berbew | 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9c

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
Size

64KB
MD5

dc94d99255eb2440402c87882535d3d0
SHA1

7c7782b9b0605e274adbe52dcfcc6094e4bb227d
SHA256

433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9c
SHA512

e0cb9ae8d758e569a359c3c7934e34751aaa9ba7b01bac490b43d8b1cc1bd42d054566b06136b35223f1d955bb98d7fb39e8d4d3ec7bb568a1800f6e88b02c72
SSDEEP

768:m4rjlQMcKemWLLmgKrEE/Cs2ArHcXQT2n9l/11CAak+fC3/1H5tx6XJ1IwEGp9TY:v5emALmgrEssH72H/11CBQ4XUwXfzwv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2632	Agolnbok.exe
2744	Ahpifj32.exe
2692	Ahpifj32.exe
2800	Apgagg32.exe
2172	Aaimopli.exe
2572	Ajpepm32.exe
2544	Alnalh32.exe
2600	Aomnhd32.exe
1180	Aakjdo32.exe
1444	Afffenbp.exe
2004	Alqnah32.exe
1368	Akcomepg.exe
1620	Anbkipok.exe
2864	Aficjnpm.exe
2176	Ahgofi32.exe
2232	Aoagccfn.exe
1176	Abpcooea.exe
824	Bhjlli32.exe
1540	Bgllgedi.exe
1972	Bjkhdacm.exe
2876	Bbbpenco.exe
3048	Bqeqqk32.exe
1852	Bccmmf32.exe
2332	Bkjdndjo.exe
2052	Bniajoic.exe
2324	Bmlael32.exe
2128	Bdcifi32.exe
2752	Bfdenafn.exe
2764	Bnknoogp.exe
2908	Bqijljfd.exe
2584	Boljgg32.exe
2716	Bgcbhd32.exe
2984	Bjbndpmd.exe
1548	Bmpkqklh.exe
1592	Boogmgkl.exe
1064	Bbmcibjp.exe
2076	Bfioia32.exe
2536	Bmbgfkje.exe
1572	Bkegah32.exe
2964	Ccmpce32.exe
2416	Cfkloq32.exe
2368	Cmedlk32.exe
328	Ckhdggom.exe
1732	Cocphf32.exe
912	Cfmhdpnc.exe
2244	Cepipm32.exe
1092	Cpfmmf32.exe
2468	Cnimiblo.exe
2828	Cbdiia32.exe
2328	Cgaaah32.exe
2656	Ckmnbg32.exe
2676	Cjonncab.exe
2808	Cnkjnb32.exe
2568	Cnkjnb32.exe
2444	Cbffoabe.exe
2988	Caifjn32.exe
1452	Cchbgi32.exe
2064	Clojhf32.exe
1976	Cjakccop.exe
2796	Cmpgpond.exe
2408	Calcpm32.exe
2300	Ccjoli32.exe
1716	Cgfkmgnj.exe
892	Cfhkhd32.exe

Loads dropped DLL 64 IoCs

pid	Process
3024	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
3024	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
2632	Agolnbok.exe
2632	Agolnbok.exe
2744	Ahpifj32.exe
2744	Ahpifj32.exe
2692	Ahpifj32.exe
2692	Ahpifj32.exe
2800	Apgagg32.exe
2800	Apgagg32.exe
2172	Aaimopli.exe
2172	Aaimopli.exe
2572	Ajpepm32.exe
2572	Ajpepm32.exe
2544	Alnalh32.exe
2544	Alnalh32.exe
2600	Aomnhd32.exe
2600	Aomnhd32.exe
1180	Aakjdo32.exe
1180	Aakjdo32.exe
1444	Afffenbp.exe
1444	Afffenbp.exe
2004	Alqnah32.exe
2004	Alqnah32.exe
1368	Akcomepg.exe
1368	Akcomepg.exe
1620	Anbkipok.exe
1620	Anbkipok.exe
2864	Aficjnpm.exe
2864	Aficjnpm.exe
2176	Ahgofi32.exe
2176	Ahgofi32.exe
2232	Aoagccfn.exe
2232	Aoagccfn.exe
1176	Abpcooea.exe
1176	Abpcooea.exe
824	Bhjlli32.exe
824	Bhjlli32.exe
1540	Bgllgedi.exe
1540	Bgllgedi.exe
1972	Bjkhdacm.exe
1972	Bjkhdacm.exe
2876	Bbbpenco.exe
2876	Bbbpenco.exe
3048	Bqeqqk32.exe
3048	Bqeqqk32.exe
1852	Bccmmf32.exe
1852	Bccmmf32.exe
2332	Bkjdndjo.exe
2332	Bkjdndjo.exe
2052	Bniajoic.exe
2052	Bniajoic.exe
2324	Bmlael32.exe
2324	Bmlael32.exe
2128	Bdcifi32.exe
2128	Bdcifi32.exe
2752	Bfdenafn.exe
2752	Bfdenafn.exe
2764	Bnknoogp.exe
2764	Bnknoogp.exe
2908	Bqijljfd.exe
2908	Bqijljfd.exe
2584	Boljgg32.exe
2584	Boljgg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Ahpifj32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Ahpifj32.exe	Agolnbok.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Liempneg.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Anbkipok.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ajpepm32.exe	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Afffenbp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2836	3036	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bdcifi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2632	3024	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe	31
PID 3024 wrote to memory of 2632	3024	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe	31
PID 3024 wrote to memory of 2632	3024	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe	31
PID 3024 wrote to memory of 2632	3024	433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe	31
PID 2632 wrote to memory of 2744	2632	Agolnbok.exe	32
PID 2632 wrote to memory of 2744	2632	Agolnbok.exe	32
PID 2632 wrote to memory of 2744	2632	Agolnbok.exe	32
PID 2632 wrote to memory of 2744	2632	Agolnbok.exe	32
PID 2744 wrote to memory of 2692	2744	Ahpifj32.exe	33
PID 2744 wrote to memory of 2692	2744	Ahpifj32.exe	33
PID 2744 wrote to memory of 2692	2744	Ahpifj32.exe	33
PID 2744 wrote to memory of 2692	2744	Ahpifj32.exe	33
PID 2692 wrote to memory of 2800	2692	Ahpifj32.exe	34
PID 2692 wrote to memory of 2800	2692	Ahpifj32.exe	34
PID 2692 wrote to memory of 2800	2692	Ahpifj32.exe	34
PID 2692 wrote to memory of 2800	2692	Ahpifj32.exe	34
PID 2800 wrote to memory of 2172	2800	Apgagg32.exe	35
PID 2800 wrote to memory of 2172	2800	Apgagg32.exe	35
PID 2800 wrote to memory of 2172	2800	Apgagg32.exe	35
PID 2800 wrote to memory of 2172	2800	Apgagg32.exe	35
PID 2172 wrote to memory of 2572	2172	Aaimopli.exe	36
PID 2172 wrote to memory of 2572	2172	Aaimopli.exe	36
PID 2172 wrote to memory of 2572	2172	Aaimopli.exe	36
PID 2172 wrote to memory of 2572	2172	Aaimopli.exe	36
PID 2572 wrote to memory of 2544	2572	Ajpepm32.exe	37
PID 2572 wrote to memory of 2544	2572	Ajpepm32.exe	37
PID 2572 wrote to memory of 2544	2572	Ajpepm32.exe	37
PID 2572 wrote to memory of 2544	2572	Ajpepm32.exe	37
PID 2544 wrote to memory of 2600	2544	Alnalh32.exe	38
PID 2544 wrote to memory of 2600	2544	Alnalh32.exe	38
PID 2544 wrote to memory of 2600	2544	Alnalh32.exe	38
PID 2544 wrote to memory of 2600	2544	Alnalh32.exe	38
PID 2600 wrote to memory of 1180	2600	Aomnhd32.exe	39
PID 2600 wrote to memory of 1180	2600	Aomnhd32.exe	39
PID 2600 wrote to memory of 1180	2600	Aomnhd32.exe	39
PID 2600 wrote to memory of 1180	2600	Aomnhd32.exe	39
PID 1180 wrote to memory of 1444	1180	Aakjdo32.exe	40
PID 1180 wrote to memory of 1444	1180	Aakjdo32.exe	40
PID 1180 wrote to memory of 1444	1180	Aakjdo32.exe	40
PID 1180 wrote to memory of 1444	1180	Aakjdo32.exe	40
PID 1444 wrote to memory of 2004	1444	Afffenbp.exe	41
PID 1444 wrote to memory of 2004	1444	Afffenbp.exe	41
PID 1444 wrote to memory of 2004	1444	Afffenbp.exe	41
PID 1444 wrote to memory of 2004	1444	Afffenbp.exe	41
PID 2004 wrote to memory of 1368	2004	Alqnah32.exe	42
PID 2004 wrote to memory of 1368	2004	Alqnah32.exe	42
PID 2004 wrote to memory of 1368	2004	Alqnah32.exe	42
PID 2004 wrote to memory of 1368	2004	Alqnah32.exe	42
PID 1368 wrote to memory of 1620	1368	Akcomepg.exe	43
PID 1368 wrote to memory of 1620	1368	Akcomepg.exe	43
PID 1368 wrote to memory of 1620	1368	Akcomepg.exe	43
PID 1368 wrote to memory of 1620	1368	Akcomepg.exe	43
PID 1620 wrote to memory of 2864	1620	Anbkipok.exe	44
PID 1620 wrote to memory of 2864	1620	Anbkipok.exe	44
PID 1620 wrote to memory of 2864	1620	Anbkipok.exe	44
PID 1620 wrote to memory of 2864	1620	Anbkipok.exe	44
PID 2864 wrote to memory of 2176	2864	Aficjnpm.exe	45
PID 2864 wrote to memory of 2176	2864	Aficjnpm.exe	45
PID 2864 wrote to memory of 2176	2864	Aficjnpm.exe	45
PID 2864 wrote to memory of 2176	2864	Aficjnpm.exe	45
PID 2176 wrote to memory of 2232	2176	Ahgofi32.exe	46
PID 2176 wrote to memory of 2232	2176	Ahgofi32.exe	46
PID 2176 wrote to memory of 2232	2176	Ahgofi32.exe	46
PID 2176 wrote to memory of 2232	2176	Ahgofi32.exe	46

C:\Users\Admin\AppData\Local\Temp\433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
"C:\Users\Admin\AppData\Local\Temp\433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\Agolnbok.exe
  C:\Windows\system32\Agolnbok.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Ahpifj32.exe
    C:\Windows\system32\Ahpifj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\Ahpifj32.exe
      C:\Windows\system32\Ahpifj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        69⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 144
        70⤵
        Program crash
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
64KB

MD5
3eb27dfdac891348d42678d4493914d5

SHA1
5a4a1340c339532bd480e52499d498df7132503b

SHA256
1c9c43fb117c1901aa4c157f5d9348197fb4bb93ea3d3e80e889353412b81679

SHA512
2c79b5cbfe78d33cec9d04ad5e0514b2d8cb9b1804cf44106d78172daa1bb1d73f1aa470e0753923146b6605011c3a86602887426ae4c9d519b278efada11c5d

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
64KB

MD5
faf27b1c00c2a8770debdf8e179ab7d1

SHA1
ea0704512bc59f6779b12ffbb10d5b1710b3ed2a

SHA256
7b66e23dc32975c02b74e1cd12f46df7cc5b7aa445cf8657fa3a057d0a628124

SHA512
169df3d61f6ad7df0fda1200de4c62093e27d62e271697d8b4351e52dc0eb810a31af82394992ca764359403b887cf4cedcabcc58ad37c265083aaec9f95e607

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
64KB

MD5
f8c88c25f4531f3c3aa2d9fed316dafc

SHA1
284b0f5d4e607d3427ba88d4145bed92735b7fcb

SHA256
08c997f21d8911d0521420136d0d1df8aab14bfcc0d64f08c7d0df483322e14b

SHA512
6b06b88e8b093b73480003ec2d71e800c98b602c7a74d0d05e800e03e60b63f8427587c2cba62ddef80394e2b4c4e7907c3d339e03634df869522834a4f42168

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
64KB

MD5
6c9e67e3c83b6900ff456a12642a69cd

SHA1
07c80ea72b99f811829dcccf53c730158215005f

SHA256
5868bdba60b5f6fd82376819b2db049eaed75e9faf45c723e268b7ad35a8efcb

SHA512
f40ea7ffc33dc023e5754542c26f2b4f32f27d08124056030b1bcc7638c03f0f6130403004bf00ef4d3d8a9cab0b4c9d44a9e77cc89ffd1f8f1a6527f6cc6b2e

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
64KB

MD5
7f316161dff3a02e733fb004f34a46bb

SHA1
5bbfb14b75e1f9a6359e6c4ee138c7bcf7bc46e6

SHA256
16bc6f1087d894b90cbe0e62dcc65f1fb34479d2a53dfedbcacc03b1fb0cecbe

SHA512
d3f6a4369c23e3afdc9cb75e8c6ec427e05948c8baded7291529d05b2f5944c39f8c6f66f21af0531ef21136512ea0c42f045a7c64cfff860fbf4adfff01be2a

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
64KB

MD5
433787950cdcfb5fe36068372f20bd61

SHA1
6284ac4bb260abc695b75642906b4e4e863aa24c

SHA256
0d8ad7369e27cedf0edd47b2e047a2898f548454f68fb75cc63d1aa14957550e

SHA512
b35d7b132994b1d1beb9fecee24a9f62b8bc5212c134d9e92415860aa71e42525b967983454a86de8497bedc32c30ef7c38d4096bc2434683a5389da2f036bbb

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
64KB

MD5
0b2000d31b82fe31bd21ea8d06bf542b

SHA1
a0663f60c239c6ac8a6237e36f97e6c88a90fc35

SHA256
b5efc163330ec61375897a0ef2f464917989255c360cccc882d98238cb5a6f57

SHA512
c365f95183ea3934120d5561c1b21934b9fcd4d5f7f7c314e72860eb35d0c136ef93666bcc00cbdad632dfb596e6be368103d2b2b744cbb756404fcadea65299

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
64KB

MD5
3616d9380940c2dcfd2e2ea80ac4a698

SHA1
3e3e33218f601ca6544e5090ec69b45eace39633

SHA256
fe67adae892c0f0e3c8e66fe40b4f3191c3e0d2db808e8993ab207a0653d679c

SHA512
9ae9a0f7bea23cc4e0ccff2276b5f6f351bdebf93f93dc80d11f55d82f4be0af6d68b00f52a56a14a1132e5baa149b0501d302c908a47377a601d8d5cfffb1e7

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
64KB

MD5
e6f6329843bc499bb260404f56ce4f5f

SHA1
f21575c350111faf02db4d370c112557a3adb0d2

SHA256
555903b3e36e6e68619a9f6e3472b5e760d627a79fb1ecd89ba07c0481e5e8c4

SHA512
5d8517f38c6123c9bad543eaa9342fea44bc5ca19bb008a4b091311967a805985f8a0519ff09406b55c52e978a7d5822a661a10848b2130f8ee74b505176e04d

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
64KB

MD5
8af72e66b66abc4f619cb47b03cd2bcb

SHA1
3ae697a3fc5d3e4c0bde39f5cbae23f1bc8d56f7

SHA256
69fb99b6991b7bd244d48090888a219e0fb75e7031efd3f0096a9d24a392fbcc

SHA512
71c0d8f362d14f541f2dd2e6abd71465346d67e48b2511b000f52c01c03f7acf93d4f4cf3a34a516aebfacee41a98a0099ed727096d744d4bfd1498856851e91

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
64KB

MD5
c1b7f43a21bb434d10c8141463bd2d50

SHA1
44183d9d142fe0e6ccb6efd254dd4f5f133b2b34

SHA256
bf077edffd536732266b5907d4ca78574131e56530cb32e0c2a564def86970a4

SHA512
6e37048cdff2333f3e661c59ff179e6f2ff72ebbe4992d24c2be9058a4001e52bf8cfcea4cd5c80300fecfd572d3e32bae94d8275de30e98cfd23ed7515a74eb

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
64KB

MD5
f9f674d13901c9a47fd42f5c18b24b32

SHA1
8740990791a05cf67de09658cdc17b6e8749077e

SHA256
569c39677a312ffe2b5089ff2d9d8dc3989c2d74ea25acfb50b255422176efce

SHA512
805c487bca154208e77c4f2481b286bd3fcbdbe962d310b27682bab35009c7ca6af793416e8863a4025089df210ab678478ca7541924c2942726a24d9de6902c

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
64KB

MD5
84ae35d4727497336d38677941b2eb21

SHA1
31fbb923606189e56cecec38591aac1e44f37ddd

SHA256
a3356f9d5af04b8f376327b253121379f1a98fce33bd70295d3ec47ecf9db02b

SHA512
a36bd9ac769ae17a5107ce66c83e52a63367534fa1c2d4f58018b141349a6a6f752ca4e68743b92b83d1efd923623fe25bf51576efb59673cfdc26d0cada7290

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
64KB

MD5
f5ef0441d9edc92b028f1e5a10e74ae2

SHA1
5a6db9a87397c0d185c06c453066761550ac8af2

SHA256
fc45ba68a5a1a63c802c95103b1c686f677e85c81d9c49f5da5a60f705dac240

SHA512
156bea5653ffcf46cf93189605270a1d8a24462995812d1a69812f83a75e3007ec20069861e7c672040969742d76812c381b179da67c039077de4e8cd9bb7dab

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
64KB

MD5
69c5748bfcad58ea77e07c82220437fc

SHA1
7c2899f4b1a7cd5cb8e2c2f4b15d2a9767bf9c09

SHA256
b869dbc32454b3ff4c660a2f33f75b06b5f57b784099363f774cde24094b63ed

SHA512
3b070c34a1881a3fba5d59e9eab2cbe682efee75f4d860243c002c70c43c07259b9fd21a75f49efc1503bd516cb14d9cb20334a8bf0f3edf520c519d9b2a6add

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
64KB

MD5
21f6a704cd608eaa60a35c8ca5ee5ba7

SHA1
298d8b1ad2b60f9c53cb01950518db35c748470b

SHA256
0ed8f7c3cdbe508b5459aaa2e8d24fc015dc279d51b1fa4150a8960279a08d72

SHA512
c14ab885e81011a53d085b2231e82f4d1968c3e325ff89535ba6f52595df97d6001a804b27a0641a7f242aa86098cf197d58a4a2fe7679de391bc560806055ce

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
64KB

MD5
3a41310c2672d95946a648f77e034b12

SHA1
40aa576f447d999ce4c13b1dd2c4b3662d354e99

SHA256
184b09adf1579973bdfccb06bd011ec2f2792f0bd14e0fc56fe06e5984f0ed38

SHA512
f676d4f4597ee8ee09ea56eb3e2b047542cdb000cf92373218e4626b052e55b1c6e83e43bb043b856e9a3d5a75dc8968fd9711f1129ee9be4cab53d17195ec93

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
64KB

MD5
78e18218dd8b247411a2daea4d2373f3

SHA1
514d9f9560d4bae255931502bc2ad0263ea3e838

SHA256
01942d116fa46f74e719aafef0bd12d4ded2f8748b53ca320aaca5367b5c4754

SHA512
aacd904fad6baf68167c51108008e3023a23dcb8229d5743a7503ffeaedfc1a89b065db588871c706912247709005a99979b21a3e55f3f0b1b8bbe02cb8b5d69

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
64KB

MD5
f6149eb99552790eb95e8557897551ae

SHA1
a5e0e7c9d8765e8d3b853e8406cab6231967da4e

SHA256
a76b5b8ee1cd49f4437c1d77d587f405459e7685ea5dd2d57760eda6a3b37002

SHA512
cbe6498d8f7e51b45a2177136111836844bf422dd63f2fa5558bacde00bad8c023e6087d48461c95b563ab843f89f0c95b7bff72edfb6cc1088093974b60811e

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
64KB

MD5
bc0f92f62ad800201a719b1878af505b

SHA1
c0684143d2195dedbc9120d0e8aabb5965d19c91

SHA256
1034724918e0e9203bde3d11a7fa3ffe10c3aee11ce479fd3c02bd39d7ca4e65

SHA512
ae9ba566671541cf74d72103ac46b8414668df265a679fa8872976c949ff6ce1f8708b5def71d16e0b47db4864ff467801dc972b2e9457f71259473229f7eb6e

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
64KB

MD5
7f6e442d8136d9dbc6ee825d8e8659ae

SHA1
940d30dd2f1154d203d236e60bee01b3be087340

SHA256
4f000d45dfd25cfb86f30325868fb9803158b169cd98cb40170f9c47f50f145b

SHA512
c4ff64caf25f826e258028f36e2e2cafd5219a15ca89454d8a5d398f40fb1b564c75c13c8f635106654164e95dd2abddba1be1bca954aaf0412c7b8dc0cac8d1

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
64KB

MD5
7d40f08b14a4c537171ae6839d2c6a84

SHA1
c3ca0b67c534e906a1efcfd34ae46dadca4869a0

SHA256
d7d7e37d2aaa18edd0dc0506fb74a4922cb959e0c5b1c77c18c2549e12a1aa96

SHA512
849dc978760b8a1fc1ab4abdda61cbc4649bb880bc3964c2a5825659b87201a694cf63ac62ff046d859b10659c2fd8c3282c96f4e09855125fa41bfe35491a1f

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
64KB

MD5
799857d1656720ec35fcc51c7c8e8af2

SHA1
cfd80aaa9888c43c549f8594ba1b301ce1b88aea

SHA256
d57d73321067cd4047ad12c843c5ac942f5031232b5b680b53c2d2321ba31be1

SHA512
afe089b7bb2812604a5d6c279de8ef8f9784dcf6581476dcf614be55013654e2dd208871ca174f1e6fea70334279515546c840cfea476215b35a86393879f12c

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
64KB

MD5
1cb0186ff84be014f4117431b54d2401

SHA1
dd5842067c448ffaa799c3b459e2424ae0c995a9

SHA256
63ea4c7eda0acbdef21f997305e11d4357f177061e90f742ec334e5720683a55

SHA512
8066ebb203023551b33c18ad83ece3f357e265a6ee4706fd0aaa002d6b4e6a0c1215280cdae3e7b3420b6bd8b9b672c31e180bd3e3ff98c284a030fa57fe882e

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
64KB

MD5
7fcbfb4cdc53b0570bf720dd549695f8

SHA1
68db342bec2bdea130fdfba51ff28caa3455fae8

SHA256
767ad0d4d936f77fcf77b8198bf9e104c9b671831a230332f0b1aa4ad24e783d

SHA512
7bf4592b920dd98974317cb8c6a0c63849cde5ce1f9de24789c2c890b74de8238f4639835febfee0b8af3a51f1ff0619e9f882ff363f631b7b5d7e49d49c5682

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
64KB

MD5
9bcb52f71346cfdffc1457753276d6f7

SHA1
789294ef896aff178b1f925c6961856f87436aa5

SHA256
bdc26e8b2618c44bfb990caa483fead30a5d9a2977ed63e4dbac470ccd12e583

SHA512
166ff8250fef08020c732c03ee41c9df12fab55e7c3c5059ef0eea6125403a91e5113ad12680af560e8f64fa57c142630c89ddfcd6243b23a564d708a085ab4b

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
64KB

MD5
19ac7dbf824c2cd13f2f63c0c762e770

SHA1
7c2fb6b0ff8850f9484c81d59acd755057a6725a

SHA256
5b544e4125c17ad5b12fd203daee18d201220c07235a0952088fe38f79623a0d

SHA512
e014dada07ecbed74d50e9875b19c42b86e7730fcbf76c954e36d3b7d0697a55ef33b900d86b0f9f18b577dae306d7046d787b476079738153133041ed14aecb

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
64KB

MD5
43109b434827150765a7bf1574b642d0

SHA1
c9b2096e0028a81cbb9e10745e43dedeff4050dd

SHA256
8c488ac2cedaf2d9ae0b08b9883ee00a4054da655a6495fbe468c789f1b771c0

SHA512
3df68c289d4587da3ada670336934018ec849cbe6f3433adbb35defe80b1738ca770ac12a901286264f6fc88e61987a56b07bcf18c5b085f49053b3e8427d960

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
64KB

MD5
92d14f31d59575279a23431aa166e6ac

SHA1
baaeb41b1fab7d39f93d2ecc4e17c9c54dc9ebcc

SHA256
faa4e34effeb1502930f1d8f84e794710ea5f5e65a87717f2379b16bac07c7a5

SHA512
4c9bab28667abfff878b8a6d4fae25a3be931893cafa225d54e1600fad316fd89089fc378cb2cfa7b11e8732c30a1fdba5f21fa77ede73afcc3b71166e35f9cc

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
64KB

MD5
3e05ec64d62fe28faf4a710212fb5eae

SHA1
5a0743ca1f561d8f21f607ecfcd070f470e0b714

SHA256
45b067a70596939a0662abe2fc60b5cee276ef9d5f02439cce23d73f9bebe0e1

SHA512
9648c22784625c7f3db3b91c35732d4247d2655f981e5533d5019bf3b3924f6a3ffb3656026266a16950a4c620c67acfa25d5c32fc9fc20192d515ca24970214

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
64KB

MD5
3b4154aba68f8cc0a2bec58a9c0edabc

SHA1
33dff64f62775f182d2bb3e5667ef491d7e4b41b

SHA256
a9ea971f735b56dff47d9061265370a3308cea36ec4499ddc2cb9d0e00d62961

SHA512
0cbd6127d2a037f566a024ac3c3645cf8ff74785ca201b3e92a13bbb0dc7ce4718bc29b2b1f81ba671cc88e7ce520086ccfea5a45a827d0fe6b55e7279a3e918

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
64KB

MD5
07e11ceb5174552a8d85bde3fb134b28

SHA1
3fc9ffe7122ba1960705db1ee4e72b563bfe1c16

SHA256
8752830cdf251ee83bf76d140afddc04157ee0e19336be731ad9b705d6496079

SHA512
2a0e5ca08c9d5f8dc5c1512c35d9ee6cc0d889b3d3a3426a18ecc43476525650f478abc686c8bfb4beb493750c4656651004a4ba30ada6a7226b1bd8315dfcf9

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
64KB

MD5
31c12a5c818b724cc59e25d3524d2091

SHA1
69430b175d2178b46ebd68746cc5271298a623d4

SHA256
82dca1afdcce5c8190d3db8fe2a7b4d9f825d5adec61134f10e913fcd4d3000b

SHA512
d2678443626c0b3e20026c147dacd0842c1e4b59f6db95bb561e885a2bf5b61d98d96831e476b3d77228aa1f9eeb19e4e0f1d9fd362e822c0ce75b64c487eb4c

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
64KB

MD5
272850e1761e2215888e6ec17a448c17

SHA1
e2a281ad7c836cfd1cc47637d3f2d7c428fb2ce8

SHA256
83205a7fdf337a6088fc3e80049b5b3ab9df473e2a5f83cb0e97f5c54024dc60

SHA512
fb5aac59123864b1a93b851af4d9a539adebd5dd133aecb2d897ded47a0a6dbb62ae8bce6f0cd4c86a27760c6409bda9ab42b0f541e91d9d5bfb8d2e6e1294d2

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
64KB

MD5
e1512df702e2b6727523148a897f05c3

SHA1
2cf9429c5a501fad85ae08a40eb41804c9b9b745

SHA256
85a554b639d3d8dd24a713b3bb136b4c404d88cfa5b8750e2154e07b16f34f40

SHA512
6dfaeb0927079ab9fc4c1fe25395a3958f29db32d3f36f8f21c2e0549065f734549caaea653bd8781dc97d0bad190a3492f5326fdc3a85b526411ea37de112f8

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
64KB

MD5
9fab93176553dd0c5f2e714b065aa06c

SHA1
bbaf7f98b26a6ecff9b965aaca9765e6a6868b88

SHA256
7f7a4fb3e1936af58ab648ec6474a36ac12b550d26e14cd4c20eb86187c3cd92

SHA512
c06fd4c795dc1c018bbf827a1489c594e736ac1d3f7cd9d7a2332993eb112eb5fdb08602824e34e92787c394577d5636501d7f95fc61c4c2accccff7fd411cdf

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
64KB

MD5
605e1c07d64bbc7f2fa0c61a57d58fe4

SHA1
75f51e240aa0a3d182f46fb380e8e516166a5060

SHA256
918b7710f216873ac0822ae277f4ec9e92b8ebfac8ad7d7434a21f411e84dfc8

SHA512
96dafe66dc163a0cdfc883c85eceb1864e996c9ad64d0baf0a56bc05f0ede07d0cfb006622103b5b1920fd9032d6b3cc2ad3aeb95ad139a77ae56867ffde12bf

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
64KB

MD5
259c2c63dd4b611eebceba5d49aa7b6c

SHA1
3c31c01e7733e6f14dc7cb70bc17fe73de8f4c7b

SHA256
95e1aed5a1f5c59daefa6cd48799f2b80b8eeaaacacc1aa9680bb35daf8922cd

SHA512
28342ab1dcf084e8d5d89b911c9ab3330b7cc520806e316b2c372b10dd5344cd1f33136bdf8db4d019687d37d2d29dc3faaace6b34ce5ca5e2e41cf0112aaf46

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
64KB

MD5
1c4fb2c31bce3121ae428e04bdc05fce

SHA1
b99268361a5fb6525117346c1acdd01d5fe38cc6

SHA256
1b330a5423932fec3bc7fef56e12a57cfb4ed8b94309fbcf96cb43f2062c85b2

SHA512
979b9e53b5d440473c1275ebd6cf6803ed0617b5a88541178928439444e178080b4f18f5bece0aaf0d313f161359f14de0f62dc96cd4c4fe802c74e08481b284

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
64KB

MD5
55ab5c7b4f8c680a55cd954a420ead92

SHA1
a2bbf3b26902fd5c680fc29c8807e634ce9a47c9

SHA256
88e58ec5d7135bbb1fcb44f9873d06fdbf0fd933fcb1750cfc96baf9f2aaadc2

SHA512
e34557e5812b670c6cb2b7be68549c5770d7588fdbc9b0f750280996b0f8c8713591f5214da603a6d1589c492315383b0932a84ac955a610969eb50fe4d96b9d

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
64KB

MD5
2ac5c671994d7085881f912adc981f9c

SHA1
3979e36a6a5a7536b922e2226f13d63d34908886

SHA256
243cc11ead69fdc5105910e55183f88fee819a164265099f12a8e92abedc0657

SHA512
edf3e2f1473814b5aa359cebb54e975fdaf5620228bdad3f724a80222317ef86133a90fd95f3ff5bd38088354ea231b8202fcead3be758efa5258e581cc63b93

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
64KB

MD5
ae08c3f5f4e641be4cf531a3afad8dad

SHA1
b10972e3270b519306ac51666fcf6ed05a58ef75

SHA256
c25d92417ee28fb6b10ebe342cb2151dbb2dc56c74ec602789402f1a17bac36b

SHA512
2edd8877be5daa96bb5b2615b7b3c42eb878d4889e04d87c093dfdde999a36be7caeffa6eda42f11a4e555ddd636bfe0d2bf418003aab19c77c10d481bc6f73d

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
64KB

MD5
0c54402ae65ee2b61dd26b54dcc60654

SHA1
82467b5ae8be5ae86ec3347a355cc57ae5a7b3c0

SHA256
8d67f4056658157a94f3a3084e893e76f64e4924d0f0ba06831d4a6196e48fd5

SHA512
7639cbd8f33b9d43815d9243a2351922bc3b2ad303f827682bd57740422755085fd5a3203426a18b1969e031032de62f65330758ebf29ce7033395be249f83b0

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
64KB

MD5
5e7721704d68542042ecee343d6cb2e3

SHA1
24f82518c5745435679c42c5297d03cc4836d34b

SHA256
112efe7846ffd71c7c079b2d7b5c2e4e61ab4899925fc66e7fcdfc954808062a

SHA512
b49c00553766c315acde9e16cfd527b06e435098fa2c8930945851c96ccd8cf10d91a49ac39e8d2a1c8fc7252743158c2ec32d0533bd9d6e1a86e587ff744df6

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
64KB

MD5
ee372ae8196252a34323f4a38dbe9f1a

SHA1
4a1c69552b2864972603c57321aa66d514a14ec9

SHA256
30d8494e7cb43414c0b7e9830eaef837b292847f28413b1d080d8b07ceb72f5f

SHA512
e721f65ef74216af7044e736db2398786b371f624cba96a3239bd14fa6d2be04f6774c5e6dccaac9e6b6cbbc8c4337bbafd836db0e8c1d9bc18d598e501449af

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
64KB

MD5
86fbc69b63de9365e6db9059792a91be

SHA1
8adacf2cde88c4dcb24a676e541caaeb66d745c6

SHA256
74975bd77570ace351db3ee6d4ef5fe7d345ca090797a993e4f8e5592103a491

SHA512
2e1d57dce87aae83cdca8fdc720c083f13cf4929fe454fcca236c6de0d51fe384fe5ad0d56133c8e0d45ee70d30f374dc9f4f720bd6e0a37d476bbe1f0d17055

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
64KB

MD5
66aa8d70a7c839a38326d920fee177d6

SHA1
cea0aa9a038a1ab8b6b259d5fd225189fb26cacb

SHA256
6a099f271da52544477085bf0b74e4f06d4d306635742135ca7c3bc6fbc3d535

SHA512
02806f4683ec5e99962e764c0b61b9d0a2bdbe106f4ce6f138365eeece6252b306c4e7cee44b788cdd07c814c79dfb88680a923ec53333e76bf66b80e4847daa

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
64KB

MD5
76c23c5e34911603350735bc42a0fbff

SHA1
40180941f98a5298f1f7c74be43de79689e5770f

SHA256
4bb6e68ab2be30884755b22c8580e7761f08646a28b7efde4a2c5c6c5f33d21e

SHA512
380c5132aede786747d55e0328a9d3b125096552bde75df5ac72f3d08b47b5d423b5ea5dfad4bbb08f150fbe0b6383075714ac091ed480735071505227d10ead

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
64KB

MD5
062f040c8d5119bccdfa6733b9cc3243

SHA1
c06862d626377a159a970310d61b5c59bd26d8a4

SHA256
a46c6ae85d2f8e38b62341cae3ebed0114bcf8157144adcc064cea15e50963f1

SHA512
e3e7688193325d4955272374b19c90b450b636b9fd2399378f7c9feff3b3e4e83e979167f1d2dd49b48cf03b0d376fdd262be6a73e5404f450cecffa3c84f040

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
64KB

MD5
7d513f7c4581a094ffc0ed15be5a43e6

SHA1
7bf7fe4fbb3203be1ce3aef0a0cde771544655a8

SHA256
d3089528e4a1fb75aed44c5afddb49dc7b4e761169a849daa3159ad83fa96602

SHA512
791ebe7751750127ec94ac7e99d55b847b0b8b5ec61675021c46bc8e9b8b985fc6865735cec89c2b7d4df57705370496b5a658e0fea0100820a200559a1ffef3

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
64KB

MD5
c56217c3fcfa7527c1067babd012d98f

SHA1
f7cbdf87cf07bb3d913916cf03e77ebaf6d86e9d

SHA256
24c96e518df3ff41df50fdc52ad0b9b9f7d86e20e6e5e9e8ced5f436a478a52e

SHA512
3f5d4920ca72c736f6430b15f9e8b4b176e7c8fe89240eef85ce330dc06b1e437a24646d3f039a9558a1a14b18e990a38dc374d43888d43410dc77bd7aa41e63

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
64KB

MD5
5d2d35ec7de8e4b83a6ef32d946ce143

SHA1
200c0958e93d386ef048a219a6efe3edb0da100e

SHA256
d3650d2f1def3e44ef6bf60652add7ae4bdd1ae87b20c9812f2d86aad157e4c4

SHA512
cc76c5077cadd4028c622c4cce3e533367f830d479a84e5d116976ba7f4df22224949dcd1624b3ac40fa874981bba9386600aaffb79ab1175e24ea57fd4a8954

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
64KB

MD5
6897acd544f20d0c174bd6593b93f4d0

SHA1
f9c19f0f07de374231d0b1d5ff64df2aacccb2f6

SHA256
9c401642afa3fa771e14a502eff0a921687ae33cb072e5281fbb3c39ec165a0f

SHA512
5587375c194e091ff89d23a825cfd025bd9e3e580136cd0e6a1e1426637fcf7725977ed86fcbe97dba7cc12c5e148844407b6f9700724f575775752805e055bf

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
64KB

MD5
0227bd1f0232b12b2ab7ad4ab30e571d

SHA1
f31101664773886abb331ea23684727e443f7e4e

SHA256
6c40e7f24f41ede75f1404433036c794603b782d0b01a565e1d6ae22739dcdac

SHA512
52c0890779ff61207a1d122ff0fb668e713474bf7d0e001a727688cae48eae12154b799d0e3722d57de46432d193c66eb4d3402a371afbe3d458174d0835744c

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
64KB

MD5
08347af46db4d20ddac34e07fd2038e4

SHA1
8f388e347a952aec34925436fd4843b346d7493a

SHA256
ddcd8bd091033d881fda31c60d4871a55864696793ed8e5a9dcc334c2157f150

SHA512
3bb55fb1e357b990d6836bd7bfe50af0a4d62f4dd8c24a91a6a975991bf06ae71d77ec0279bcaee20ff1da0d4873fa76e194f73a20444390b44f2e633d690362

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
4133581e1515d9e8ca578ff978916772

SHA1
347caf64a6d1c1a893c6a7bd5e827723f898990e

SHA256
483013db3c5dafec8e68be402e850ad27b02bfa9c5cfc0002e4942731b58eb9d

SHA512
f6ed15f6a5b9c6a514992d8213fa7ad2c1887581d381b383ca2ab4730504eaa1291cf64a7fcf4a55953fe555c0e9a61d76b35ba4e66594aa03b1d9ba0c135bf2

Download Submit
C:\Windows\SysWOW64\Nmlfpfpl.dll

Filesize
6KB

MD5
d7159e8770c176950951e8f514122e2e

SHA1
f320fd1224d1a96799697e6c232adec22482f01d

SHA256
a0264c9387bec33d752c88070a8fe899d73d9b61e08895c968d0e5e7245571f5

SHA512
437e93dfcb80ba3011418f3d242098c9f954e93262bf65fb65f84e1688754124279b81c62d434064cd1e41dfb4ea268295fbd7073325bc60a280eecc82444c33

Download Submit
\Windows\SysWOW64\Aakjdo32.exe

Filesize
64KB

MD5
7678bc17986ce5fe897e6037a8d1e4a8

SHA1
aa7d08735123df9f0d231246be01067ce53fac2e

SHA256
b126417934dcee3496e9a8749d9373dc8521e4e59a43c18f769c2c243de727e6

SHA512
f6a8c3730d5c31aae46bc2faedb354f3a541f052f1a0e3c9f4a90a76612dddb6d03fec5a87da5365dd34149e854f2fa9aa5f4ee344542f9b60264048b4e2ca45

Download Submit
\Windows\SysWOW64\Afffenbp.exe

Filesize
64KB

MD5
33e952e70971734bcc7f5da0eb93b350

SHA1
17a7cf25b70d5ad621d5bea7214c76023bc5dc17

SHA256
f4409e4a1666f275200acc758d4c48818766df88eb85e80042c0f4b6fac1d5dd

SHA512
dc8f4db972c766673f9f8aec71c12f857ec266d078de2221d713dc6feaa536ebd1dba10b9bc29d97d22a62b072a2b2c34d688c03c0df74ff702ddf12b233c687

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
64KB

MD5
090407addebc3c5a1941b368cfb5878d

SHA1
c7613ac48b4cc8b5bd1019e0062194d588688229

SHA256
88ddd7e270d13eadfe23c6b56c90cc39f258090e11541879a32060afc5162a53

SHA512
fac7e96ed27d58dbece70af13a2774b12f894c94ecd83810f19e6b525fa9cf6f3bfb16e1d82d3e6a96339016c99b44b67d4ba1ec9f68dae354ad28b3091f0ab3

Download Submit
\Windows\SysWOW64\Agolnbok.exe

Filesize
64KB

MD5
e2c36c2b1956c01df2b5c1432cf39f95

SHA1
4a90764fde4e1289856431dc3386f5a57f010699

SHA256
a60cfcf9c7da4df8716d1f2978b8c897eaa1ec1dda232563657886804f201e38

SHA512
d4db51371dad9c60d09affe14c4ceed2ee2eee0a4bd62c761d614f48f734f86977281c3b43b8fd334ad7228c9f2b401b85ae452d009256fd2b6d7247a9b397ec

Download Submit
\Windows\SysWOW64\Ahgofi32.exe

Filesize
64KB

MD5
68e563d32c59dc381730fa7a6592a184

SHA1
1511cbfffaf92465846f33fe47636cf67dd152d4

SHA256
266f5ae98c4f0f90871ae927af757e1f17bad39d482bc17d03d713400b5a060d

SHA512
a7f9c7ade3cb51d108d1f835ab781a7be503b52c003a06780e47d98769102dcd17b2fb5474f21f8ecfa73eb00e9b5409b795c19cbf7ddd18df5081c7e5ad54ec

Download Submit
\Windows\SysWOW64\Akcomepg.exe

Filesize
64KB

MD5
5323473b1e7a268e73b684adb9d3fa8e

SHA1
41401e2389052e3ade0f11e6b05128309c07c09f

SHA256
f15e9345d8515efda1b3d512d7841c9c7d315b4b3a0cddaa40bc4c036f7dbee5

SHA512
3034767a8113986be8e0ada8cafecd60c40d9d10d55dee1ec27cbe6c69d6f5cca66b6998699d5a5be9742dd13628ec8d454ffcd80e7a918f50119cc935daef78

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
64KB

MD5
6450eb9ecb65efa9a555fb39d6b6e674

SHA1
8f96db78d9f461ccf9576c71781e8612e0325d33

SHA256
9265a00d0374d45893b9ed51ba7beebccd0b5070109986a63f947dc1cc86c6d7

SHA512
8de9fe31fb2d67d240f91b2437560631caed42e542c9c5c27001e8b7f4081794a4cb57cc3637e4e94f4529e6ca7e96ea5ca84bf5ae1c2c01ae29d701236c7a4e

Download Submit
\Windows\SysWOW64\Anbkipok.exe

Filesize
64KB

MD5
ae9b97847ea08f36cdd1ac83479a6bea

SHA1
76c92ceaf6e2956b577c4cb7a688074355bb8c2e

SHA256
b556ced7ebacd6c359f58e952b157205d15e65f33230bf78b163ed816df41bf8

SHA512
ecb378c426dd3592991df3c53a021bfd0409423352eef288f5fd921ca67a34f32ccf092884bc6779bec1620b557e8ea06fcb6eac6a560491dee4241ad22cfd52

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
64KB

MD5
9d21d60a3cae781e1b66829a30301a83

SHA1
b5500579ab904eaf4a95100fd684d1c093cbbc75

SHA256
2e689a5fb59389cc5556d765c9b9570cf1bfea3a82b5c813ea181d61b5536532

SHA512
6e78a5326b2a82a05bf9578084cbd66c798392b61381029f5e36d2676f31cd4c25a5595b044d852f6ea7b61689e84007ae3f34bd042d4506d39ef02d383f73ff

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
64KB

MD5
f518ed79f80432da7fcc5c4acc2858d5

SHA1
bb809efde0df8d374cf6afa289196ea6bb1ebb77

SHA256
a26c00d56dbb0bd52905883d0b616bc48a6703f1c6c667bb2f64f344ca0d211e

SHA512
fde99402d0d4ee1ac310ba7027004913ef3fb77cfd491d26aa7ac26260d2c890e5395144783bd57832c53e8b6b15930001a9a593a480b7f82f4d205dcd4d62cd

Download Submit
memory/328-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/328-827-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/824-228-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/912-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-828-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-512-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1064-415-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1064-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-531-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1092-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-840-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-219-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1176-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-444-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1180-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-119-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1368-480-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1368-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1368-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-133-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1452-831-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-237-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1548-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-443-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1572-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-403-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/1592-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-501-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1852-276-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1972-246-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1976-785-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-469-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2004-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-295-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2064-786-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-425-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2076-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-316-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2128-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-317-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2172-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-67-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2176-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-198-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2232-535-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-524-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2244-813-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-306-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2324-305-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2324-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2368-482-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2368-811-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-839-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-794-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-94-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2544-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-80-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2584-365-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2584-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-366-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2600-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-355-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2692-41-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2692-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-327-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2752-328-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2764-338-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2764-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-339-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2800-54-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2800-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-830-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-829-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-513-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2876-255-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2908-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-458-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2964-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-380-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2984-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-815-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-13-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/3024-12-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/3024-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-351-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/3024-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-264-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads