berbew | 874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29

Analysis

max time kernel
108s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe
Size

80KB
MD5

90f296d3413637acb246d391fcebe065
SHA1

a575286cc70d0406cbd5ab5d65a69a01de50727c
SHA256

874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29
SHA512

473b23682813394ec5efe87189aac54b6943ec7699e6b25c2bfaa751ce02c04e59b657284f1be40f582aa57d337f86d4f13e0c82d6b785e913e7393a00f70186
SSDEEP

1536:6pPjIwDFGm5NZKt6cmTjXAjhhhhhhhPRS5YMkhohBE8VGh:6tIEFd5mMcmTjQhhhhhhhPR+UAEQGh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4912	Oqfdnhfk.exe
1224	Ocdqjceo.exe
3820	Ogpmjb32.exe
3208	Ofcmfodb.exe
3692	Onjegled.exe
4248	Oqhacgdh.exe
1180	Ocgmpccl.exe
1976	Ogbipa32.exe
4884	Ojaelm32.exe
4100	Pmoahijl.exe
3940	Pdfjifjo.exe
2648	Pgefeajb.exe
2132	Pfhfan32.exe
5020	Pnonbk32.exe
3828	Pqmjog32.exe
1784	Pdifoehl.exe
2024	Pclgkb32.exe
4000	Pjeoglgc.exe
3952	Pnakhkol.exe
3128	Pqpgdfnp.exe
3816	Pcncpbmd.exe
432	Pgioqq32.exe
4060	Pjhlml32.exe
1756	Pmfhig32.exe
2516	Pdmpje32.exe
4340	Pgllfp32.exe
4940	Pjjhbl32.exe
3500	Pmidog32.exe
1288	Pqdqof32.exe
1700	Pdpmpdbd.exe
1552	Pgnilpah.exe
1556	Pjmehkqk.exe
4092	Qnhahj32.exe
1580	Qqfmde32.exe
2464	Qdbiedpa.exe
4836	Qceiaa32.exe
400	Qfcfml32.exe
2556	Qjoankoi.exe
3060	Qmmnjfnl.exe
3776	Qqijje32.exe
1456	Qcgffqei.exe
4328	Qgcbgo32.exe
3972	Ajanck32.exe
868	Anmjcieo.exe
4820	Aqkgpedc.exe
2240	Acjclpcf.exe
4252	Afhohlbj.exe
3124	Ajckij32.exe
3376	Anogiicl.exe
468	Aqncedbp.exe
3000	Aclpap32.exe
1852	Agglboim.exe
4548	Ajfhnjhq.exe
2396	Amddjegd.exe
1232	Aeklkchg.exe
4896	Agjhgngj.exe
2588	Aabmqd32.exe
3444	Aeniabfd.exe
116	Aglemn32.exe
2252	Ajkaii32.exe
3892	Anfmjhmd.exe
4264	Aadifclh.exe
1476	Aepefb32.exe
5128	Agoabn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5932	968	WerFault.exe	210

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 4912	2316	874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe	87
PID 2316 wrote to memory of 4912	2316	874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe	87
PID 2316 wrote to memory of 4912	2316	874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe	87
PID 4912 wrote to memory of 1224	4912	Oqfdnhfk.exe	88
PID 4912 wrote to memory of 1224	4912	Oqfdnhfk.exe	88
PID 4912 wrote to memory of 1224	4912	Oqfdnhfk.exe	88
PID 1224 wrote to memory of 3820	1224	Ocdqjceo.exe	89
PID 1224 wrote to memory of 3820	1224	Ocdqjceo.exe	89
PID 1224 wrote to memory of 3820	1224	Ocdqjceo.exe	89
PID 3820 wrote to memory of 3208	3820	Ogpmjb32.exe	90
PID 3820 wrote to memory of 3208	3820	Ogpmjb32.exe	90
PID 3820 wrote to memory of 3208	3820	Ogpmjb32.exe	90
PID 3208 wrote to memory of 3692	3208	Ofcmfodb.exe	91
PID 3208 wrote to memory of 3692	3208	Ofcmfodb.exe	91
PID 3208 wrote to memory of 3692	3208	Ofcmfodb.exe	91
PID 3692 wrote to memory of 4248	3692	Onjegled.exe	92
PID 3692 wrote to memory of 4248	3692	Onjegled.exe	92
PID 3692 wrote to memory of 4248	3692	Onjegled.exe	92
PID 4248 wrote to memory of 1180	4248	Oqhacgdh.exe	93
PID 4248 wrote to memory of 1180	4248	Oqhacgdh.exe	93
PID 4248 wrote to memory of 1180	4248	Oqhacgdh.exe	93
PID 1180 wrote to memory of 1976	1180	Ocgmpccl.exe	94
PID 1180 wrote to memory of 1976	1180	Ocgmpccl.exe	94
PID 1180 wrote to memory of 1976	1180	Ocgmpccl.exe	94
PID 1976 wrote to memory of 4884	1976	Ogbipa32.exe	95
PID 1976 wrote to memory of 4884	1976	Ogbipa32.exe	95
PID 1976 wrote to memory of 4884	1976	Ogbipa32.exe	95
PID 4884 wrote to memory of 4100	4884	Ojaelm32.exe	96
PID 4884 wrote to memory of 4100	4884	Ojaelm32.exe	96
PID 4884 wrote to memory of 4100	4884	Ojaelm32.exe	96
PID 4100 wrote to memory of 3940	4100	Pmoahijl.exe	97
PID 4100 wrote to memory of 3940	4100	Pmoahijl.exe	97
PID 4100 wrote to memory of 3940	4100	Pmoahijl.exe	97
PID 3940 wrote to memory of 2648	3940	Pdfjifjo.exe	98
PID 3940 wrote to memory of 2648	3940	Pdfjifjo.exe	98
PID 3940 wrote to memory of 2648	3940	Pdfjifjo.exe	98
PID 2648 wrote to memory of 2132	2648	Pgefeajb.exe	99
PID 2648 wrote to memory of 2132	2648	Pgefeajb.exe	99
PID 2648 wrote to memory of 2132	2648	Pgefeajb.exe	99
PID 2132 wrote to memory of 5020	2132	Pfhfan32.exe	100
PID 2132 wrote to memory of 5020	2132	Pfhfan32.exe	100
PID 2132 wrote to memory of 5020	2132	Pfhfan32.exe	100
PID 5020 wrote to memory of 3828	5020	Pnonbk32.exe	101
PID 5020 wrote to memory of 3828	5020	Pnonbk32.exe	101
PID 5020 wrote to memory of 3828	5020	Pnonbk32.exe	101
PID 3828 wrote to memory of 1784	3828	Pqmjog32.exe	102
PID 3828 wrote to memory of 1784	3828	Pqmjog32.exe	102
PID 3828 wrote to memory of 1784	3828	Pqmjog32.exe	102
PID 1784 wrote to memory of 2024	1784	Pdifoehl.exe	103
PID 1784 wrote to memory of 2024	1784	Pdifoehl.exe	103
PID 1784 wrote to memory of 2024	1784	Pdifoehl.exe	103
PID 2024 wrote to memory of 4000	2024	Pclgkb32.exe	104
PID 2024 wrote to memory of 4000	2024	Pclgkb32.exe	104
PID 2024 wrote to memory of 4000	2024	Pclgkb32.exe	104
PID 4000 wrote to memory of 3952	4000	Pjeoglgc.exe	105
PID 4000 wrote to memory of 3952	4000	Pjeoglgc.exe	105
PID 4000 wrote to memory of 3952	4000	Pjeoglgc.exe	105
PID 3952 wrote to memory of 3128	3952	Pnakhkol.exe	106
PID 3952 wrote to memory of 3128	3952	Pnakhkol.exe	106
PID 3952 wrote to memory of 3128	3952	Pnakhkol.exe	106
PID 3128 wrote to memory of 3816	3128	Pqpgdfnp.exe	107
PID 3128 wrote to memory of 3816	3128	Pqpgdfnp.exe	107
PID 3128 wrote to memory of 3816	3128	Pqpgdfnp.exe	107
PID 3816 wrote to memory of 432	3816	Pcncpbmd.exe	108

C:\Users\Admin\AppData\Local\Temp\874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe
"C:\Users\Admin\AppData\Local\Temp\874bd8963d927171a0609d44767eeacdca6b844104ee9502cd9c36e7332d2f29.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\Ocdqjceo.exe
    C:\Windows\system32\Ocdqjceo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\Ogpmjb32.exe
      C:\Windows\system32\Ogpmjb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
      - C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        38⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        46⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        84⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        87⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        92⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2412
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        97⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        98⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        100⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        103⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        118⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        120⤵
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        122⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 228
        125⤵
        Program crash
        
        PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 968 -ip 968
1⤵
PID:5816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5784

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
80KB

MD5
a65cab6f9f1d33fb02a0ef9a1aeaa8f5

SHA1
9c054a05193cbca0ce9d5f538f5e42e9e75fc272

SHA256
9e6792da5a2d42c3ba60a44164c00b2486547e3a296909dae471a778b019769f

SHA512
fc1fbf7c44cd680263161f8d87b4b3a641b4ea68258d61603d7f08ebd62c73756e8e9e51e386866e34ea2a9863fffabccda5fc6c49e96044f79d61d494e14997

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
80KB

MD5
10ee839fe65ea5929e8dbdca55273cc1

SHA1
8264b08bde50a751f7bd6e4631ee0e7b49217dcc

SHA256
2a83722c23353abde77d65a5ef902943ba72926365968d982e906e0703627dce

SHA512
05c19628957de4f076ef7d3c1bfe7c8c9d43af5614fe7ea908e8db07f1830718593dc39a1a0c74f65a84a9cf9892c9309540cc1c975791117d1bb36112b9aacd

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
80KB

MD5
2eef07bfadc30fb161bb93b49ee5836e

SHA1
cede53acb7a8716e47cfb4e1ceb91bde3960cc48

SHA256
6c34d73b7ec9efb0991c368c25646728123af280441d65cdfdcab2ccd79bd4cd

SHA512
5f793b422a556eca33ea86df26178b20664e2884a22d70a623b8e76cead843324e52afcb232bd087976a1b6042ba16c74aa0780aff276a9488e71c51608742e3

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
80KB

MD5
3a14e1ce28fa67ad8b7fc4408d81345b

SHA1
6b85865e682ab88e37238d65e07ee26e18d9902a

SHA256
2990650598f931456350940d16b513c082a2b59e4825295e3309d9711a083a3a

SHA512
f916a65e097e81a2967c3f79b0e06503ee0a58117cab7ab55270484ad77e7a68ace1e0b13b110a9626d91a5057a09b09f58ea2ad042c36924ba0dffbc4ab7aa3

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
80KB

MD5
f58d404776ba2af7466f1c834457b782

SHA1
b964d93aa1ab043c7283c38bdb22857e35eb9e43

SHA256
1fffd03c1794b41ae12d40344af3a354b78c52d9123a6ce04695600b9039f500

SHA512
a0d04457633fc502a5d6654144ec0966106b2640a26e284344859d80f5823e7db15f2f53951dfbf6976f7228f4f72356885afa2f32bf23b22c20c57baf98ff7b

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
80KB

MD5
c105f9f41d9762b296cd6c6b5339bed0

SHA1
76a5055440a1f14984654c81ddb05f39208d1a62

SHA256
52194237b0ffa1514c835f1fd9f2c104848fdf1e25876dc56dffce03fad9f59f

SHA512
66d34639c04f015bfdec68ffbfb24eb55b8b0ecbd6962d4c9cc65e8b38730c43a0a55920b39332f3c4af47798f7417882fa930b8100dda714d109279f9f51fe0

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
80KB

MD5
8838c7747c9b261dd2c74811af9c2f89

SHA1
0d4a0235266e24f8e24fd8501e6e95ded00c48aa

SHA256
1f3f52fc1dec51d50b3f390b074e1dced3a09023f11dafcf3d58426217b5f2c0

SHA512
9c2f9b5e827716bebbf09fda964f3b96a2823b07cd579b336b77dd76b410297bd0ea33f3518cd4beee15d97422e0a0fd98fd8d3a231cb88bbca6d9467b59a523

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
80KB

MD5
20f7d4cc34246c3d5820af50e7a1d4d4

SHA1
9af6fb75b30a101b524f756120ccce9c501f2914

SHA256
c184ed4520217f619eeaac3901cfb5b54c1bf2983abd91f4a36feb73079e5033

SHA512
78ab325ea440170f9f7f800f8e5b8a3f0f1afb95188e8bc6caa3290c64157f1530f89f7fd28947cc42ab7124b00a0e96d04940f681e62709597cdfe56e3ebd98

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
24122e619008443d712275e2289328c2

SHA1
45dd9423214d4b934cb1a4f72f12812b0329311b

SHA256
d3b6134bb92e257869698508b8a9e0adbcadc8a727842de46fa45e6e12c6ad91

SHA512
bfd235d5c13a174a83d34c3d0450b5f5d083c0884c697e6f085493d187d358710c7c9f3cf1da886ebeab965d87833c7af4e671b0d99c22b43d505e2548c4122c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
80KB

MD5
fe4c53f60e80bccf5f9a07769fd2f591

SHA1
e1107c5ad87833699c9d0da8042b7cb17a8405e5

SHA256
cb07af577eac0bca57700165de5cbb9093f18ad99ce2be8bef138bb2b6b76878

SHA512
c650e16f3a8a1868046a77508d3e169ee8457a30124d4c41c244f629bdb782cb73e941c73d34f613bd7bb16b913652f306fb67f81ba88fa4035cc739df0926b1

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
80KB

MD5
0619736ffc9d69082c5a10de670207e3

SHA1
3213a161067f22ba04944dc3739082766584ed60

SHA256
5796c2c712b01a15d7befadb2dbcde6b11fec47690362cf51e897dd836a0db72

SHA512
5840e4a3239ab250af8d8e81c0508f5a7e0ac9cfd8c99542acdc108795c1050a06c472961d5aad7bbd4b3ae5553d8f399062db54ee4af3efbec9f582ed1d2a9f

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
80KB

MD5
6c5bd9c7f269d59cf86abdfd18934d50

SHA1
ca2728c9cb547b7077689a2a762d7f8b7778a539

SHA256
048c45d8bad09d3c523fac0146c55d5743b09f9727c3093e4e4023433d6cb31d

SHA512
ca82ad04dfb850e09aa67b16dcc362dfc5a8e65372e1a710fb08f79247763ddec4f9374f83a24e9d58da1b8e78ba0f3c823cb1f6a9d19f42ac7a8eec4e534e0b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
34a3b5f4da60a8d1da5d01062e5399ab

SHA1
e60494970401c87bf7a00386bb6518896b16fc4a

SHA256
f842a6b456861c3a36c117d63d5edccb51201e434ac632a8372aa756f6e90eb4

SHA512
9455b7ebf4219324dc516304a9a2203b3739eed611926c416150550921c7c5a836126cf4078f18b3dcc94261c14b9d4021b79f394b0ecfbcc5c19ad3c99e02fe

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
80KB

MD5
ae5c80db4571e67649ad8bd40c96da1f

SHA1
53aab9f6d7679ffc3a8223eeecfbb1b82d265e6c

SHA256
bd4c62263142d2ba353cb3b94364cc8d0bb31568b542b4156103d856d8b242e5

SHA512
9fc2923c76ca8304c6bde7aaed95e5d9054b9133ed3a6ef13b884113c83bd95cdf5d9c0ac1326f8e8748fdc399c91db0439f3fcbfe68a92080f6134c645efed4

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
80KB

MD5
4d3489d992277a018a587678027a4812

SHA1
77b2e1f3011fca38d0c3972df529716a3a125b85

SHA256
f5042fb57a17a1749bed856c265a9f1a3ce48f862a4507131c9a08b51ebd685e

SHA512
9e143c974d3c5ae67366d12f8992824beae09ba590d8b44cd6a0094fdde9d3be3f3f7fe20809c46a4dbc1ff4ad45be23ff6ecbad59658c544618791a024010d2

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
80KB

MD5
23582d2524f17d8f24383577820380aa

SHA1
d1d59d72a18286929ccdb07958f9f5ce102c90a2

SHA256
1c561256f43105f08fa06a77feeb33ad50467cc8514d8351a8af77fe02ffa169

SHA512
8633e4aae5b736a862d8ed40e39b8dbd16b597f9921ed07c9da41def46079dd2d41186f9c6a8c0937ec51fb1b76cdcd3f1eb2f94e8a066e0a36560ff828c11e9

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
80KB

MD5
41bcc4ad5fb112b9179f94036bf30c3a

SHA1
2be652ae1f987650b6cb1b895f518ffbcc14c353

SHA256
acc4ec7c6280ef7a0ebc6d0aa7adc3012ea8654bba7a2f1c567b319277538719

SHA512
55bc25d35844df17bbdc0c55b0d297048fc9c609a1452331ccfff0c71bfcc11ba68cbbfd6c4a0bd0671ed5dc137ec7849a600d22188683f5740e8f946f620508

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
80KB

MD5
33a2d923877c023ae0d11b3e232e7fd0

SHA1
eba061f6a73903e28ebae0d5be3b2decb46295e8

SHA256
7f6d2b7463be7bdbeab29a067d8a9f03ded1de4892669bf7d5697dfb1e27159f

SHA512
f00551b8332289b264535f7fde8fb7c33fc704d73101f08efeae276240a75380ac1d44c2b167dca81361714a498a001192054321a1c0aa3b846fdf3a383c7ce5

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
80KB

MD5
f7ce4132252ef731732cb62e9d27d0f8

SHA1
58cb9c60df9dd334fb19724166c25cd9a5d9c046

SHA256
4865815df73cdd6ab71ab0bbf98d7cba9567a4359a9f534c8a3190604754ac81

SHA512
f870ba9d291005c2557eea4718647facff8b6174690867db5d4fb10f06343813e294fcd4b7ad33140edd19118d343215d5508064fecef665d263e69bfb78cc3d

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
80KB

MD5
2502c9133438d3d602e3bfa3aaa490a3

SHA1
dbebd0c818343fc3c018f0c5f95ca77459c0970e

SHA256
70fb25222dd1d385ac1fe9811fae48bbacf37d576866e2e75544c64fb010d13b

SHA512
24f1bd50ca4a629664733d19ba94f7092953733c47f539951b6cc18baef90ab57f4d809882ad5e80111ad1d3604d724b8d088b4c407a3dbf6984f070fc4b282d

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
80KB

MD5
8a58a8b353ca25b5ee404bd11eb20a46

SHA1
447a80b09360c4d946be8c8692b2f7b4f368576f

SHA256
db5af234d53b753d4e205315e643fde0920c65b17c11e07355f118eabb31b3c1

SHA512
b171874f3670ff58ed3075ab3363d8cc8d58e99169dc54516cfe4d89050bd8ee7d3d636a035ee5ac33a0fe3be23a634f76a8ee23ae9cce01b1eef33d7960f108

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
80KB

MD5
3198fd4ac645297c3b3a82b08fc44fbe

SHA1
f35ffefa73b897715563e48aa86b70b69a163154

SHA256
56924eab399b9508f4e1ac3a1c9846ec0199f96748c7c8c5c6e48df898f32088

SHA512
d2609b214a9924289c3dce994c5ad45c9b704f33267943a68a2e10a0efe1c215070c41cf1b5989ee0e45e26376dcd78a28e651ac18f41ea48f974e888cbdb206

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
80KB

MD5
c264f7faa9eae6fc6de0e19c10cbd670

SHA1
ec01c9017f09020006dc22de8db48206599df015

SHA256
cf411541f141a2fa4aa383d983f5034613bcae8c633422ebcec7150264631582

SHA512
be85d65c12cce3b8b78a028b04b46a92cc4074833ecd468358d0ec9b5f5bb4dfe56754f04242038b5a9d58f27b86fcd3fc5a610caf559799559405065e5240e3

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
80KB

MD5
d7d54022a9d167cc91861add70328eac

SHA1
6af562836eb5c37e4fa0c18d8f1e0db822f2f6af

SHA256
e4f78e433df755901bdb59315e6cfd94f92e3180caa989fd0e22ed0194a026af

SHA512
f5b267fe82293cb2d8ddefadb55576d03b0d3aba457a20ed4db84bee5b0a8385726bcb751fbd9746da9478854714730457da1497a62c9946a2978911f83d1b75

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
80KB

MD5
e59c70e9c092f19b315f93c37ab3d9dc

SHA1
53025f9022b643d284051eba56612cf40670e443

SHA256
79deb457cc6c868e218cc69152ec612cfdbfc13d4dea42eeed34fcba48d1005e

SHA512
2cb2a8c1bf6d91a89dc8e03a4d38b422a5228e07a405788c2005581ce4c32e677723aba67dcf81421ddab50310e46d1563e0636767af7d6aaad5b564c9174be0

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
80KB

MD5
ca214fa118ed0ae155b11b3b245ad7ca

SHA1
8ff77e7defdd7a0906df4e08ec4241981b911623

SHA256
6811b3e6fbbbc9211f9af20626fed62023019d89ad187cbcfd718a262e339371

SHA512
8b168ac480278af2f72861a747dd1941a2aaa872d88fc57d3e8c8367d97039fed837d24e6eca9fa4295ad6e5bd551c784e80c78a28bb5a3f13de0c9704eec86b

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
80KB

MD5
2399316ae1d975b47a258124296a6f6f

SHA1
89d7305938b66805ca99063ab0a93ba1e70f97c8

SHA256
ec6a10cda39b720ab3cd3dd89748313236209761993cc95352f582361fc56244

SHA512
48d0cfa5c4dbba49538fe6a620c334bd0bf28f9ecf3c3377b2f89f32a2fad378bd1b9ff9b24b4223f90901d2050e9826e0e52ffca6770b331113851b185840b1

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
80KB

MD5
bc0f2631a6bacedd0023424d4f526868

SHA1
80172c515f09664021d9b39219363aa9e916af74

SHA256
ca0a60d2cad986147e395b3e9d70718c610dfe35db081fa97e9d7454b045f672

SHA512
4ef5f505e81a4340c6c2cf093787eeb6549796e1b327bba8af0bc0f545def9ea6ca546a1a3f5f60eaf9357fe9e132d05bf87c6d7863e4ab2d5dc6ca7f0c4fc8b

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
80KB

MD5
90a1904734b1ed1212efe9a6dec69d62

SHA1
be7e7348f9870663711603225538bbb448b14126

SHA256
bf0e534f271619113ebd595146b7c987e4cb3210b41469305226f7c7ffe78788

SHA512
c01c2ae61eae531ecf3539b4ed836e9d1de929a9c605f1784a92337b1bafc51a231db388a26108bc8062928cf44e61c2d08a04d062d2bb4db36e24abefe47071

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
80KB

MD5
e5b760818b86dea0a8ba43b2fee5a497

SHA1
4d87f05586564863bc008dff54a177779b543a79

SHA256
86f7496a49ec9eb6de6fccd715ebefbd2b51cc982f4fa3cd3b7a4bd93f8db550

SHA512
57090c09aa280bdb6613a2f0791321ff9412660bca87602d207db367937474b38c97d93bd5506f8944014f84558b90ca2fa8b7a57b5d22ba9fd9fd262a557865

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
80KB

MD5
2188effd2d6c79d002b968b6c71ceb6a

SHA1
a3a30b853305d1233a052fc4f19a7666d77c4780

SHA256
3c1bec22acc2b870e6b8751a6e406ddbbd8d143e9ce2204d58acd08e2c756928

SHA512
19870fb011771120dfe5d0cb73e15a47cd2e7073319396c83434adbf1331bee629595573bae428bb40b58ffe60abf8a9c97c67a9364cd46c99aec78dc5890efe

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
80KB

MD5
ebffc98ad805d2fffc08ea940e22281c

SHA1
c735f4b851866b20b9d48c3035d7466119e4bd42

SHA256
601a9b4d71d8b5121f134c3983404569d25c038a405b7f157cb2d8127597e045

SHA512
f97b9d32927442c3e55be7a6e4966ef01bbe99a133995aaf4313e8989990da62d93ad102615703ce918db095e267e3668246613ed5046dc1b1733aef69f6a899

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
80KB

MD5
6193cf54073216e3178528854435a2fa

SHA1
113ee63618c4e34aeed409e94108f0c3d0208b9a

SHA256
b04f772e5e57d499f72aca04f60fc0db555baff9600be44a1ece7cd315badcc3

SHA512
0d90f2162f261dcaee98d34ac823eba0798fbb557a6cad99aebbbd4c35c4600163dfa47771e99d5de5d555c3ec2abca74bd3fd19af5104285b3267c6007f7b8b

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
80KB

MD5
e8ad87a147ef82b5babaf0876772a012

SHA1
152f721b45944cdd47bd569659864e72e223009b

SHA256
48a6106065c1d5278de2305f4d4a4b9adae22ad567b9e04d1e3deaa2aee0b58f

SHA512
0c05b007c5f7e15633318c699d931eb4c7ec5dc70794f2de6a37b39ab54cc97c80be4fe173cefb1e004e34d8ecff7077ad39d64fe7da252662ba201186241bed

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
80KB

MD5
d77b3ace8aa1a27a2f6171d951123bf8

SHA1
70134ba8875ee75eed496ff932e92d4eea153f1e

SHA256
91d09db816fc43795bda88ed4782d9af6c050a07de28c75b681239541a6f8fe9

SHA512
e836a704b144e95e3dd069f6f750e68ef3faadebde35b800db05b971c86bbc0f1f47327fe1041ac8830322f4a8a730faa57dc500b7701d6bed58550ab2b5b272

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
eedeb9f92ec75e8c8b435a180d2fe9b9

SHA1
0013c26f61d76da273ac51bd610471722f0c63e9

SHA256
645a472bca94e7301610c3758135f13be3cb9a59f8d7bde7b0555b4375baa6fd

SHA512
a335401ee27bf8ced07dea89178eb58703bae15e63a1e390f270178c20e0e8a2afff5d11ef1b92afd511ff884d54d91868cdadeddaee48dbe9e8a2976ee92da6

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
80KB

MD5
6bf84b01aa22e02ad3422d427d541b77

SHA1
77b5c6351a7ce01108ed7d409db4744cc260fe10

SHA256
b1347494fde766bdf7f199ea208c5e348483740c300ad7a6f11907d58a8266b2

SHA512
25b88af5928a6d850194257ecc9beebea6a8487ab080de1d6eeb269da66571dd3b5ad474a937a87becf7e97be629bb5f4dc57b11f087e92102f41c0f432c0948

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
80KB

MD5
c99dc13f93095f717ecd0ee29e051f53

SHA1
83c4fac47de4ec856e6636325b4673d1f592cb0b

SHA256
e4581444a147f91f0730f4f76794c751171550e2b28197c0c3d0e0fcff89f646

SHA512
9e25a2a0c2ac44f200d02d9acd8ac3051b2920bebfe79a5bedf81055bf3575913b24ef2096539f43824a4203552d5fab905a034b4c75b787b5c1d170d73245b5

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
80KB

MD5
50ac79cbc899674dcceebf5fb35b0903

SHA1
763157663bd94b4791a0cca0f88470fccea5aced

SHA256
754938cdf531d4765e01ed47b8456333ba0f1f9691a20a8785e731bed09d6189

SHA512
f4950e19181932edc1fd7f7fccb30d3d638bac0e3060d97afcf62189808b5fea0ea929ba8463fb8ebb888737643ddcc6f910c70fd5e14e0dc649d0423e51e021

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
80KB

MD5
02899cce880159805e308e1a3d740e48

SHA1
a1561d6a9e70d80ea1be3704e73ce5a4124e76ca

SHA256
e1c0aaa1b5a0ded15f4fe315595ec81ea8b85452469820e30fef52de0448a5e2

SHA512
65a3a2ec5900ee86cebfafeb604bc171024c7f11b3802df6247ecad2da7e27c91a0694d237bfaa58eb07a067cd019798c724f7349ff7943aa02b1b610323f097

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
80KB

MD5
b820ee1de0086fda89a61b3a8d92a848

SHA1
d4a925a6f9a7a7faf7457d6e9f814913fb0c02ae

SHA256
546012ade78707217fb869ab5ae66621ff1f9d401cf38a3a5ef40747476ccb36

SHA512
7c625476c1bb88b8299eb7533e5b7237fdaaa85caaa36263fcc229f798310c3206242de37daede4faed642af4a9ca98accc5a726fb7a2f3f1245221474c752b8

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
a4507605c948188aab45744ba54b1a59

SHA1
be4f799047dfaaaee4e80ea24a6533f40deb3ab9

SHA256
181e15e742523ac6702d6d81aedb4f68b0001b9a9e613ab2dae773ce8dd0a678

SHA512
5cd2240539edb06008c1b0827b21a00a0bf21483bcc255c2f829a1c19753919a39687314ab4fe5bccc4adcb84ac90237f65ce84d624925ccf329c201c5cf3317

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
80KB

MD5
9f9d71726b7e4a511fa181fcec97b421

SHA1
ce4e94d599525f0a5235505a39096424433e3a59

SHA256
e0d1648990d0e9cc702606b247ba026afd33d3426498d7668d6efb59425ecae5

SHA512
d00b2c801849ef7ca278c4d4326232af17f2d4c3f808a3e090a863e1398b528ba8c66091178290c194d3ea54bb9fb83f2a60e6cd368103587067a9e1ad186b60

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
80KB

MD5
eb60b821ed36035869b4b8e797dc1177

SHA1
2b2987c8149834b909ca4c9b5a63e920acd9c8a8

SHA256
84950414bc6a8c0ddc6667c335707138d511ee32d984a978531d1de73a7d2407

SHA512
fd8f03be64e47e6a0cddd97338141192b3111bd053459210800ca50906e55e2301c3799a09c5a94cba9778b026a9c6d2c46ac915fb9fffa8c6eb0868241cfd3f

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
80KB

MD5
41701dc2e78cd72af1348f04dd84ec68

SHA1
b242c850f91f75a3dcacfcf232d892a55274330e

SHA256
9a4659cd90141949933699b850778c50361d01cf67eab7f16aa5c56ca09eebde

SHA512
01d6428e11082424a852e2b736040354514331adb5e36bb780fa1b3a9c912713e7f405a24f1fb1d52ac2abd987caa78e5aa85672190f6ab7350c103580e87229

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
80KB

MD5
3e5e25064281f2e662e0efa0448a395e

SHA1
688c53fc1e0f93b7b4352555f915e4e6cc82122e

SHA256
651c29a4e82938878fa2e99f813ec85e8a27a8c71c3f9f6451f1f4dc1a2cc474

SHA512
c55b49df66ac71bd459e4626b6b7a9bae6b9a68c8433b37c1da250c016ef7edd483cacca6508d356a84905142a4950d8e62079d77b820352e3fe884d1bfe8984

Download Submit
memory/116-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1180-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1180-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1456-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1552-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1852-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3124-356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3128-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3444-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3500-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3776-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3816-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3892-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4060-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4248-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4248-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4884-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5128-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5168-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5192-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5208-463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5248-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5284-598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5328-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5368-484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5408-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5448-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5492-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5536-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5576-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-524-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5660-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5704-532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5744-538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5912-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5960-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6008-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6056-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6100-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads