berbew | 3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96

Analysis

max time kernel
31s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
Size

92KB
MD5

c6dfed4ae3a9c52867f1ad0087629348
SHA1

4737930c54f253b77525aa5836e6ae48173f6ec3
SHA256

3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96
SHA512

7e9ef7a85f125e8b5e3d79e416e171cfad367f7ff6da7fa1c3a961ea870025f298080a16b5b93499f5b16908f4d25770af80715f8531a700deda378edd740d50
SSDEEP

1536:xD/v/CPPLYaB4kdW4BrLwsF4LgNad6CKfKOOGRncva0N3imnunGP+y:xPa2keiOgYdhKLRcvnVbe4+y

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookmfk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjnamh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 62 IoCs

pid	Process
2784	Nhllob32.exe
2472	Npccpo32.exe
2904	Npccpo32.exe
2812	Nilhhdga.exe
2620	Nkmdpm32.exe
3012	Ocdmaj32.exe
1104	Ookmfk32.exe
2988	Olonpp32.exe
2172	Oomjlk32.exe
2768	Oghopm32.exe
1188	Odlojanh.exe
2880	Ojigbhlp.exe
2916	Oqcpob32.exe
2344	Pngphgbf.exe
2424	Pqemdbaj.exe
2480	Pjnamh32.exe
2244	Pcfefmnk.exe
1484	Pgbafl32.exe
948	Picnndmb.exe
1528	Pqjfoa32.exe
1720	Pcibkm32.exe
1612	Pjbjhgde.exe
1728	Poocpnbm.exe
892	Pckoam32.exe
1488	Pihgic32.exe
2332	Pndpajgd.exe
2832	Qeohnd32.exe
2808	Qgmdjp32.exe
2940	Qqeicede.exe
2740	Aaheie32.exe
2608	Acfaeq32.exe
2696	Achojp32.exe
1652	Agdjkogm.exe
2104	Aaloddnn.exe
2188	Agfgqo32.exe
1060	Acmhepko.exe
1416	Amelne32.exe
2112	Abbeflpf.exe
1768	Aeqabgoj.exe
1948	Bbdallnd.exe
2960	Biojif32.exe
2108	Bhajdblk.exe
2276	Beejng32.exe
1624	Bjbcfn32.exe
2284	Bbikgk32.exe
1732	Bmclhi32.exe
1140	Bejdiffp.exe
1736	Bejdiffp.exe
1392	Bhhpeafc.exe
2348	Bkglameg.exe
2716	Cpceidcn.exe
2724	Cdoajb32.exe
2708	Cfnmfn32.exe
2592	Ckiigmcd.exe
2896	Cmgechbh.exe
2640	Cpfaocal.exe
644	Cbdnko32.exe
2260	Cinfhigl.exe
2800	Clmbddgp.exe
304	Cphndc32.exe
1760	Cbgjqo32.exe
1604	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2160	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
2160	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
2784	Nhllob32.exe
2784	Nhllob32.exe
2472	Npccpo32.exe
2472	Npccpo32.exe
2904	Npccpo32.exe
2904	Npccpo32.exe
2812	Nilhhdga.exe
2812	Nilhhdga.exe
2620	Nkmdpm32.exe
2620	Nkmdpm32.exe
3012	Ocdmaj32.exe
3012	Ocdmaj32.exe
1104	Ookmfk32.exe
1104	Ookmfk32.exe
2988	Olonpp32.exe
2988	Olonpp32.exe
2172	Oomjlk32.exe
2172	Oomjlk32.exe
2768	Oghopm32.exe
2768	Oghopm32.exe
1188	Odlojanh.exe
1188	Odlojanh.exe
2880	Ojigbhlp.exe
2880	Ojigbhlp.exe
2916	Oqcpob32.exe
2916	Oqcpob32.exe
2344	Pngphgbf.exe
2344	Pngphgbf.exe
2424	Pqemdbaj.exe
2424	Pqemdbaj.exe
2480	Pjnamh32.exe
2480	Pjnamh32.exe
2244	Pcfefmnk.exe
2244	Pcfefmnk.exe
1484	Pgbafl32.exe
1484	Pgbafl32.exe
948	Picnndmb.exe
948	Picnndmb.exe
1528	Pqjfoa32.exe
1528	Pqjfoa32.exe
1720	Pcibkm32.exe
1720	Pcibkm32.exe
1612	Pjbjhgde.exe
1612	Pjbjhgde.exe
1728	Poocpnbm.exe
1728	Poocpnbm.exe
892	Pckoam32.exe
892	Pckoam32.exe
1488	Pihgic32.exe
1488	Pihgic32.exe
2332	Pndpajgd.exe
2332	Pndpajgd.exe
2832	Qeohnd32.exe
2832	Qeohnd32.exe
2808	Qgmdjp32.exe
2808	Qgmdjp32.exe
2940	Qqeicede.exe
2940	Qqeicede.exe
2740	Aaheie32.exe
2740	Aaheie32.exe
2608	Acfaeq32.exe
2608	Acfaeq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Pgbafl32.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Pqjfoa32.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Oackeakj.dll	Npccpo32.exe
File opened for modification	C:\Windows\SysWOW64\Pjnamh32.exe	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ocdmaj32.exe	Nkmdpm32.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	Npccpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkmdpm32.exe	Nilhhdga.exe
File opened for modification	C:\Windows\SysWOW64\Pckoam32.exe	Poocpnbm.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Poocpnbm.exe
File opened for modification	C:\Windows\SysWOW64\Acfaeq32.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Odlojanh.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Picnndmb.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Cphndc32.exe
File created	C:\Windows\SysWOW64\Nkmdpm32.exe	Nilhhdga.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pndpajgd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1984	1604	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npccpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olonpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npccpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookmfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomjlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkmdpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odlojanh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcpdm32.dll"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdqghfp.dll"	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkmdpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olonpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oackeakj.dll"	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Abbeflpf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2784	2160	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe	30
PID 2160 wrote to memory of 2784	2160	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe	30
PID 2160 wrote to memory of 2784	2160	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe	30
PID 2160 wrote to memory of 2784	2160	3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe	30
PID 2784 wrote to memory of 2472	2784	Nhllob32.exe	31
PID 2784 wrote to memory of 2472	2784	Nhllob32.exe	31
PID 2784 wrote to memory of 2472	2784	Nhllob32.exe	31
PID 2784 wrote to memory of 2472	2784	Nhllob32.exe	31
PID 2472 wrote to memory of 2904	2472	Npccpo32.exe	32
PID 2472 wrote to memory of 2904	2472	Npccpo32.exe	32
PID 2472 wrote to memory of 2904	2472	Npccpo32.exe	32
PID 2472 wrote to memory of 2904	2472	Npccpo32.exe	32
PID 2904 wrote to memory of 2812	2904	Npccpo32.exe	33
PID 2904 wrote to memory of 2812	2904	Npccpo32.exe	33
PID 2904 wrote to memory of 2812	2904	Npccpo32.exe	33
PID 2904 wrote to memory of 2812	2904	Npccpo32.exe	33
PID 2812 wrote to memory of 2620	2812	Nilhhdga.exe	34
PID 2812 wrote to memory of 2620	2812	Nilhhdga.exe	34
PID 2812 wrote to memory of 2620	2812	Nilhhdga.exe	34
PID 2812 wrote to memory of 2620	2812	Nilhhdga.exe	34
PID 2620 wrote to memory of 3012	2620	Nkmdpm32.exe	35
PID 2620 wrote to memory of 3012	2620	Nkmdpm32.exe	35
PID 2620 wrote to memory of 3012	2620	Nkmdpm32.exe	35
PID 2620 wrote to memory of 3012	2620	Nkmdpm32.exe	35
PID 3012 wrote to memory of 1104	3012	Ocdmaj32.exe	36
PID 3012 wrote to memory of 1104	3012	Ocdmaj32.exe	36
PID 3012 wrote to memory of 1104	3012	Ocdmaj32.exe	36
PID 3012 wrote to memory of 1104	3012	Ocdmaj32.exe	36
PID 1104 wrote to memory of 2988	1104	Ookmfk32.exe	37
PID 1104 wrote to memory of 2988	1104	Ookmfk32.exe	37
PID 1104 wrote to memory of 2988	1104	Ookmfk32.exe	37
PID 1104 wrote to memory of 2988	1104	Ookmfk32.exe	37
PID 2988 wrote to memory of 2172	2988	Olonpp32.exe	38
PID 2988 wrote to memory of 2172	2988	Olonpp32.exe	38
PID 2988 wrote to memory of 2172	2988	Olonpp32.exe	38
PID 2988 wrote to memory of 2172	2988	Olonpp32.exe	38
PID 2172 wrote to memory of 2768	2172	Oomjlk32.exe	39
PID 2172 wrote to memory of 2768	2172	Oomjlk32.exe	39
PID 2172 wrote to memory of 2768	2172	Oomjlk32.exe	39
PID 2172 wrote to memory of 2768	2172	Oomjlk32.exe	39
PID 2768 wrote to memory of 1188	2768	Oghopm32.exe	40
PID 2768 wrote to memory of 1188	2768	Oghopm32.exe	40
PID 2768 wrote to memory of 1188	2768	Oghopm32.exe	40
PID 2768 wrote to memory of 1188	2768	Oghopm32.exe	40
PID 1188 wrote to memory of 2880	1188	Odlojanh.exe	41
PID 1188 wrote to memory of 2880	1188	Odlojanh.exe	41
PID 1188 wrote to memory of 2880	1188	Odlojanh.exe	41
PID 1188 wrote to memory of 2880	1188	Odlojanh.exe	41
PID 2880 wrote to memory of 2916	2880	Ojigbhlp.exe	42
PID 2880 wrote to memory of 2916	2880	Ojigbhlp.exe	42
PID 2880 wrote to memory of 2916	2880	Ojigbhlp.exe	42
PID 2880 wrote to memory of 2916	2880	Ojigbhlp.exe	42
PID 2916 wrote to memory of 2344	2916	Oqcpob32.exe	43
PID 2916 wrote to memory of 2344	2916	Oqcpob32.exe	43
PID 2916 wrote to memory of 2344	2916	Oqcpob32.exe	43
PID 2916 wrote to memory of 2344	2916	Oqcpob32.exe	43
PID 2344 wrote to memory of 2424	2344	Pngphgbf.exe	44
PID 2344 wrote to memory of 2424	2344	Pngphgbf.exe	44
PID 2344 wrote to memory of 2424	2344	Pngphgbf.exe	44
PID 2344 wrote to memory of 2424	2344	Pngphgbf.exe	44
PID 2424 wrote to memory of 2480	2424	Pqemdbaj.exe	45
PID 2424 wrote to memory of 2480	2424	Pqemdbaj.exe	45
PID 2424 wrote to memory of 2480	2424	Pqemdbaj.exe	45
PID 2424 wrote to memory of 2480	2424	Pqemdbaj.exe	45

C:\Users\Admin\AppData\Local\Temp\3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe
"C:\Users\Admin\AppData\Local\Temp\3e6f43b82857be822c076f9e05bafac52cd7f46f196709db81da7be788719c96.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Nhllob32.exe
  C:\Windows\system32\Nhllob32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Npccpo32.exe
    C:\Windows\system32\Npccpo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\Npccpo32.exe
      C:\Windows\system32\Npccpo32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Nilhhdga.exe
        
        C:\Windows\system32\Nilhhdga.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\SysWOW64\Nkmdpm32.exe
        
        C:\Windows\system32\Nkmdpm32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Ookmfk32.exe
        
        C:\Windows\system32\Ookmfk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Olonpp32.exe
        
        C:\Windows\system32\Olonpp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Oomjlk32.exe
        
        C:\Windows\system32\Oomjlk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Oghopm32.exe
        
        C:\Windows\system32\Oghopm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 140
        64⤵
        Program crash
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
92KB

MD5
92a071889105340793cb4d60a7620fb5

SHA1
4f0f4b966c3767326e23161e57a1a6088bef0956

SHA256
3c346bf44cd0f1dc6c1e8c467c238d5e16afd813d47b5134aeb38f628905aa1d

SHA512
b12acd74f6edc70e5650b625cd7f54573c49db0e137350a4bddcfd610188195d295b315b6286460156f1b9218c831c4bcee6dd72b1a564bdfbe08f74513cfca5

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
92KB

MD5
860c577b40d2e4f46e15613e519090f4

SHA1
2b674a3a4e2273ef2887bfe73f191fddf5351075

SHA256
8d8c6d18f619f06daf6680cdf04b1239efca0f992241531a38a49986646ed05e

SHA512
6d8464a16abc2c02df42fc77d68a280cfbecb0dfaf11256769096d2c1f58bdfa4b1c2b337133472bb8a84e5746b384a1a0b4b431a8a21ff0f1b12d88c449a269

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
92KB

MD5
a7eebb08dcc4046931c0b86caa01313c

SHA1
3b71fc7c1320eebdc84d4cdee337088e43915614

SHA256
5721af83f53ae7c574e5cdcc960ceca089260a0b10bc7a41ce1bb89587ffdb75

SHA512
b992b0cf934fe5758af92b0da34cc48030432c5f6c9cdc7f52deb34396c4e05faf67c82b01fe5a82d0c28763921db07e1c15dc090abd81869cc1d1986d59ab6d

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
92KB

MD5
1b1b8b4a924662c110fe410ffd08a8ab

SHA1
a87f72de223234e53dc328701fe10caafa11936e

SHA256
f93eb9a6ce5d01ef2c2a572c312fec2694e29ca76149844d1e5a37b7797bb588

SHA512
3b31c424d539961fde1f190d798585bd5cdcac6edcc5cf42b9c93bbb115f146ed620337c4f6c39c63ab4e2673dd448df44284db6df4c52fa202bd155b1e6806b

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
92KB

MD5
2a82032d6218d21290f7357e029c19b4

SHA1
e84dbaecd8fdf6ea8f00f83ee23b6842a4f9d580

SHA256
ad4db331afd2f836fad7c61ee924b57d5912c218eb73f647d24d934e4fe87b30

SHA512
2c0fb600ebf1d529b9605fee40498ae9086a5bb53241622880e59bff86d066f69db1f04a14a1bca4fe89b4ff8dfc5a29f16a18e6e2c161bae5222f1e91323885

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
92KB

MD5
d51e44c6f35a21141a746d678a32491c

SHA1
d1fd32d27fc7e6a0e4dfacce891cb5ebc2380c50

SHA256
c9405dd4bafd6aad98662073939d74feaca7acbbff772a2f5bf830c363061722

SHA512
7551feed53699b567daabdb1bcc676adc506db4ae263f24c27cee03be563fccc118215e908d6a48e00ac3fcb4e58be75fbcd4545809fda2369cc420ecb7e9594

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
92KB

MD5
e948ddf533161ee2af66f37683395166

SHA1
8368623dd64828c838abae98d5961433cb34464d

SHA256
c07799e04ad884fe07b00af07826f755c19630019e2eb179f9e7933d6f27e696

SHA512
92b214fcf0f0fa982f2f5fcbf70b57976ec07d9661d4c96b187ef793cf7ee692a4e949abbdbfbd672a3634c99d7332817a2863348cb6aaa1ae71a4c1c64b65fb

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
92KB

MD5
7456f2a93461a6cf088b8894ecb6f1ef

SHA1
e055b3f5ee3da31aeb7a24a27bebc6d3b6883b48

SHA256
c2d973c6addd358966fe237567f310b2bf868b817ddb5acb61dd7983a47eede2

SHA512
e1955bc9253a7c6e429e834be7868ed76a3520f41ba6a7f0688005a5cc85b97f03dd19a9b2dcee6b46af3b4b73cc252984536c54efe7a28eff2616f5c21491ee

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
92KB

MD5
0c9e4ed3dd9c4289536b416d4c69ddf5

SHA1
d62f4b4dde0b257958cc1fff5e3deac7f054ef67

SHA256
bf06541e645b9dd0892f010659c650a11ada4456523e2bd91077f2aaf3a74b96

SHA512
d99da8999699bc7b9ebf59b2d5c838b3194928719f91c0cc45fb9a7ee6a14fc100e1053f425e6ca77bef892a026ef726abda71ba3faf53d3582a06b99f54769b

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
92KB

MD5
c933f77ba15a95f03203b5aa3d8032ce

SHA1
c18961fe23bfe5524634de3dbe221ea9fa054eb9

SHA256
9ebb2291553d1f40786f698f2aa4a8787584c465cadec11b8e08cc490bae4e3a

SHA512
ec3e921c001821d2ddae3b05b4ca4670dd39fdc1ec288c2ce3f30422d4a12ff1cfa00976edf47e1267f5d5fdc438ab649424bd7ac41620abfa2e6cf96819ef08

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
92KB

MD5
6d122bcf06436bd4c36b402a7f135b29

SHA1
7bc766c5443564078a2b0a9ad6a42a846f7d9f61

SHA256
9a925519b7e83414d5c8558c2324fd26788b184b011f8e2b7384cb60aca9626d

SHA512
b16c61d6c984997cfa8abab184220aeb8f8e7d3e4221e6c7f6f3351084cc616ba6503d4de278c45b4bbd54e99186cacec51d4bfe814c8793f01c44c18788d37c

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
92KB

MD5
c28409a6c7b4081a2ff230de58224abc

SHA1
1185ed4b7db4a32db62bef265deec6445809aabc

SHA256
efd466f47840f2041b9b69aa95c7a1092f9dace6c3a07a3dfdcb8556f008b0dc

SHA512
b6705e77445c0e9ce025a91dee128f9fff8a4c36a84f82bf84cdb06534237694e1a583f0f4f51e303abb1b9fa130678890b6542f665162577645154ddcad3cd6

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
92KB

MD5
d5a3f6d0df1fddc938ae4d71eb2564f7

SHA1
dff116b6a08971aa4aa61dfefa23c5916a3a1bf4

SHA256
f1b33b361006db4b91a2e5d50c60e1249692f896c5cea0e62ba348d04c7c10e9

SHA512
e1bd2dacb16230a3c0af168924399484374c42364c0bc47b0efd7338405c25ba1771f6da74140dc359ddeeaf17f8dd3b77056d7eafcc9a270d081032fd460528

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
92KB

MD5
997a74365ac8205cbaf7e3eb5fadafc9

SHA1
e0f9c77b21e579e1f753cb54953d9cb1bed9e52f

SHA256
49f272a78160e7436d113bfc49b62134e354448ffaad47cd23c9ce4a9c7f12ca

SHA512
cdb864dd61ac7ef4c94395bff4b584019639862a29514aa5fddeee7bd61bb9fde5f7257c6d0da4b0fff55180c9ff9f844e980b58241ac3e9735ff4269aa6da45

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
92KB

MD5
278c5d9d8f32c758a7248623d7b4bed1

SHA1
07e0a4b287af15cb759447fb9a1c127c0678f686

SHA256
8b036a55ad8a5055ed5d68852066a7063b27e0b4694b731c13f64036917c3562

SHA512
a3ef3e051e83cf2e054c9924ac45cc40a324fdea8cfa7b018d64e4de57d1d13ec05a39103f230877392951d14f206749d92b2fd310627347a62b0751f6fabe15

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
92KB

MD5
5e40ca447382778121b098d65d8d6931

SHA1
f33b7f8bb9dc92ea79121ddc2faf24a006db5878

SHA256
b2874525c9b598a811558934c79cbd6300cf1558a9e860ef286acc77d7959391

SHA512
cc2602e3a00926d3de5f1eac16d10a65d28cc4c3e8a439efdc33dafbfd369933f67215ea94736660cac3365482162e76979eb9e4bdc07bace042c27f11f91067

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
92KB

MD5
471cd9b8664ed1e9ac3487f640070457

SHA1
833a56ac98d47033b53bfe9e8fab3909a5989ac7

SHA256
43d6acc32149b055d4912993a45a2380a1cd3af650d3a7c325f867ea72d80745

SHA512
6cf85ac9b3757cdb14106d7d864c132978d9e0c8048327c5d7a5973b74ba8652eb17fb62fe1c96169990d44c493c03774bb01c3779d5cd0fd5c24ed394f18201

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
92KB

MD5
c980ca1cc8f50f6ba10ea7cd6d557ca8

SHA1
e6504dd3dc16a3761e8f6c6e1d359a62e0f8e315

SHA256
49a33994c0126c92ad433c0c32f605dc792161f019b17e5da05bc61e9991f358

SHA512
023e09dcd3085113d5437d2507be58dd0738b9287dc3632fdf98fc3a12192e057010afe6d2c52f7a4c893f27317060b64b0a15d87bd8ff20bf6d322cd51b6f61

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
92KB

MD5
264d8232037e3e00852fa07d3178d1f8

SHA1
6fc68360a6c3b0a37ba2fa9e85ff58d3a81fd7cf

SHA256
61ccbcd26a4f056e2125ea7024a1f6dcee480c9f93d7a9a04ec427bbddb4b41e

SHA512
dbca91e6bfa6f3365c62407515c8b65ba9ac3150793a1d2f0731fe0d7da6c24ee5d8549c8e1a2127086a229601f94df76ef1ede64c5787d14e070766ed91a9e5

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
92KB

MD5
e7ec74bcee141db956d8a1d9cff6397e

SHA1
da7b07b69a62d12a617fb70089c8796cf2922a87

SHA256
4dcc7b99c2c0c5f37840ead5b5cac50908a097a1d1773f51a5b3ce76acadb168

SHA512
eba7fefa8834ae303e7c35a96e4da536190545cfd4a57992d674ec8015b6221b512953526086c19ddd3cc8a523acdd92f6428e350d1f7859d6f267b6ea9a4954

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
92KB

MD5
c48a1a6d614d496f7d1b40f2149fbab9

SHA1
f0955fe186355409ac0538e002dc7dd9f40f950e

SHA256
d505b9ef91ec21a11c043c4691438327515d328888e57ea8f3f720a25eafbbc0

SHA512
2e3c2d77f3e825e97c63ecb96fc99a1c2d3f451607b3453b9d246b55ef367230c1131b6368f436f9b89696dcf2f6b44e1b330196a8203b92908cc560bb288eb7

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
92KB

MD5
e20627fe66fb206e7a5d08751d158764

SHA1
5c2c170ebb9ce0e0ba258430a94686a59a30e1ab

SHA256
2fbbe5ee7f5ca637379f8198d87854d84cda0e7c93ba7c81e0cd632d77b8ae0c

SHA512
7b03f74ea87156852a7b0dc33754ddc61963e953921432140bf6d4645e4116e506bf1a1e4bf13a0001c24d973d7de79bc14e478af8ffafb73e0cb1bb801aca9b

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
92KB

MD5
065f63f834358be755468e7abbc8f60f

SHA1
870f86d8215ba5c9fb026cc11c9639853a572c34

SHA256
86a42b0cc3ce8acd0ac9d05064396d03b958a3008a07342d6d2c893a6f16c42e

SHA512
aa8cb5cc0424d9f46fc95c6048c44a0c16aacab12fcd5de60ca2273901fe007ca6867f56041de2371c8b4ff8ab80bd12c72fbb478f63005650270ccc1b3cbbbd

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
92KB

MD5
c7113193d68562426151bf454a9c1879

SHA1
f8b8be42c0dcaa87ef96c7017fa1bd92424a5da3

SHA256
de3df3a2bbcb70f42d6d7efe62b001fd6bf295b7edc61a68635637a5ced60b79

SHA512
af0433b265fec0a77d52628d67e6020402080cb8d6dde988067e43118ca35d97f17efb3871d1f140bdaa078c0dd651f459344a8d7f7c0851f039dab3a23753c5

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
92KB

MD5
1f090eef24af4c04f6ba2d841aaa1b95

SHA1
da215825f49f71bc64b78126327ebb4ede8487a2

SHA256
4afd82e96071a12a536cb2d44a5d11332f91ec44ab65b697e4d32de292a3e6ee

SHA512
5bca6fc7861099c18dd7ba59bd8e108d022287acc41e298bc19c611611b7f6ab9a4a017ce8e690d4c8d978c1ac0ab3d5e0ac68a6b469254753807bfd17312e4c

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
92KB

MD5
447f515822d776b5a3b9d22160f323f8

SHA1
d930c9da42b84adb481eb6cbef0533824c13bd8d

SHA256
ec42794d92fe3a78625fffadda8bdfd50379564300649228b4bf952ed0c1c949

SHA512
7d1048757be992599abef4b20c33f87a322e265b04a973e7bd09c691d03235b7bf913fcd9496bfd1121ec97e6ca6a2bc229eb134395b355ed14a6c0ba4e5729c

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
92KB

MD5
f50c884f8044e2e958016ce5761444a8

SHA1
b66151537cb7a4d1c9f3e5e2366a03f8423b9048

SHA256
24b209b7a71cfc0935159af9c137afa55fd9d45d00384eb53c7209df38f7e01f

SHA512
98350ebb9691c4b72c1e4b66fc8c4c191c91f14a5fbd68c941c9e3768bcf8ce38af459c358adee5735642d38ea4d6b108c61471b9c86f555faa554f0067df594

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
92KB

MD5
bb4a54df64c9c71020ab8a6887a30c78

SHA1
406c955ebc9046a58217c897d001e64f4c4583df

SHA256
63c5c1558df3871cdbc2615bb39a313761ebeadd4e2095edeb7d7537fe59ee6d

SHA512
6acec6adb6bdbb1cc8b47e476342e4ac49b6286d7c9a085d39e10826ba1f686b6a3bcf27f8e1b6d0e948821f5b845c7ed3814ac725128be2bffaf93871194d04

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
92KB

MD5
150feca4b6f8e7520df90e4b8a44cd6d

SHA1
e561296dec4bed30f5f17a9a02b356d4acfd801d

SHA256
9e6c257ff4205312a3b7090e1df66149df9082583f8f6c48f5f923e97efa9761

SHA512
cd4b4fb75dd7db5368e4705d77a0b646f1f1f5d1bc6cbed66e75ef1579f2a897c78b8595cb0b0da1dde8e74884d472ebbaae89585933e0675bb20adc275678d3

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
92KB

MD5
5d895945ba0b68ecc728ba6db20174c1

SHA1
c935ad760fcfbe9e1786b2da5efa33ce1ac1a311

SHA256
e17d38a8845eb49bf7552e0e9d059516f2d9197014bb224a66a218320cf8a329

SHA512
9aca985228bfeee8663efd63da5e89fb07df478d1bfad3ae080992d5e8ee720c3fe0931d6f0ce954be26e8fad5157d14db0b49f3b33a6ad1bf14c4109679e86b

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
92KB

MD5
1ee1d7685942bced5070e4de59433d7c

SHA1
02ed6e380c563c8837e4caac67b00129aaa4201c

SHA256
921f1ba36bb4fbfbf02af5289ccf9bf6605598537fea9e4ccaf233676435327a

SHA512
95c0ee4fd6050064cfca958f4085b648861ca126dd0601a9b3f356e576e4ff4e23252711848800e1267abb10b928bcf15c554adba16ce44195b9f4292e7a4383

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
92KB

MD5
002d98c7b5117c51184f3c4a7b9124a8

SHA1
194a86480c85f21834f8d9e8ccc0a93478ef174d

SHA256
911709616d4dddbdba6d7bb060c0f5b6cfbc9e061a5cc2242261680d9567fd5a

SHA512
682e42b70f8ae92f4c1636af05f9dca7776217d16a0d35ebcdf2ca941c61bbbf9736a957c64ff402f9d0b74b280b47278835064e3ecda2e0dba0cca062957ed6

Download Submit
C:\Windows\SysWOW64\Khcpdm32.dll

Filesize
7KB

MD5
c2879503c00709fe7881b15cd23d2087

SHA1
9a337280cc1dd0152553adccdf7d234106ad29d0

SHA256
6a53cb3aecb655a95a3db5cd657307fd06d799e877f447c785437a32e4bfc523

SHA512
8902607a957fea323fa94c35ea88bb2c54aa6c9d6df66e5decc34bbb00eb185c22a49f8a43d8e0eb8e37fa10c87fd78a207e97dfe2a3dfd0291abc8feef7dc94

Download Submit
C:\Windows\SysWOW64\Nilhhdga.exe

Filesize
92KB

MD5
35c2a65f90ea1ad7035b807ae5a5fa47

SHA1
215bfd8bfd817b4bc73a3ebe9dd3eeec4fa8f850

SHA256
9a400e753715f92c055b45d7efd19583650b4a042498c6eb32752e9767ad8a1f

SHA512
d0fdb0d8a7074e433e76aff4af18f41ad9dd8f472fd30923afc002b4b8dbf86c6d045622802d74f28ee90855d881ff900d200902c818e136f78950f9f220f469

Download Submit
C:\Windows\SysWOW64\Nkmdpm32.exe

Filesize
92KB

MD5
21fa5c45ff86e7fba09720d79aa07e34

SHA1
a56e6feecbfc827b55c2d2963a33c581e0337069

SHA256
aad6d75107c32c6ba44e2d86189d29934340f91028fee3b001c42d92e5489224

SHA512
2aad30fdf47bd8aa8e474f7ab0903ff76c65404665375bc9da3dc75873545018522910d07df9e0dedabd6ce2e579fc946e37ee2f9f0edf66a718575f55184e36

Download Submit
C:\Windows\SysWOW64\Npccpo32.exe

Filesize
92KB

MD5
eb0eac794eb0263a9465648d19aa3492

SHA1
227532268d7f5f868e911f0e9bda869db1fe60cb

SHA256
e78bf9e2db82890dad503aa604f3ee96e6f2687fa3521e2791422fb7cbfca20a

SHA512
1179dc566e458aaa80f5029450afd38e437d2c23d6ffa7064d22235869318db22cc03b2b648a33802ad676564d09593eb8bf100e7692ad2cf04104e64b10a043

Download Submit
C:\Windows\SysWOW64\Oackeakj.dll

Filesize
7KB

MD5
211d8dc210cdb69f638fec1b0f3aa5f9

SHA1
50a820e4b416117bcc7f09008f6a249c2af6a73f

SHA256
12dfabb7b7bd32c7037a4a1e4f1ec19f78e5542c25cbea120c11fd4211b241c2

SHA512
c93848f0643a0bae8642a31cf49e91a145f1887ad8f648aaf028ee9b73d1e275f1c2c7bc3f461ad2421adce3db69b472e0b20ca7632bcbbae90bebd24ec27744

Download Submit
C:\Windows\SysWOW64\Oqcpob32.exe

Filesize
92KB

MD5
e17cb4c5289789ed07bd09da36a4d678

SHA1
cd84b0e0f59d8ff7ec020f8adf6f0771c587a429

SHA256
bd5e1f424f6f1e1701733ca94d9f34b28f8fd087a44f71a00972115f692ed41f

SHA512
25187c373d250580c2e593432a618b5d4cff17c12b2eb91cae2f486f3acb3a260de91806172ecf7d6a343a6b8030d6b45a347f0567ae389ce1317376ef153adc

Download Submit
C:\Windows\SysWOW64\Pcfefmnk.exe

Filesize
92KB

MD5
a52e2234e622b7d05bb60e0d858fcaa6

SHA1
af46d80dc41905294dfc049e2cf30a045d4064ed

SHA256
d58d1fd0bc1302e03508a821cf1b7db934f131341af44e1fb558c84d25ce0b2d

SHA512
9c5a1902ad4e06aabc837a039cf0c48bc48e5688504256d21f12307c362ed4405bdf9d9738d0c5518375fc775496b2b68fa9c96696435fdf6fae85d34697e819

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
92KB

MD5
86b9e59f12ec81225bed419742dfb13b

SHA1
a271d89578190875e99acabbe5a35aeeb767250c

SHA256
9ad92f0caf111d4f48274bdc66af9d1659006e626b7c7a2c7149c42d77659693

SHA512
49270e211c72595101eb937aca4d298bf61224b632a583fa483e6c72652f1c904732b4d40c5475ff90f19c6a6cf45ad2fbce48ce7574e67ac12d1bdb4760242b

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
92KB

MD5
430ce2950b7221a920104bb21393f31a

SHA1
35e75bf456b9b8033ad44be224068480570aa676

SHA256
d706f6260b41f9875128ec94f7f63649fbd7b9e00d8d1ab16f895686c91d620c

SHA512
3bd9cd31e90c06543c28ebb9a8e2d6e5864f7bda2014d56ec732be57dc01b02912817c7893904909f192f2c25bb1e2b9f79a33f15200469ef9be7fbb8eb2077f

Download Submit
C:\Windows\SysWOW64\Pgbafl32.exe

Filesize
92KB

MD5
0d5fe42f7d2d58e5b01bc2f75d9d1ec1

SHA1
ecba4d96fa8b136f539cf2237951ea37ef776d3e

SHA256
a2822dbcf4494a71ad835a6219b577c1ee0ccd90654b8a269d468f87da7e9126

SHA512
9a1cc8e9cd8f879eddba74b1d2249bbd3ba556ace59a00a06be134fb6dfebc38e535eb11ed0195241a7108ed453e6cd123474b1c9a1bad060a537be63b38d653

Download Submit
C:\Windows\SysWOW64\Picnndmb.exe

Filesize
92KB

MD5
32b36fd8408e5b3263601f03e44b6eed

SHA1
a3bf1020f5e150d3fc7e0a9d643376aa0c7fbe86

SHA256
91c3366a71d3fd9a3f2a00905891a1e5f7a2c21e753d2604a888726eea888890

SHA512
d7b12c8baef690ed707617e299defbfb720c02a9539914ad61bc24584bab1e4c152e120d6a2fa3f8174299e907a8f947b596fa6f8b4a3fb10cc9254f61e09a45

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
92KB

MD5
6004c6c8b7414d6b9cab5c6303789363

SHA1
3b8ab6e57bd1c3cf3763a6f7f6d24d656988c2e5

SHA256
649555d17a542bf61a673b8fd0ad52c6946742992f73483dec836a4c9deab30b

SHA512
c7cf1ddef6b33576eb4402b31fc4a14d1c58773ac16e3d24cf01d166c4afabb4d1adda4761fc79a5c801dc3b7d61a6412b7a8230c077637b0abe312c5569bc80

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
92KB

MD5
523a1508d793229cbf4591f45e78fe2f

SHA1
5884690402ff41228b5567a147ccfd1f826339e6

SHA256
293172e61ae172bfb1c6acdeec951e52ef6a816597485f4c9062eeeda4d96647

SHA512
278065bc0214bc8deafc8607a11fe29cfd668c9a447b790166d854be5a99fd92d142e1b50b894fac8634c84915ed54b6f2eade5efd9f99902efebc1184f557da

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
92KB

MD5
1d4290eaaaa57c9bfbcd5bcf6ae3e7f1

SHA1
23a1d38eb53f6b9e6ea53829f13c0c00389e73fd

SHA256
53bfaaf657f54261991bb77d744e80721e81dc1c504e091bfa92246d77813aab

SHA512
7edfbcca5a6c1785a95605dabaa4c129fbdaf21ac77eeec9bcfce1900e9f3285768b7f2f2af9bd9a182a8c2ad9603afd4ead2992d18f060e6dbfe1738aed5b7d

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
92KB

MD5
daef100802936a79584c5ecf4f5aee6a

SHA1
d318e494f6672d83a8284832bc61134749c3615c

SHA256
801a71daf12d0d97f2fe037b07dfd6820b3eba28067c29dfa9c4ca7bc1d7c402

SHA512
81856d13828306faa24bf8fb9fa156fe8a5e80f8c60713e716e36fc8c6b242c16c2ad6d2d78762a0556b2b8e1b39e9f0fedcc32f50386e15f7dfcfad347083c5

Download Submit
C:\Windows\SysWOW64\Pqjfoa32.exe

Filesize
92KB

MD5
eda71213bcea717999c75d2e142ae80b

SHA1
889249d9629d7e9a5d730621d23bfff3b95579f3

SHA256
1c2012b42b50a9ab44fd661978bc0f3c2709114e01a5bde83438acb601698c28

SHA512
67eb253dfe5458123b9d050f3b2bbd1048f58b948832629e092e1343cd57d3211aacfc96c8ade5ee8fffad2befa06b333607842abfad94bdb6f68dd39457376f

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
92KB

MD5
7e0ef4d50ff0b9b860aba50be26cfcd3

SHA1
2b175159621a8042d537ffa719bb6d52dce84a9b

SHA256
588b3d91fbadcd1a2d00b7f53d4413785be9ea970268dff5698006add9fad846

SHA512
2a768d76e96542ec2a0a32f80af40c77913c4c4d43f5e09acda7cf2a7d2a7fcf1c7f16f17a59b0c87abfbe6d4710777f883312c493402bf1747d9f94ab9fa3a9

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
92KB

MD5
e8e7e354d094441d0c531e5a72decdb6

SHA1
fd1a4c088ae8df9efdc820b0f6af87a1ae1b3ea3

SHA256
6e37652009290ee7bdee2353e1a18b816e6f46cb1c11475596b916da870328f5

SHA512
cd6aebc979b9d5816bc98950381bc58c123906b528d4c365ca0eab6323fd91cfb5be6009baa3cc7b95bc5d8c25286781999381ba22b0357ac7073878c676c8eb

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
92KB

MD5
ca3033655a79638118e9532829d3f926

SHA1
edc7e5ea02c8742a81016bfe472a50cb1d07f248

SHA256
631936907557f73c86eb5b92d45e0f08b73d5f748a9f5b554541663bc6f2c739

SHA512
0b2c59284edc96c5160cc89cc2d6ecefc076c4eb7615cb9a4b27c8b069708f6a18808d4fd16662761d631da8fb3ca065e2c2c77122e173aa742bf89b4d601e27

Download Submit
\Windows\SysWOW64\Nhllob32.exe

Filesize
92KB

MD5
e37c1edf283feb7af6f25cd94d0d5579

SHA1
9853f75bb733eec576491a419d275c3080d204af

SHA256
1e7acbfd62ea8a5a382c6b74de9afab7116ad8974836a304094df1c60299209c

SHA512
b7fcbd183415f23b43df09c8a2ded58e92389411484530452c395db65d82635eb50f3422d0180a96e0c3cdf11c4fd28a45bddfc7a52c8fc27985b5e50aa3e3f6

Download Submit
\Windows\SysWOW64\Ocdmaj32.exe

Filesize
92KB

MD5
a1d7bc757cffeab8d2a885d1d8e03766

SHA1
ef46c00979c8e78228dfc4c2dea33597858df317

SHA256
7b4dc041f40600b84a63648f32715f25dc31cd4faec622212d2e0e5c8675c344

SHA512
0d63c63fd21d7b9a7b57a88c6e542707cde282bc47fd0fcf67a936f74ee368ec933f77dc8f559f58dd8b75e39b33b8ae5e03e0eba4c53d41ac10b7d3f76db5a6

Download Submit
\Windows\SysWOW64\Odlojanh.exe

Filesize
92KB

MD5
ae082c4497501f2472e321567fab2015

SHA1
885df497871ff0b689a7ca582b8a8da3c63fe714

SHA256
af795d35d68c5863dfc841e6aed4ce9bdb4baf73d24da65492c0f8546ecabe07

SHA512
3fab32d535c877e811b19cc966668bf5aa03e34ec305e77dde22796610c11669b73af2b45d56a77bb5d7fa083199377ade4caa674144ed3508e6df117deee5d2

Download Submit
\Windows\SysWOW64\Oghopm32.exe

Filesize
92KB

MD5
901d8cebb58328a00821c994cd9d1055

SHA1
34d42392c32a2ba1c30f0fae86bd3a7b7761ae89

SHA256
7d0f9d88479c28e2795845f383dbaa937d0403fe8794a5973a7490695a7e5529

SHA512
adf7082611aee48192d692eb505691c101d547dcbfe764c59968a116d3818d5dce94dff18e624335e77a815b32769e4f8f8ba93ba029327618cb6dcc02f68206

Download Submit
\Windows\SysWOW64\Ojigbhlp.exe

Filesize
92KB

MD5
6f4df3c76b8b866f86a50ea2883c6fa1

SHA1
4493a7fa54efb36e15b6fe4cae1387a1a08f9b62

SHA256
8f24680e5c98bf90c3cf06dcb2756fc20c4246f479a75b83253dd4485edb2546

SHA512
8d2c04adba09bf0608498325de1a1739a26fafca96112d5d879ad80a43251bdec8658ce90e24448a6ab482485ec86ede12ea04285db4bcafef27a519887e74b8

Download Submit
\Windows\SysWOW64\Olonpp32.exe

Filesize
92KB

MD5
631b3371c40b385dcdd6f50f9b1858d9

SHA1
8ca8b8a13ad1ff7d41b551972ec9d28ebb0d32e3

SHA256
d873e3dd2a129936cee5e9ba70edcf43d57856d7dd88142f078f8da36c0d28aa

SHA512
50a555d1f5771ce5be35385bf71f7457578caff6f4f7c6f9525554b33f4aa549d2843caed50f18d31f3356fff87afb4b82699bc34d235fab39b69721f36f8fa5

Download Submit
\Windows\SysWOW64\Ookmfk32.exe

Filesize
92KB

MD5
0db66d4e4caf07181ec970eacb611d5c

SHA1
adcdd0d2b698434d54a836623aea57572657baf0

SHA256
3abdda75038b114c02b02dc96f0493832e0be98f9b8fc73ae48554b7cfc00902

SHA512
f766195ebdd3b6f4820ab85a316f696a0155bef275e0bf145bf49226d0cdc275af195012edc369be83e913399a50916db966729ae5f72e998a999f6bd3173cf9

Download Submit
\Windows\SysWOW64\Oomjlk32.exe

Filesize
92KB

MD5
d9c18cb53b720af34613e67801065b75

SHA1
c7af7057b924dbb54c30c5391727000b95382c28

SHA256
8c68b019dc21bab4cafc127070a06e346feb1b4893d348494ef9c091eefe0fff

SHA512
45c5993622db0d3e6156f6dd8e5b7605f0a5c292155bbe8bd525df5c8555495f8618f1106dbfa54a7312308617d0652354393043c9dbd9546b9b1a639870af43

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
92KB

MD5
c1ffa64139bc2094c4451bdbd3efe62e

SHA1
b9969f09cabf9e78aec79b639a2bde6026a2572a

SHA256
72165c79118004e5122cbb61b3e57eaadb9a297f7fb30043da40b2daf4fdfa2c

SHA512
3c052e9df5117b44634b1eddecf24fcab40c3a8892cd0f8de9accdc887926122d293089d61ef22bf46a51d544b078d17dec0f29633fd842ab8b3b91d0f305fa6

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
92KB

MD5
bf90dd478f8a74656c2233087d72928f

SHA1
5140670b1c70df19b2952e7c43c3378c73545e75

SHA256
83bc021fd71d8855d973fb607475f77744a387921e8de491956cc29c13d6b9ed

SHA512
6dda5882cf1f43ecc256b01b9e00c913538f8aae61b08271d9b6efc090732f2d0e5996eb2d3a80b5be507fd79befd654809f99d5f3765d2dd284cc0dc81f0ada

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
92KB

MD5
b3f75d0b36ffcb9f963acb37d7babeae

SHA1
d26b054e87c5c4fc192fda62ae60ac30b0c07f1d

SHA256
49c7e442d178425a09072644767ebadc18243b4af8128ea582e6cbec309f3bfd

SHA512
36b1397dc41c1ab5489e2cbce8fd2574e8b803f4223df88bc861fc1c5f64f295f87049bfda62749b5f1fbb748f21ada142b03084a0f31324ee5d4395b1c6f3ad

Download Submit
memory/892-288-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/892-293-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/892-294-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/948-240-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/948-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1060-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1104-446-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1104-98-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1188-485-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1188-147-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/1188-139-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1416-434-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1416-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1484-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1488-301-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1488-295-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1488-305-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1528-249-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1612-272-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1612-271-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1624-507-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1624-505-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-394-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1720-258-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1720-262-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1728-281-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1728-283-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1728-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1768-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1768-454-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1948-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-467-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2104-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-489-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2108-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2112-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2112-442-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2160-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-393-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2160-12-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2160-13-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2172-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-120-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2172-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2244-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-500-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2284-512-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-315-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2332-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-316-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2344-511-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2424-201-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/2424-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2608-378-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2608-361-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2608-379-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2620-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2696-381-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2696-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-359-0x0000000000360000-0x0000000000396000-memory.dmp

Filesize
216KB

Download
memory/2740-360-0x0000000000360000-0x0000000000396000-memory.dmp

Filesize
216KB

Download
memory/2768-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2808-338-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2808-337-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2808-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2832-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2832-323-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2832-332-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2880-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-414-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2904-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-499-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-178-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2940-352-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2940-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2940-345-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2960-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2988-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2988-447-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-82-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/3012-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads