berbew | 412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
Size

117KB
MD5

70f4f174e6d1a4d5341982f0b0b65d3c
SHA1

f2c50e4ca1371546a464ea866b48c4eeac0270d5
SHA256

412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e
SHA512

06e7c183ce93ca25bb77ed78e215096d0d764be3d9498eb71c0e1586036b29e913543cf2ffbfd4ad9b4135eccaa2887b249f85cf7d6505371f0a0b8b6459e6e6
SSDEEP

1536:8QHCGPPC7wLJIL13++pw+Z2dqrXiPBwKTrFFfUN1Avhw6JCM:8UJJ1fU2TrFFfUrQlM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alqnah32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 43 IoCs

pid	Process
3008	Ppnnai32.exe
2172	Pkcbnanl.exe
1292	Qkfocaki.exe
2804	Qndkpmkm.exe
2860	Qcachc32.exe
2636	Qnghel32.exe
2528	Aohdmdoh.exe
2584	Ahpifj32.exe
320	Aojabdlf.exe
792	Afdiondb.exe
764	Akabgebj.exe
1944	Aomnhd32.exe
1908	Alqnah32.exe
2768	Abmgjo32.exe
1884	Agjobffl.exe
2400	Akfkbd32.exe
2420	Andgop32.exe
2004	Bgllgedi.exe
2424	Bqeqqk32.exe
2776	Bdqlajbb.exe
1756	Bgoime32.exe
2312	Bceibfgj.exe
1728	Bjpaop32.exe
1044	Bmnnkl32.exe
1588	Bgcbhd32.exe
2204	Bjbndpmd.exe
2852	Bbmcibjp.exe
2196	Bjdkjpkb.exe
2908	Cbppnbhm.exe
2900	Cfkloq32.exe
3032	Ciihklpj.exe
2548	Cnfqccna.exe
1296	Cbblda32.exe
1644	Ckjamgmk.exe
1796	Cagienkb.exe
1484	Cinafkkd.exe
1064	Cbffoabe.exe
2864	Ceebklai.exe
2112	Cnmfdb32.exe
2180	Calcpm32.exe
2176	Djdgic32.exe
1968	Danpemej.exe
396	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2084	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
2084	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
3008	Ppnnai32.exe
3008	Ppnnai32.exe
2172	Pkcbnanl.exe
2172	Pkcbnanl.exe
1292	Qkfocaki.exe
1292	Qkfocaki.exe
2804	Qndkpmkm.exe
2804	Qndkpmkm.exe
2860	Qcachc32.exe
2860	Qcachc32.exe
2636	Qnghel32.exe
2636	Qnghel32.exe
2528	Aohdmdoh.exe
2528	Aohdmdoh.exe
2584	Ahpifj32.exe
2584	Ahpifj32.exe
320	Aojabdlf.exe
320	Aojabdlf.exe
792	Afdiondb.exe
792	Afdiondb.exe
764	Akabgebj.exe
764	Akabgebj.exe
1944	Aomnhd32.exe
1944	Aomnhd32.exe
1908	Alqnah32.exe
1908	Alqnah32.exe
2768	Abmgjo32.exe
2768	Abmgjo32.exe
1884	Agjobffl.exe
1884	Agjobffl.exe
2400	Akfkbd32.exe
2400	Akfkbd32.exe
2420	Andgop32.exe
2420	Andgop32.exe
2004	Bgllgedi.exe
2004	Bgllgedi.exe
2424	Bqeqqk32.exe
2424	Bqeqqk32.exe
2776	Bdqlajbb.exe
2776	Bdqlajbb.exe
1756	Bgoime32.exe
1756	Bgoime32.exe
2312	Bceibfgj.exe
2312	Bceibfgj.exe
1728	Bjpaop32.exe
1728	Bjpaop32.exe
1044	Bmnnkl32.exe
1044	Bmnnkl32.exe
1588	Bgcbhd32.exe
1588	Bgcbhd32.exe
2204	Bjbndpmd.exe
2204	Bjbndpmd.exe
2852	Bbmcibjp.exe
2852	Bbmcibjp.exe
2196	Bjdkjpkb.exe
2196	Bjdkjpkb.exe
2908	Cbppnbhm.exe
2908	Cbppnbhm.exe
2900	Cfkloq32.exe
2900	Cfkloq32.exe
3032	Ciihklpj.exe
3032	Ciihklpj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pkcbnanl.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Nhiejpim.dll	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Pkcbnanl.exe
File opened for modification	C:\Windows\SysWOW64\Afdiondb.exe	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
File created	C:\Windows\SysWOW64\Khoqme32.dll	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Afdiondb.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Olbkdn32.dll	Qcachc32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Aohdmdoh.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Imafcg32.dll	Qnghel32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Qnghel32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	396	WerFault.exe	73

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll"	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3008	2084	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe	31
PID 2084 wrote to memory of 3008	2084	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe	31
PID 2084 wrote to memory of 3008	2084	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe	31
PID 2084 wrote to memory of 3008	2084	412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe	31
PID 3008 wrote to memory of 2172	3008	Ppnnai32.exe	32
PID 3008 wrote to memory of 2172	3008	Ppnnai32.exe	32
PID 3008 wrote to memory of 2172	3008	Ppnnai32.exe	32
PID 3008 wrote to memory of 2172	3008	Ppnnai32.exe	32
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 1292 wrote to memory of 2804	1292	Qkfocaki.exe	34
PID 1292 wrote to memory of 2804	1292	Qkfocaki.exe	34
PID 1292 wrote to memory of 2804	1292	Qkfocaki.exe	34
PID 1292 wrote to memory of 2804	1292	Qkfocaki.exe	34
PID 2804 wrote to memory of 2860	2804	Qndkpmkm.exe	35
PID 2804 wrote to memory of 2860	2804	Qndkpmkm.exe	35
PID 2804 wrote to memory of 2860	2804	Qndkpmkm.exe	35
PID 2804 wrote to memory of 2860	2804	Qndkpmkm.exe	35
PID 2860 wrote to memory of 2636	2860	Qcachc32.exe	36
PID 2860 wrote to memory of 2636	2860	Qcachc32.exe	36
PID 2860 wrote to memory of 2636	2860	Qcachc32.exe	36
PID 2860 wrote to memory of 2636	2860	Qcachc32.exe	36
PID 2636 wrote to memory of 2528	2636	Qnghel32.exe	37
PID 2636 wrote to memory of 2528	2636	Qnghel32.exe	37
PID 2636 wrote to memory of 2528	2636	Qnghel32.exe	37
PID 2636 wrote to memory of 2528	2636	Qnghel32.exe	37
PID 2528 wrote to memory of 2584	2528	Aohdmdoh.exe	38
PID 2528 wrote to memory of 2584	2528	Aohdmdoh.exe	38
PID 2528 wrote to memory of 2584	2528	Aohdmdoh.exe	38
PID 2528 wrote to memory of 2584	2528	Aohdmdoh.exe	38
PID 2584 wrote to memory of 320	2584	Ahpifj32.exe	39
PID 2584 wrote to memory of 320	2584	Ahpifj32.exe	39
PID 2584 wrote to memory of 320	2584	Ahpifj32.exe	39
PID 2584 wrote to memory of 320	2584	Ahpifj32.exe	39
PID 320 wrote to memory of 792	320	Aojabdlf.exe	40
PID 320 wrote to memory of 792	320	Aojabdlf.exe	40
PID 320 wrote to memory of 792	320	Aojabdlf.exe	40
PID 320 wrote to memory of 792	320	Aojabdlf.exe	40
PID 792 wrote to memory of 764	792	Afdiondb.exe	41
PID 792 wrote to memory of 764	792	Afdiondb.exe	41
PID 792 wrote to memory of 764	792	Afdiondb.exe	41
PID 792 wrote to memory of 764	792	Afdiondb.exe	41
PID 764 wrote to memory of 1944	764	Akabgebj.exe	42
PID 764 wrote to memory of 1944	764	Akabgebj.exe	42
PID 764 wrote to memory of 1944	764	Akabgebj.exe	42
PID 764 wrote to memory of 1944	764	Akabgebj.exe	42
PID 1944 wrote to memory of 1908	1944	Aomnhd32.exe	43
PID 1944 wrote to memory of 1908	1944	Aomnhd32.exe	43
PID 1944 wrote to memory of 1908	1944	Aomnhd32.exe	43
PID 1944 wrote to memory of 1908	1944	Aomnhd32.exe	43
PID 1908 wrote to memory of 2768	1908	Alqnah32.exe	44
PID 1908 wrote to memory of 2768	1908	Alqnah32.exe	44
PID 1908 wrote to memory of 2768	1908	Alqnah32.exe	44
PID 1908 wrote to memory of 2768	1908	Alqnah32.exe	44
PID 2768 wrote to memory of 1884	2768	Abmgjo32.exe	45
PID 2768 wrote to memory of 1884	2768	Abmgjo32.exe	45
PID 2768 wrote to memory of 1884	2768	Abmgjo32.exe	45
PID 2768 wrote to memory of 1884	2768	Abmgjo32.exe	45
PID 1884 wrote to memory of 2400	1884	Agjobffl.exe	46
PID 1884 wrote to memory of 2400	1884	Agjobffl.exe	46
PID 1884 wrote to memory of 2400	1884	Agjobffl.exe	46
PID 1884 wrote to memory of 2400	1884	Agjobffl.exe	46

C:\Users\Admin\AppData\Local\Temp\412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe
"C:\Users\Admin\AppData\Local\Temp\412d10f493b3074f67c5e2bc852a40b6922bed5ce92cd69d944969408aa2be0e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\Ppnnai32.exe
  C:\Windows\system32\Ppnnai32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\Pkcbnanl.exe
    C:\Windows\system32\Pkcbnanl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\Qkfocaki.exe
      C:\Windows\system32\Qkfocaki.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 144
        45⤵
        Program crash
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Andgop32.exe

Filesize
117KB

MD5
1e8f7771ab9040fa13247ebfeb16005f

SHA1
f89caab3b690f388fe1450f9f05730debd5feb7b

SHA256
71fe98d6b6b674645b8833f5fb13c026c934467e3effa1f13a88e7c9e956513e

SHA512
99dca10453b69d13d26a58d9d4a6e924f66b70276e12df139707cd79b2cb23683923c49980cb061ecd3e5202b504b616d34f9abf3fcbd24e78d137c09e1b70c1

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
117KB

MD5
a8a362bfeac0d33453c8fd75d523c03e

SHA1
9b7951e65245ec432458060d783fb9f579343ec6

SHA256
276c9b9dcae34487729f67796e3a053e5c057e71480707c161eba8444911cca1

SHA512
07877d0d930c4310cb7e59dbbcf4b84a32bb594f51f21cb0a8ae9ee2ffc42affcd5dff0e2edcf2d434c609621f5fbab47ef5169228eac8dbc55b66258cb29d3e

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
117KB

MD5
85c29958817761a03e13b9c6d72c7061

SHA1
40c836d2075392b13f924bd427ec7bc2050b0a55

SHA256
b4d6b44554fa4e1225302f1937e6a8630533af9fd18f5ed2a7416fe22ca81f2b

SHA512
4efc92729915d7784d8500d85965edba9b810b64472d6633474ae0ca293f61b279c9b4d217a1b6f4812a0931d144f89846aecc59b22d15455ed4b4377b8f7420

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
117KB

MD5
53c917e3bf9a771ae90d2b9f871061ce

SHA1
ef73c5ee3e86a7abdf6f2b3ba54eff042e1ef056

SHA256
9edd5f9af935d5d20b2e8d56f549a94f5e82afd0fa4c9151642df51194f7f310

SHA512
dfb7bf520d6919eb4214b1f4c41a9682f1144ded6912b40279f3ae60c25d3bceadb6a4ae5fdf85c2315b5f392287c38066d68db50d249ad26a47dd9bedb4b36b

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
117KB

MD5
8e0f3a57016d035cf36045e20e7f2e93

SHA1
f1a08ea63410b4b1ab053fe1d7b2c0e5c75552c0

SHA256
b042075702454c3c1a44d3061402bc08dfea25d9bec411daa9a434da9bfc041c

SHA512
9be0926b8e1b75d67fa438417891589762cf680ecc0761f830185165c3771cef3544822883af9d8fe1b9745044621cce9c7c91243b57dcff9b3a54ce0ff5b1a7

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
117KB

MD5
a73b247be35f85e3345d5af0cd201601

SHA1
8e4f726e9ca7b829b85776dba975491d0bf045e0

SHA256
0658fbf936d5771e46d45f823269fa5bcd2ad2655bb71c5a9608834ff04ceefa

SHA512
1d645b35f31885657cee929738b0fb2ad34159c3ab0ac156b7601c7eab3da91c4a81ea60625d0b1d036ade7f74e192e0ef600b2c1a267ec4a20889bfaa364073

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
117KB

MD5
5e1897be6cc376d66f9f0b024c93b276

SHA1
dfa0d149102fa277ea7c771f04fad61df29f5f38

SHA256
e6f54769507a89d95d0416dd864a34597e6bbee0655db1e7bc83a29f124c153e

SHA512
1ef6f276e25483d458cbcf511e41d0995e5ef7c513b389d25a8cadea7d605648f1c3e27dafd440ece4a5095dede2ab2db2ee6f2bb2dde2224085ba2f57059bb5

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
117KB

MD5
5d5f544fc8b1072a655d73109fff5711

SHA1
6d41a58752f163e3dafb63601a9cd67044e6090f

SHA256
b8ad1277742b6fb921531f60afa3ead635296adb1c67a3a5451c2cdbb4a72861

SHA512
f923919ddeed214ee8f087d4047a7dd7dee4ce95046fa17404ce7f7c0cee0f0ba3d6e1b277dedec15b5eb52fd632c96a25864884e72e43e9a36a32112f1a4ff9

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
117KB

MD5
9adb38f5af9f591cd88469d38f4c03f6

SHA1
48ee475c013dfa0fd42d5ce72e80454042536055

SHA256
ca6da1043b135a4e3e332ae512cd19996ec718a58f36cbbe57a8bc5a061e9f86

SHA512
5a545ecb460bd9ff68d082824ed0b3a78465e67733d42c31f20b25fcb061744dbcb611667b26d8d069a2bf9985d6357ed75cf0f8d9009f56bacb9f03763485d3

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
117KB

MD5
2886a50c5c7b821fae6db37aec1e7d3c

SHA1
e2114dc99ab11e1bc3caf05f19fbfe05eac5d98c

SHA256
5d560e0296983779cde1f2dce9c42f6ee981442b27302e8526267547e99b367d

SHA512
9dfcad9aa2774f586aa4d7bd3b1706b6ace32954e88981c3656e82d837f4341409fe0bd8cb6c8c263d481b396f36bd9c13aad8c9d683c41e49c6df94da36cddf

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
117KB

MD5
e258242c72c122b498ffb712a9bb8c4d

SHA1
a3816cea58b03daaa031f356721aaf22a42c0f0c

SHA256
6e49d5d927c2f477d11c73b6404c10196a2072e47f828132331731139f8202ab

SHA512
8f842d2aded308801c881e54c3d3322c297d3185f837288c8a83bc8891ac3fa74477355390309769be756dd528882419d67e37f4080747fef4b7603dffa94dd8

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
117KB

MD5
3ffa4b21454a8755abbba7b75cc8cb6f

SHA1
2cb04706d94e0d378a942ffc22acb4f5ea0a9743

SHA256
e3c28df68c2bdb131adf6c365a4563f751c1e9f0c0eefaf68e0c471c30a9c48e

SHA512
13cbd7668032d87bf10346d1d22435b4731d9781321e10048d7f4c358edb8880acb596421ebd7417b3561439ad5013dea1077315af824f59722e870a347e6759

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
117KB

MD5
d6671dbb8673f28d6e87d78a0c0cad54

SHA1
7d5103f3f0c1375d61b5bb5e1aba3c72062f97ac

SHA256
64a38f0956be87973244220a5826e21314888927798e943e0b7f3fa2e26f449c

SHA512
c72d3f89a5aba59297b7bcafb8000303d77ea2bdca342deedccc354c33233324ecba456546eacb1db29c758b51b76d7b66c5419605c5b28deedc76aa19732931

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
117KB

MD5
0d109e20a768779a1eb036ce6379e559

SHA1
520fb55c985bdc43611c5749fefcd513ee98aa4b

SHA256
82748475161fba2a2e5284ea24286fd366f44346588e91e61958f54453407d00

SHA512
75d9a37f314a3d8a49c6fd0d30d7d52add06f76a694750a3a704ad321185b6bbdb21ce338a53c7b00a388c3388e84b175e522ac8b90a2443ace56a734d03962d

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
117KB

MD5
bca554fcf53c87e87609533e9430a24b

SHA1
ae2727231f4a2efe0a62e4bf70130b51b140e483

SHA256
8815c8e865b2f4580882f19674d6a9a753355d4e80944ff260ead0af882236ed

SHA512
e8ac783e7822893e1d54c91dee1d706953cc93b7e7c562218ff4c0cadb9f4e84c609c3af595dd03ca979f473e4948ad804a9cf9e1249cd3d177f20474e4ac13e

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
117KB

MD5
42baa7a2cd801ec893beecb91378e46a

SHA1
f3b0f3fa2598ce071dd151cdbfe4656561b12b3b

SHA256
bb38abe0fd5950a38543b2b7a6c373fbea38974e1130e0649b513ff2262ff46f

SHA512
0acd5c69f3b8a4831362f3045ff7ad9fd8b6c7f9cf14a296b3c5dc29c2440296426ec16c8e503afc6b1bbfdf4a3f033fb3782a1d7d63b1838b1461e78de6570b

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
117KB

MD5
0d8f7619f07d3622f046bc50c93a9355

SHA1
59aa613a9811800824848a1eb6006776684946dc

SHA256
87839083b749c39218074ce85251b7f0fac100690923304b87aec1161d3bbb38

SHA512
478b4584d594f03716ade5406f32b2b706ee0fabd4ecd169d15f5bd18993d3a5fc145a6e4fd2077187c5303db9497e196031b42c5bca2cb7bd83972110579264

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
117KB

MD5
0cf26689c216cd13312a33b830569f04

SHA1
e0ae2ba21bb85715ea400837eac73bad106624e7

SHA256
bd4f81a9d53d5e7163b1d7be61b64127835a98caeb8a6449fdc46c41fb3c0d99

SHA512
d4b6866c2990a91b6d35248585cbd8ed47afc0ae6f0fae3ee2ed54b2fdb96c988231c2b431ce160c275089487c79e4040cbf37211244da47cc4c3a4634d79880

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
117KB

MD5
b29352c6d1a67834922ac7a8f79b94d2

SHA1
24b742261609b8a899c73e4213c3ca7e64ba47be

SHA256
e8cf1cac16e10a244f0d39c74f16a34ef5aa576b9234664ccf270b90c621a5ee

SHA512
fb1c049a2ef9808d7f3b506d48e9c3059377ce9feb5592d4ab55bc1890ed81e210a8e90f4ea2c48af175c5ea2cdef0ed601c2d9483f0afb57320bdbc496291d5

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
117KB

MD5
f64ba6e2886f11ee6a90509e2fda5b0f

SHA1
7517420c8ea72a8bf9dbb316d2150549b2b20b42

SHA256
eb4d54eab6a6982232ef72459159e50edb4ca88da1826543f34ad1111f84dbee

SHA512
2b15babe20bccfa7f48568b48730276c02af0a846df4a918608ce1c26cb7df1e1c667a6c0c82181162d61a6c07e9328784738c5b1d6e76d086bc2c7018a42f59

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
117KB

MD5
0146f44ca2982f9b79edf8df268cee2a

SHA1
7b79c300e213d4d37bcec69d87b993e36cd0ae4f

SHA256
172ad3630c8981b37b5b1adc23f0e7afd750d314088566e923e1fb8a172dc884

SHA512
777bdf431a436d218dd314b041988d47f9682ea36bd32e55aebb6550bdc28f74e1ae43fe4c4b6eb4e945689f2fc3c1b83977e8346bc75b9ee70886760273f6a1

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
117KB

MD5
7cc004673f63b172dfc562f4510d994f

SHA1
9a6770d944741bca32248e340ffaa135c0808286

SHA256
46f510e4f22ecceb37f9a20cae81351bc9e4dd6fdf7d93cc8f420d38c0cd06c3

SHA512
8a9d270a48b897fd0b184cc37808e7097cf15e6cafc97bd8918d6cc1c875927496addbaf9d28ddc45f8f1a8529e2a2b6eae322e01ac326ca93a1001bc9b6ffba

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
117KB

MD5
ab08527c783339fb32577d849d4be807

SHA1
4e34f34249a8934cb65f4999f5207e8d56122817

SHA256
e8331ccb03e564b1b9774d040b11223c9c4ddf4c11dd1aedde34ff0c14ee2aa0

SHA512
e303ccd5df84a3b3688a3d8584bd5ed5c78073764fab657ff799ea336425ee40dc4c867006a3aff07404b068335503543b487feacbb0c46cb77faf2e9eb9bccd

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
117KB

MD5
c75c46af3d8738d628d1837b3b3b9439

SHA1
c2d76e5c49547c539e5bf7ae7f3ecf69e156714f

SHA256
dda91a0bf49ec84fc4ba476ba65dc4b7fa24b7253b2ef56c8013445cded9236f

SHA512
4839248b9fda0da8d63dadc2cf60aebc98cb77141c1bab992fbc03b85521fb87f2c77043ae148689979fd653835516db4a113ce5fa2e114ec455ac20e03b7fdd

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
117KB

MD5
9056d267353723ea0293312afa30294f

SHA1
0410fff33c62e4acccc8181050f3a4ee3448099b

SHA256
e973bba1423f1b9a22bf9711530adec76ce02d0acbf4f9310dbe3d5c7f2ed441

SHA512
2592c872d2e374fbb6c229f65e88efd2f86b6203d8ace2f1cc7164dab051187ee748a72cd5d1297ce5e41b426442903f90cdd9ffd31c315385fabe7354411727

Download Submit
C:\Windows\SysWOW64\Dfqnol32.dll

Filesize
7KB

MD5
ab60b4ae079e27810de18a915673d5a6

SHA1
6b79b626b05ab72bf99cb6e7421cb08a3af2fa17

SHA256
c24128b22ab2f56ab6bd4a7053f353b78c532a78d12c6d66a15a9ca8095c4f01

SHA512
2d2fa2f007677a4a6314b9f9a673731fc35dbbd064e576e2c563370e6b060c42974bbb79dfc6e6ccfc503087e1066ed65071941493c886a8087dce3f8e274a1a

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
117KB

MD5
9820ef5cebfb989c321cbfcf254afb8f

SHA1
fc442890d68ca9027687d3faa54d60b00825db13

SHA256
1279588f1db1f4d8d40f4ddd7ca0a2ee23d4064d66b2519adf2f2b05f47e90d2

SHA512
0bc38aa5abdf8b51f8bb1166eb12159e9ed78af31a6cf076bf59d20e4082eda1c52e8f84c626f349da4548cd4a38a186c61cdbe982560fc57d8b67040c25b26a

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
117KB

MD5
0ab9fef7adabd367f4f28881bffe5230

SHA1
f9d0ce8659c8fbd26795d5e4f979ded0b13cefb5

SHA256
da5d456c1c9ec247f489cf9c07b54255b3519ff9c670b9cc54c727fbcff04912

SHA512
988b53cad24971004d9de1f4aa1fe12206525250f8c5df90049c96d6b2a406a6bb4cc5a340fb4c6c570de59f3f7f7bc63431d7a25a536377d8494e70a9249173

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
117KB

MD5
a68963044ad3d079d3fbff76adf8b43c

SHA1
9798bd34478e5677edbb16ce41d1587378d665f3

SHA256
ed53597072be4dc21ee52aab4f6ab519613c6a7bf9a5322a7f709227893bdf85

SHA512
0f54c72475ebdfba21775e9a0c4002632430e36219733dd715717f3866b349ad8deffe6d1501531947a3255fb61c5fd94e9cdeac80ed261e0c79ae5534740eb9

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
117KB

MD5
550cf7a95b9029017d4e2a71856246c9

SHA1
5899c7449ce0a8b9495e73a400cfa4bde91a9c17

SHA256
7105fde51d53b132d70734eb649156a03cb7a1df03ac48d59914479653f616b7

SHA512
30c8968220aca2eb26b5509b92f40f8f2c3b39cff276e2a2a9c31635149b5d960c7bf67023028318d66b9eb589c221a3ec1fbc0d8ba6f145ad0dc87fe6d7a115

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
117KB

MD5
6487c5f12482ac0f50e8654e6bbca5f6

SHA1
a3d0cda0b6512b2856c298d00ccd67cfb1e6c11f

SHA256
29bd5f7cabc19146db4a80afc0066f4b8ae5a7312af845bc147ce1b776040c66

SHA512
b658db7ee1410bf0aac0e31c5628e7721f4f8c2ad5f4561c4038cc733e851de958e3d808e8c018771a7a398b4768fd785c19b2da1a8e7ff53ce274a6debb02ec

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
117KB

MD5
ea05f8929b5250f908d57f172247980d

SHA1
f4f718643c6574867e9f0e791f2b67da5331ef26

SHA256
de6345197ab6cf35851ca68e2ccbcfc877e97390eb54374344d382174c5e0126

SHA512
c44d0b7644d82073c58957d71532e035114b49b094e721455c80643e87a9e9492fa8358ebbc86f4839914c8269428bcbbffa421c1dc1790b5a6dc1aa09c1b3b9

Download Submit
\Windows\SysWOW64\Agjobffl.exe

Filesize
117KB

MD5
bd379ba5d85b49297fe892e15dfac0b7

SHA1
4c586cbbb1c189be6844e47fa573012161592f68

SHA256
b11e319aa257799f3be6e4d83d9cde3890b79d3b67f30c0fe11cfdc2e3a2ebdf

SHA512
d6ac4c790d9a89eb25ae2bde9625bab3ddec43856dc3959eee3c087a7b2030030c48c59e51e5cdde6f46df2591c6da8a168f6bfcd091fcd08ef28bede2fc7c2d

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
117KB

MD5
6818ea5297d4eea4d4ee2d7a084441db

SHA1
5170bb8f229203e35e1acb7784e74e989030d2c8

SHA256
f5c143fab6e99dec32c30c5cbdb7a9a5af24e4e5a800f87272b82704e24cd21e

SHA512
ea78c2c7fe04286578135b7bdeeb2e14a423d3866253eef16195d5fde08280115f6442e709dce8c4ef7be19797557db4c1526aa4d74ef8ceba425e1530c30383

Download Submit
\Windows\SysWOW64\Akabgebj.exe

Filesize
117KB

MD5
533355b9bdcab6930930c537bf5aaf60

SHA1
cc512e0f13b1c09062f0a6760b60a0737feb3b57

SHA256
9856b9df07816dd9540e586847c748417daf1a7d91eed40173ce0c290db13db3

SHA512
a4029d487b8c9468ceb9773cbfa60282cf27e92b3c368f97b36717bb4ff27ebb8a32576d6af1053c757f2012c8b4270493c581c2ad1093302ae793bf2fcb9887

Download Submit
\Windows\SysWOW64\Akfkbd32.exe

Filesize
117KB

MD5
ece6025866e7b5eab5d70c85877b5787

SHA1
fba4181c758a350d21a1372b524ff10375482738

SHA256
d4575c4fd0d88249f034e42c0f0b0689a8f01d52653b2c9e66c99142f767cb02

SHA512
5aef87d470548470df10520f72f00ef49de19b3b350217717675f7155497440711f00127ad710a2e53f164afcd2fe87885a1e44731f7ef21b928c36711d69ee3

Download Submit
\Windows\SysWOW64\Alqnah32.exe

Filesize
117KB

MD5
62c37b4b8a89e2644702c259def65546

SHA1
d3db51f87c0abd23d04214a33807fa71a06f7238

SHA256
0cb9ca7787efee77c56c2d7261fd709c53e0b4a8d056c184302e857645ebe122

SHA512
3bfdf2723a6f8fadafc4def4875fd769f0f6fabd13ea5993108dc605d03144fe268c89aac1f03bd58ea0192dd2b2ea3324dc80ab943613bb695af81014adc9db

Download Submit
\Windows\SysWOW64\Aohdmdoh.exe

Filesize
117KB

MD5
72db497bdaf9511a1131e72ea341f0ab

SHA1
6883494c88bcbbb298303a8f48e32eff32758db8

SHA256
92d1dce6d3cec36b0beaabe307e084cdbbb896c0e54e8e6fa1e512f1f488f9dd

SHA512
e69eec9a3ee53082dd0d236ed6eeb58711c913d82b5a480686f68af28c2e2bb19d39cfc321363bd217f6abc12cf8fe58c0b75cbaf79db3e4d001e861cc6c11a4

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
117KB

MD5
f5c0ef14417bb9652833ac7c4652524e

SHA1
4b8efe48be63a74149022a6da2f212a36b876af5

SHA256
8f565c25d17f8f59c34f458df41394ebf1d20785ff4f9bf29db66b352118a095

SHA512
a196ecab20834d8f8560b1efc8b1e0a96c8fb90890235dc305ab74136cdb5fff31a8d9ca646a1c39202ca111b72a48f2558c249f71bb9dfd094f8d6e0e0a5815

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
117KB

MD5
69b3fd5464ebd8f502c37613237f452e

SHA1
3fd87a8de9ae27b1611ec082b3fc85e1ce4edb88

SHA256
8373e8353c3e0e4a085e0f54505eb6f91f3fdbdde9a2dd235d8aebfaa4a82e1f

SHA512
b459e66ce18956deda4433e4af8255861215137d1abc5ed47804251e6f37960e51a2c9c087574918e0ab1175d3843b131bf5b2149ddacdcf13ff39a6d35c9169

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
117KB

MD5
9374b0ee2c3aa7dcb9ca9471b0706da5

SHA1
f512fcc894dd16e46a9b4534fea550a1d394a6cf

SHA256
59341aa7aaf954e11ec3ef38a35bd0385f5228f7bd2a6cace04e4c713286066b

SHA512
e42cf38c9ed602e8e04d4bd8ab448b70e9a049248ba07d7621c3a54fcc546708b3c68caeede7dc9240fcbc6b19e94acbfcfcf663c78d0d7bace7f84edede8d48

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
117KB

MD5
7ff6fc1589872f7578c8d654e5033e24

SHA1
cfcce6fd8f54e96c4fcedf1c420471dac2fb7807

SHA256
27c0c2996f35489b1bde7e56994098991638c751ac999cd747fb43708d92ec72

SHA512
c3180cb0786508302ecd96e825e09b65258ebaaaa81805cf2ba44b205dd84c1a4938e2124488cf4d0e38d896fc561e3718287e539af429131205c4b0b64861fb

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
117KB

MD5
b4f22cfbb11143d18ecc1dab15d32eb9

SHA1
1f79ace9194856ede08712af3b09652e6f06751b

SHA256
653a242df32f6631f51795845f7cc57615d6bace388e9d5901ce387c14f60fae

SHA512
527805bf98ce30681850905750ca4ed528efaf62fdba3dc6e552163a174125f38363be68fca377e3d4d9b2fbdb00bd186b2b5566e97b29afc49f3be5e03f3ccc

Download Submit
\Windows\SysWOW64\Qnghel32.exe

Filesize
117KB

MD5
a0380cddc3af5212553f822330ca3b35

SHA1
93a4e55c7f5b673a901cf671e902c7860de31ffb

SHA256
dcf1b455976078d7226b5d7bfabb9902dfbad8165950160da9335d71783f319c

SHA512
649bf0d27b80e7db686e1aaaaae99db9e72c3e6552a2bafe65ca62ae944ae66d61adf83be063d9d565323fa965f4e9d8250e293473c8cffff001cc20d4030300

Download Submit
memory/320-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/764-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/792-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/792-145-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/792-478-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/792-477-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1044-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1044-305-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1044-309-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1064-454-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1064-455-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1064-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-442-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1484-443-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1484-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-319-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1588-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-320-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1644-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-419-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1728-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-297-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1728-298-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1756-275-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1756-276-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1756-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-430-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1796-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-168-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2004-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-243-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2004-242-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2084-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-12-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2084-13-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2084-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-350-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2112-479-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2112-468-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-35-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2172-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-330-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/2204-331-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/2312-283-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2312-287-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2312-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2400-222-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2400-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2420-232-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2424-254-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2424-253-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2424-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-399-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2548-394-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2584-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-465-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2584-114-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2636-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-88-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2636-431-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2768-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-265-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2776-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-264-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2804-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-61-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2852-341-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2852-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2852-342-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2860-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-456-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-466-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2900-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-364-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2908-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-365-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/3008-26-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/3008-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-386-0x0000000000390000-0x00000000003D1000-memory.dmp

Filesize
260KB

Download
memory/3032-387-0x0000000000390000-0x00000000003D1000-memory.dmp

Filesize
260KB

Download
memory/3032-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads