ea6cc76d1fd82c6d84dfe

SHA1
b2686a8b45a4725cf67b0e1f266ff64737ddf162

SHA256
4c965df1bbfe264a681e4c8bfff700fed33270bfc991f40c8ff02175cf8ae5cc

SHA512
a17e7c16e763100143c79a95c25a392956a0c4cefbb6db0019fe11d0a8bc731665adc2fd56ff2d793ea8782418eaa1c40036fc9a788520e66f3840b448ed6a13

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
88KB

MD5
c28cc9d8bb59c21b3deff17358e2d325

SHA1
9057ca980c0492f210d11caa8a28e820994c92fd

SHA256
01672bdde821a4f8c91bff5d4fc2ff6cd0d02afe0375eb4009116698f9cca77b

SHA512
1e70f06c101f1d7f2752e6072df7b0a9dced7b4c531526a81c28f35f3f980e7a60aa488294bc8f4d7d016a0fd41af67fd56eba42173ef36abd2665ad7661d2e1

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
88KB

MD5
d729e12cd7a0ee654998771f6f637a1b

SHA1
6f637801cbaf97798eaf2237c65da4e6d4f8cb17

SHA256
005842f85616d84ef39128a39e98e81d8e123b5e12fa6b3270a979e58fceb0f3

SHA512
31d6cd55b498c1a7c99d4ac1762b2e870a5445a1f91f6e26fc4965b9e2817ea527fa35bd0669d293c337c86b61a908a715f715cceb1a0fa808c09ee5ba932af8

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
88KB

MD5
1c322390457276a92a8eff287eef36d7

SHA1
ee2635f6aa9ebdcb8fd0698c148691996d2e83ea

SHA256
39d2dad5544a344a363c699b53d8f3aca7e59a8bfef3e575d7ce453442a81c20

SHA512
49931156a8a656b1fae8e13da4a4b257a7647477f0bf4a56eadaf923e77d0f2ee8568637d7f8ff99acbddb1cc30af54fedfb879abea917bb4c873cdaeccb7802

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
88KB

MD5
57a5ce2eba1e016b8d9509fc4c80dd5b

SHA1
bd4c277bfc4fd26eeb0de4b3389163c3e7f7d3c4

SHA256
618924e874d5ce65dbb6a9018bb00d47d73aaeabd908b1012f40efd208a425c8

SHA512
336abefd908efd9d3ad004127d38e2f2af49d99b38e0b5c4a9d76b165ed1d86c013b7a8a0834c8d5ef7196f49f843745f2e88e011fd97d3da2fc7908cded63a7

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
88KB

MD5
5c53aaeaa2ebaacec1568ecfd57eef8c

SHA1
e0d7574481b1b9408ba0dd3720f4b36c32f66eef

SHA256
39913c4be953bde26fc53d2167b7e03c3c568ca3e9b6204baac1418767ae4f85

SHA512
fb97e2cd50617ea909c553e87ce232f80165cf13a0530eacafd552600f2df3c95f59b5c8013f16c55ec3cef3d32c4da63fa9594030dab15b4b78d08c29cf9400

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
88KB

MD5
f2bc3f580cbae71ed1f3b5415d367383

SHA1
2b3f2a1aa87f9e3e07d0ad045dc8ab86665ebeb7

SHA256
44528378565ae83140f87ec8793d2b9933407d45358112f82ab167b745c783e7

SHA512
749e241f11c46e3dcffaa2a4d09a56618eadae84f7bc4f1e07cb6b8b92ae1364a3b5eb916131e6c5d798d1c44836fbc8eb284ddd3db27e404d2cdd0ef3e2d570

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
88KB

MD5
d49c80b3b60bf8b164fd115215a5f634

SHA1
b3ca34e96d45369b8b526bce1012b65dd0276106

SHA256
ee81606171ff78ba51dcced00e6115f335959bcd07d6bd73875170e897c98ca9

SHA512
930eb4f0f1474f49cbed191a8b47b8e630125499a7c5886b02a076d5774c50c1ed015c8b04b894084447266273a1dc34d1412bfd402c55ce0b28a8e201f6fcd7

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
88KB

MD5
c207fa8059575ab195888793e2dd3421

SHA1
dcf576842cdeaff32547e753fb2a97b786b04811

SHA256
d5a7a28998670b7e42922648ead7ee325bf9e0496739cb3b01685a48ecfe1667

SHA512
498163b10b07ac5d7350c8436b2c6d295d550d66335ea777f36c28aae297ade32af1d9ec137732d0fda8970c278a42c526d8bfe248018ddecfe101cc6cc23a68

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
88KB

MD5
c021e0c1d9eacdc7647aea487bf4a149

SHA1
89c042c2f3044f93270dfe1625feb397cf0bdb49

SHA256
f0e7ab42759e3d06c52b75dff345c3838ab3bff083f33a446217ae8944986576

SHA512
7754310771bc94ffa41b1af1af37deeae9c311d17e7c5d74d2a0a7221b6a945cd95192553726b8d4a1b72b1f52dff25c0cb8e46d0fc585c4ff0ead06754b8aa4

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
88KB

MD5
ac4583c678d495cd33c345b1d815219f

SHA1
253bcb83db81bd9f7f27dea14db555d2312d3ddc

SHA256
5aeb174d92444bbee6f74f149270d46c3a2ead7548b07c6541afb787448ccd9f

SHA512
471e2109b10ec462e5c5546e07b71479fe128ba2fe7a710139e3ac999f0a04b30a1fafb3d8b800defd0cc9da32a82f07d4a128d23e9ccfff71015cce9fdfc74a

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
88KB

MD5
1b0f0221a0ec88fa11f6f04d29208346

SHA1
7055aa2dea86502aee5c0b9ab858bcbc9f2df382

SHA256
290dc581d1b7f0fcdffaf367745f61e58ea97a320d91fbff3d21fa21c7016416

SHA512
1622eb7a45d7772a958bf591adc269858c1ae7b85090edad3f26cc08591531b7d15c189b64134befb143250cdc1273cd73ca399e5f1d3303de1a2f814e5fcde1

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
88KB

MD5
fd40b1d8eda162299ab7671ffc6a938e

SHA1
f6d1f1880afd38a82ed10613aa113c25f453d295

SHA256
183df294f3339328761161db95ef43c8b174c0cefadfb908392b1cc1bf8151d7

SHA512
2b30a9da3779e94f860226e6499615de7e9ba53a375b8da061b2012463e7ef76764d080f2d95bc3356610826d5015f964bed440ef96cbca1252caff9d360e025

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
88KB

MD5
01212b8e28cfa0335b58a484a2424297

SHA1
aa7ddee7f129425138e3a6718448b4975d62661b

SHA256
f26db1ae7ff5944f5cfc77b210b5248c2bb06396b5cffe0cf9d00ddd68a76bd1

SHA512
b604fdf3f2b7bde801c60bf869a92a1271d9a57182fab34894125ea14f728ecaa955e7d31245bdc022b98b2e92dee69da0cc733b3c0ad09ff755c48db25d6aaf

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
88KB

MD5
6901f77d081daccad35d2a17151ee063

SHA1
61b3427975a26632857a4d4eee0a134944ff6a7e

SHA256
bda75b599fe2260d1dcbbadf38d578a47c6b39a0d499c9675e78a42b3cd4e5db

SHA512
e138b69b224a8f06d3417486e529ef6dc5977c1b738a6fc4ee9ba4ab7af28679671732e0f0efe96d03994d553d8ce05790aff3b0f71d64b02e3e1ab69f863574

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
88KB

MD5
f3c1ea3ef23215e1b1155d0adb79f7dc

SHA1
0614ce528130881353311f2b7626c828c8c42486

SHA256
e134d5dd234d3f7283ff405e81cea053a01d864f53916dc2d98a8f29d137a499

SHA512
f7e09a6fff22ec632d32fcafa87c2d6794bbabec441dae9df302856f062d23c2e16a26b9492d717f7e78b102df51b5a7d05891b5000612006722816320ff424f

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
88KB

MD5
ec100caf5757a5db2d53a4db8ed73da4

SHA1
059d38c8baa58df4faf62c53fc9ed116da3ae786

SHA256
f245399eafb5aaf66b176462fc82d9f54a8396e3a41f979ffdb0270bf3ab8a55

SHA512
ba3678f2090b70ee064da2d603e2d2b9720a72505c78127750c6116e5504bba1cad5ac1d7ef2f789ea07bdf58bf88804a3af8558c8f09c35b7029b8d0596aa49

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
88KB

MD5
e6dbc4c67b4a5d534424296b11aa5e6d

SHA1
4904519300a82a5614ccc2a982daf8a85086e84d

SHA256
7f104d9ca47e0b5b42e63ba12d3f15b8b90f9774bb787116fce1f49d4fbfaf93

SHA512
936740d12a0dd1fbdf5dbd20c746de5d7ac9a20a2bc5c5bcf187fe154ac19abb218a715d684e3f1691cf96bae389957070dce9386d12663ba8b08bbe170c2c4a

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
88KB

MD5
8b6dd285f8b1abb28e848bae36c11064

SHA1
1080759b117a26d10d2f14d502f491c5c0cbaf38

SHA256
e87c0a5db69bf6f7ea1b9258281be2f7d379c863d272fa11017f7aa2ac739283

SHA512
95ebd834e80814833b10bc9e65506e56d21dc09f0da7b8f2fc013541807ebbca06333ec6d28a1811ee35c63706b6bba6f76a7776d5c4731da79c7f68d95664d8

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
88KB

MD5
11c1dafefbea2d19e9a0f61e2e4a5181

SHA1
666246185b53d7cec1ed4bfda0ebbe8df49b453a

SHA256
4bdb54e9fb6cbe2957ab456a04b5fc2741ae404d0926551b0cd0c7fd4f1413a1

SHA512
9a38d350a89aac026d1f76772f29467a7d8f5fb14ee9699376b5747d3ef0f07c7cd6993fcd4576b66d23ba0bb101954a00f179c5c051c88b3d5d4b236b444255

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
88KB

MD5
323a1feda9840b3cd4ecc268712aac80

SHA1
6c7f08c3daa375f70a12549198310741e6f2cf95

SHA256
da8da01a34453cc726f49ae6db3f6965561cadbcee337d1a0a325ad4332675ff

SHA512
d40d2a468df15a5aa103c0557aee6edf8fd012b784b043e8e948a1bdee632fcbb02c6da87e4a3af95dd0c373dfd310e15c4c217bb602ddb52b81085c4cc494a1

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
88KB

MD5
bd9019c1df8ddf999619d6280b2a33b8

SHA1
525cae396081c0d0bbb63a921940339657920ab9

SHA256
e7d1c37fc8985cbcd021e12288955d4fe074151bbcd3d1803e3b0b550feeab6e

SHA512
f5d1ccbe735ed96dc17881f3f2c9acb9fbdf2f4ba2eba2e0c5d36a8fed33208d4adf2f9a0f0c56db5a3134d544ff9fc847c78af8b38e5e55923fcef25d2f2b63

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
88KB

MD5
7cc1948d4aa65e14305d395740f410ad

SHA1
9e30bc3d2da65f095239fce64653201cd9e99d01

SHA256
ae869653755de88843fefc1f096f9295fe6feb070ea9c70678c902b39ed370e9

SHA512
589e28b9715c67f99ceb94a1d688105afea5ffc7e419a2e96195ccf436b5088526843f82deba4e6b4164cc6e05141e4c7749852b4d068c32aea359dfc4f2e4d1

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
88KB

MD5
e53186766bcf4e64803ffb9c4717da19

SHA1
62b1484e5b3dbe55f9da111cb9dffeee57703327

SHA256
011a3708f39937a95f10c852547dab1c03021ee2949554b42cc0124bed9e0684

SHA512
42d8237dbb43e118a1f205b53c1054fc948043c5a4b9be165cdf8a860609539e86246d85ed1080d6d7186d9892756d523e95366efdb6dc8a5f807f7bd3ffc151

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
88KB

MD5
5193cc86495af6a8aa20941e04486c12

SHA1
04f49972822352ad10d6cc0be2d5674d10d21037

SHA256
f4538dc09c2fbc86db60eb561077b1512e5b6960c3032e693577166d424fa9a6

SHA512
b7c8f448733c2f479c48e1be2b6a5f092e57a6b8666980ab78680f54fb48c19f4f823279d94535aa7c027a66c18128269358a4a00b0b7b38c1f30fc4d1b0ccb9

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
88KB

MD5
4d8be4412e5463d163e466d00733c5d9

SHA1
a834dc325d205579a86f596fe845d35159a612bd

SHA256
a496f2a8f19d2c61199a6249cf6c162bc865acf5486f451ac4720853b8d99194

SHA512
c9250f11023cef9e10b2d66144c640d0debcb28d15e81f7de657c7e6f0dab490361d0ebca57c0c949d5a135714d63c15a9766c24c5cf6d3cfa565ca2cb5e6074

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
88KB

MD5
4a37b8eb8e039ebf69ed77aabed9d50a

SHA1
6fc2e555eecac46e4ecd7fa66df47c9fc1bcbeaa

SHA256
50969aa3e81bfa65286c809f7827980669e91100a791b710e4b2ec89f65f1df1

SHA512
b7ebf4911ee4b64095f476d2118c10abd4cb6ee9264ee6148713e40bd0d77d22489a9c38674f429ed16b830cd6018ebfa7b4df5028382dbf829b741ba454949f

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
88KB

MD5
86e3a46e3982548cdba22751fa81f6d4

SHA1
73ceb2577ad15893353bf8f74a41e030ad7c65d1

SHA256
50c9eb82d9a58c8bae75d5c172ad1d3b3c550fea42be33815bae232e7ed0109d

SHA512
e76eb2da13f38b3d2bf447edc4d688a2143939928046172b20f67c871c59792e5282559dc9c2c94867f1cb45388c259bb18a85537809a4b158d4736e8b562013

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
88KB

MD5
289c98377b956ebf75c2dd5473a9af52

SHA1
e70893194aaa2e5f9385d1b8befd93581f78ea92

SHA256
43b50aacd79eaabed4370e05928b97810d8fcd0cea028e19bdbb122aa889c75a

SHA512
2415dd09ac707dfa06abd92a438436199fba9db5220536e12c40f4a401f8bd02254068e4fe45dddfe6ec8d6a685abe950871e1cdf423ca12d992eceb3536a868

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
88KB

MD5
8e904da5770495b17ef6881f1174c3d9

SHA1
38caad933368f6831b0da122394fb654225d6f64

SHA256
4b2c69ceeeba308950e499b89b942f875e8cfec4478c98dc12fe3cb556b7a0eb

SHA512
89d81cdb9d8e9d5aecf12715a0023b51d1994be3ea26ef8146cfe99ff626a2f5621ac5cbcb16808905853695b136580b4cb940aedd67720cab78691911395db9

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
88KB

MD5
ffe2d6e8feaced91e397a2ded177e229

SHA1
8d968992cc2f5f48fc7ce17d6c2ce5f396c9cd4e

SHA256
281c5b6db8266d48ff43939d319e1488cb5ee104e3f0681a99b5776b25cac367

SHA512
b6d035cca958dded9dec0eace2eebbc5cf265894419a2a38a40ba7e9c1dc33803cfea6abdfa8f946c0b80e64dfd23e7363b3be05bf8237213d4820a038a3e678

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
88KB

MD5
137695370c0dffbb4716a4cbd8b29595

SHA1
168a50f32350634ea8c3725d426ff526a97492be

SHA256
0dda0cbb9a5d719cc97736c0816c2802649333ccdf49cbb0d6738807109b18b3

SHA512
d9e4a38eba6570cd3725cba5351b2bc05f0c864f75b55df85df3478c4c7761b8c971c208f7decd064aa7a3a5863d2b16335adc5bec98cd7c2b05982810444cf5

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
88KB

MD5
e58efa0a7e8d3340db4643d34f0a332c

SHA1
556a27fd028d3c7f4ba5b7d9104cc16a1b13e183

SHA256
c7a41e24d7fc3adc40d1c5ffb24f2208ae6a174fa5a338c95bf7cb5f3e6ccef7

SHA512
c6d0a0b2dd621a44560b0d2ea0b3cc04ec4dc989889b934eaa8bf1674cc3a61747cb4d4b309c8820e125b377d69ce636f58cecf174a0b29c8deaac362f1d5018

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
88KB

MD5
ce44bc45d6c1e48769f26d0196094b7f

SHA1
f541bd3a6794c63d6819f4d7e6af29b7b2d2848d

SHA256
0abce1d9ff3a756f8153742e230d619d4237925f962f545e361e387cdb8307b2

SHA512
06e42ec765b8da40b71aefbf13d3d8e9076296c3a3b1fd8e5e475eb2eb2e4c33d778ebd58ae1c4c476725ad7707ec3a3f3c2160269818254432ba6672558af6f

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
88KB

MD5
1bec078ce13099df017daef31e52bcd0

SHA1
ffc30b09dbbf8b10270701864373f77cc9134dca

SHA256
fe902fad9ede59a0c716fb53e4ce1092806903640ab6c9f77d1d54e80afaa4dd

SHA512
9e271d780ff9585a3c4e574d6d4d8e755d4a795545206e027c768d881d65b999a137bcb3d001880b52dce3f315f582323b83d3c51a3093b4506b0dfdc92358fd

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
88KB

MD5
a73e156ab8020698b62c52f87478347b

SHA1
d62c685e1317cd9c903d139dc28a1f80bfcd99fc

SHA256
1ab5679fb8ba8d01beabd1cf824a3e60f92fc1359e6fc21d4771a89a03db8432

SHA512
c22ad3271aef0fa6960286f0eb6b514f8183b943d122cddcfe57c7ad4fadce0c383f38ad2e4dcc05acaf32448f0122955f223db9db0098fa3ffdafd1e6a82dc8

Download Submit
C:\Windows\SysWOW64\Jbbpnl32.dll

Filesize
7KB

MD5
49da5ac7e3c3c90bc63fc398d26b69aa

SHA1
09cd997967ac7145dfbc2895e5195c9e439a726f

SHA256
59992184834f6ce9d90ef8281225fee899f89a2fc6137467d0104a832a53c414

SHA512
c223aae0c71175208293aa66221089564ab10a73a37f9b19e9c7032cc00b1743ee7f42cad9dc359f433e062f5402f4ed464bd412116bcf5da82f6241f5ddac18

Download Submit
C:\Windows\SysWOW64\Oancnfoe.exe

Filesize
88KB

MD5
d8dc0be0d5cda369a033bc19683f10b2

SHA1
edabc6537b058d5a6fe0e148041e26fd8e484c04

SHA256
4f07b8cf2693a2fb81c10e3023125ef90457944536997319cbbbd8e59c14858b

SHA512
cfa1f1c956a3e682c76a194339297fdfa7ee208b3044efdd27eb1f3f0a0742496026a59bf34d44cf4e9e9f7108924a9d6bfc5f7dbcf1e3d61f82aebcde8045cc

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
88KB

MD5
5cefc5931e0db450eaa2a0226aae94c9

SHA1
67a454365968b8bfca7afd90013a3db8bf566da1

SHA256
15a53071c34b95d4806bedce4def3390eaa08bb08fe0fc8a3756a56331a598cb

SHA512
16f64b645d1f7bc90c828a817e72947ff0b02f28402f710f9102fdf46cf66ca3ba9f71ecc406bb79745592ee0c6bdbb84f06f0178af0bdb60729e874bf404f3a

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
88KB

MD5
b8c50f9b93192768aa727253253b43ad

SHA1
b81c2e0f3a6a43badc67306ad385845ad72b5637

SHA256
83a92393b31384f7797fe63872375d945b1472f65988a37e1505ad955f57d505

SHA512
2bc875fd7e6ccd2ac7f735c5ab7da9ec03f2058ffd0905ab307964b71cd0a428ed595f494d21e8433446e83f297eff2ba21e7fc22eb44542b85b35ee3e97f504

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
88KB

MD5
3451eac97f3650d4190a6357bdf28cd3

SHA1
2c461883f01d114538fdf9ba43cb52177afc74ea

SHA256
35214ca767d2850aa89f3a0426bbb1779b457407956b4d4368fab5a10498a862

SHA512
9ad7f324858a626c0c222b954cd06b4e75f7eafa7d57b7904f30dd90eeb0b9d130ed9e4f39de8c74825a1032d6a62731081c4a76b9ce5cb4c6b93b9024314053

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
88KB

MD5
cb130a9e32c3a6afdb28b739ff3c69c6

SHA1
e7b86063835bdb7b5251001cf65912ad062deb7c

SHA256
f6bcc552b271f2c022ea9fc92f50d93d195beae12e98bc7d3bdd89ec9661d426

SHA512
68a9efc04c2b5cef753799da6f1921e82895911b8bc41e0c823507e9dd1a437c174f08d99160d5448b57bb054d8934dff947fcd833b588754b17a497342082f1

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
88KB

MD5
4f5f61f9f3bae9786df4b5e49252b67a

SHA1
241fed27b16b38fdb9162b0e1f64003b2aa6fe85

SHA256
7c319ce6b5ea97dd7ae96d0a0e6b6861476bafccada047884e7771f9feda6e73

SHA512
bfed47223fe44a248f099682b1d83f1033335cf09a2522f2b686e78b67ca57b53f6d252a37c65266e49a1df48a006dac9e697842247276a9dbd71f70739aa173

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
88KB

MD5
9a01a3a6b61a7e985066c6140ea87fbf

SHA1
b709baa7a28cf7f0b99046fce4bdeba956d52435

SHA256
4b98ff69ad3bc991e21d663256a4bfd1e53ea1d6f8d93e15ddf86daee63455ad

SHA512
e29eb90a1da697466da4e71a594df73dc947e97c46fa67c112b8af9d58340a05ec91a16dd140bd904ffe31192299440b95b4f26feb995a8bb1b0b08763612919

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
88KB

MD5
5948add4faaf1efa467ebc901c62f9f7

SHA1
fa7fae4ad1fb216b203cd4e044b5a5bb56a3ff06

SHA256
4adcd16fc457b6a7aa057dfc98924638dcdc87e1eb7f69072d94bcae99178e6f

SHA512
286874bd917854bbbce982f5e1bed7e37fe1eeca9a84ee80f34520d18a7f3d28d358eb048dd0ad4a71f92cbba59419d266e7ceaa8eb88966fa08bf69d46a5cda

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
88KB

MD5
9886c38c40a9bcb0fc9e05a5e923a941

SHA1
689b9b49500e76e20bd0d5fb0d61c15f1e583bfd

SHA256
0aa4513f19aba302628d66a926dea6a7567720e0f71e4b6b2ed7d300f7348f6d

SHA512
92751a18cd9ef1274c961b891b33ea20c4a24cf80fcfa946438398528213de8d9208a6e0ce5b821db8f41d400cf61ed892f26f6122cbcac0afd1b473dd2d1076

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
88KB

MD5
f536807b77c24262016135e09f2fee9c

SHA1
303a756afc53ad17367a23abaca2bdfebbbc093f

SHA256
63a4cc1e614cca1037c24c118559770303fe97289ae13df8ddb9130c0514c23a

SHA512
c4ddad4f2cd463f50c348229a9471b68efc434a6a97e617c44bc1b089fdce2fd48e3e9e2a422199c4f5978d5465c550dad49f371d831057bdad2e185cd5602c6

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
88KB

MD5
8272362d05fbd6dcf50c7833002ddf11

SHA1
86954b67cd1fd5d48ece8024e057dc87f6f73fb6

SHA256
247f3546f87dae743a774ef129c543f08830817dbb707a8bc9bf59e6709d16e7

SHA512
6547a35f3ac62b096d5a59db880e0e1d79472cfc1539bd06b5a9ce0f3a98a04f49f0d4e1e7c2c33326bc5ebaa8fd52e83bbee255df8eb33c86a4437f4264e36b

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
88KB

MD5
5da1c2e51fb4883ad6a6efa64b7b2569

SHA1
133dba668b9f96807217b5e7daf42f85e6693ddd

SHA256
b44a40cff8ef77739d44493bf538b73f505790236a81dd186059736cf20e1020

SHA512
e4fa0a6abba0d2f567d0a428286610f11450c938646a12d51eee47c7d5ab0536c6f44c0d63fb3bebc433505a1ca76181aa7c1a61944cbb992f7e2c26c10a141e

Download Submit
\Windows\SysWOW64\Odlojanh.exe

Filesize
88KB

MD5
76bb919db45dcbd15b508263a3fa02ad

SHA1
76eee6695f77d3a799ddccb6d8bb5e092b3166da

SHA256
2bb458a4648ed6f50a1a6bb7a654b997b14a7a78c7733477c04042baa069abcd

SHA512
d3c583c62aa254c090f8a5bd8952541b0f341c5d1f2539cc6a4468f9de640bc76ac7799cb77fc6ab3cc628fe3f193cda03228e5911bac282d7cd1ccf9b97d34c

Download Submit
\Windows\SysWOW64\Ogmhkmki.exe

Filesize
88KB

MD5
163a14f1290889970d1369805213b81f

SHA1
25cb9d9b6f79776340f35779ad5a961b252543c2

SHA256
c94b096d7e9d36ab588e6fa0c2956bb57fd76ef66b9517d9570da24274ae3960

SHA512
84c6998f54485c19832c44922d66b127e64862a2f6affcb19412ce08303264ff1150eb1687dd7125b1350607d5ee735e039dee3a64b30c2836024d57444b2664

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
88KB

MD5
0935f143e374202625aca8b6b7bd1da6

SHA1
3f8608a08ebbcc4313951f6389522d15d20a0a30

SHA256
4fd221e225e193c08e72f2db31fd92591e870f93a6e980fb715988b0317c58e8

SHA512
e48ca97076d020d54c4c2d59aa2389e2a7e35a48b05d400c19981904a541a8830e89004b8aed799f446e9d2249d8e11d6855a544844c98c998bbae5014a46422

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
88KB

MD5
c6a1c41162a38d9673bde656722b14fc

SHA1
dd9f470efe8f5cdc8ce59ed3e24e5446b8cb2453

SHA256
a69c5b212db575aacb9f464163735068f89c8f73b0f1131b2cee4f19c43f7824

SHA512
8e7a2bf531a2d57768263f7f14d14810a28645b6f2ad55caedbc983b9a5ead18c4a15bae8a3b038d61a58f1b15cb6d09b761f535f8286479be9622c375f6b3c5

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
88KB

MD5
f5c09c77595a00a8a5dc8a659e735477

SHA1
deb74c27427e22628152a6706d1599c92991bb1f

SHA256
0dd31fa573a5219f2938032714ca738f80762d9fa202e4f268ba6350eb5bd1dc

SHA512
45c465d22ad8aff0fa1dd7925329800f478dc33a1f3a19b09f2cce9b24d7f48975ffcc56a389dd3f23ceaf590fe3ac7452482ff35eb491bc8241941c5240c48c

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
88KB

MD5
d8bcd61cb13b97fcb38b30ecef63f82e

SHA1
69153124ffe252f877b5a611b88cfa9faa8f1672

SHA256
fb57c704185c953a5d67c4f24db70eb96020f79ea8d49a7a3213e2c1abad3a11

SHA512
13d2a83f2d3d746968e661b2714cf83237d568020c2219f35720cecfabbaad185946dcad652709baab685d8601eab459963c5a235d8a7a96a2057156c40119d8

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
88KB

MD5
c58f45e95d47cdc52fc3b26e9a2a3dd1

SHA1
e0b5b20c4c9edb15d0dd4f871b9aae1740f03dee

SHA256
26a1e6021c1e51ed7cdfd2c54939f5b297cbf1126cba6df9dd1bc5c2ef393441

SHA512
f3d55a15a76d13538a1043261492a0d763f9441a7f8e0b8d3ba3fb554eee49349c84a97b276d020ef144f3609a2f5759d4e1e2b4c97151dc8073d1e1821d1c0c

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
88KB

MD5
16888833d3bbbac26949483407406c59

SHA1
f49d8dc63cc51e3ac53956660a5d4907f018259d

SHA256
18cd526bf1a5317effcd222abd47a9c46d017a14274dc765054f1355a7be8167

SHA512
c19f55d6b2be1667740b07a5ec87f8fa04525cb6d4a7910188907758d6150bc7176a713092182a92127cd73540757b925738fbb6a53ec8ba1ff516dcfc55c1b0

Download Submit
\Windows\SysWOW64\Piekcd32.exe

Filesize
88KB

MD5
7214ffacf37f5e4dc58529de2ff90091

SHA1
1f524d0aa06210096518b3901e360f7eb1d5b721

SHA256
6ea66a83bbd8cbe157f002c2bb8d3c9f4b4efce95d172a1fb56d7bcce5cf8c3d

SHA512
80ab1f8088651991bec26667a23b5f9ea502809152b55e8ef9ae2d30faabbdcf884c87a9556c0201df7b187bd00465a48d403012a3d695a26ac08d2f3c6714d2

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
88KB

MD5
3bb0bef550d392d7b3ecb4579f9f54c9

SHA1
270b0296a0a421d2f7fae0bfd3ea32697d980e20

SHA256
c8fa0dd73ab826c1e610b391723e95073fdf3fa18a04a65b3344e99cfa7d62a5

SHA512
0b820060cfb96744e9db56ca7796bae3c23ac5dfd496f4bd678260bfa3877971d62f67610c6f9adff8e58baec6f519717c252a3a054ff63453682051326a1e50

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
88KB

MD5
74fa32cc16c950f6d85eb9ec5575ac0c

SHA1
c9f0cbbb645dd2a60257796360c2a99e8b546374

SHA256
22ab171b178935db4069d4100cc64abdb2d6ff2c8ccd41edaa51a5c524c06a92

SHA512
d6fa5eb1a00cf2dcfd994de62023d3f0c6e37e0aba10a818f268c756e8d552eece1d36872361ebc78b82b47f2c46192c5fd3672957a2fe55a40fbfff11a0b4a2

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
88KB

MD5
3d0385a97eb66a11b782cf129c28e91c

SHA1
90ceafe9fd59983742b1d8cbf59f765bc68a4fc7

SHA256
42ccd0ea52e673bb9ebc55aaa55a5ab9a382b6ac01d4a382d4e1e3252680f61c

SHA512
fba4eecbb07b203a0dccccef79facc3db66c76390eb0fe5ea6231213488fb9c81fbdb21f9385ca92ca57114c17ea102d7254132793420215ec8220f23aa96691

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
88KB

MD5
feaed1f5bfe4f4f11e5ae1ebb7228e32

SHA1
03eaf70b65980b7882a3657fa413f5b9886c7701

SHA256
1ffc9ea320752ee74cab6116d5e43304e8f2b4e5dbd4e63468ac154f4b78d664

SHA512
82c21e93663d7cfcde43f2992c6b1bb333a30db5bcdf38a524ecaabb7ff8ab1fb139138593c31dbc1d39d22ae4473b9a2ac9fef5485e3a7c46263f1706521fe4

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
88KB

MD5
7865eb563447221fb95f55c8c8cdd962

SHA1
fca115b7a2bbac8e7cad98b7a5ef8702e46fd533

SHA256
5a0a30ead6a2b70cdde3b8313a83af9c512377ae3de2a40d63ffdeb4705c672a

SHA512
90173fcda25c93016e9707cbba2889ac8a58fd054ed3ab9fe21225b505f3ab238ff84684d53f15bad8b7d508355c98283c2dafe3543d3a82235913192ebdbb26

Download Submit
memory/308-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/596-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-282-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/928-278-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/1048-359-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1048-358-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1048-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-473-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1080-469-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1148-231-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1148-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-240-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1676-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-195-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1676-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-116-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1680-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-304-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1736-300-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1736-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-259-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1816-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-449-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1820-448-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1860-377-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1860-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-382-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2056-221-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2056-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-461-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2136-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-437-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2160-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-310-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2164-315-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2188-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-168-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2216-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-484-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2248-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-142-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2316-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-450-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2340-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-495-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2428-292-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2428-293-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2428-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-335-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2588-337-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2644-370-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2644-52-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2644-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-415-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2676-414-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2676-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-62-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2708-387-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2708-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-841-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-866-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-920-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-321-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2808-326-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2808-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-11-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2848-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-12-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2916-88-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2916-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-392-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2936-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-426-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2976-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-35-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3020-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-403-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/3044-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads