berbew | 339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0

Analysis

max time kernel
83s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe
Size

92KB
MD5

bfc984cdc39e7b075a3cf3fa8b1fe2c0
SHA1

72cfe12005e353aaa0a541e974d5ece56ec801be
SHA256

339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0
SHA512

4177a3d3a4c416de2a29bc3d6ffc609d7ab08aaf9af841849798950ee117a4b8a361e773d42fb7eb0ae46b6118648c9b9362d5d3e04aac3e4b4a031d433adfb3
SSDEEP

1536:ePktiLarhMgdoYwtGqEvn8QI2OFPe3Xsiwo/AZmL1Y/y+1gftx/DsmuN3imnunGl:ePkwgmYZ3vn8QI90+54x7smuVbe4+W

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phnpagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phnpagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2832	Oococb32.exe
1436	Plgolf32.exe
2660	Pbagipfi.exe
2676	Phnpagdp.exe
2808	Pohhna32.exe
2696	Pebpkk32.exe
2652	Pgcmbcih.exe
768	Pmmeon32.exe
1800	Pplaki32.exe
2432	Pgfjhcge.exe
1524	Paknelgk.exe
1632	Ppnnai32.exe
1164	Pkcbnanl.exe
2708	Pifbjn32.exe
964	Qdlggg32.exe
1032	Qkfocaki.exe
1924	Qlgkki32.exe
316	Qdncmgbj.exe
1728	Qeppdo32.exe
2448	Qnghel32.exe
764	Apedah32.exe
1260	Accqnc32.exe
2964	Ajmijmnn.exe
992	Ahpifj32.exe
2204	Aaimopli.exe
2108	Ajpepm32.exe
3064	Alnalh32.exe
2920	Aakjdo32.exe
2908	Aoojnc32.exe
2668	Abmgjo32.exe
2552	Adlcfjgh.exe
3000	Akfkbd32.exe
1716	Abpcooea.exe
2620	Bgllgedi.exe
1248	Bqeqqk32.exe
2768	Bdqlajbb.exe
1976	Bniajoic.exe
2968	Bmlael32.exe
2360	Bjpaop32.exe
2212	Bmnnkl32.exe
1640	Bjbndpmd.exe
968	Bieopm32.exe
1744	Bcjcme32.exe
612	Bfioia32.exe
1852	Bigkel32.exe
1548	Coacbfii.exe
3016	Cenljmgq.exe
1692	Ciihklpj.exe
2836	Cocphf32.exe
2732	Cfmhdpnc.exe
3060	Cileqlmg.exe
2872	Ckjamgmk.exe
2604	Cnimiblo.exe
652	Cagienkb.exe
996	Cebeem32.exe
304	Cgaaah32.exe
1300	Cjonncab.exe
1352	Cbffoabe.exe
672	Caifjn32.exe
1140	Cchbgi32.exe
708	Cjakccop.exe
1096	Cnmfdb32.exe
1532	Calcpm32.exe
1304	Ccjoli32.exe

Loads dropped DLL 64 IoCs

pid	Process
548	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe
548	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe
2832	Oococb32.exe
2832	Oococb32.exe
1436	Plgolf32.exe
1436	Plgolf32.exe
2660	Pbagipfi.exe
2660	Pbagipfi.exe
2676	Phnpagdp.exe
2676	Phnpagdp.exe
2808	Pohhna32.exe
2808	Pohhna32.exe
2696	Pebpkk32.exe
2696	Pebpkk32.exe
2652	Pgcmbcih.exe
2652	Pgcmbcih.exe
768	Pmmeon32.exe
768	Pmmeon32.exe
1800	Pplaki32.exe
1800	Pplaki32.exe
2432	Pgfjhcge.exe
2432	Pgfjhcge.exe
1524	Paknelgk.exe
1524	Paknelgk.exe
1632	Ppnnai32.exe
1632	Ppnnai32.exe
1164	Pkcbnanl.exe
1164	Pkcbnanl.exe
2708	Pifbjn32.exe
2708	Pifbjn32.exe
964	Qdlggg32.exe
964	Qdlggg32.exe
1032	Qkfocaki.exe
1032	Qkfocaki.exe
1924	Qlgkki32.exe
1924	Qlgkki32.exe
316	Qdncmgbj.exe
316	Qdncmgbj.exe
1728	Qeppdo32.exe
1728	Qeppdo32.exe
2448	Qnghel32.exe
2448	Qnghel32.exe
764	Apedah32.exe
764	Apedah32.exe
1260	Accqnc32.exe
1260	Accqnc32.exe
2964	Ajmijmnn.exe
2964	Ajmijmnn.exe
992	Ahpifj32.exe
992	Ahpifj32.exe
2204	Aaimopli.exe
2204	Aaimopli.exe
2108	Ajpepm32.exe
2108	Ajpepm32.exe
3064	Alnalh32.exe
3064	Alnalh32.exe
2920	Aakjdo32.exe
2920	Aakjdo32.exe
2908	Aoojnc32.exe
2908	Aoojnc32.exe
2668	Abmgjo32.exe
2668	Abmgjo32.exe
2552	Adlcfjgh.exe
2552	Adlcfjgh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Olbkdn32.dll	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Pebpkk32.exe	Pohhna32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Paknelgk.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Ibkhnd32.dll	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Gncakm32.dll	Pplaki32.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Alnalh32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Enemcbio.dll	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe
File opened for modification	C:\Windows\SysWOW64\Phnpagdp.exe	Pbagipfi.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Pebpkk32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Pgcmbcih.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Mlbakl32.dll	Phnpagdp.exe
File opened for modification	C:\Windows\SysWOW64\Pgfjhcge.exe	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Qnghel32.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Pgfjhcge.exe	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Pkcbnanl.exe	Ppnnai32.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Ajmijmnn.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Kjfkcopd.dll	Plgolf32.exe
File created	C:\Windows\SysWOW64\Ecinnn32.dll	Pbagipfi.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Nhiejpim.dll	Paknelgk.exe
File created	C:\Windows\SysWOW64\Ahpifj32.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Pbagipfi.exe	Plgolf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1808	2004	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbagipfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Plgolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pohhna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpidd32.dll"	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2832	548	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe	31
PID 548 wrote to memory of 2832	548	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe	31
PID 548 wrote to memory of 2832	548	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe	31
PID 548 wrote to memory of 2832	548	339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe	31
PID 2832 wrote to memory of 1436	2832	Oococb32.exe	32
PID 2832 wrote to memory of 1436	2832	Oococb32.exe	32
PID 2832 wrote to memory of 1436	2832	Oococb32.exe	32
PID 2832 wrote to memory of 1436	2832	Oococb32.exe	32
PID 1436 wrote to memory of 2660	1436	Plgolf32.exe	33
PID 1436 wrote to memory of 2660	1436	Plgolf32.exe	33
PID 1436 wrote to memory of 2660	1436	Plgolf32.exe	33
PID 1436 wrote to memory of 2660	1436	Plgolf32.exe	33
PID 2660 wrote to memory of 2676	2660	Pbagipfi.exe	34
PID 2660 wrote to memory of 2676	2660	Pbagipfi.exe	34
PID 2660 wrote to memory of 2676	2660	Pbagipfi.exe	34
PID 2660 wrote to memory of 2676	2660	Pbagipfi.exe	34
PID 2676 wrote to memory of 2808	2676	Phnpagdp.exe	35
PID 2676 wrote to memory of 2808	2676	Phnpagdp.exe	35
PID 2676 wrote to memory of 2808	2676	Phnpagdp.exe	35
PID 2676 wrote to memory of 2808	2676	Phnpagdp.exe	35
PID 2808 wrote to memory of 2696	2808	Pohhna32.exe	36
PID 2808 wrote to memory of 2696	2808	Pohhna32.exe	36
PID 2808 wrote to memory of 2696	2808	Pohhna32.exe	36
PID 2808 wrote to memory of 2696	2808	Pohhna32.exe	36
PID 2696 wrote to memory of 2652	2696	Pebpkk32.exe	37
PID 2696 wrote to memory of 2652	2696	Pebpkk32.exe	37
PID 2696 wrote to memory of 2652	2696	Pebpkk32.exe	37
PID 2696 wrote to memory of 2652	2696	Pebpkk32.exe	37
PID 2652 wrote to memory of 768	2652	Pgcmbcih.exe	38
PID 2652 wrote to memory of 768	2652	Pgcmbcih.exe	38
PID 2652 wrote to memory of 768	2652	Pgcmbcih.exe	38
PID 2652 wrote to memory of 768	2652	Pgcmbcih.exe	38
PID 768 wrote to memory of 1800	768	Pmmeon32.exe	39
PID 768 wrote to memory of 1800	768	Pmmeon32.exe	39
PID 768 wrote to memory of 1800	768	Pmmeon32.exe	39
PID 768 wrote to memory of 1800	768	Pmmeon32.exe	39
PID 1800 wrote to memory of 2432	1800	Pplaki32.exe	40
PID 1800 wrote to memory of 2432	1800	Pplaki32.exe	40
PID 1800 wrote to memory of 2432	1800	Pplaki32.exe	40
PID 1800 wrote to memory of 2432	1800	Pplaki32.exe	40
PID 2432 wrote to memory of 1524	2432	Pgfjhcge.exe	41
PID 2432 wrote to memory of 1524	2432	Pgfjhcge.exe	41
PID 2432 wrote to memory of 1524	2432	Pgfjhcge.exe	41
PID 2432 wrote to memory of 1524	2432	Pgfjhcge.exe	41
PID 1524 wrote to memory of 1632	1524	Paknelgk.exe	42
PID 1524 wrote to memory of 1632	1524	Paknelgk.exe	42
PID 1524 wrote to memory of 1632	1524	Paknelgk.exe	42
PID 1524 wrote to memory of 1632	1524	Paknelgk.exe	42
PID 1632 wrote to memory of 1164	1632	Ppnnai32.exe	43
PID 1632 wrote to memory of 1164	1632	Ppnnai32.exe	43
PID 1632 wrote to memory of 1164	1632	Ppnnai32.exe	43
PID 1632 wrote to memory of 1164	1632	Ppnnai32.exe	43
PID 1164 wrote to memory of 2708	1164	Pkcbnanl.exe	44
PID 1164 wrote to memory of 2708	1164	Pkcbnanl.exe	44
PID 1164 wrote to memory of 2708	1164	Pkcbnanl.exe	44
PID 1164 wrote to memory of 2708	1164	Pkcbnanl.exe	44
PID 2708 wrote to memory of 964	2708	Pifbjn32.exe	45
PID 2708 wrote to memory of 964	2708	Pifbjn32.exe	45
PID 2708 wrote to memory of 964	2708	Pifbjn32.exe	45
PID 2708 wrote to memory of 964	2708	Pifbjn32.exe	45
PID 964 wrote to memory of 1032	964	Qdlggg32.exe	46
PID 964 wrote to memory of 1032	964	Qdlggg32.exe	46
PID 964 wrote to memory of 1032	964	Qdlggg32.exe	46
PID 964 wrote to memory of 1032	964	Qdlggg32.exe	46

C:\Users\Admin\AppData\Local\Temp\339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe
"C:\Users\Admin\AppData\Local\Temp\339f685448047ce45f2196188c6f228abc5531d55f63809fae056f95946dd5b0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\Oococb32.exe
  C:\Windows\system32\Oococb32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Plgolf32.exe
    C:\Windows\system32\Plgolf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\Pbagipfi.exe
      C:\Windows\system32\Pbagipfi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 144
        69⤵
        Program crash
        
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
92KB

MD5
ac3dbaa7e187230373397d155fe0eaf5

SHA1
c5e9c07ebffc4ad6c8567a005b5d887554656db4

SHA256
336a2ecba0fea14532693f34ce6da31c9299f2fd0a2529eb62d4f26a15b3fd2a

SHA512
9f57d9766bdbc4df6dc96d7b57971d93df2f630ab7b522503a9cf9ae7cbe9bb6ed2c1a6f04ad614b5361c6074c1ac563af3f1edb0e77857df34005263b824286

Download Submit
C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
92KB

MD5
516de96aef9646f6c5610eb30d7e69e2

SHA1
75885374f7c04426c95b474369de1fe372ded4ed

SHA256
6e450d4a081ed0aedead16713d86b08cea7cbad88823f6fca6a0fa86c3bcd4fd

SHA512
ee9031ee321468c5802df538c0749598ecbd55a02ffad3e868eba2e50029ca387358013aeea26ae046c42fb7fab85b39611bd2d16dc9957d4df44fd70545e1b4

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
92KB

MD5
598a23f1acba49fe288b6ce0a83176ed

SHA1
53bbcb01313363d58ad1db4bfcf9f2e0d45917b0

SHA256
7b81676d21fbf1a0a7d8c95656093b7d72e82fa26271c145fcb7f24a00e71143

SHA512
fb1978bdd1c6312b7d9ec3ab60a2933d0110d5fe8b5ed24f8bc06a2dde6f13df5d30e3ef1bbf45859d31ccfd05ff5284a64027d62cccb2b8553a33a7a6b55c76

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
92KB

MD5
eabec70b58f4402647d16c75a2f61b81

SHA1
34f8291a3798794db7bf7ec45e8ba1ce9c1554e2

SHA256
51383e1424e8ddc0196a5392f1f5093fbe728338185e96559fa04bdb7d01a5fc

SHA512
b9af191a0f014e91beaf1501045fb99686f07b7e032c194f563374b66222815d8eb2df4df28089c2a983b555f1630c3037472587ca42de41562db9a9165e265f

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
92KB

MD5
49ccd00e7dbefb1aef3ee8c1e8a42ebc

SHA1
c46702417f61e669a22e5413e72e492022825bda

SHA256
491c758c40288ae1f51d2d31ec4792b59a6f40cfd06803b226245358f2bf30da

SHA512
39c5f7a6d3d84db9ed9b38505f4a10034710a08477d014b5b824e587db8e588c83b2c53c94ec4bdf43a5dd442b7202ebbbce0b1bc58494d4d3cde2e88c6e9a8a

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
92KB

MD5
ba020c5e4c1c0282dd694085909e53d2

SHA1
d5bf87cb209a29c8a3feeffdfd4211b37a8fc407

SHA256
707a1f1f6ea37463c2183a89f1916a3c49faa9d6110780bc449a5721406fe339

SHA512
31a006b7061830444f32013a4a191957c7f18cd162387fbc2053d345bcd20ca02db180a22377dff4c4ed941f729e3c48146e5f7e373dcb7394e5297ff4b82eca

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
92KB

MD5
22f97059d484bb3e95f7b41c28603001

SHA1
b624baea09bf9b8532bf58b9499b633762370a65

SHA256
887c9d5764ab7de5f597a4f91f30a2b8aa3ad3657ecf00bb9459cd2bca430b89

SHA512
8145b2a482b3d2cd97994a6f66482c4e9c4f86c79a191d2ef6cc86737fd59510e19c13884aea5e0c1adce220adbc8afb5d98f0d209fcd794155d3d54241d456c

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
92KB

MD5
3ff794420bfd2d3344bc2899bdc5fefc

SHA1
b388c6d5cebbffd21ff098d9f518d5897f417fcd

SHA256
55634e10979ea40c9eed7b883b5111fc6b633e21089e750bac711a8d20652e3c

SHA512
03c1f2231a132baaaf41b4594268452f5dec2388b361e75dee49f0303950015d4f18d740a8fcc40228941d995bc8ba07d320f3f9ec9c7899c5a373a994da1ead

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
92KB

MD5
6a478ae4eeb1dbd7372a87b42dc1d6db

SHA1
4facd65318e1a9cb92dbe1584775cb9f7e3c413b

SHA256
67527667490a5bf0a54ca36782e7a4a924199bdf1bb842dc00fc7dc1596d9e51

SHA512
4015100ac9426807745a31da5383f1c73a03ab8eebeacc0fca98f4f784f238233b244a63c671e4d44eea3f488218d470e034c0c004d73438a81a8517771524bf

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
92KB

MD5
461d0b84d478d1be5ab0167934c0dfc9

SHA1
78ad011bfc6f2f29d97d867cb1edbcb7293c977c

SHA256
4f1bf9b180b582098afc817ca39df6df7fcc89a847a7aa12811deb43cbb67d44

SHA512
ff2e1cdfaef14644ca828f91b38624413193d96734440d3c218abbea4850c3eeac774a331d14fe76f664e4fc3a7c8a6e64443beb8c7ffdcea969b04f0a6a557e

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
92KB

MD5
dada7581d895895b0dcdf5f5796b84b6

SHA1
29c49a9a15fa3e93f631382f6b2aa0707d253b11

SHA256
c6df050837d905052a38ba665c4d49dfde4595a77c7ebb407df4a8d4544ff8b2

SHA512
560e7263458fcb3e03f41f003433e5b552b32778e6b9c49b4dd7e7043096b5647a2ee11a144922e2475d87148beeeadd4f752343051dcc9fdd49f836f407e60f

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
92KB

MD5
ce2db79db0b42ed745229953ad997e3f

SHA1
a1569188c935808a47ed0f0d70655006d11b37f1

SHA256
d6f76fa09112bd757ea3eaef8bad1adf2a626d5fd0ceb07b49ab926256903757

SHA512
1a20262c9d56d18036466f85b33f8145d0ac849f04af59b4566747e54025432b65b47d0134b1654d2ed73fef90f5174a3e50d7b2efde74861bb0c17170d7bcc8

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
92KB

MD5
13fc006113c4d9013f6da327f71f5a53

SHA1
46d75d7a701af884af365a69d1f4eff3b32ade60

SHA256
32d6c1761cdf15ee1d57e320029dbc9211b795678b723f501d441223da2a3d2e

SHA512
b7873192c171a45d119711198764624138b4e581c84c02f71e4bfa1a2eda80a24f4ddc2865748734cfaac449e640cf7968ffbab3c00699f0e6977e28f80d28e3

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
92KB

MD5
6821649e7ad6d4dd9beeafa550852672

SHA1
036aecae5e5a40b1ffe4d31448b0aa2e05df6781

SHA256
dd84d2cbd0a7ffaff7025d6d534cb008d100c4365e8fde6048ed9a61a205d068

SHA512
286c61ff3b74a464b07c2f382868a47a4664be690816e0081039fed7b5259686d60c6e11fec6729bafdb92bf0ef4c7264b74fd89ddd752692e978966372b7295

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
92KB

MD5
eef8f651794f2f63407caf841630c0c4

SHA1
7adad812183ac003fe1226368cb41829cce8bef9

SHA256
977b6cf2acc2149edf92ebaa77d7be4cbefae222b47a7a819c9e492f9983f50c

SHA512
310e4b9a5e9b41deba722fd2c8a0e0343da3f8c88821f9f381da87b52374fc04b7d94093c804c7ecd2ccfa4ed8b708c577587b2b8e27ceb2a1f7c9373ec2e740

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
92KB

MD5
115c38dbc0aec0ea7d9a31ccfeceb083

SHA1
17b0e96de336920d85d3c2feb4251496df049eb3

SHA256
093989da34076c85acd405daf9d1919c64b30d43264c9c769e69c20372d0c4e3

SHA512
18b88519d70cb57cd71603674952d96df958d3acc7076069255060153eb6a35515c213a2a57eaaacc18a15c1b24437eb1954c6ca6d5aa19c011a6e03455f0c91

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
92KB

MD5
1264f2948d74372030c7c8859d86fe9a

SHA1
ca2aad6dae8b40a7c02a2f1dd1c4ef9526d7161a

SHA256
1732552accf17261c80643674d382ac237003ffef535240b5d4f8bc2b6e76524

SHA512
f4fbb955976ed89a6dfa492ab80e9bb909b9c2b4e97b38b4f5d6b71add7081df46cb00121d7e9d7487ae38233dc3be6488e94c31800b0788e50634c2fae31a33

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
92KB

MD5
9ca5fabffd265022e8d0cf78baa62edb

SHA1
45183a4967c09db425fd865a829a6af938591d16

SHA256
cc68f7d415500d480a6bd440237e609fa4d3e0c1976a259fb762dde01913b624

SHA512
ba83973de02bb118056dc6fc5d86f7b4232677cc990a7ecc2fc8fa95e3eac99258fbc9e73a93e1b0739fd5d025701a1acb94e89fb77edb858fce350f7f21edaa

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
92KB

MD5
431b0baa9f7a5784b1edd7211725fcf7

SHA1
64365e0434de579622ccdfcaf301ed10f3e23df0

SHA256
7faa2fd46f0b296ce0a830e7b2e95a39fb0b6471b34da2d960a2ab8033c03d29

SHA512
17766cda78eec349861d0d37824dc4ccac3801f3ccad0f0b11e1f07511229f9a48eb9ce44f371b9247efec8338e39de01fcbb08cdb16513cab31cac6ab2a58b9

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
92KB

MD5
a029118aefd166d16be49ab0c90abeda

SHA1
a1d8de31b85498a44110b83100ad34ecf230f229

SHA256
e8f4fc6f533a12d807dc4c193f58b944bf28e6fbca1026bf87c64ff63effe7e9

SHA512
b135f4b9f2f260b32e0f325afb0c743b1c4be94238183307ea2c999ba9429e3e81127cfae00d19ffa895e8b58faa024a1bae4aee50902dd1a890b6c57793a671

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
92KB

MD5
e1bf4d299ce523e20309f1bb0b112273

SHA1
c8bb8259fdc85bbdf2020ecd06864cfc7858ec5c

SHA256
5688f2f182afec9247472dc997fa0ba982beb2ddff342db58b463a44a91e8d90

SHA512
5107214b0c8e185061a4bb461b15615ec3cb4b908f3b5aea793abf90ed38430f644c65149593c355af35bfb9b6695f0fce6c516a3b809a7aeb1dc121191b4b41

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
92KB

MD5
69ed778d2c89aaa2a2a92567d6af1b87

SHA1
c4027217d234000e82e9748bedd6b753fd71ffe5

SHA256
9853684eabf6ace934b194a6bc60c4a128c5e06635c8003bb6ce2d80a84f4209

SHA512
09054649fdfb5ef6d833d4663aefd6896b321a0acd9da3057dab844786c05ae76bfd40e244ac9e7a7722dcacd67d95a3ebb444bf15afa982eeecc28059653a45

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
92KB

MD5
25364eaa3fc7952dcc20599dc9d2ed43

SHA1
e455b914cf86b79717db74aefddd9724c85d2a23

SHA256
54a2a30ff15be389515a3e96c0d456fba694eb278f4e003621c6578b878c30a2

SHA512
b2d62728d8124af107c619b10b9a03b171d94d3afb778107d54c950c54ec1f364e9a48881bb203b1eb6a508c3cfecabdbc47a62944a621819d27bc011ef2c509

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
92KB

MD5
0af06abcf644a108a6cda380adbc8198

SHA1
c362d4e1ed0be3c2971d338787f80d0fbc736187

SHA256
b3a21e97efe665ca1c49ec8f163818afb342b8087a60c6a7dc8588e0e11019a4

SHA512
1bdc4cc960aa8538b43b9678b32b261100f64d905c9bc926ecfe159cb355634ad19c59eec511d118f7a2e4649bb4f7b3158e1c0b131e82f7142dff82bd5302a5

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
92KB

MD5
2c214955945ffa1021131d992c6a18a2

SHA1
00bc70143d5d5331368afdbbe83d54ebb9af5816

SHA256
9b4d09b16ec79d1047c691ca830fdf8e719295055583b04fb9c2678ac9d606bc

SHA512
330953fe811938956e1c4f3020999b45d568d627272e9624b1b6ef813c4915671c96c10c96062cd8897b233eb2b44855ed8c70b772c84dec0c3f595da21b406b

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
92KB

MD5
2e5c9069b772427932ff6c6e1180512a

SHA1
9c6698a13936b476cfae5cd17db2964965f97adc

SHA256
970e5291856ed137d9e9946434798865e7cdb5f308b1d73bc8b3fb577c222e8f

SHA512
2992b0e42caa95d5aa48274f082aeebf0fab9cf1fb91ee1c81d98e7c8b26b6486a876fc173ec6b45d96325e17caa04b4d6ef4b4d9dab3f96476828e1e879ff12

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
92KB

MD5
7fb2a2c580336e91e2ce270566ea6a83

SHA1
2af13df757689f02ea6ad523922c8aa763ee58e8

SHA256
523f5be1d781c3b97278d9a73fbca037557ec927da04ec07782b369c0838cf64

SHA512
d4131df89dd0e03eb77576fb8c1e09900802ce61d77a214206a4dbef3d7037df0fe3552de162af2bf8c47a9f9b6c18701f00fd17c37adf013dee96b041afe3af

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
92KB

MD5
399d25b4dc6e87eef574a07e251f4a6a

SHA1
c271bbc432294bd8eb08189ac326cfcc70d3e8e1

SHA256
859b44eceb112f791a1f4fc748aaebeac9d46644c77dc466333fbac773e8c08e

SHA512
3ce1aad191b79b228fab928bd2f0b8ee914cc580b28e3fa17ae7529ef51b22e70618556faf3503c466533325639605ade2797b06abc2bb3f7bb20ea9eb60737d

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
92KB

MD5
cd68f6a36a3f39ddc578c08a58fd3b43

SHA1
fa621b8d2a563782ddd1dd4f2921c74e482accb8

SHA256
234b16cdb0d099465b441c15ae30830affef720255c8b66cacb05ac29e84fe18

SHA512
6cf4bb5bfd73b27565d1810d0eb63f5e040f95c232d587dfb4b269a91ec5f3103be9efa41adcd1f032b1a11ed849a82bf788e909d182ec666975335b4769bf9d

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
92KB

MD5
7539091f153586cf0c2a300adc5a00a3

SHA1
c1e70243bc6fd5d0d3372c8027d6ae026c6db9a4

SHA256
1e10f245c8b06350f7e5a925e7123dfadb37ea2d65d5fbf338ecce30b299a253

SHA512
e268f6d1d07d004d4b2b01c6757044e4825c4ed0f705a08931cef00719d0494164eeba5dfe3b37452490b72a6d2c4a4149c1140da1ebe25887fd925f9eaf49ed

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
92KB

MD5
8bcf4757c75cbc2f86ed5aac0e434daa

SHA1
a72c57b364466a7ef7af8b2abb5c7b1901513db5

SHA256
87e17367d81731361b12c840cd35c642075580848e23e22d9a613d388a11a85b

SHA512
059649d74a23623d3cb8d982c7fd566b8752c4bebfb502e0823f94459e10621d9283e95b3338f277d65bab72bbbc03b8d05e23d03195768cfbba7925101cd0b4

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
92KB

MD5
71fe735395c2bdf7452ccfddede22694

SHA1
8aec9e7a28274dbbd0b8ae4540f1a18bcafb7a66

SHA256
ce1e43a95996c97c472c7fe4eb716a24e6d05921f31e6d4e19ecdc9afc7f845d

SHA512
1012793b406c6b79cb264179215e5e9de4f7c9783545bcd0cf3232c9a0bfe52327e8cc3a1ee310d4e7efe51aee947760f2a6e6f593589c3e15a5204d9591252d

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
92KB

MD5
0549fbd90655f720a20b92e80ffebbed

SHA1
3564dda4aa3b3e9f335764e5b2b8c6143f537b13

SHA256
45ac6208d53d727e54cbfd8047a7b38b0222e4b4db36e8f5c8e4a6f1f1334471

SHA512
cb72ddd599a83c957ac57fe9d4d31122e278b40e8766960b0f36e2c5652e09b271591c2eb2ce7de390257ef5cf5f0312560a6db4b52afcd77e741d0e50e9ecfe

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
92KB

MD5
d0690516deb00b68a0fbabd7020bf095

SHA1
0f682351259110abcf26f5dd8448128639b65dfa

SHA256
73999d11c132bab34e5e6b225a4bc31a67abee8450e7fa336da2b15c18f0b309

SHA512
4248680bf7d0ff42158652ea81900a59d0515856e2da1be69da00da105844707e301d93f6b34103c7d338e340141262be0bc16ea0abbfe4a49460f9bc8d66d6c

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
92KB

MD5
441527aa77d8769d9102f1fe8e69f944

SHA1
38514b20a693bb74aa006c1ed7313bde6eea0137

SHA256
a11554a46f3dea9970df52ccf5934f8bf67dbff4dd20b5a32c1d1dcc88a863ad

SHA512
62eb71f77b66cfd96182625f07d1c94354949be5633e16f1bb4729fb9ce66e068f780b3340dbb78a1a73fc9fcff04d8ca13b6fefd1138d23796367e871abf0d8

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
92KB

MD5
9a401e595947f521e09a12c0817a33e2

SHA1
c9994e49fa424e208639b779a8da6d6961467be6

SHA256
79a269fed173768fc035e93f1489dca75eb81fc7f90acd5b3639b52f9ed0b7af

SHA512
c3f7329a7e543706124faedcac3a5ac4f1cd5786f7345a622e5ba8de9364afc51478a027ecd648d28dc8713af8dbd12821730dec72298b6b0fc043a182edbfb5

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
92KB

MD5
21a5570490d31390f51f5e694c2757d2

SHA1
4cdadd1f5f915dd9d9015a0f0d8d1e5525e6ff4c

SHA256
7d2c59fb059cfce4c892bb2f2f9bc9d9ffb7ae705b0ec065d9d45ba8cc3ec842

SHA512
cb415a9cb4b6a83103a7b8e34f8b28d4155c90e5ebf14e922a1877adfe0fec8597daf359002b1c7ead3a3f8d81d36e09dfa29e1614dccf8e3d3794f0be8a454e

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
92KB

MD5
17574a4076fdaede192e6707702c2df1

SHA1
fa43d03d3799c36723d5d0d2cdd5d3c82ae8236e

SHA256
748c898fd93473dfea506a9e88bbd831a7754e9557e5cc2c53b5d6d53800d4de

SHA512
4b9867c0355d7f1428bcc775940d5ca473a54b341ebeceea9f763f1c30397de50ef22cf1feff055055174fc10d3777bae58b26ae3c816d2720031856e66ac70d

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
92KB

MD5
643a87982efbc7cf560349f3665d3602

SHA1
a91467cb87ef81220325c794c1f4d2e6c588bb99

SHA256
7ce89476c3f5dbd6139427558dd3c4ee3942b3bbef625800b1378e276c89e683

SHA512
15e5c8bc97f669df123915f4b910cb1655046bdf75db980ed471ba227e6c79f97ba0a23ed6c5c5b7fce92a91312bd1ca266cc21887a52b87621e8e24b568b9cc

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
92KB

MD5
f54ed4996ffa9279e1b63c4ac63125f7

SHA1
672e4c518da089c9d724b1695e3731c8d9e27fa3

SHA256
3b779f1df3236a869506b8693705903ccde0cde33c9b48e20cf10a08c3c3f625

SHA512
a19a36707e62aa9d95553b1e6ce0f3f95384836c94005a8040cb8a5ca34299befa65e3cf6f57aace666660c70824375e5c4ea82dc62c2389874a22962a214e72

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
92KB

MD5
0f04f68ecc28b4701bced2f9b7515e1b

SHA1
8f6398dbf3d8e27926a3815aa5ed8dd4dcfbf01c

SHA256
3cb2868bc49eb8e47cb1c849cdc9e414745cc84f2cb15cb8b43bc45622317b9f

SHA512
5dfc2d7a8c311b1270b788aec4e4f3d675c546658f8770793891079f6c5b575c37d44fb3fcfee23404a1983a41ef299a4cc8284afcfc844e25340bac686d9b9a

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
92KB

MD5
d9ff38c70b43c5d1759ee651f41674e4

SHA1
8e137ccc12f892e9349190933bb883f494c6d35e

SHA256
4eb4e6e1c254baff250864de3f4aa1e43d2a57aaefdd4ba7a6f669d97db93f44

SHA512
ee6dc0702d9b0b29a20f54547a40f2013653d93510684931bd8e47c9911ee516d499e4fe0259560bc5f56ad25537e52e5bb59b904ed7be9d005bc0d7b2c57f16

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
92KB

MD5
2250a261784878781e3f9c87a0571c46

SHA1
67d29f2b60935b971aed8776d8c69e2c70a450f9

SHA256
a924af3b39a9aa10948502e6cd9c669850f8a69bdd7ac3b895818a2ae19a9ade

SHA512
92fe72557b472a619920eb3081f2d56513f07eda98f6d07b732a0c980b9b1f5b087c99f79894da3db4c8c0bbdd7fb864f338a4433e24d0e45c5c725f9d8ac10d

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
92KB

MD5
2a3c7983941660743382e94cba214547

SHA1
b8a95b8b21f1a578dc0325236ac406d86128d1ce

SHA256
464c64e3d033cd685a61ad68006b5cedb00f4a74843cf33bc26cf5da12eb2222

SHA512
c0629c2dbf0cc89838d0779c36736a2b2a2b95259cd9e7295c76b4125a813007dd4f1dd9babcf3da7d2117a31ac2df009872d3c19133c88025cbd0d0646c4b1c

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
92KB

MD5
0b3eedefb266c1dae58b1e9e9004247d

SHA1
11e82bfb98ac830b0bfc82d438c29d29aed173eb

SHA256
e85cc2cdaf10bf6dd33782dc7eedd0745ce670dc473be9ee7a985f68481e4b3c

SHA512
a5d8ef61766df5892d43dd87e3dd058e02495dd48d188f0d6c12fd6f2091e56e2af8c336eb94141699c054a31e2c7ca307d17877e89a2efb723cc02274de2672

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
92KB

MD5
aeed0f4d9ec8f027e6f4d9a6fc4d6393

SHA1
de72ba78d5e55f174c1326ba99b2d241b44a8dc2

SHA256
5fab83e52ab93e68a5c420f95b59cc884aa6cc2e6a9f121ca0f6187851f61ae2

SHA512
6a7be7aef2118104e7693934ea348a8142b7f278ed63a8be51e911906949cb0695a3c5d49032ea113b365c67372924d9cbc6d14254b4bd7101a0b935dc46f728

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
92KB

MD5
aa0eb4637bf0da2a41e789d62d379a91

SHA1
a72a9e64e4d20a1839022032af4dea34a892b270

SHA256
96c74e3408ec89aeea1b286aae01e8c8a76f470efba5ac1e3294de49ec991fb5

SHA512
7ba80864f6b6be8467c0873cd669a03359a7c701e70254c4c2bbc7a696f6b275dd841bcc50f76379062fa84c9c03676e41e0f18d90d9fa0edabe7a739235270d

Download Submit
C:\Windows\SysWOW64\Mlbakl32.dll

Filesize
7KB

MD5
407f17bfd6e629efc3d1ea6b88bc34a4

SHA1
45cf7a292b1c04e0ab7375c94fda87cc76cac0cf

SHA256
9c2597c963d190f85f0531191bd64419d67b53cbec1385f79af1024efa2ffb49

SHA512
2adf5e3391cfdd8548695a7cf37712573b8c16cef33758662a3026998402071586dcd81e82de7d3d299b4a4baf7e9250dbc0dc81d6b4e52f6935dfbe1edd4975

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
92KB

MD5
2374548e02659eaad908fe13dbf9a31a

SHA1
2aa4c7326e0ac9ccd7d56c2afa55762cdc5fe8fc

SHA256
12f66a5a91a6075181e70289feeb021c54e7754decc667b43dd6e5d3d4c18153

SHA512
33123a849951cc34219354eb0177964d728b0abcb4f5b603366052c9228d61394c814c39362baf048e0ba981dbd62223516b1ece37c601538153b4e44b20ce80

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
92KB

MD5
bf299b6b1a0c418e189d9415e008abb9

SHA1
404a24f3249094d7c6b732fa99303d21bd709b73

SHA256
5b89be193f21175bdf16b9b69de02638b3aa64edb2a95947385c7a50546f870d

SHA512
f6f3388d7fe0005b72375af800ccb244c8722f17f003d60836f2df332f2869a246e6b55b35cefc9b0c27cb53dab01eb84599da0cc27aa6b5ecefddd20968ab8f

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
92KB

MD5
7e3ca8f1b9548b7f85f8826e891384e3

SHA1
6460661b58dc61e6ef84ae6362e333bf16aa4d29

SHA256
81b26b78df601e9c545d53245aae5d626ff4911b89adf0b2ca9df3674df1c6ca

SHA512
fcfc294ac36dc36f379d72cd2814a25623c015a9149eb1cb17859637a949172a42a4c65bb374241f6fa7ed086caf4c9fdeade861bc71e5749fef02ed9d1ff2f5

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
92KB

MD5
519a8f8c1435260bc8fb228e8ac5bb5e

SHA1
a9f01a55bfe85f2f55d6b46207d8885c8d9d0c5b

SHA256
e709767bfb06770d4138d679810ba0eaf6adfbe004cc91f3b205551a74944385

SHA512
96a0b0df64e0dbd99ef4d97b8cd8ae63b61480bda56e42945a2eef02f57ddb45103c497c6e3f86e82f29d4def5ab6077417b50d58d3e0970fedff8ce273e6c02

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
92KB

MD5
a9521b110a626f8ff4cf927c354b5062

SHA1
a1ef01184df80d6697c1da8109d2c378bf424af2

SHA256
7eecff82c394a2dcd5f77f3aa6a0a3d6ea2030f7720928c91783da097d410c33

SHA512
54567d1816fa10bf0d86c80432d3a30547eca5b429b37940cb5ef58dc51533305158dd3c057e2041f64b2422a827a3e4948e90bd7d22aa60e045f6effa9b00b3

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
92KB

MD5
de9bb2ab0eb9798ff2c5e98302fddcb5

SHA1
7306a4bce4877cbf7e0e9cf4bc2461e6a580747d

SHA256
677771403229d3a302fa939e6431f0fa70e0c6b34b75280a30ea275c2172d029

SHA512
488677817a843510bad5d4f2ff9fa9aa687341e034d94c7c318fb3f9154bd032a22db3f3b048daeb5720bfe32270552ea9f66ccc9b5a11723074ac628630aa62

Download Submit
\Windows\SysWOW64\Oococb32.exe

Filesize
92KB

MD5
bb1225ade321db206f8a51cc08cf239d

SHA1
6d2c6f1dcfdebc93ffe013da1e1d09e2d59ba082

SHA256
a043b3cfb04961b06be57dd710c746a08eca01816cc8a6f826caae7480b9393a

SHA512
d4bc303b1d66352de5d2b9d31125e2f63bd6f4afe7abe6dde64c7e1d25da0d2da276cc43bbcf1094c384d7446a40e463ed6815461de237d82aedf40f9d1e6512

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
92KB

MD5
4e266f96b97a6a8ec4572c11ebca556a

SHA1
6aabd378a3711af8ec2cb8733b21bc97fbe69ec0

SHA256
3330da64681072dc977acac73d10d30be6da815f1744df4d8da844fe12c3a782

SHA512
aa451827b7265fea1ab3e2dadc8353788b2075e0a7faa8b658d2049484c04cd2fd5797355d60a58fcb087af730d9afe15a065c9cc49830442f38db040135b66e

Download Submit
\Windows\SysWOW64\Pbagipfi.exe

Filesize
92KB

MD5
9be1d2606a1da3e8f07771ea164f4c41

SHA1
f402da580736ad24e5ec2db3f5afec8704549207

SHA256
dfc106fd53a126af501d107c864e0a286a6c95e33ca065a7bcbb2a65a5fbfbab

SHA512
a3fd6034cabe53f3a957622f27f79e178f9d650dbe7b769309b7444ddc5b625bdaab786331a0c8351c1249f8375f7dc4a0e40a30e494019dd42bf5cba5550b53

Download Submit
\Windows\SysWOW64\Pebpkk32.exe

Filesize
92KB

MD5
1296d7e83d9a276b5e52b0f70be36ad9

SHA1
902e7c86d49ee872bc488827231955ff26943452

SHA256
b61854619343595bfe4101edd4c85468b5f9589367a4ec8264d2f1c0e39dc016

SHA512
499c9f65d67c8fb189f8d9808de19fc638ab352d860f1f7b66fda7a22f7df9df0c1daa2b4f569d16071ac8fd74febdb0f54e47769e1a324733ffefefeea0e08d

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
92KB

MD5
4b31f2f956d667fda735cda5b650fa8b

SHA1
cd97c2bf50b0ef027eee999844607d3cb99068d7

SHA256
70878546b1aeb91b8347ba346e4afc065165a7cc9c6d9b4e044b9b5d7289148f

SHA512
e8c7799c2e35fc3fb78d3bc2c03aff7de88d5a0ac8c55778a1ced80e8b93907ded68f3450cfad932542d4b7e433aafc6b8e98ef759e030653047cb4fe028c2bf

Download Submit
\Windows\SysWOW64\Phnpagdp.exe

Filesize
92KB

MD5
a4c9644c4d3eebb22653edb88ecc8654

SHA1
8fed4e4798014ef31296b87ebe1c42210ef3ddf4

SHA256
c9803f9741bdce5dafc43ad1c47fb0cb85a80491b56adb76f6bd99aac09cd142

SHA512
a940c4a9036538291c7c7dc4845d44f552986378557b1337d415cbddeb614438c63ec96767cd9ffbf687389b48acc2a64a9cc885d3c9cb169269410165287005

Download Submit
\Windows\SysWOW64\Pifbjn32.exe

Filesize
92KB

MD5
98fe58594fc85fc95616c4cdc5977b8c

SHA1
2bba7834e944014afcf2b994e572c9308ec6b474

SHA256
b6f4e740d400613ddc79434d877b86f9861b1240fe34c504c3989ed76e60342d

SHA512
256224a48a789df6cdbccdba1bfffc6c0bf9a3cff16886e4e2a9a8fbcc8b5a421464c0e972160460331c5b294cede0576437b3595530e0f172e33fdb5d7fe4f6

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
92KB

MD5
10b4f97d5c8c41cb9eeeffdef27c2b15

SHA1
b72e06921570847670b6ce5b53bb9bf073147e68

SHA256
7b4040c09cc5ad04b15a4b53673d30ea547dd4b6b9e799a1a4a1db81396f97e3

SHA512
b84d620652785d7237d6b37b421cf1293ca3219390e0b6dc0387845d041c93988a3b9df6b23bf9be60a218c691ba050e0caecb845879396885be64f35bb11c58

Download Submit
\Windows\SysWOW64\Plgolf32.exe

Filesize
92KB

MD5
f49f4fa4a65eae7b0c55eaa8fc505f4d

SHA1
2c65a58f9110c6c3fe3a7c65391d696b0f5e26da

SHA256
2757d15ca6d537826464f04e6f45b958621543749cfa962b8b4a77331bab31f7

SHA512
e8f927bbd3974bc6d38244665b12d9b0ef3295b013932c0006670f80aa3b2aaa46d8941aa57b17db9c5693261478e8cd817bcbe0e1c59fd22c1f164063a2ca96

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
92KB

MD5
fba65870ef5f52921b761ded23198245

SHA1
9022af05bd0880e04b92e8a55e84db9af603e90f

SHA256
ffac29e3386516d05a6a535507430e3cb2227e1f91317f89a20d2df1a9912b79

SHA512
82caad01d7f06a4cee6f281fe774c76ab72fb373cdf0625da7e9ab862558c8f8c7162cda9c4cd7561e22a475a4d4624e62918de199b982de0b3b5eb0735f6c8d

Download Submit
\Windows\SysWOW64\Pohhna32.exe

Filesize
92KB

MD5
863a0fd1d27e4f250430ffd30fa972f2

SHA1
fe27f499a6c4e76ed0c6b44d5e03c0f735734fd4

SHA256
3003eb77eef273c7c85f56395c2aba1d416d31775bb81ace529a831fe059563a

SHA512
4f3ce5d2868d2e9a134ede127417360da47f9226074c5556b1726a200b71d5dff473885757b011610812203a5ce6189018d2b32993cda37fbe493cac94f838b5

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
92KB

MD5
8d9a84772b92449ceceeb38e9c2d2f8a

SHA1
bcf33992c46f701679c72e885a870620b5340758

SHA256
7728feeb629b17ec350866673450097c42ddc7b29a795355f066b9ca1d5d8697

SHA512
efd836c47b50ac2b9bdf7b736142b90e29a527e0015a7619fe335eab2e367d4bdd73d2962b862271f49ed636e180b4692ed15a4bc7c502993d1711c60af4363a

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
92KB

MD5
c9476bd5b8a787440bf1956eaaeed48d

SHA1
5a66d2af586b23c2ef72b04248a00f6aa4d9a8ec

SHA256
7c03c2761cebac131374a2fcb38421f7d740064adb1d2bfb2ca2ca5659525c22

SHA512
3b3466b9d31875c65094494d61301e2840663140ee528501802d9bef24c6719d6a61706edec3ec0150e6f60204c0381c8b3f5cdba04348a9b579ef286c64d78a

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
92KB

MD5
698d86eac455e9958d98da59bd91d306

SHA1
d9cdfd1f0cb622d88bbec74b0f23bed205dd724d

SHA256
6e06f67a750fe8a6d6a80bb2e9c2e83616f0d166e8cbc156ee395f49555f662d

SHA512
df7036d765d95e1bc5cb0a41a8ac9b84e18995db9f1dcdf5aa55369562402b43ca5bdeea5ce939aef83c6d20161d8435f30401f9aea5f5af108e210586496544

Download Submit
memory/316-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-238-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/548-334-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/548-6-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/548-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/548-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/612-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/764-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/768-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/768-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/968-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/992-297-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/992-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/992-301-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1032-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1032-516-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1032-219-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/1164-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1164-485-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-420-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1248-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1260-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1260-279-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1436-26-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1436-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1436-33-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1524-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-470-0x0000000000340000-0x0000000000376000-memory.dmp

Filesize
216KB

Download
memory/1632-170-0x0000000000340000-0x0000000000376000-memory.dmp

Filesize
216KB

Download
memory/1632-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1640-480-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1640-486-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1716-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1716-400-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/1728-247-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1744-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1800-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1800-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-527-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1852-521-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-526-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1924-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-442-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1976-441-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1976-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-322-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2108-317-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2108-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-310-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2204-311-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2212-475-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2212-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-463-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2432-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2432-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-257-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2552-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2620-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2620-409-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2652-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2668-367-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2668-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-60-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2676-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2696-399-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2696-88-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2708-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-193-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2768-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2808-75-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2808-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2808-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2832-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2832-24-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2908-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-356-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2920-342-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2920-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-290-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2964-289-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2968-443-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-453-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/3000-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-385-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/3064-333-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/3064-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads