berbew | 46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5

Analysis

max time kernel
109s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe
Size

96KB
MD5

3454ce2e027d006d4e52f3dceab3c574
SHA1

342516d09d3c3f38dfbde7f6bae042f2e61da630
SHA256

46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5
SHA512

2b846ee49c620a5ad62b67dd633eae7afaec679b8d2459e338ae456782763162f9f736ef7cdd091b7afb6d63a6498e451983e2cf68043f180624519561738d32
SSDEEP

1536:rQvmZuCuEnRCZisag5cZvEfuFC/LOo2L37RZObZUUWaegPYAS:EmcH+RCZi9icLkLO53ClUUWae/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1208	Pmannhhj.exe
4348	Pqmjog32.exe
924	Pdifoehl.exe
1488	Pclgkb32.exe
2560	Pfjcgn32.exe
1680	Pnakhkol.exe
1868	Pmdkch32.exe
1160	Pdkcde32.exe
844	Pcncpbmd.exe
5028	Pflplnlg.exe
748	Pjhlml32.exe
3096	Pmfhig32.exe
4148	Pdmpje32.exe
440	Pgllfp32.exe
3196	Pfolbmje.exe
692	Pnfdcjkg.exe
3792	Pmidog32.exe
3108	Pdpmpdbd.exe
2524	Pcbmka32.exe
4800	Pgnilpah.exe
1472	Pjmehkqk.exe
2456	Qmkadgpo.exe
4040	Qqfmde32.exe
4432	Qceiaa32.exe
2600	Qgqeappe.exe
1516	Qjoankoi.exe
3488	Qnjnnj32.exe
4360	Qqijje32.exe
4868	Qcgffqei.exe
2268	Qffbbldm.exe
1740	Ajanck32.exe
3000	Aqkgpedc.exe
4408	Adgbpc32.exe
3516	Acjclpcf.exe
2248	Afhohlbj.exe
512	Ajckij32.exe
4740	Anogiicl.exe
1732	Aqncedbp.exe
1404	Aqncedbp.exe
4892	Aeiofcji.exe
4404	Aclpap32.exe
4152	Agglboim.exe
3508	Afjlnk32.exe
3224	Anadoi32.exe
3648	Amddjegd.exe
3264	Aeklkchg.exe
1852	Acnlgp32.exe
3752	Agjhgngj.exe
2596	Ajhddjfn.exe
2792	Andqdh32.exe
1504	Amgapeea.exe
3636	Aeniabfd.exe
3472	Acqimo32.exe
2836	Aglemn32.exe
1004	Ajkaii32.exe
888	Anfmjhmd.exe
3336	Aminee32.exe
2124	Aepefb32.exe
3576	Accfbokl.exe
2512	Agoabn32.exe
2840	Bfabnjjp.exe
2104	Bjmnoi32.exe
640	Bnhjohkb.exe
968	Bmkjkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe

Program crash 1 IoCs

pid	pid_target	Process
4456	3960	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1208	4928	46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe	83
PID 4928 wrote to memory of 1208	4928	46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe	83
PID 4928 wrote to memory of 1208	4928	46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe	83
PID 1208 wrote to memory of 4348	1208	Pmannhhj.exe	84
PID 1208 wrote to memory of 4348	1208	Pmannhhj.exe	84
PID 1208 wrote to memory of 4348	1208	Pmannhhj.exe	84
PID 4348 wrote to memory of 924	4348	Pqmjog32.exe	85
PID 4348 wrote to memory of 924	4348	Pqmjog32.exe	85
PID 4348 wrote to memory of 924	4348	Pqmjog32.exe	85
PID 924 wrote to memory of 1488	924	Pdifoehl.exe	86
PID 924 wrote to memory of 1488	924	Pdifoehl.exe	86
PID 924 wrote to memory of 1488	924	Pdifoehl.exe	86
PID 1488 wrote to memory of 2560	1488	Pclgkb32.exe	87
PID 1488 wrote to memory of 2560	1488	Pclgkb32.exe	87
PID 1488 wrote to memory of 2560	1488	Pclgkb32.exe	87
PID 2560 wrote to memory of 1680	2560	Pfjcgn32.exe	88
PID 2560 wrote to memory of 1680	2560	Pfjcgn32.exe	88
PID 2560 wrote to memory of 1680	2560	Pfjcgn32.exe	88
PID 1680 wrote to memory of 1868	1680	Pnakhkol.exe	89
PID 1680 wrote to memory of 1868	1680	Pnakhkol.exe	89
PID 1680 wrote to memory of 1868	1680	Pnakhkol.exe	89
PID 1868 wrote to memory of 1160	1868	Pmdkch32.exe	90
PID 1868 wrote to memory of 1160	1868	Pmdkch32.exe	90
PID 1868 wrote to memory of 1160	1868	Pmdkch32.exe	90
PID 1160 wrote to memory of 844	1160	Pdkcde32.exe	91
PID 1160 wrote to memory of 844	1160	Pdkcde32.exe	91
PID 1160 wrote to memory of 844	1160	Pdkcde32.exe	91
PID 844 wrote to memory of 5028	844	Pcncpbmd.exe	92
PID 844 wrote to memory of 5028	844	Pcncpbmd.exe	92
PID 844 wrote to memory of 5028	844	Pcncpbmd.exe	92
PID 5028 wrote to memory of 748	5028	Pflplnlg.exe	93
PID 5028 wrote to memory of 748	5028	Pflplnlg.exe	93
PID 5028 wrote to memory of 748	5028	Pflplnlg.exe	93
PID 748 wrote to memory of 3096	748	Pjhlml32.exe	94
PID 748 wrote to memory of 3096	748	Pjhlml32.exe	94
PID 748 wrote to memory of 3096	748	Pjhlml32.exe	94
PID 3096 wrote to memory of 4148	3096	Pmfhig32.exe	95
PID 3096 wrote to memory of 4148	3096	Pmfhig32.exe	95
PID 3096 wrote to memory of 4148	3096	Pmfhig32.exe	95
PID 4148 wrote to memory of 440	4148	Pdmpje32.exe	96
PID 4148 wrote to memory of 440	4148	Pdmpje32.exe	96
PID 4148 wrote to memory of 440	4148	Pdmpje32.exe	96
PID 440 wrote to memory of 3196	440	Pgllfp32.exe	97
PID 440 wrote to memory of 3196	440	Pgllfp32.exe	97
PID 440 wrote to memory of 3196	440	Pgllfp32.exe	97
PID 3196 wrote to memory of 692	3196	Pfolbmje.exe	98
PID 3196 wrote to memory of 692	3196	Pfolbmje.exe	98
PID 3196 wrote to memory of 692	3196	Pfolbmje.exe	98
PID 692 wrote to memory of 3792	692	Pnfdcjkg.exe	99
PID 692 wrote to memory of 3792	692	Pnfdcjkg.exe	99
PID 692 wrote to memory of 3792	692	Pnfdcjkg.exe	99
PID 3792 wrote to memory of 3108	3792	Pmidog32.exe	100
PID 3792 wrote to memory of 3108	3792	Pmidog32.exe	100
PID 3792 wrote to memory of 3108	3792	Pmidog32.exe	100
PID 3108 wrote to memory of 2524	3108	Pdpmpdbd.exe	101
PID 3108 wrote to memory of 2524	3108	Pdpmpdbd.exe	101
PID 3108 wrote to memory of 2524	3108	Pdpmpdbd.exe	101
PID 2524 wrote to memory of 4800	2524	Pcbmka32.exe	102
PID 2524 wrote to memory of 4800	2524	Pcbmka32.exe	102
PID 2524 wrote to memory of 4800	2524	Pcbmka32.exe	102
PID 4800 wrote to memory of 1472	4800	Pgnilpah.exe	103
PID 4800 wrote to memory of 1472	4800	Pgnilpah.exe	103
PID 4800 wrote to memory of 1472	4800	Pgnilpah.exe	103
PID 1472 wrote to memory of 2456	1472	Pjmehkqk.exe	104

C:\Users\Admin\AppData\Local\Temp\46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe
"C:\Users\Admin\AppData\Local\Temp\46dbcbd6addd44340f8199c2209737a29252c6d1427bb80561ec378245a326c5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\Pmannhhj.exe
  C:\Windows\system32\Pmannhhj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\Pqmjog32.exe
    C:\Windows\system32\Pqmjog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\Pdifoehl.exe
      C:\Windows\system32\Pdifoehl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        27⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        30⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        40⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        55⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        62⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        66⤵
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2700
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        76⤵
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1652
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        79⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        80⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        82⤵
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        86⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        87⤵
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        89⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        90⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        92⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        98⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        103⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        104⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        106⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        109⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        110⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        114⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        117⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        120⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        132⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        135⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        137⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        144⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        146⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        150⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 220
        151⤵
        Program crash
        
        PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 3960
1⤵
PID:5424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
c2812f67f458c0b8bddfa7217fc17976

SHA1
d0872629cd0a3744b57f0df6963b09c1f90f3eb0

SHA256
43140d1132c7e02f18467e57d8cb447b66f8e6a207a8eef87db03f245cf0e202

SHA512
a3e6ac8185b4627559225278356411188892749ad409cea1c3c5f07c3843c97e3ed548d425b13ad21fa6ef93f14eadea6ddc4e6e76b079671f99e1dbd5be1444

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
e08a624400cae22f2d527a707af84991

SHA1
1ddfbb72e3fe503090c35d62039353aad42aaa59

SHA256
91d284c08ee3dddd7a4ac5443a2b2e652f7ee88d8aa259b31bfa627e5abe320e

SHA512
be26b4af8a57bb8ae05d0a767bd03aced2dfc898454d33fe07e8240ab85872f30fc63461cbdc6b71679f56f961d4f5c61dfc97f6dfba570382626cfcfcc826e3

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
96KB

MD5
127dad73cc1cabfa63d12a0b25a1ea5b

SHA1
2e6762f4522204960a8d192e36b11e12814184b1

SHA256
c5cf618a0fa0eefa50eb4d95d7dd300aa6a1e0370e8416663ca81e2f3dd7edb6

SHA512
1e886651228f50f556fa394271b703cec8169396201cfe2663157e57f6ced70a7deac2150c77c249c3320d240cf108903a7ab1cfbec55d0dda6eb992ea433271

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
176b3bea83c00dbcb982d25236300bec

SHA1
477e23161f1bf4c08aaffe30ec87b71291688f51

SHA256
01b04431bde015a5c5c0d078cf55115f035437ee8e0882cec60584df7e6f4445

SHA512
c6b73adff5fec829b596a696100519a6b168e88941ca923d61c88e8554dc4068fbc54e0b3679173cd5ccb93b531debf7a7c8f3a95eb2b37748e9d4ba4ce4a837

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
65bb14260f43408095a30da57aa5b4b8

SHA1
77b3dc76c398ad9d0e0649f1946127c6e7a0d6ce

SHA256
3a4b0352421228ef1aa924f46cd595fffe24c142ace130e8ca56410d1a3486a0

SHA512
62726e5da5fee5f305ee03657b5156b52e152ffbf2e7f0b55f9c5ef7485049bd920afe9fcbe31e567087038e9bcc98fe2d93f359df045aeeb615dc19b8e455a4

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
7e6e2b20c62e79be5701fcad6dab6421

SHA1
66cb4becfe524586f50fa1f4e1268f06aa904536

SHA256
202f4171edac507149878b700fe314e49f53cb253dd5e09fc0d57b5083df7c5d

SHA512
07d204ba36823c6d68b9ab5a3e9dae9a3541747eb95e54dcf40a3c01718400f94eb4dd04e3983af5736d260c36d53ab9a315512229ce9b3f62e543b0295f86ba

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
96KB

MD5
de7527091b53c717b1bf837e21b9b26d

SHA1
857bee23ba1101e7649b7d613e0a3db496377bb7

SHA256
021a54c826cdc639453816ca69f98b3b8ce39f24634e496e7f885c3caaafbfe6

SHA512
6a44eb9e6ed9e3d27528ab337ed50f7855d00eaa3be73258f0b5ce4f5251117aeae2f5acb2d728aa55f93bf7559d7c2825d568931aaa613193daf5aee28627f9

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
7742ce8e2d768bc3ed5a265fa42db878

SHA1
658da440b1ce2cc1e00b4f38758d4478dfc7b9d8

SHA256
166edb503c5b3cb69cb2bbe34f70e1b4fee3a2dfa1f31fcaec09edaa1474bdf1

SHA512
a3105d21bb113dd75b54742f1b36df48992077486e58f59d6b025c595b5923196c0447ebcdf7d78884bd24227f0eeda8850861839e4567529d0506c37b4a4dc0

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
3b7d3fcbe4e06db7bbc35f232c220d99

SHA1
3ee02811c3725ac741c8342d828d2e0abb03a55f

SHA256
09110ed09111f232ac208dff89a5820f76c0c795da98f66cdf3019a8328bdfaf

SHA512
afcadbd05d5675b52526afc8440c65bd9976d006170706e729759ade4aad6811714083280ca206e6bc238c53143ae8e977e1c5ebbb728e541a8418c2b88977c7

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
9ae585f7e16e39918bcfea723c1e7480

SHA1
aaa0689c5c1ccb2cd4c430d9f9d7e5b552df356e

SHA256
c30e81437bc697ead418385ad4aba30ca5d0635b59735cc3d33d6ed2be727171

SHA512
65cb77f13111345d1a8f308d33f00055bb115a41ba936431c853151411442d0ceb9af7dfe42254018c0f3eed5715da93c46b19f5f4aced2c4a178738ce49695f

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
fb13d9637cc6812ee66b5902bc725694

SHA1
e7493e83c2b231223ef456b533e192da301d300c

SHA256
a110afc92c1deac1455cd5931ac1548c1bf774b9b3afd995de9e1e715f9eaad8

SHA512
7bbe0b2340478346b4586a2f26e03059cfbf528a573da9ae7250a5d83e4a89bee649227f9c8f6246f0269e409245a57661b86b9b608c61feb5e065e5f861aa66

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
00f56cb5bde97900a8555a92d4cf8102

SHA1
59f2881746e17426e7a2bbadc3db4e9e1077990a

SHA256
e2e6ba6cff5d06c6f3070b726228b78a1bf1edc5e370a7d5d8ca23ec246f705b

SHA512
d475db95596b11db976907468a50164d8c123e863748490c30e3799328f1493182031bd0d75cbf783ba543ba43085a4318d46e986ad68872c7912a9ee0cc7bf5

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
8da8ef008a5042929b8bcaafb516829b

SHA1
38a8bac508392e73e0c75ef858aafaf3eed8662f

SHA256
607b037045306190773bcf8b22271addaaa6a6cd8577dc3fc20db08a2da40cfc

SHA512
fc4e0c94819f40e78913dcb1cab6d25fa0ebef431ab899e68b063c3c96656c00d27b14a86131681a5c44972441f9841299d6e7fe85ba403e066876761754835f

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
59c846cd6a16a1765c19027bc2c34e7b

SHA1
4d2029416808768c2e3cbb5c57df62dc69e1a81d

SHA256
bf52d40f3adb1b5f5911f91db06661da644715ff1fd850366bcd37382595a8bd

SHA512
fc0f2a3dd5972c98b07d27c359feb58ba214113568c506d34546b42c057ccd84c29063a44425eb437f34bd28767349f24cfadc708e8d29e4b47470e105cb975a

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
96KB

MD5
198873a7f2fe984e7ffce1c9d5b05c02

SHA1
ae62338765b4c6838241e6fc7a220aa2ef822636

SHA256
2a09a89d3ac9c329684ddbb5541159ea6947d1228eadf379d0027272b061ab6e

SHA512
862eecc04f276a625b3e585875779f1c18bdd9ec950d9f04990117af682110c6f3b28d63b761e06a520755dee05b1d135f772816eadd3f91cd3e46791e0fff9c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
32bc94ed6975c58c13a41d5cc680c752

SHA1
2b00a03c5fe8e2f4ca301a910eb9ae39f3fd617f

SHA256
3263dc2086b5f5fa803fef46043c6730fbcf49b4b5daa86a006bdbe343fd209a

SHA512
aaae1dffa97d613734870a8bae12eccc277f9c5de958263c5845d74626980bca50c898ae4bf05743131c2f87b517a470482d7bc7df62eba7c625f50c020dd9fc

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
96KB

MD5
4234f1577f5e232573978c7ff073bfb6

SHA1
1637d71ff680924961e53b4c02298ccb3299964a

SHA256
37ab2a5ff56b27ddbf8b5b84bea6be025781e2d70be09688bf0ffc74f1e2d72c

SHA512
a52a6526ae02406869cada31931b965c3a4989f662be024d87d76e4047fa68a5f833b1fa45c03082adf911d7b8d690400dda6233c6056a81128118e410659d86

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
96KB

MD5
ccaca88ce2772f02c26ef26e50dccfb1

SHA1
653b333245c091a97e73bb61ac7062bf9a786fbf

SHA256
593a8833e39a60ce9aad3d9678fac24f762f95dc08038add3d1f8eea50135629

SHA512
11beb29b6a84f1020e4a4f5fb2bcad1c27f556b5c4b890ec3a696d6d4f530a73327082a1f8fc9d2d17feed28c3d10fe53e49f063e5b17a39847eefeeeaa1a233

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
cf5dffe5f8c6a6c29c449213685bcf1f

SHA1
402ff971da3698b05485101adda9049589bc7d2b

SHA256
1d60b88c791399967f548d273a8cb080f243e2f8b8eaa0d7c47abdd8a2ec52b7

SHA512
17941b2f8ddfd95bfee7fda053468116f4e97501c91eafe8c57312bb823f188afafce04a6804285ec141757baf2ac122e80e15838cfc94e6cc5a0bfe752b9d81

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
78cf8936ade19e919bb94eca6552f288

SHA1
a8819fe4870db0467959c7ad650bc8ea861c9bce

SHA256
a9183f79e94f6e9a8f1c91e3b967785eb6d9f2f9d5c3e054651ffb02e78b0606

SHA512
94923960dcb0cb7336f572a00aa4b05402aba68421b760a4068968d65555535863a8421fa8bde7eab6dfeaef39f233b5bf73ead3473560fc0fe59f27420f18d9

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
43eaf8cc17997664348fa381ff372934

SHA1
a8d9287571506081da4797e9675d5a91957bfa1f

SHA256
d66429a157bc50400e2c65f5366bf68e39b063a5e39ee9a89cbb58390aeaa154

SHA512
afcd8c13ccccb1084df5d279e98f3bb76ff0879ed322af3309e1a29166596fff37b96d23677332741edfa5f30e3151716608f4d4e6a7a6ae9f2bfbd5f4fcbf5e

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
96KB

MD5
1aa7a774e128c16be2e501a42adb2991

SHA1
2b2d706b4ddfc6304150d36265164f8ff751adc5

SHA256
367575aa966f6869c35537adafb2d5a03f21b96e6513fbeb66d23c047181488f

SHA512
e481e816d9db2091a03265f9bece9fc80fb79b6ea2c9109c5ce67242ca87f524c0b89bd7062f8f3f8bafd2333f03632d603332b5d88cd967e0ca4518238d4a9f

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
b554eb5b409336dce0cf952293d95241

SHA1
a0970308a0e6da8c5613cb795b587c34daef6865

SHA256
58966393a97f571141fb308f85862d2fa4c5032e29636289090f82be75ebd3eb

SHA512
35b1ede71894e1c5274b945140a5613c132e4db45f69f542c6dc2bb692be6d922b7ceeb7f8191a00e8e2f4e81d2afc4b49da13a1cbde0a6adb41ff2c59d81bec

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
967a83b01600537b633909d064ae9294

SHA1
2924362c29e5faac38331b9e5c422bae429335e5

SHA256
3b81e495e7139a64d10f21d7a9bcddcf75e6cef8462831ecc0b380d539a861b8

SHA512
5bade9c7d9e792d9fcd0809ece9a92e943193058c3788ce911adc786ce2946fc815702b886e464170b31882e11525c8350320e42baa927f3336bf662fa6746f9

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
72f154aeda45ee66f08e7cd1690d2cdf

SHA1
274c9d47e67f93f0bd1e3898532708410f7918a2

SHA256
b1e17102431f3efaf9fac259678de9520fdb16594656d72e72c203f0b7e03721

SHA512
b86c964866437fedc3e6ed8dcf46e658977650de5a1ca96a3996c1d9938c302e530120a9ac918f9f77d984d035ffad7f0551c773be94f8eaf7557bf8a9d0c7f9

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
96KB

MD5
60e62d69399d2a71e5517e5db675353d

SHA1
4fab27cc0c20eb6f970823883214fca26dc9717b

SHA256
0afd93fe9d6f555127569ccddcf4e8a504bfd9bf3b695148664d71bd6b3445ff

SHA512
4733de9cf3bc7d73de7797de88df50430c83509bb88a23db4238ea21d123fcbcafaf744ed6472cd4e6aeeca250cefaa3b377f6f50efe517b9b13ea5571b8ea71

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
f21334caae8cc6963e2cd61551423842

SHA1
9286f1232eab185c7693422164498fe0878f24b0

SHA256
9d8c7a702d2517fd99730d79f6fc4ef93007c0c457a50f8ffc7ac57612931974

SHA512
de29839b37c00a5f29f4fdba5b6aff70927a1fab390a1a0ce605f8444efe7119b4efa0783a56ef505d7a3d2611c0c6df7c8b3ffdca240792c440bcd003fcb071

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
c676cbcc6694ac9b701e06dc59d93c78

SHA1
52f5a8c242f55fa4e13f78608ef8264aa3421746

SHA256
9d30b9bbe1cbcca016c8994f9258d98255d035101beb6e60e6b593ccd71d1100

SHA512
0dc612424914cfa2bf9f08ee305d26bb3e64bb186339f84a454d8fb619db7d54c1ebb805c93486aaf5764af2987494c8043ba1975e9ed4f8ad8dcd2223113dd1

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
7a565d8098ef2fbe603b43a3429fc25d

SHA1
1c427c96b4b9c222e0af709a9e0d28f44ea135d4

SHA256
31ee2003e3c836f8bf37192fad63feeee7a006d79207fab9b159f1abf3871aed

SHA512
0beace06b0e4fe65e7409720440c45b83adaf37d4db5fd3464eb80cc79371e70e3a7b7353fe4531a83a57c1fdb9b693d25cbe828568b0263b8de90864d714427

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
65c2f45eba67aef65db0d320083a6d9e

SHA1
b765bbaa38d9363110f93a60adc4f3f966e2abcb

SHA256
52717801b4b9f3cb2a3fa1156fae2220181940bd4e775bba6829919884c88bd4

SHA512
6b0a70b46f3f4fac3e9c26df2af38c103f34373ee244df341e5c0d076d25e47b7cce67854eac49746d6ca872b4600e747acb6ef9cd7b45bf7bb947a7ea88e8de

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
c3c04041dd68423cd306297035efdb93

SHA1
c641c70d925e07ffb3bee62c878dfb0885820314

SHA256
0332eb77d824f084b7939521bf8d53fd6dfa1dd16c0d974a49e9ccad07e89800

SHA512
cce34d12b79cfe4fc47c9d0aa0f261cad295d64b27248aa259cd1103f24f9caafd72d62aea5ec23c95def561b07812b793a3019a5e582ff8c424b551b0ec9197

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
7f342b1b854304e99831e16bd4921b5d

SHA1
3a5ac39e7aa448960ed88765eb8e633f44d5e58b

SHA256
66545ff59e0baedd4840890426b908cb8a5653c345ca8bd6b48539614cbed507

SHA512
c60ac69e0e9fcd55a5fefec9335f48d51c706f51376b3e4dccce45ddc3d0ebc634c562cfb116e3b1ec3b5aa29d6a434e2c0b0fc74040157b7f990fe733f72ecd

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
96KB

MD5
09508b020652ac454b933026005232ea

SHA1
4ce9d1f47c6afc75ca3f953894c6647bec997d74

SHA256
588decd92ce45fc4f176ecd6a0b13c02849806291a1083c5df2ed24e655dff54

SHA512
86147afe8805ff5f429b927a6a6128a05a94651fc9b66d0ce62358a10b4a46346914eb73d582ac694e5aa911bfb82acf6fc74a541c2bc5f8d780ef1278ee4743

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
96KB

MD5
1aa2dfce568a8c3401a2e5d60043af23

SHA1
cbb9deb777a773da01a030a1ba4612bcbc2fdbbc

SHA256
636acf50c75b607171d477b69d1d726880e0b81d87a4f22bfc31413551207d1e

SHA512
3f0b125150e269a4ff8797b269a3e8cc50bef8162db15ffdcb17b1783bc5fb075b3ec81a156f51ecfb43ba580899458caf07d31085ff65c7aff4acb0d48f8e95

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
62c6c64a03f21944b62defc09d430752

SHA1
c22c193eeac22fa807d8b2fc3819944487d91e13

SHA256
505c5bb1f6843793393c315a40e65924ffd2e4fb5d55050b1a77326766b4874b

SHA512
45ab61e0b528e9ba611818a6a09ead41663404ba33522b7934adacf9e7b9a21f28b2adc8abd3f42b46c193b117e13600fee307e29d5f8d12db188c6b744ec544

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
96KB

MD5
422230903ae75fed72fc2f869d5b8bbd

SHA1
cbfc68508b837fe5c1528c70f1ab4668429c26c9

SHA256
d257bf293e15823e2b6c6a3cf78acd8a7298301e57abfdcccf46c555b5b48bdf

SHA512
2de22678b7eda44b9f1a3268e6ad20f2d322bd7a4172dbfcba96a7189502f404f71902a31a2f93aff46c187eda2f561609fc5f0088fdbc0386c6b364a995697c

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
9d7da07a42abdd3840179ad621905d19

SHA1
2ea82b2a0d5012b968fd324bfc46ce5543b0c813

SHA256
41d80c1bcc5bda7114dd5cd2ea34f4550552c80ddf142f54ebb75b4361c457a5

SHA512
cb21f99ee4d3912f7f97273abeda9387944da8c9a08cae235fecb4be3d8b3a765e49b56b38338392026e7086cd1150f0ad7037a127517bb0fc42425c9250ae04

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
57eb4e87db80f23c7c6e7164ddd37593

SHA1
bf854cd8e9e1bf6fc0c769a44bf75e10877fffaa

SHA256
6784cee0edb7ecd943c16d64e6d8d9c41200008aa9bfcd93c17f9ec8a4ac0870

SHA512
3c6e37d2610278b10ad3721f107783858dd1a18b928e273e50e79ab1449c16ddc8c907403d0c2b155fa2c907f36fc36d4654c247af93abef8c3bbdedc8e3284d

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
0202c960f480d832ed75ab860caa234e

SHA1
b432aa17e8fb60107e3e24889a81e268f01ad04c

SHA256
6d27e0c7fb4f9786773c656dc32f2d622758c76f5d9036b325812a50b680fd1d

SHA512
4cf2290d0b2bea828e8bdef2431e701cfce46ad5bbb4311a91a9804607574d0181e53bc4d1b0539ead0376315e23eb3a40cdf71ac5e6d79c451951ac8296b221

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
3ced559aaa841013226e9cb89b0d2608

SHA1
0613051fc6c2e6515b7b62f9edc29247d9712c4c

SHA256
d7c454be003dba8bc3a9a0b8e057d408f32e4649ca964c014680edd64816e0f4

SHA512
9432fb50d695c990aa508d992297463ab1eeb08155eebc6d8cbdd1fbe743a16571a85b490180c0fb6d7f1dfd674c16532bd4abd98c645eedbafdd95d5778e150

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
f52a0c73382da6ca70053d0ab2073554

SHA1
685b19d22615b2d916d988183ef9df6d12eea6a3

SHA256
15f95ca16c78541c727036a6b8e3146afad9052977b6fef6d829927eaf91da69

SHA512
83b609dc4407f231a6f6425239406732f17e88b3c09a6f588c0ee0489e9916ccf9c16e3930c72d3b1ef4fd61d2df0dc57c099d1ca0edffb956478795411f93ca

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
179e7a1444037ecaf9a8345f001380b8

SHA1
fd43e8d5d88fe2be4afb18deef282a09ea71e120

SHA256
973cd8a3f70dc37f70d4e43d60a176539e3af3a5206e0dca6280ccef7cd6fc07

SHA512
e0917bb6ba61ef1ebeee17d52aab39f973d776ae10d6602aeac868bbb8b732f7be82960e4cef49d5c3c00e05242c8ab26411d21e82b55f6056a9ed2698db4020

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
297f1ecbd4b4f82b139ebdbaab2e0331

SHA1
9a3a0dd5c4f582250bdfe507c48eded514111846

SHA256
7bb0587d74533fb401cea8d177cd5398b3c9e914f7f0b4f312e63bef364fb448

SHA512
5f995ee1725f990b641f83a0c06ee9beedf921722b2454694d70bce0bf2a735d11d1102dfdbdc5675a60093c28e9ccf12a8d6c07b3a8cc4ed008af2c2ff2f9b9

Download Submit
memory/440-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5028-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5184-1090-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-1066-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads