berbew | d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7

Analysis

max time kernel
84s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
Size

448KB
MD5

0a826f9b6964f136ee90c65f2cd55aeb
SHA1

a3b656216770b4ccdb314674b3177f253ef11da6
SHA256

d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7
SHA512

9b34e63edd4791dae37787ee88f7e83612b73243c728c63f6a405a781166520a1b060c87d31ce3040e6251909003d5cd87949a9f6929f0f569a1497fc28ff098
SSDEEP

6144:X80XVyr2xiLUmKyIxLDXXoq9FJZCUmKyIxL4:s0Xs6832XXf9Do3p

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlgmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odchbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obokcqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbmaon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbflno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjlhcmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nidmfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obokcqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nidmfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfoin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbflno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqpflg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbmaon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjlhcmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 45 IoCs

pid	Process
2596	Mqpflg32.exe
1248	Mgjnhaco.exe
2620	Nbflno32.exe
2900	Npjlhcmd.exe
2628	Nidmfh32.exe
2676	Nbmaon32.exe
2564	Nhlgmd32.exe
1408	Onfoin32.exe
2012	Odchbe32.exe
600	Oidiekdn.exe
952	Olbfagca.exe
1584	Obokcqhk.exe
2860	Pdbdqh32.exe
2132	Pgcmbcih.exe
448	Paknelgk.exe
1340	Pghfnc32.exe
1968	Qcachc32.exe
1036	Qjklenpa.exe
3064	Ahpifj32.exe
1016	Apgagg32.exe
1804	Aomnhd32.exe
984	Aakjdo32.exe
1236	Anbkipok.exe
3016	Abmgjo32.exe
2224	Andgop32.exe
2332	Abpcooea.exe
2604	Bbbpenco.exe
2668	Bdqlajbb.exe
2760	Bccmmf32.exe
2700	Bkjdndjo.exe
356	Bqijljfd.exe
2528	Bgcbhd32.exe
1544	Boogmgkl.exe
584	Bcjcme32.exe
2724	Bmbgfkje.exe
1068	Ciihklpj.exe
1756	Cepipm32.exe
2852	Cgoelh32.exe
2856	Ckjamgmk.exe
2160	Cnimiblo.exe
2608	Cbffoabe.exe
900	Ceebklai.exe
748	Cgcnghpl.exe
2196	Cjakccop.exe
936	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
268	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
268	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
2596	Mqpflg32.exe
2596	Mqpflg32.exe
1248	Mgjnhaco.exe
1248	Mgjnhaco.exe
2620	Nbflno32.exe
2620	Nbflno32.exe
2900	Npjlhcmd.exe
2900	Npjlhcmd.exe
2628	Nidmfh32.exe
2628	Nidmfh32.exe
2676	Nbmaon32.exe
2676	Nbmaon32.exe
2564	Nhlgmd32.exe
2564	Nhlgmd32.exe
1408	Onfoin32.exe
1408	Onfoin32.exe
2012	Odchbe32.exe
2012	Odchbe32.exe
600	Oidiekdn.exe
600	Oidiekdn.exe
952	Olbfagca.exe
952	Olbfagca.exe
1584	Obokcqhk.exe
1584	Obokcqhk.exe
2860	Pdbdqh32.exe
2860	Pdbdqh32.exe
2132	Pgcmbcih.exe
2132	Pgcmbcih.exe
448	Paknelgk.exe
448	Paknelgk.exe
1340	Pghfnc32.exe
1340	Pghfnc32.exe
1968	Qcachc32.exe
1968	Qcachc32.exe
1036	Qjklenpa.exe
1036	Qjklenpa.exe
3064	Ahpifj32.exe
3064	Ahpifj32.exe
1016	Apgagg32.exe
1016	Apgagg32.exe
1804	Aomnhd32.exe
1804	Aomnhd32.exe
984	Aakjdo32.exe
984	Aakjdo32.exe
1236	Anbkipok.exe
1236	Anbkipok.exe
3016	Abmgjo32.exe
3016	Abmgjo32.exe
2224	Andgop32.exe
2224	Andgop32.exe
2332	Abpcooea.exe
2332	Abpcooea.exe
2604	Bbbpenco.exe
2604	Bbbpenco.exe
2668	Bdqlajbb.exe
2668	Bdqlajbb.exe
2760	Bccmmf32.exe
2760	Bccmmf32.exe
2700	Bkjdndjo.exe
2700	Bkjdndjo.exe
356	Bqijljfd.exe
356	Bqijljfd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Pqbolhmg.dll	Odchbe32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Qjklenpa.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Oidiekdn.exe	Odchbe32.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Anbkipok.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Nbmaon32.exe	Nidmfh32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Pdbdqh32.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Pdbdqh32.exe	Obokcqhk.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Obokcqhk.exe	Olbfagca.exe
File created	C:\Windows\SysWOW64\Ojefmknj.dll	Obokcqhk.exe
File created	C:\Windows\SysWOW64\Paknelgk.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pgcmbcih.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qcachc32.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Npjlhcmd.exe	Nbflno32.exe
File opened for modification	C:\Windows\SysWOW64\Qcachc32.exe	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Pgcmbcih.exe	Pdbdqh32.exe
File opened for modification	C:\Windows\SysWOW64\Odchbe32.exe	Onfoin32.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Nidmfh32.exe	Npjlhcmd.exe
File created	C:\Windows\SysWOW64\Dpdidmdg.dll	Npjlhcmd.exe
File created	C:\Windows\SysWOW64\Ddaafojo.dll	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Nhlgmd32.exe	Nbmaon32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Olbfagca.exe	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Aoapfe32.dll	Mgjnhaco.exe
File created	C:\Windows\SysWOW64\Nidmfh32.exe	Npjlhcmd.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Nbflno32.exe	Mgjnhaco.exe
File created	C:\Windows\SysWOW64\Oomgdcce.dll	Onfoin32.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1044	936	WerFault.exe	75

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbflno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjlhcmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olbfagca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlgmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidiekdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdbdqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqpflg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjnhaco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidmfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbmaon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obokcqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onfoin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odchbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odchbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaafojo.dll"	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgjnhaco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcaioco.dll"	Nbflno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafaiao.dll"	Nbmaon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbflno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbflno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npjlhcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll"	Npjlhcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olbfagca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obokcqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nidmfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onfoin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bqijljfd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 2596	268	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe	31
PID 268 wrote to memory of 2596	268	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe	31
PID 268 wrote to memory of 2596	268	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe	31
PID 268 wrote to memory of 2596	268	d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe	31
PID 2596 wrote to memory of 1248	2596	Mqpflg32.exe	32
PID 2596 wrote to memory of 1248	2596	Mqpflg32.exe	32
PID 2596 wrote to memory of 1248	2596	Mqpflg32.exe	32
PID 2596 wrote to memory of 1248	2596	Mqpflg32.exe	32
PID 1248 wrote to memory of 2620	1248	Mgjnhaco.exe	33
PID 1248 wrote to memory of 2620	1248	Mgjnhaco.exe	33
PID 1248 wrote to memory of 2620	1248	Mgjnhaco.exe	33
PID 1248 wrote to memory of 2620	1248	Mgjnhaco.exe	33
PID 2620 wrote to memory of 2900	2620	Nbflno32.exe	34
PID 2620 wrote to memory of 2900	2620	Nbflno32.exe	34
PID 2620 wrote to memory of 2900	2620	Nbflno32.exe	34
PID 2620 wrote to memory of 2900	2620	Nbflno32.exe	34
PID 2900 wrote to memory of 2628	2900	Npjlhcmd.exe	35
PID 2900 wrote to memory of 2628	2900	Npjlhcmd.exe	35
PID 2900 wrote to memory of 2628	2900	Npjlhcmd.exe	35
PID 2900 wrote to memory of 2628	2900	Npjlhcmd.exe	35
PID 2628 wrote to memory of 2676	2628	Nidmfh32.exe	36
PID 2628 wrote to memory of 2676	2628	Nidmfh32.exe	36
PID 2628 wrote to memory of 2676	2628	Nidmfh32.exe	36
PID 2628 wrote to memory of 2676	2628	Nidmfh32.exe	36
PID 2676 wrote to memory of 2564	2676	Nbmaon32.exe	37
PID 2676 wrote to memory of 2564	2676	Nbmaon32.exe	37
PID 2676 wrote to memory of 2564	2676	Nbmaon32.exe	37
PID 2676 wrote to memory of 2564	2676	Nbmaon32.exe	37
PID 2564 wrote to memory of 1408	2564	Nhlgmd32.exe	38
PID 2564 wrote to memory of 1408	2564	Nhlgmd32.exe	38
PID 2564 wrote to memory of 1408	2564	Nhlgmd32.exe	38
PID 2564 wrote to memory of 1408	2564	Nhlgmd32.exe	38
PID 1408 wrote to memory of 2012	1408	Onfoin32.exe	39
PID 1408 wrote to memory of 2012	1408	Onfoin32.exe	39
PID 1408 wrote to memory of 2012	1408	Onfoin32.exe	39
PID 1408 wrote to memory of 2012	1408	Onfoin32.exe	39
PID 2012 wrote to memory of 600	2012	Odchbe32.exe	40
PID 2012 wrote to memory of 600	2012	Odchbe32.exe	40
PID 2012 wrote to memory of 600	2012	Odchbe32.exe	40
PID 2012 wrote to memory of 600	2012	Odchbe32.exe	40
PID 600 wrote to memory of 952	600	Oidiekdn.exe	41
PID 600 wrote to memory of 952	600	Oidiekdn.exe	41
PID 600 wrote to memory of 952	600	Oidiekdn.exe	41
PID 600 wrote to memory of 952	600	Oidiekdn.exe	41
PID 952 wrote to memory of 1584	952	Olbfagca.exe	42
PID 952 wrote to memory of 1584	952	Olbfagca.exe	42
PID 952 wrote to memory of 1584	952	Olbfagca.exe	42
PID 952 wrote to memory of 1584	952	Olbfagca.exe	42
PID 1584 wrote to memory of 2860	1584	Obokcqhk.exe	43
PID 1584 wrote to memory of 2860	1584	Obokcqhk.exe	43
PID 1584 wrote to memory of 2860	1584	Obokcqhk.exe	43
PID 1584 wrote to memory of 2860	1584	Obokcqhk.exe	43
PID 2860 wrote to memory of 2132	2860	Pdbdqh32.exe	44
PID 2860 wrote to memory of 2132	2860	Pdbdqh32.exe	44
PID 2860 wrote to memory of 2132	2860	Pdbdqh32.exe	44
PID 2860 wrote to memory of 2132	2860	Pdbdqh32.exe	44
PID 2132 wrote to memory of 448	2132	Pgcmbcih.exe	45
PID 2132 wrote to memory of 448	2132	Pgcmbcih.exe	45
PID 2132 wrote to memory of 448	2132	Pgcmbcih.exe	45
PID 2132 wrote to memory of 448	2132	Pgcmbcih.exe	45
PID 448 wrote to memory of 1340	448	Paknelgk.exe	46
PID 448 wrote to memory of 1340	448	Paknelgk.exe	46
PID 448 wrote to memory of 1340	448	Paknelgk.exe	46
PID 448 wrote to memory of 1340	448	Paknelgk.exe	46

C:\Users\Admin\AppData\Local\Temp\d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe
"C:\Users\Admin\AppData\Local\Temp\d6fa9954de2ff65e2e77e550642dea4a656125026ce57274e33d8c671e86c9b7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\SysWOW64\Mqpflg32.exe
  C:\Windows\system32\Mqpflg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\Mgjnhaco.exe
    C:\Windows\system32\Mgjnhaco.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\Nbflno32.exe
      C:\Windows\system32\Nbflno32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Npjlhcmd.exe
        
        C:\Windows\system32\Npjlhcmd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\Nidmfh32.exe
        
        C:\Windows\system32\Nidmfh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Nbmaon32.exe
        
        C:\Windows\system32\Nbmaon32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Nhlgmd32.exe
        
        C:\Windows\system32\Nhlgmd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Onfoin32.exe
        
        C:\Windows\system32\Onfoin32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Odchbe32.exe
        
        C:\Windows\system32\Odchbe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Oidiekdn.exe
        
        C:\Windows\system32\Oidiekdn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Olbfagca.exe
        
        C:\Windows\system32\Olbfagca.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Obokcqhk.exe
        
        C:\Windows\system32\Obokcqhk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Pdbdqh32.exe
        
        C:\Windows\system32\Pdbdqh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:356
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 144
        47⤵
        Program crash
        
        PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
448KB

MD5
0e687946cda2a343d5f6075f6ad54f5a

SHA1
e6e4e5c9258124939fd70815fb7027cdd6f18a73

SHA256
040dd6ef623cc32b1cc97066cac66070c43f046b6d3474e203ab04bf8438e07c

SHA512
f86dff1520629bedd9fc0ab7c26ebc871227050d050a305e3e2e995121c1c0088bde055fb504473375a5db5189e49dd8aec5ca35641d7b70289273360cdb40ef

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
448KB

MD5
6291c3f50363a7bd90c5d3d06a31ea2a

SHA1
6e0485e0edfd85dbe3d2ea6466521b643700844d

SHA256
e893d2283baec6cc73e3746ffdb943fbbcf69042f8dcb52e9b0f5094b2f1481e

SHA512
f89153be3570dd6811014a90edb6c430330afd17390f36b1c37aaa0b6fbe3259e33082364756933075696d7f6ecf782c8ea7974eda896a07dce876ee0196126a

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
448KB

MD5
eb22527e1ce2e6cc5ac0f118ca15f515

SHA1
1b391ce889eab44a272c7445afcefbe63dca6722

SHA256
e4fac577c069369a19734a92e7afd449c9dc247734a280ab52c0ca08dc90f176

SHA512
77cf5fb171756d33b2a19136a085c45b1df71f365bd9e920b9ec2be4fba42f58a3f284cdb44653326be32bc75de8dabe926045c2f376e40a389545b28ff1128f

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
448KB

MD5
ea29b77d4cea3abe2f0bb15b7f3e9f9b

SHA1
d9608923720104bc9965533d915592c238a57cd6

SHA256
6be4548282938935c0c76dcc1838117c85046bb21b5e7babe21dd9626358e579

SHA512
8959cd8ddb3d3922f960a3b524d81cc3254b0a355657bf00065671ff8ae6ecc2d50863b65b90e3b8552613c5901e752bfab6238cfc132e5d1465a700d638d64c

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
448KB

MD5
9ac7cde070aab254338aad97ffa1447d

SHA1
8bd39bf7c8565b79a2b592dd37f9aed513c5b3d5

SHA256
5ba488f3b2cd36ab415674d1b5cff3f5779a3364d4be1427c570c54f78576cf9

SHA512
bdcb96527956477d43fcde8afea148ced8ef5a6d5e415175dc28d8f37f9528c7ac1cb462a191318dc77c814d549dd08c258c4a341ee8543d0be8307066165e2c

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
448KB

MD5
f51e0ba2cb42b9062fa86e6058103db2

SHA1
db5de966f1a1bfe9969c1c956dc2a00755c51dbf

SHA256
8621d07db49a4f95640959fcb0eeb6a76b9c848e0af1e97add06f2a6ddec3b50

SHA512
3889dabd9aed097abd001ca52e1a966c3bace84689190b9a1289d209a71d098507e3259e90f662d2cf7894fa1837d9fc31ead6199e01ecd82fc6a59f0eadfe3b

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
448KB

MD5
6a424c1de1c5cc1ec8003dfc2af7c154

SHA1
8398420ce27e91832e828718ff601ac1a1e4310a

SHA256
bb04fa091ff0e05730ec0e13cd26864046b28839aed8292b5d60c3761bfa566c

SHA512
0e4888f53e03c61b689970d72cb12246aa39a4d223ff5bfe7817d5759f5702cb3a4bfc36dcc14d579dfc3d9843ef685bc4f4c7391ebad372adad4458c284fb4e

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
448KB

MD5
ab92912a37713fbed8dba517ad3433d0

SHA1
17d444f68ec3100fd054d2cd7592af29bbaa52f4

SHA256
352711ae4a664ae203a5421d506934da55f0201350714383b55f893b033a68bd

SHA512
46670ade96b58fd55c8d04402bc8fcefa252c824ee8997d4ddc28861b31176c17dc197a3355b29f63a1a96a705e1bd8d85f2f33eb134d297bd4e3531fbfffc6e

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
448KB

MD5
da82765738a5bbd9ae81dabb5644a922

SHA1
1092d2fd85f8845bc1061a23ab156b08fd2e722e

SHA256
1fa60e2aeb41e191814f58fb48dbd7d2ae4a32e90c39d13f316e2499de07533f

SHA512
9cfe78aa061328ed06db51ba7f36bbab065c5823ca79d72630e435a2c643be95562acdaff3802682b4e60e114b3d583150bea9d22787ca459789765eb45a6a2c

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
448KB

MD5
0e893d4ba8becca38b43835887dd57fd

SHA1
14126d8390c24aee170471feee076ed6e1cb1436

SHA256
59bc9f77347623598068f8f33a8d1a6ca5103b5231184f39b96fb2bbea6e78d2

SHA512
d1426e9fc94fbdfe9b0f4fb8ee42265578f58368c2b9f6bb775323f3ca29209d9d2df75f14cd880bf501bc72b12e0e538e8f9a1453fc0145f730e1a45796346b

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
448KB

MD5
ad6788f258eb0b3e575ff8f207579ee5

SHA1
fb89c0018f8291a646ae420c8017c85c0d6a529e

SHA256
dc940cc83b91e72a707e85d363d28c63b292f05b73982accec1ef3a7db58d0fd

SHA512
1f5b1cdf935c8d3f24fccee38d1c94e8ed6a1bdf44217eb48dca5fff562d8138956ee02ee8a488e8f63def400c1b067897c73b1bce987f05323ce8ced473d9fd

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
448KB

MD5
4d22b43d40594671faa2c82e62cf204a

SHA1
16e9395885d221b7fa1f539a4a6830e382e4e136

SHA256
ab7cbd75817ae8b3567201bd88b2902c17705ca9126b0cfe83b19838c50af9fe

SHA512
a9d90aa0c3b065fb7bc1699ce069dd9af63790d3c8860ac0fea311520e63871f2dd831f968c8f900855f6ba99a965fbe48bf12a759ed22f40699c38a07b6c85e

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
448KB

MD5
7960bcd4b56c27a2d9c06c7d9d1f57aa

SHA1
7e15d839a54b580ed600f98e6d33de58aaeed40c

SHA256
ffd27c758d4858e074c0d788164f7b37827cff108ddd051f5db984c36e164317

SHA512
cf29d332c94b39944038a62280a67a9ebcc63c2fc354b1da9dee2d43f46b19355359dd2466cbac3ac5e5f8588d87218885af37548d4bd78ef1b5a944167285bc

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
448KB

MD5
5fddb80472ca67174dc23c053121ac1a

SHA1
7e3f92794752ec6d57fba72946bfcdf206ab729c

SHA256
c1bdebc69ec4463d6350428875290c637f1fd38e2c7794d7e83375a7cc10cb17

SHA512
c71bb23c96530001339c4503bb523b324fd2eeef67e63dd48dde8f02a0c67bfca706b2eecb1b515bbddf537c3a889dc0b155d3e1116ed8f1a449314474f14703

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
448KB

MD5
14da05f23e42f56280181d439025c4c1

SHA1
61c6749bf9ebdbb63d4ed3ef75a0f3c178947746

SHA256
f366fd0b206df58c80df7fb653895c4a68ea26d94cff0c36a9a0d9349f67721a

SHA512
44bf17ec67725a28d4a17767802b846dcf6ebbfae1f86d300a2ca6aabc8bdaccc52b12c0a0d14d1569c6194577a2b3c1933a3776e252f275efdbecb427a91217

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
448KB

MD5
697e854471a1933e3e3425f89d4e3c1c

SHA1
c8a853da72851461896e06b4f04a241c85007166

SHA256
b80ddac8d14d0a959d21aaaefb45cbcfb0fbb974e8dab5131a45fe381db212f4

SHA512
9f34178745a6eefb143df3471b7b07f95bbbb17b6fe5704ac42385278c25fb967fe4d91e97f52d698cbaee02e1b2b89b856a6c612d3e892f0d053a4c5e5a8bb2

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
448KB

MD5
dc270ae05267991763d7650bbddb2669

SHA1
b68b1549f06ec7117c23732c49cd0d78eb7e41a6

SHA256
57f3d1f4f5645cdfbec5dd05aa36d47222bb4600947b6268ba4d3a11be47fb79

SHA512
1dedb00678aa36619f397e58e33e50de7363b1ba27f5f54acd475a33ed5af573c88927fc818e172ca8165c8d82437ca7b56520f4b0c0cb15f66d81bdccd84775

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
448KB

MD5
ef11df99f2ec01eff4dfa0bf0d22f46e

SHA1
f5c2c0bcab6f122a1fceac01f5178f6504ac995d

SHA256
07e2e739b572fa92b957a7da03df1c71f31fb946bee10470c9cac4f39cb85300

SHA512
fa871b4d2617a1267f56b4595c135e4518a33b2aba9e031bcc467c60e60ac51592e1a93c14bc44371678ca327f5852b22e2be13944ab39a7225466c97a32616e

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
448KB

MD5
04a79d9c4c679b6c6ef0a95ed02cdd14

SHA1
9d93f59f22b17ed3064bc6d8c6f38868c7a2ae0e

SHA256
db25696da78cf988a4e28420aeee22d6925821a2a53d0734783383f42e9e2822

SHA512
d1ba7babb57b2392c085eeb9139eb1ddee061972c8de2981a945652bef3a2261d3e2225056c8b0c3d9fa175aa66862081b6d13a0402f2a52e37160b7402be6e2

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
448KB

MD5
e06db6ccdd8a14debfcbfec0da0340f8

SHA1
89c28255c651d729082704d9156eebe1c29673b6

SHA256
22d7d28d9e6bbb3d0b4e45f5f7102d8982e49ed169d211e7bffa086575f96962

SHA512
acef15b98d401eeec53670baf4e7907d1321c6163a42d859c0e4cef6a233deb92f81f9851e04419d3da5e63d62ad0482600f897e26021b06ddd7a9bdea27e725

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
448KB

MD5
e38cdd0b4414123f57cc41ca1fb24763

SHA1
8c4cb87e04c0cae8aaea14d2256fb16aafa76a20

SHA256
7c5d475c76f5a4983edcca8d9abeb4a00660068c76f7c70c6d84c9454a52c3f9

SHA512
f5a1f98bb7d0d07e60ae2d201a1c8d9956afd780ff7da596bbe7152d31a1c9acd54627ad932230affbe335c18cdb0d194ac0f7bf0a40691e38987c3e236aae2a

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
448KB

MD5
ca91f3e9e33c7994f43eb4e0ae394e79

SHA1
9aa5b87e2bebb88b0206ee4c39554d94acfa60ad

SHA256
9e6a6b3a78ae2e64c628e835227de77614a21cb0e13b86ec178313c1a809dd32

SHA512
79187e8f9a7add45c23f02b3d73ffec532ef9de7c1e64c69e81b8faf3d7d806d15e01b278aa19a5a73e5425310b72b808e0569a49d10f95d652797e31498250e

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
448KB

MD5
6b7dc0586544f57cc60458eb573cf7c5

SHA1
b120a6267dbc943a191110768b52c148c3607bae

SHA256
f99909bd72184bb89b8c5db4eea3cdb5a879ebf76a27ee1dc41e85ac262e8171

SHA512
fe0b55757bfdf0673a9474f01d034b9e9c55c166351b8864a298c0f0c4bac1e3d0561142919bcfccf91a067a0bdfb2834b317747809f079ddde2174de5c767c8

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
448KB

MD5
2677e9895d73133b92fc64e8fdd88d47

SHA1
44cf4ff882d7071fcf72b9b1213418299048ac51

SHA256
04871d64080099b702f7b9188c6ca3231b5740a035a4762965bec7bd2448a988

SHA512
77218cbcdfe92ea37848d9d4d8ffb04c3a43b13c77fd98617c13b2ab44e3020529e474f6d036caadf34a6414e7a854b8b8e99f66f0087e687ef70ea36e06ecc7

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
448KB

MD5
3b21f979a1cceade1afaa00435219619

SHA1
587684bb879ac62b16e5df138abfcb98c0a2be41

SHA256
10b22fde7065f39e3142884e4804025d97a4e0c6f8316899c360a1a1bed093c2

SHA512
e554cf669d709bff827b08d3e88b672d5aef0730cdce3d89adb1b24e4e4bb41032cd135d0ca9d393bca440f68766cd5ddf0d9694c38048ba6a6fd02d6aeabc67

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
448KB

MD5
4d47ec10d4358435aa4146e3465a1b5d

SHA1
77d9542bf6d084dbfad67bf44e20f7c334b191b5

SHA256
3a2d936badf7feb976d4337ee37295f6d1b5b21518b7fabf307250ec7c72bb64

SHA512
aace28814a7e306b0262326e644cab0df5cb412e920067b2cad657a27ce4e2f5dd0f76dc1ec0f67b3710111ce346d9c369f1355926eaeb90fcc75f5bc0ca36bf

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
448KB

MD5
4145e24b392f850257909ee09f07de46

SHA1
7a64d2a395f2b632d7f07cd7bfd236b1b32e6c88

SHA256
c5b8ef2a36c039c169e4f2681f8bac40df35afd7615d4bac1dbd6361f1a2d319

SHA512
6ad962717d80beb07f3b6af1c993cb8f965c8e126e2be47a090b1adef422377d68271c8be7457d4c295c736657b9984d0b105067f89dc305354847cda6d8acd6

Download Submit
C:\Windows\SysWOW64\Dpdidmdg.dll

Filesize
7KB

MD5
5ef8eb40044b2b6f6149f8aeccc49577

SHA1
d97ad76272918d08772a346ed24c2d1d938340a4

SHA256
1fbd85a804649a36ce9dd5d9bf5a3446b5661ef6cfcfa1ad38b58ff7e103744c

SHA512
163039a503138801a89fee09ea0f5bdfde8d3b9f54391bdff3bd5430762a8bac6244eea143d57793b6423d5ff7dd847ec0cafc089551149ef80e0a5616b4f036

Download Submit
C:\Windows\SysWOW64\Mgjnhaco.exe

Filesize
448KB

MD5
967316f4d456048df47edf939f72dfca

SHA1
98cbb196ec736a91bd7e1e176c83c3e55fedde4f

SHA256
8a8b48007a17722a74b8254b1ed880653b4265137cce71f6a9a4857fdd01af64

SHA512
9a8d0f502d0b71853cfbbc6b25c0039ef7fd900b62fb43d28b5a69f1622559523f66c814bed779137d875cf9bfcacf50bda187a77b6ada340d13cbb1a81652b8

Download Submit
C:\Windows\SysWOW64\Nbmaon32.exe

Filesize
448KB

MD5
f2ac2e622c447f9975234eb036f7be8e

SHA1
1f516e6c9a4c6e405c6a7d62089ebacc8e92c674

SHA256
1d7b687c20cf43e1c7b3cf35216248ddcb2c31c55a74a8a645b315fe0dabfefe

SHA512
3e881e92982f2ddddd167f9338c81bb3271fc847ad85372116a5c2ce5a95a18a65fa88c27c105105307e0c24a4545099ffb913962bdb1c6ada7b745ba281cd54

Download Submit
C:\Windows\SysWOW64\Npjlhcmd.exe

Filesize
448KB

MD5
87c20439ca359ef29b07afd633473c12

SHA1
170795905e89ee3de3dc616cc173b4401875e3f3

SHA256
f69cde45124422584beefe226be5093d3414d0543d8ac93e20be400e2edf99af

SHA512
2f03382e392bd62d6c78b9a56110f3ef5348853891c46a3d48aee2261749c0ecb5ccde2d531858b5ca961c3de5d346964fadf05609200b231207bf8be992d441

Download Submit
C:\Windows\SysWOW64\Obokcqhk.exe

Filesize
448KB

MD5
febbde4f85436d44fff3f68966cde6eb

SHA1
25498621e82ecc093944f14471284650ac1e9f89

SHA256
f95de8dfae4bc5632da2c377bd8aca8848abfc41a6c7d2c80b5bcd0e163ba348

SHA512
09fe7ec739a161fe734c339a84cb350a6f47d816e76e644b0540549eef834a21fafa9fe6181a680f16ad7225cbb99509463e36960e0601cadc5798953cacc4b6

Download Submit
C:\Windows\SysWOW64\Oidiekdn.exe

Filesize
448KB

MD5
d36ac9ccb1b205cb87cd34206191eb9d

SHA1
4f0358e4a67743cb32456734dcbf0ef11b52c751

SHA256
eaf8536630f2217d2d4f99a2e54b06bc7d10ce1f6fc748b3c79ed4715592ebf6

SHA512
5126ec22ed7128239a5f9e00983f6a5e792d7debbd099a1988eac4e8bb231b84604367a31135ae4342edac236d3a7a254b81a9eaf655f2c12560f77d657aa41d

Download Submit
C:\Windows\SysWOW64\Onfoin32.exe

Filesize
448KB

MD5
1947e07d51b4f7205e533d813b498423

SHA1
e4138bbe8a4b1c684eb6db2fd68f1925ed604b86

SHA256
d2bb0eca78b884939404b77af5aa062007e0e6c7a50b7b067caf5d205b7b627d

SHA512
16d1f278957f64932e9da1e34695ed536ee7e79b3b79b50ba4f13201a3a53f80287aa97802c7b6749e5b21177bde9bc2b601168cc0a6778c44365d1a0cabaad6

Download Submit
C:\Windows\SysWOW64\Pghfnc32.exe

Filesize
448KB

MD5
74a3c51a460acaba870d9653923c3a55

SHA1
5c630b27576c8b0c53624af416c665acd2290830

SHA256
7649d209c9657676e8df49c5c0f74fe0742bf95c7cd9b1b6d7feb93e6cfd4204

SHA512
58797f728921333bf39dc7b821c8222ca8d56d236c6635966ef114fe634ade1acb6fdeff2dd14049e5b3f2def76dc8915215a11f17f0794e96f89a5220abb3f6

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
448KB

MD5
5a318fa42b1b7c2d3e2776a563bad946

SHA1
5946942c9720d5268881f7d253035e72ca169ad1

SHA256
77fb55d50c5ac2d273f305cf0625f3dc7c0cb6c3252fff28516e06dfbe0c0c98

SHA512
9787cb5507725e9cb41d4f888cb0bee6076b9ede5a6ea5cd08f18f19fcfad941938a36883373bb22d174fab7cc36714dae30cbe8db628f3d5029d3e8e513db1a

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
448KB

MD5
35390e3dd53116d1958141cb5533f7b2

SHA1
ea24c6c820173989b4dfebe9bba328db6e2aa931

SHA256
b0b038e951faa9823fb7b4838941da374e5576a697283f263ef7535304d1ffb7

SHA512
4df0f94a46a2ed04cae5948d6c588079214e18be06674cf5a0e036a30bbfe0e53f62dce15eb94c84a46a29d53c40b950269a93442082bb2366daf8a8db2c7f0a

Download Submit
\Windows\SysWOW64\Mqpflg32.exe

Filesize
448KB

MD5
6ee6b0f25f8f48fc42a2da2d414dcb2b

SHA1
4f8498ad285aab1f1ddc2d0fb011c2368f5fe863

SHA256
9b9f8f86bbe875c43d0b288fabc701e49e906f78e0bb0f32f00b2cd9543453ca

SHA512
bd00bc70144bebc68bb5266ac881a6a65932b39784f3ebb19c2bd7ccb2fc02a7c1195a6177c0c3c7061f791e0c9b313eb65172f7d47a39476d534d1b0024ad08

Download Submit
\Windows\SysWOW64\Nbflno32.exe

Filesize
448KB

MD5
b0f019090ec3ac4ea46c147cb90caaf9

SHA1
378a60facab3cfedb6e230eeedf1dba38e8805dd

SHA256
fa9abb96da006f030235f1f2e57b35ed4c573b1b637b683fee17360f11ec002c

SHA512
559248ef50ef5574559cc52d98b7e4a7614d2ac78a4af3fdee01397883032c2920e56d038d14c50bd3975189de7aea09c84842d11ffe0c4680a2b17db9a3d51a

Download Submit
\Windows\SysWOW64\Nhlgmd32.exe

Filesize
448KB

MD5
610bc8ab54071fed0e42dd0c5da0fb81

SHA1
9e08afc2c9d214712bafa7ee0b731244a1095a9a

SHA256
2f259d9d60b1ef2fc0c21c40ec73ed1b13fc2d2851400997552eef55772467be

SHA512
6cc36914863345d24645671b3278fc318cf585d072530347f0dcbddeb485e0b050dc43db33002419f7fc9d871c6f07a3c72d5ee42b2df188db396fb1d501a0d1

Download Submit
\Windows\SysWOW64\Nidmfh32.exe

Filesize
448KB

MD5
c4b1fcc03c8daa9d8542e5a055ae548f

SHA1
6c56c8e283b18650fd13e18336d70c8e87e66560

SHA256
0fd7264944411610571829580163007e0b75bd37bcdea21b0d6e68bd6d67990d

SHA512
3244406c1c6ebecff9bfa9c0583303444a6d02ab86a7bb2ae7eabb8c87afa67a279d9f41b0bf98d4a1268574ea0df2de6149894f049315a8a444f90a7121de2c

Download Submit
\Windows\SysWOW64\Odchbe32.exe

Filesize
448KB

MD5
2d708bf8d5bd86b6e83ace8a8d99d872

SHA1
e9cfd3318c582fab85900721f2046159d1a1746b

SHA256
783ed4d5576b9b813a970ca2668155e8b395f69a2896c105d514e82d492a71c0

SHA512
5ce5ac196939137b13b7a2408810fb23f45a5410a6241d92f206292bcdb3d5150ef0d2005f1da33bec136889c386a1a5a92af93f3a12253713902f4f1c0fae8d

Download Submit
\Windows\SysWOW64\Olbfagca.exe

Filesize
448KB

MD5
6fa09a5d42bf02f9c5d29110fb7c5877

SHA1
efdae84ad214eef8e3c8130b7bc10fbebe43a2d3

SHA256
e8c06944347ffee720824891f9a461481ce74023257308bd76122ec26c63a116

SHA512
5f98150784ec40d21b6b3f8ef848bebbf029f8c064ede7d3ca58d3ea5414a09717ef705fa84069d436f06dfa687253f313625da970f583f315afae5abade3153

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
448KB

MD5
0f7387dd1d64c58b50e5a458676e9592

SHA1
6f0b25e1d91f891e374b12a5bc51c0d3302bf455

SHA256
583a8118af333df82769afc1956bc4fe2ffc0e77c85119ee686d8905918388f9

SHA512
0abb4168bfb661f1b1471502a7d27056e8b1daecfa1e48c090680e98e2a02349dfea0e9870fcbbe766b660678b5355c45b9b85c07de7333653ed027e8ceae9a2

Download Submit
\Windows\SysWOW64\Pdbdqh32.exe

Filesize
448KB

MD5
6142a1daf647b6e2ccab060252b0e2b6

SHA1
5e90193f93e556985b840e760763cfe5cee962b3

SHA256
9882024a04becdb50a26da847f947e23fba0e277e1bf47e18c8b7574042a3d65

SHA512
e97295f489e18dd8bada0bbca6a188611176e40e3a0336716e50f5c20d7a751485986c4200762fb33a419db095beaec4f400da9e28a0b02ef995e0ad8b453939

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
448KB

MD5
2a31a6a8e3fc42d9409c4fe2308ff91d

SHA1
83ac0f6e9c24d006fa1a0e0cce0c9393b32481fa

SHA256
a3f9e4fcb131226e1cc3785eab4607d1a2be06fbb3f7cad169a9eff0404e54d8

SHA512
acfe77ce095aa8e2cf7e53d20d2a5c5c448bf484a15f8b667e4b76ee1c04db3ea134d4eb42d7e52028be8ec0af058a676fd03a4893f954387ee147b410f5315a

Download Submit
memory/268-567-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/268-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/268-7-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/268-13-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/448-205-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/448-216-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/584-414-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/584-404-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/600-134-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/748-500-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/748-498-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/900-491-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/900-483-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/936-521-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/952-154-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/984-293-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/984-284-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1016-263-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1016-269-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1016-273-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/1036-251-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1036-250-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1036-241-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1068-425-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1236-298-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1236-303-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/1248-364-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/1248-27-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1248-34-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/1340-228-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1340-218-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1340-229-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1408-115-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/1408-108-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1544-403-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1544-409-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1544-402-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1584-166-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1584-492-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1584-493-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1584-487-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1584-172-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1804-274-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1804-283-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1968-240-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1968-239-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1968-230-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2132-196-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2132-189-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2132-520-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2132-202-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2132-515-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2160-462-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2196-507-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2196-517-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2196-516-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2224-319-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2224-324-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2332-325-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2332-334-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2528-392-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2528-393-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2528-383-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2564-106-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2596-14-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2604-339-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2604-344-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/2608-485-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2608-486-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2620-46-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-568-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2628-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2668-349-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2668-354-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2676-93-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2676-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2700-365-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2700-374-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2724-424-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2724-423-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2760-363-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2852-446-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2852-448-0x0000000002050000-0x00000000020B0000-memory.dmp

Filesize
384KB

Download
memory/2856-460-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2856-461-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2860-504-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2860-505-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2860-187-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2860-182-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2860-174-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2900-62-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2900-54-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3016-314-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/3016-313-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/3016-304-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3064-262-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/3064-258-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/3064-252-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads