berbew | 50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe
Size

96KB
MD5

ba5b2bf303e4ba160f9596973b490ae0
SHA1

9e40077a88fe86b39232a6448021362769aa9f8b
SHA256

50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4
SHA512

e90f725c8d61787eabf93e439cc27c1a35f17b54c7ee34b25132935bcefc9387de1a4b11939e781e88e4c147407d2bdea290cb2502b5067d364f96bada75834c
SSDEEP

1536:OM7VIebwp+dOlCQT/5TmGeEWe073+jz0cZ44E:OCVIPplt/5zdWb/i/E

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2452	Pojecajj.exe
2288	Paiaplin.exe
1908	Pplaki32.exe
2756	Ppnnai32.exe
2672	Pghfnc32.exe
2720	Pnbojmmp.exe
1628	Qppkfhlc.exe
580	Qkfocaki.exe
768	Qndkpmkm.exe
2716	Qpbglhjq.exe
1208	Qgmpibam.exe
1648	Qjklenpa.exe
1944	Apedah32.exe
1536	Aebmjo32.exe
2416	Ahpifj32.exe
1600	Apgagg32.exe
1748	Acfmcc32.exe
1296	Afdiondb.exe
1684	Ahbekjcf.exe
904	Alnalh32.exe
956	Achjibcl.exe
1756	Aakjdo32.exe
704	Ahebaiac.exe
3024	Alqnah32.exe
2944	Abmgjo32.exe
1508	Adlcfjgh.exe
2340	Agjobffl.exe
2632	Akfkbd32.exe
2744	Adnpkjde.exe
2668	Bkhhhd32.exe
2908	Bqeqqk32.exe
2596	Bccmmf32.exe
584	Bniajoic.exe
376	Bqgmfkhg.exe
1936	Bgaebe32.exe
2060	Bfdenafn.exe
536	Bqijljfd.exe
2856	Boljgg32.exe
2880	Bjbndpmd.exe
2116	Bmpkqklh.exe
2168	Bcjcme32.exe
1188	Bbmcibjp.exe
1304	Bfioia32.exe
1660	Bjdkjpkb.exe
1864	Bmbgfkje.exe
1484	Bkegah32.exe
2384	Cenljmgq.exe
2104	Cmedlk32.exe
2068	Cmedlk32.exe
2300	Cocphf32.exe
2252	Cfmhdpnc.exe
3060	Cepipm32.exe
2796	Cileqlmg.exe
2836	Ckjamgmk.exe
2572	Cpfmmf32.exe
2308	Cbdiia32.exe
772	Cebeem32.exe
2296	Cgaaah32.exe
1556	Ckmnbg32.exe
2860	Cnkjnb32.exe
2364	Caifjn32.exe
1568	Cchbgi32.exe
2940	Clojhf32.exe
1192	Cmpgpond.exe

Loads dropped DLL 64 IoCs

pid	Process
2816	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe
2816	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe
2452	Pojecajj.exe
2452	Pojecajj.exe
2288	Paiaplin.exe
2288	Paiaplin.exe
1908	Pplaki32.exe
1908	Pplaki32.exe
2756	Ppnnai32.exe
2756	Ppnnai32.exe
2672	Pghfnc32.exe
2672	Pghfnc32.exe
2720	Pnbojmmp.exe
2720	Pnbojmmp.exe
1628	Qppkfhlc.exe
1628	Qppkfhlc.exe
580	Qkfocaki.exe
580	Qkfocaki.exe
768	Qndkpmkm.exe
768	Qndkpmkm.exe
2716	Qpbglhjq.exe
2716	Qpbglhjq.exe
1208	Qgmpibam.exe
1208	Qgmpibam.exe
1648	Qjklenpa.exe
1648	Qjklenpa.exe
1944	Apedah32.exe
1944	Apedah32.exe
1536	Aebmjo32.exe
1536	Aebmjo32.exe
2416	Ahpifj32.exe
2416	Ahpifj32.exe
1600	Apgagg32.exe
1600	Apgagg32.exe
1748	Acfmcc32.exe
1748	Acfmcc32.exe
1296	Afdiondb.exe
1296	Afdiondb.exe
1684	Ahbekjcf.exe
1684	Ahbekjcf.exe
904	Alnalh32.exe
904	Alnalh32.exe
956	Achjibcl.exe
956	Achjibcl.exe
1756	Aakjdo32.exe
1756	Aakjdo32.exe
704	Ahebaiac.exe
704	Ahebaiac.exe
3024	Alqnah32.exe
3024	Alqnah32.exe
2944	Abmgjo32.exe
2944	Abmgjo32.exe
1508	Adlcfjgh.exe
1508	Adlcfjgh.exe
2340	Agjobffl.exe
2340	Agjobffl.exe
2632	Akfkbd32.exe
2632	Akfkbd32.exe
2744	Adnpkjde.exe
2744	Adnpkjde.exe
2668	Bkhhhd32.exe
2668	Bkhhhd32.exe
2908	Bqeqqk32.exe
2908	Bqeqqk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Aakjdo32.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Pnbojmmp.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pplaki32.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Afdiondb.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Paiaplin.exe
File opened for modification	C:\Windows\SysWOW64\Qppkfhlc.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Acfmcc32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Paiaplin.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	Paiaplin.exe
File created	C:\Windows\SysWOW64\Incjbkig.dll	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Ppnnai32.exe	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bqgmfkhg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	1884	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paiaplin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2452	2816	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe	31
PID 2816 wrote to memory of 2452	2816	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe	31
PID 2816 wrote to memory of 2452	2816	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe	31
PID 2816 wrote to memory of 2452	2816	50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe	31
PID 2452 wrote to memory of 2288	2452	Pojecajj.exe	32
PID 2452 wrote to memory of 2288	2452	Pojecajj.exe	32
PID 2452 wrote to memory of 2288	2452	Pojecajj.exe	32
PID 2452 wrote to memory of 2288	2452	Pojecajj.exe	32
PID 2288 wrote to memory of 1908	2288	Paiaplin.exe	33
PID 2288 wrote to memory of 1908	2288	Paiaplin.exe	33
PID 2288 wrote to memory of 1908	2288	Paiaplin.exe	33
PID 2288 wrote to memory of 1908	2288	Paiaplin.exe	33
PID 1908 wrote to memory of 2756	1908	Pplaki32.exe	34
PID 1908 wrote to memory of 2756	1908	Pplaki32.exe	34
PID 1908 wrote to memory of 2756	1908	Pplaki32.exe	34
PID 1908 wrote to memory of 2756	1908	Pplaki32.exe	34
PID 2756 wrote to memory of 2672	2756	Ppnnai32.exe	35
PID 2756 wrote to memory of 2672	2756	Ppnnai32.exe	35
PID 2756 wrote to memory of 2672	2756	Ppnnai32.exe	35
PID 2756 wrote to memory of 2672	2756	Ppnnai32.exe	35
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2672 wrote to memory of 2720	2672	Pghfnc32.exe	36
PID 2720 wrote to memory of 1628	2720	Pnbojmmp.exe	37
PID 2720 wrote to memory of 1628	2720	Pnbojmmp.exe	37
PID 2720 wrote to memory of 1628	2720	Pnbojmmp.exe	37
PID 2720 wrote to memory of 1628	2720	Pnbojmmp.exe	37
PID 1628 wrote to memory of 580	1628	Qppkfhlc.exe	38
PID 1628 wrote to memory of 580	1628	Qppkfhlc.exe	38
PID 1628 wrote to memory of 580	1628	Qppkfhlc.exe	38
PID 1628 wrote to memory of 580	1628	Qppkfhlc.exe	38
PID 580 wrote to memory of 768	580	Qkfocaki.exe	39
PID 580 wrote to memory of 768	580	Qkfocaki.exe	39
PID 580 wrote to memory of 768	580	Qkfocaki.exe	39
PID 580 wrote to memory of 768	580	Qkfocaki.exe	39
PID 768 wrote to memory of 2716	768	Qndkpmkm.exe	40
PID 768 wrote to memory of 2716	768	Qndkpmkm.exe	40
PID 768 wrote to memory of 2716	768	Qndkpmkm.exe	40
PID 768 wrote to memory of 2716	768	Qndkpmkm.exe	40
PID 2716 wrote to memory of 1208	2716	Qpbglhjq.exe	41
PID 2716 wrote to memory of 1208	2716	Qpbglhjq.exe	41
PID 2716 wrote to memory of 1208	2716	Qpbglhjq.exe	41
PID 2716 wrote to memory of 1208	2716	Qpbglhjq.exe	41
PID 1208 wrote to memory of 1648	1208	Qgmpibam.exe	42
PID 1208 wrote to memory of 1648	1208	Qgmpibam.exe	42
PID 1208 wrote to memory of 1648	1208	Qgmpibam.exe	42
PID 1208 wrote to memory of 1648	1208	Qgmpibam.exe	42
PID 1648 wrote to memory of 1944	1648	Qjklenpa.exe	43
PID 1648 wrote to memory of 1944	1648	Qjklenpa.exe	43
PID 1648 wrote to memory of 1944	1648	Qjklenpa.exe	43
PID 1648 wrote to memory of 1944	1648	Qjklenpa.exe	43
PID 1944 wrote to memory of 1536	1944	Apedah32.exe	44
PID 1944 wrote to memory of 1536	1944	Apedah32.exe	44
PID 1944 wrote to memory of 1536	1944	Apedah32.exe	44
PID 1944 wrote to memory of 1536	1944	Apedah32.exe	44
PID 1536 wrote to memory of 2416	1536	Aebmjo32.exe	45
PID 1536 wrote to memory of 2416	1536	Aebmjo32.exe	45
PID 1536 wrote to memory of 2416	1536	Aebmjo32.exe	45
PID 1536 wrote to memory of 2416	1536	Aebmjo32.exe	45
PID 2416 wrote to memory of 1600	2416	Ahpifj32.exe	46
PID 2416 wrote to memory of 1600	2416	Ahpifj32.exe	46
PID 2416 wrote to memory of 1600	2416	Ahpifj32.exe	46
PID 2416 wrote to memory of 1600	2416	Ahpifj32.exe	46

C:\Users\Admin\AppData\Local\Temp\50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe
"C:\Users\Admin\AppData\Local\Temp\50d01183dc5ac279fde78fceab8ef8ed2b6d2eb0fa3c3c9ed0a4346e7948aeb4N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Pojecajj.exe
  C:\Windows\system32\Pojecajj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\Paiaplin.exe
    C:\Windows\system32\Paiaplin.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\Pplaki32.exe
      C:\Windows\system32\Pplaki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 144
        72⤵
        Program crash
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
96KB

MD5
70ceb1ab7f90bf5f5150e50bdfc1033a

SHA1
d72f27fc4bac0b80b4535ffb0cd2766c8aa00cb6

SHA256
ed322c013b43dfd9cb41abf6dc07a1ebbfc460bd62475a6653fa0d7f56f14a3c

SHA512
de9fbf7b35df2f48d7249a0e9fdf6272121d84baeb51f269e49d1c5f82811535febdff61bb5e30d5db2aa3449874ccc424a3b624d712b986801fb29b31826e12

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
96KB

MD5
e462ffdfa196ae7152b7c92cdd06b836

SHA1
049fe8e72496832e09dc146a57a86a156ce1fb2f

SHA256
1e75105c7ead24933aa574888cc2077365fd4741b4eb743ac48672e2ebfa9498

SHA512
8f242770bcbb69e3dc944adf6837d095186d54b6fce7b19a2183ca2ad1a4bd5b0458d2e5a17ef46738f2002fb014e2cf3484a4605bcfa1414292446b08d94cea

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
96KB

MD5
35fd6c4da73e03275d4da702e8f367bd

SHA1
e2aa89793cb5f5e505f7d5f110c0a562ffad1ba2

SHA256
71c7be85c2c01ab9e76f86c668057c372733bde3ccb00eec70ddca2b4cc08d3a

SHA512
6b67bfa1ca4f12803c0f7950f5f9d9966d23848cf831b3c58e16986ad51cac73ac8f27b32dde0921f7eb4b0de4d3fadce7221c2e41ebb46c2f257183fd6d00f3

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
96KB

MD5
a70b22d80c5cad382d423e7fba9f6f5f

SHA1
f89f3de94e274cb9c3c308b4af0f17a2c92e7bab

SHA256
6f5757b35f5e38428529e239ae1f9c1e0725bbc586d691b018e8f40d83adcff7

SHA512
8768db3dba7c80dca36c6cf54ae4ba6b3b5f0197742bbbd54aa82c3859a9b53073a0fbe675ba7c66073e2fee9f7445cd9d14608b0ae8459d5c37c110ec9b578f

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
96KB

MD5
2240ac6c56cf76452a75ee27807d6dad

SHA1
52307e4e221ce0b6c249f7757bba2c693cc3e65b

SHA256
4d21551a35b00eb1d34d6f68b204d63f2312c012577d7fdd8b8521ed6aa43ee3

SHA512
72c257d22337dc9c4d8af69bbf26c389c3337a48dd8276b404ec13e2357a7f0af5903246ccdba1b59b978fa639da63a42ded5695b23d2859f764726189a65a0a

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
96KB

MD5
36147ed50b1643cece2be1478c7c58eb

SHA1
4a58f544beecda0e5d2128521c62b96dbc893e4c

SHA256
e4c54e2f0423ba62b3f6cb62bba95b4fc6dc1e6e86e4b8735a08c916ada77f9e

SHA512
fda1e45bd0c0f6c8ea6ad47b745c4eaf8c0b84534682adeb8158d7cc40ad6b2bd3a8a7900cb80543598d5821ecdd2b033cd301d3127a70c236172a5be6fbf87e

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
96KB

MD5
4653c22c9b4719f2ef875b106d143eb2

SHA1
9af21e273399a19101aef249dbe722975e8a235c

SHA256
643a2be145908ed304b0866450216deb8f4701101987e6323229d72b966f700c

SHA512
277af65d134221c96c61229398f309c3d0ce79fbaee9b5cb7e9780e3577b971d5c5541a8271d1aee602b94907ae9611a8d3d965dfecb646c783a9ae6479e91ec

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
96KB

MD5
89d824d9224c280198af152fb1d3e171

SHA1
08efa8965031cdb8bbf0efff1ebdbf85643cf48d

SHA256
d0a59148e6205e74fc808165c6901ab1e2079ae8cc571a5631c8616d857879b8

SHA512
09989bde1692f2e23cbecc644ec8396e5badda652a0d3ef02c1313b0fd7b4a004acf0db7dfdf6ea122fd4025154fe9aa043ef841c80104579ad9e14f69b485ec

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
96KB

MD5
dfde1fc7daac793409cfacbbe76af827

SHA1
70f454b43f6f48018b2c3a1ba1367a2995970830

SHA256
c970ddaa19e1840d7a9beddd6ebe430085bdecb2ad30150971c61f0d72323115

SHA512
e4607d68c1d7bfc0c621484954bc4161894d1c599912c07577ddeddc9db6746ad55527931d2d9d955d911e4f674cee76f451e4b97b941f38769626c6756f9a5a

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
96KB

MD5
d2f21bbce28678cc6212454a94a1fb51

SHA1
50c6e5c543d72903364bd08da0024c131a467921

SHA256
edc67c001e1837d1cc3bb8ef348a05310f6c05061c556ccc81f18413705def19

SHA512
2d3e8b8b637b53fb64de7a4d377984b55501587449f9c2e69c73b473b477341bd63b408ae44724494aa2e8b6c18629d70cb5c18185ecb9e7adf12a2df5e3f4e5

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
96KB

MD5
19269a3be2574938c6b04d81056ef2c1

SHA1
003e13eeb90a13a2793625bf9b086bc17c0c81d8

SHA256
70a115b2b904d6190b510e6dc0f1bcceaceab34f67711d61335c8713cdc20d4a

SHA512
c360013df297ab4b28486b01cfc6b17cfc7d322813c434ec6e195a9b681dee572f6fff7baaeec7ca61be29c754ae50fcbc04a8b319100ea3f5698d891766c9cd

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
96KB

MD5
feb4716ef43673925bd0b6fd4ee5e8cb

SHA1
1ed44040a21a6f9e72c92b14c73d3e718ef88b38

SHA256
d95c02790fefc7b4895a2d223f13b03c8bdc69719184d67bc659e3e944a918f1

SHA512
b61fcceea0cce2eccbb56892bcc16e741c50589f442f7f2e5e749d04b569e10e26022c07491bede95deaa1af11398299279a40d4fe33517b01f61a9ed6548f32

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
96KB

MD5
9e2826b227bd83fc650d256214c4f3b7

SHA1
c5ef919c7eeacfc78429d339711a0608c4b1f078

SHA256
2aceac6464753d4e9e27b3e025c399f319412fcb9430b168e2b0c1ae88c8c959

SHA512
bd9d8b10a2299f1732b0c801210bcd1fc4fe135c68693daf83a4e1b085dc80c837a4e09c222cfbf62d2636cb81430d558a0702b9b208f5a0949631679e4d45f9

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
3be7c1380a1cc70d7e4ae52fe90deeab

SHA1
6d4a693d781171af353456f507593f1d0820a575

SHA256
d26fb0b2e803f4958337b5af4f6895268b9b3e215a7da5518a3a013511430a2c

SHA512
ce7526aa1a864646743df8d9d69588175a8d3dc4812cbe4f2845457fb2616574593b15bc5c29213df3c52c6845cebf26aa494b6c1929d263732ca86bc2c9938a

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
96KB

MD5
2efbce7069f529ef9cd82725cf6f3275

SHA1
2aefd1e149bfe98e1fa7bfd8ef416779f49b37bc

SHA256
4bc4558766a07332365577ee8016affac9620604c97276a4d8e743b2f9bd68c5

SHA512
e29a5c237b7cd353e31b7d9a15bc71bb675e938cf9bcd43a7efc9d212e07e88a6ac1c1e4c09409b90c6f41a1e8c5a543d1dc74f998ff64c79c412949c65b0860

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
96KB

MD5
c9325c74e2855c035bd14c81858bdca3

SHA1
996ab9564d13263c902b405abf7a6ed452288f12

SHA256
13e7c16d6083c51b682142aba2ca56b63328462ab12bf201598ab87412c1ebee

SHA512
6533a98406e61fe2f50276d9fa60cb94953bbd3bc59c82bf2f5c7a0cbd5d721518462f65b00dbea6d321978ee34dd2ffdf6a4a9c4a65cd18b8d935130ba46237

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
045f2a7d7ddc72d6bbd4ef22a0450b6f

SHA1
0dc738d28e4e031403f391c8e264e8122b452b86

SHA256
ff702b5e4a13c85ac4ee592834cdf550b805278395020ae750b809c3ed1a95b6

SHA512
2ed53b0c262982a05fe5d580f78dbe52413c8e19c5cf19ae0ada18fe4191a139f6f3e1b9d210413f99da2d8a5f00ff753198f315cac29ce12f46268f069c2c2e

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
96KB

MD5
740e39051171f83a6c9bbd02dae921af

SHA1
21d365838e2586d5adf99d29bce690527fa7fdb1

SHA256
55e6b772e15c1962aa2fcda81c9dd33eba4d75a9afd670cd4d0cdbcfe9b688eb

SHA512
c5ef6450b8c71ac31cc475349e8c4751a5c225ba4dcb48cc57e8cd0e41ea1f4457b995f16c22f437429c44fb04505250fd8e1e67489b20172eda71aa1038bff8

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
96KB

MD5
0e97d022becddb4c9071a1eb5242d9d4

SHA1
2539ce07308c17172ff8724d93c9f03be4fb166a

SHA256
7a1cc8280b71fcb4a22bddfbb3713ee158453e48796831360fedd33d29a29e2d

SHA512
4680db54e42e175ab6672759d1c49d25576a267119a276de2f600a1fd6c88d898367a2acdb3db57c5baa7dde905d16f71cf0828084f723ff83051a03cbd40cc1

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
75d4d33514fac1c85e01c637d9fad782

SHA1
8f43a48974c93dbd06a025e74ce0f17750c16a31

SHA256
7d23da4e10a112b713bc7c447b0a2eece3b3bc9d958a664a2226816746f9cfe2

SHA512
a1ee4bec916fb567e7d9c507c272ff4497fbe4666b8d92a05c4e35e221d008e1a90349021d508e4453068e0a13b5ccc947419ab0f71cd070cbd62c800fb96ac2

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
96KB

MD5
c3c3a6b5e96730c6350e91666b204474

SHA1
f73d1efa3ac63fe8b0aa1dc0167bcf44e9ca6970

SHA256
b6d64b54bafc74959c3123ee3575da14cf9793396eab47fc5c8a00aee2c493cc

SHA512
d0fcc1a0325493f66d49ea21b7594b7c3743fd6a2c5ee9a4f4759f951245c6d287f4c8648bc54961996a8a94d06623b55171b8fc52ad27f715bb54e0609352a1

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
5e3f92a251df2a9d01168c9c160bf1df

SHA1
f1ff3fcf2aa8271a53446eca995c1fa94cd3e4ff

SHA256
67f8a0c9aa5a3ce7d5a71ec2cd48edffd2a471a589e655bceffb3eeb7e9adab5

SHA512
fd504650209db30d05cf6017efdec165d1203afd657931794b02ac1ea55da591b8eb398643276028e7e33b5ccaa6bdc3d9b2c585e66cbc46a52a769b86754d4c

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
96KB

MD5
38f4b85543f1efb89619405af800b5ef

SHA1
43f09330025fbfab6e40d5c157eb617f84ed178a

SHA256
ca83c51b042e3f89c57715de651cc64337017e5cb3d17d5d0ad95fbac281553a

SHA512
b577073e4b121c8f86f24aa7a10b843c09ee8152a2704f97f73c2485c5030068ce482c89c0de4daa9402301e909851a4a37b4e5edeeecff2d955bc3473435766

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
fcdda2f1abde3058c29ff63ce8f7fc57

SHA1
42aec241e983ab10d22dbf0222e9e5a0c8c39b5d

SHA256
3bac3fe1554c972114e9bddd810da9105b7aa71d4f89e0137e6dbd994bc08891

SHA512
0e544b6a56704ba45f9067a1fdb7f088beb38d80477465adc761a10ab22e6b86e34ad3437395a6a668c1f5d9a8970e5ee1fbc1d631978b0a1a650218183e8b27

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
96KB

MD5
24a422cde71dad92d9758968a3b0846d

SHA1
bd425d0b18a5f532b0862952b28d0013c099ec76

SHA256
4e05ec738fac41e056931a543bad9d29ff98c7eef4e3b72cc2e61ab2477c4c4d

SHA512
da33d33c5887240a7dd83146ebf1eb36dc2209ed78f01b41e3c93d6316979defdc9ea8dce56219a47549eea5eec1b672bf98d68e8c359b765b52f1dc30986713

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
96KB

MD5
d528d9647c90b63c039e7d707575ab39

SHA1
2fb54a6b3e90b8b936c10cfa0b859f5077cb6e71

SHA256
8b16ac4ccddc41be333fd4b3d877be7c016a089550282e96f073ad6f4a1f8c3d

SHA512
fd0b0c3090598defbe9f2889f06faefd6b10c6f3e26eecfc189557efff0ed7a8e78427a949dfb844df57a1dad56e1a3f0af3ded303a6f6198dc37ab9427ef96b

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
96KB

MD5
2646c6bcdf3a80f9423383d67e7798d9

SHA1
116a0588964278317d08370bd7608ce9500d3832

SHA256
14867eb554e004fe7e3e9bbd5561ab7eb8aef9e3b437f33124531e852eeb2c3b

SHA512
73408e72ffc6c6adb77a5d353005ea7690db35c56d7665112a31ec1308bf9074cb5748119463d4c2404ca22a952676b6b1bf90f417491d99fdcea60b30bfc958

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
96KB

MD5
a6ef31ec5f4991efac86cb9c5aa68544

SHA1
c20944bb013aa8997cfb6c297d3bb1b0c869cb5f

SHA256
b8feecc32015aa74ceaa8cecb72421ccd36c87d80bc929b9df65cfeef16dd5b9

SHA512
df66939d9b3959552ed7d69fd1dae0cf37a0fff52ba67303a277e22e60abff574cdbeb21629f3f45019cacf9ad562ee7741e7019215aa59f8d29ce86b56c3966

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
96KB

MD5
c1723472a535dd6cf0944916a45dfa94

SHA1
405f0df8f6c2ce4197f5b0a0730fe93ae7196695

SHA256
7a5a4bf12ddd1fe0db2300a3c8d9b8d32f8715da35efeca86453e417c851c4cb

SHA512
aaf066aefda7427ca0e1bf720b350d99ff5e5891ef904cb5d968d49879c322d68e399553fcbc0110abedd767ba67416a6894052a3978132bfe91a2816317a9db

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
96KB

MD5
b37028f68e24b1a70002b875e1ec15c1

SHA1
683ab244efcc8d0c30a0d40d78b7506f733cf3de

SHA256
af900b3990ac77fe00f47acae7408179d81b08c24ba36975d115db3dc1239e29

SHA512
30ed09e1cb2d95a1a1278a6ae7a9c44f3ccbd4db795492cc32673aed06e179c2e1e75e69d09c27b0ea48948da8b0fcfa05a28d7f52fbb9e20fe6b602b2d137dc

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
6a2cc4223f3bfa98f8169bf51f567cc9

SHA1
2f49ed2a175986f646025d0ff476a1d394dd3433

SHA256
12d75138d8c744938816433c573171debe49994c2a233ae7dbd8997dfbcfa54e

SHA512
cf251f4098af13acc2929662f3eb16eb56039e58f2296bd2bb1ce69e17d163d48cc010d71b8c91bda03ae1d37c5aab307a41bcd3563a1541859a6da29c661569

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
26a5e86c354a26aaffbb02e9ce2d554d

SHA1
7191f9ac10b48499bc40002d11ed496471bbc099

SHA256
dc98ca03340bcd7c2def24c4a8a1008802069f1a5c8583b51b570f5a2ea2e096

SHA512
f49226a1230494f1c6858c815a96b4c06f4b723700ebb5c7df3c79cff9c4e90a1c519cf624df038fabd43152cafcf18e2c00a3de172bb93a45524af9ce99a432

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
29e6eb75481777fa971c59be2ce76983

SHA1
f5687d7f5926717c7f94ab9041aca54f8bf1ce0c

SHA256
1d1a2d97b6c9d9c414984db9e05f6a29dc692cb5f1b72f6625eee8ab176af685

SHA512
f1e8bdff6d07430a39c7394cf9c7ea165073d07f9a917416181ccd809b10dd0261129556837dbf500380ea75320195712d6ad24a173e8599185c37be05191975

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
96KB

MD5
7cb1b17eebf5125275188e036a26b57e

SHA1
ae6ec7cecd3cb8e5c846f551caf12ce49874d16b

SHA256
488b265c95b590fa3842dc56a94449d27964e0330342f382952781d341666117

SHA512
33939dad84f999f24e4704b30684c4da144dfaf930bef975bac83dde3a1bc958055400f45896eb9e353d35a9f6fcf90dbe4ce9cc60c22c736efd775de289cf83

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
0ac935691a1866786c18579273831463

SHA1
c133eb22ad4dc54e750a993729e4712a990e532b

SHA256
e729dd64f3df52cc46e3191e369b86f2d2f0c264928f5c4d2c51b8224e051eb0

SHA512
ba1eaac1114260357cf54f71c4ea98bdd559c4e54f50f4eb68544df136c5e9f28f26791c6465801e0ded6b0b1da9af850fe5c959d7a518b3782d5767135185ef

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
96KB

MD5
31350ac206a7e1a6e104dd5a8efe4faf

SHA1
00f79688be29c1677ca822290e72c89d1d170448

SHA256
eb856b18404c224c9b4a568315c5e61e7783bdd0df630b39122c52b8901d2bfb

SHA512
e2c7157ebcff62bc9d3ee24502384b040b32af39eb584558a8fec201691b5d4bc45fb93f13c13158613e513a7d10d5428fc57bc966254e9ea02b358d84f05f63

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
96KB

MD5
325915fd8878cb2aab7cccf56721502b

SHA1
dc69971f5423c4adf301c4c869abb281c9f95871

SHA256
222a9da3858298a79951b021038c812a8e7a66c21a2f8375140f1cdf6bfaaae6

SHA512
99c7da58542e19242e8f950e95e670fd34cdd671e8402bb42b4a57026d7ea62741b0c03aa064abd20c79a7ec3cc11425a3a16b34aab84eb0966a02d78961f649

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
5d456d62a51048c20838815846bae33b

SHA1
4126c71b38d64f4ce03e64dadd1f58887082f63a

SHA256
c51a7ad2d28188f45bfc5733e86e9156fe917704a198fa152e713f9e4a7f3800

SHA512
cd9b7ef0ab93860ac7b2bb7d5005a7381339ecafd9fa2b1637c14a487f86d44cddc0f04a467b3a1ad253160374ae7d4f71735180beed07993ab992e192d23137

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
7843abe75976cfae7450cbe7c26cb467

SHA1
fb697b815aff71364fe9e5d6b08df8b7f539464b

SHA256
3b00224f5bf66cbd53a7b8da8a73a3fdd9468acb2cac786a8f2df28e1949fb60

SHA512
112397bba53383f84ac081993f6b7f1d38b62dfe004a053f87236ba9bd63e87376d56d67bc7267dcb47d3ada7569b16ca612e7d9d93825ae1e710da7acc75e2f

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
96KB

MD5
9aab0ccaad8817a3aea13d3e1a50eb33

SHA1
e4267d360f8294d4af7545577e6ff0fca6a2b657

SHA256
84366de81236ca2a2c53bbee6bc8954d9559da0428ead79581aadb0275d5de29

SHA512
804f8664f4a684153ab173f4536b0ab1be6e08259ffe7a8cf4396baea146a44ad7024ddd70847dcea64e10dab98ec303bc1a94e97935242d1b47a93e659b27fb

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
11cc91ae3a5894ab3670a54d50f34ea0

SHA1
5f98d3ca6a4ba8903eaa9a1982f08fb74704763a

SHA256
fcb0cba62c528486207de3cef196aa45ccd7075567a10a3097c824b52c54aa19

SHA512
6a5923f64786e8e4bbdcb69bcc3100f8fbc6de998bc84a97826f1021fc73000b4d507a65689a3d194dc38a4b5e7738626765576fdcbf7cf2851a89f759accf72

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
c882a02e22da3a92d91954a12f510591

SHA1
6a153cf3dacc40c7abe2e594ce309c617da4cfac

SHA256
473af5b1ae9b23026d2c0a02595ce1167e843b71a11be12487e887de6bdfba2d

SHA512
d06f293b9312a22a79c26ce2149efae4e6a4069af65f471f9c2b32a19c85897473b42ce0e7a5d07c2831569a4c27055a146d51a1bcef7a3d17e7a71072ac2fba

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
96KB

MD5
2c5ebb0a34354f0107bfeb0f3e8491d8

SHA1
bb64f9de0196f5eb047f366d4a5be8e5735db51e

SHA256
8d7e599aed1f131a8ae40ba074ce9e57c7dc71ee350326b725b9f54ecb35c264

SHA512
1845b140d57e9c8540162185b4b903cd3b6209f4be9a9e14cf43f0bf7de4d194b4ef9be5e0694ca6cf83bc9b8edbee08b6cab1796114f3db4b5b2937795b838d

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
c48e35530a59936e85d150590411f8a8

SHA1
812a868308aa7a3f40fbfd80e0fae724eb6446f2

SHA256
5cdaef682df21f4245edcd30a7bbf3ecf31a662e7e80b42fde571db06548a46c

SHA512
832d70dc95b06490a87187db1ef61a40e5dbea6b05debfd147aed0a72a8df33f663d04fb0b2421b22548b65a0529fa17b0095b673135232de6b20264361eccb5

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
5d508e85cf56f25836e7aff29e3bdd6a

SHA1
bcb61c54639f1d657207fc7243faf15a7f7b9b4b

SHA256
615e5b3c904dfa31768228b135defa47f202d311f1c7c9122236b16183c64515

SHA512
0673f98e77a600dd61ee475617f5d23d798d4c2727cfe6800615aafe97d214dd6bb14aa9f700a37e83dd5b9aabcced180f7cd18521a9a45fbbdd8525d62c0b7c

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
96KB

MD5
650247997f06d7f88d9aeddc0d0d91ed

SHA1
c8104f3888707f828907866138785842195a5b63

SHA256
c3a5fbac6589a26cc93af79f87cb92bef7e8957c8de4e37905c5a66d43544a2c

SHA512
e5bb4284b387187617ad181f202686d5c07413ccb1ab6ac3f500337f49e7adf1ec5a3012fa72d3b5c0305ee26b4535af6f1c28e76db20fd1b910cb54134bcf91

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
2116e89df886e702dbed472351a2c320

SHA1
fcba40546e3a2970d0f70515d131ea3381182ec4

SHA256
4ddbc115a76c299c2bc2088e97e714e2633bc7e9c87027db78fcd06a294dc1b6

SHA512
0490c7ecd15051ededadc3b3159118fcb095088a40bdf92f6563d5dd6ca1705a664b4857190429f150e4d241558e57aea9bed58db9af3b4e6373af512fb2884a

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
96KB

MD5
0858dade056e113a41aa130a80f7cddc

SHA1
fe4ecbddaa7eccc1c3d7ef5358c755f116b6959c

SHA256
2f31630d58b84e4e922eac391c2905704816c0f7f3c689eb0d11e47fb93c25d2

SHA512
fb629fe13cfe357db05a56a370b458241196f69fa8d40b93e85c5c6dada5bde23a4dfd2eacf1934f9df2017ac5e0c9a3903dc350e3cab0f9caa6372b972a4771

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
96KB

MD5
e0692516317f64be466536fb6dc95317

SHA1
4ae21a407a8211da88ee09f4c85a136c2a528f11

SHA256
a2f23f0a3b50abaaaf8f6bdaeadc471d3dcb243b825a64f3d83eb9ee2d6d14f1

SHA512
e82067dd50663ca177794d35773cb7477464f52b17bbf2ed836094361e093daacebc9bb4740bbfae09394373767037f6dfe3a63476bbb2415ae58d3cf4746217

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
96KB

MD5
2c20f8cb4306bc3f2df1b7e603ae5bd9

SHA1
0ac480d095bd07f658e1151cd4ca9885018037a9

SHA256
b33aade2d7c966c75309425fe036f7aaf7deecc0a76dc7b78c5150acf5fd7faa

SHA512
0d3cf2f80feceea2d2c9e7518a0e0b66954871e5fff2b37a29f1801eba03ecdf9afb56245106b5e9bd0e61fdc585b296f81b083fbfa95d6c6f0cf0a71e8bec0e

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
96KB

MD5
6a4215ec9876bd7a8af76f99a7645677

SHA1
2c08a9432be1d94bebadac3cd6e81b62c408497b

SHA256
cc4718772a268be8021b6663cb13c1273f5b644f4b20ca234ed6bc3ac350c2c0

SHA512
09537b03ea2a34c43d5f898528fdd00410177db9704e819f9767097e46005179fe26565bef47e0fd35f673b01d0e85426991af291234d8836ff6acada4076223

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
15ed3545d546f7749bc527298491209c

SHA1
a6350c6d1d1ca79caf8564d207871d7cc27b0e60

SHA256
d52c86f1995b6e75f029030491e53e1f202d5501a8e3ec0efe5ce793d11b37e2

SHA512
ff445571859cdead20bb2580899e364b0f37da6ec5a50543fa8577d201f550d8ab03012deec44017331c1d15b1cfe1800c8c8633360c4d9aed6f785ef7944e11

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
d8b75b16809b5a0f5f2b72b83ac63c03

SHA1
83add545d380f1850920a391fa381eaa27a8be1f

SHA256
3bd73c8de5e511b1835f3a9249d8a1a6c0c0b19d9a1733ef8d2bbae0b3b3a619

SHA512
a751269b64a84f7cad69929c49649bd152604171e35c82555f3f6e68f754be0067757c9ddb3f0abd24b2097b453e07a53ead4b5676f5c17398b9ff14aa8c3576

Download Submit
C:\Windows\SysWOW64\Leblqb32.dll

Filesize
7KB

MD5
573d2536a7b921310df2aff3803f6f0a

SHA1
73748347a635da9832886c3773037aa6d68e5c99

SHA256
9d3b2d61dda92da6f482eefd444a16f69aa99b4b62249e641fc30490d262074f

SHA512
2ad9bca079f954612f493fd2e9147e47edef1b60ae5a13da2281f2bd60918ba78a8425a4ed8399a86ca6eb724d8f0df8d2d5545cf5316ccf31ac8ef3c9255ab0

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
96KB

MD5
e7cb800619b100fd96c56276ca5acf6c

SHA1
188c87a40908e623826ed103bb5d31ad69b69e66

SHA256
b91badcc5073491c3f2e49c20cba9fd86f3b758147ea23f29b5bb642b1befc4c

SHA512
b7eabf28941f373120d95c695afacb789fbaed2d074a9495c22adb4df8aea1514d49bf2cd4ccd3e5f9bbd296733b6523f219ddd2d7d756faf73121acd5d3ba1f

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
96KB

MD5
8f600a5231980ab9df2f4797b31cfb5d

SHA1
0ec3d58969149a4a1a447991497934819e3a04f9

SHA256
881af824c86b657221395c9e3d27799898c63d9499363b053578cfaa8a9e2695

SHA512
b027416241a21894024d08adc948c2258d07469494352c82ab0de6c77455a8483d35b42f69e999a7c4a67a2306b5903193d27b6afe493e323fab350e9660fcd4

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
96KB

MD5
98e36cc9e2966a21a4926aa26235f1c8

SHA1
bd98be951007b954e53a0ffb17f8011a1cb38a59

SHA256
6363bea853715ab5a2067ccbddb2ae293ab54cc095e54186ac2db8b4e3b36440

SHA512
4f2bfa5c188759448a75451a3df6a5b6adf388f7a920f498914782cab4dabc47230c5b786738483a265cbd259c0bf7fd0ba98b4419115b311f176ca7e3820c1f

Download Submit
\Windows\SysWOW64\Aebmjo32.exe

Filesize
96KB

MD5
b9d4650de7883491546f73518c87ae06

SHA1
b0e2297fb0658f16eeb5ac0261cbe394e9d61274

SHA256
0103d5960718d6e56c14c7ffdaa1d58256845e125f659c8899a286084cf560c2

SHA512
7161ce8d5da9bbabcfda62576d25618932ac9b6958e3c46722947d23282fc5de689542bae11a62ceeaa0f7915a78c2f4da4f4daabfa45c42b16f2f1b2231f3f5

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
96KB

MD5
3e070a4c03756d45e83521ccc00c7215

SHA1
b2d818d4799d55d1ca3717bc9bb9efd6ca21c92f

SHA256
22a3fb0376514352026e12ed7677416e4d6972c1b1ac46a56ce780326725730c

SHA512
5e2e2318438cc4055f8e474cdcc09edaa2517992970a555a0d74b6408a7be5e8f5ce2f21004d53d99ed424c0c10c5335fa71236ae89985606b11c79516d3a89c

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
96KB

MD5
8ddbe4bc40b583577defd9b65ca91a48

SHA1
b0f01df778b13fdea73a2c3dadd0851ff99551eb

SHA256
856e2b317fb4297e4ec3980f43c766956d74419ea65029284b0121eb875b292c

SHA512
f5fc9c14faa1e0f3eab01e05b36f13b9908dd665440b7283cae76c5094d6b27dc79d89035131b820d366839e220479cdaddd001c32596ea91f26a0dcf900168c

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
96KB

MD5
1c3dc8fbe7f688bf28361df4d82718a9

SHA1
2532d36e1f3ac744ee99c9749abf7b1a2c371d3e

SHA256
4c6da6f8ac321fcc358efc76fafa513712941f969b72bf455bce0b6977f4f8c4

SHA512
0720db2be31ccb4c3ac55ea13b7969cfa7b8c778d7bfad6f75f15984499746ec9e584e04d12146b3d94734db2daa1a3b128be7f4bc89dfda9d31d3dd2aa98117

Download Submit
\Windows\SysWOW64\Pghfnc32.exe

Filesize
96KB

MD5
c34c7e45bea0da5209eb7f85faec75ee

SHA1
825b665daf396ac243d01fbfa9d1df614fb9faf9

SHA256
cf7ae7ffe9ac5fecbefe5599d7b52d748e1e06d330129ab6206ac3a4614c9e30

SHA512
ed1072376490f4535c0f412aa3b2e7a4e0ed4d9612ffc9e5e3194bfcd48b10935390312fbe51526352c1df3427e6db16666a96e05dce618faf52b2e9350f08de

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
96KB

MD5
e7f7bdced2ae826e0a51e18fcfcad244

SHA1
e17a0d8cb5eb74b93a0a90e3458ca842fd79fad5

SHA256
dd2b2bf75c53923446394d998af154fdc6b32676800e38f31aca5d10e296e7dd

SHA512
dd5c8fa1aa6290a69ea77e43161bcfadcfd78e34e4c17eb696c9fe8714c9859f1a4f8eb1db30a64d97f3ad6a899455c5dc9a9aa69e91ea35dab783188977bf80

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
96KB

MD5
3c1244994b1db8eb448bc247a7b8cfd3

SHA1
88ae2590c5ea9bba692ae0af8cda3b4785c3e5bc

SHA256
8711c2763cab68d8d3b0c5e683497806cb821588620117ddfa5a524fee3f761f

SHA512
eb894214e3d930b4461d7400b8baa11ae961217cc3e9be1ba143477e320820db2895c624b95db6f935a9d0c77122ad855738b54f112b2cd6e17b1ebd887f8fe5

Download Submit
\Windows\SysWOW64\Ppnnai32.exe

Filesize
96KB

MD5
8e15bf5a8abae55c3fde7e361a2220ce

SHA1
9e72c5ac809c0e61dd700217275017f4b9d2717f

SHA256
99164c5c466b52e2f2c6d45ac1ad013c97f63d2f79cc6ad8c6e73925c6652374

SHA512
202f6ea12088acce8e9932c0ac29755333ce7ff224930b326781091e7929533339cfc3a4ae5cd489333ee8fb90bfe39111ceec8a38e855c2506ba0e1365998c3

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
96KB

MD5
8b8b3431a86e0a63b1bb2cce2d8ef6bc

SHA1
245a592ac3a9d51afb37226bf2b701113f23751b

SHA256
4cd89459c65f4348d22eb2c55fc83efdb4f3139b8c0b58b79ef04a65c51f2113

SHA512
1141cbaa605854692f13f67d243d1753e42df56ed4800fe8c598eb2fe86ac9eabf5fae9d6b2482cc717bb6c6064d7629b4120b4658922dba356922bb6555a084

Download Submit
\Windows\SysWOW64\Qjklenpa.exe

Filesize
96KB

MD5
b11fb9c17a346f7ed54c654fcdab077d

SHA1
e831bb001ab8ab67cca4d0d5b8800d7a138adaaf

SHA256
acfba1ac55422c62ab0bcca9c1601f497bf65e8bf84e1c685ccd4e6efea8af30

SHA512
2dfc4dfa4bcda378c8e4f303dc3a90cf2716cc2ef4c179e10f66c9e6ab67bfd9e3665437554b5215334606dd4562baad8c0fb4b1ecf4d83d6bb84186c4df45fe

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
96KB

MD5
bda2e425be6063032a90c37d4317b3c3

SHA1
a18cc9ce8d2e2fb10247c2948e0c19c770537949

SHA256
145819cd6892f8a87bd6b489217ddb949c0177fbb790435076983767a964d8bc

SHA512
f94b2d770798c55833e7a257933a485bb9b93160dcc4c76d1ecbcbd89f8cf3a9cb3200bb4269dbbb46e2e06c9b74911b3205d7a620474f02122a5cdb7af94a27

Download Submit
\Windows\SysWOW64\Qpbglhjq.exe

Filesize
96KB

MD5
8be66c760b3a450519b1a17c960094a1

SHA1
f495156a15444f25c7df8902098f8e7b8a60fe03

SHA256
e3bb4b345c474bce6c00759828d579655cd46f5ca06e6a63a2e7b824faee471a

SHA512
263d49b45b3852035ced517fa82ba672a9434c821a6ddb8dc60de4577268bfffd51ac78134af112775d54c55d124a4c251e94b4e3f5b35bf9b0acf4b64966a25

Download Submit
\Windows\SysWOW64\Qppkfhlc.exe

Filesize
96KB

MD5
8fb355e0ed5425ab98944154e6ee034b

SHA1
c40ee4d1b8a32b0f7285df21fa8b3fe10c7b4d22

SHA256
15ee0498fe8ff49f970ade87fbf23520f90da73c4763ba556dc00ef42b375b65

SHA512
0578d8cb3f5c82382fdf44c58d39fe694006c9df5a6bfbefa4d33bb16a4c5e50829edf1a0dc7fe7cd686a61f5e5a2d9cce5f19140e78b023a9f95b97727cb119

Download Submit
memory/376-405-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/536-441-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/536-442-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/536-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-114-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/580-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/584-395-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/584-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-287-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/704-288-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/704-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-258-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/904-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-532-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1484-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-321-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1508-320-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1508-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-192-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1536-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-218-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/1628-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-166-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1660-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-514-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1684-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-274-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1864-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-47-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1908-53-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1936-419-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1936-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-427-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2060-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-471-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2288-34-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2288-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-333-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2340-331-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2340-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-22-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2596-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-384-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2632-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-339-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2668-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-365-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2668-361-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2672-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-139-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2720-87-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2720-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-62-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2756-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-16-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2816-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2816-353-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2816-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-454-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2880-461-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2880-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-376-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2944-315-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2944-306-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2944-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-299-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3024-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-295-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads