berbew | 931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
Size

55KB
MD5

feb35a89ac830b9761c40ca7513ba900
SHA1

2a37e11c9da4267eee7f4941f0abf5d568f5778a
SHA256

931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90
SHA512

3a60461f811d2e2cf81846538e49a9b01bffcd0c9429cfda461fd61bb32c4053aecf9645e7a640696082dd7d9f54d9d61bb5ac224779c1567bf51fb2135145df
SSDEEP

768:Ttzf2/TgO6ZFr9oN4gIJuj5tgaHeo1O06uX1mkFcZgv8KNrJZ/1H5zXdnh:2gFFxu/LPX1PKZYvtD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 59 IoCs

pid	Process
3060	Paiaplin.exe
2324	Phcilf32.exe
2428	Phcilf32.exe
2644	Pgfjhcge.exe
2672	Pkaehb32.exe
2568	Pmpbdm32.exe
2712	Pnbojmmp.exe
3040	Qdlggg32.exe
1440	Qkfocaki.exe
1432	Qiioon32.exe
1232	Qdncmgbj.exe
1992	Qeppdo32.exe
1688	Apedah32.exe
2292	Agolnbok.exe
2220	Ahpifj32.exe
580	Apgagg32.exe
2880	Afdiondb.exe
652	Ahbekjcf.exe
1700	Alnalh32.exe
1648	Achjibcl.exe
1540	Adifpk32.exe
1292	Alqnah32.exe
2396	Anbkipok.exe
1660	Aficjnpm.exe
300	Agjobffl.exe
1244	Akfkbd32.exe
2656	Andgop32.exe
2576	Aqbdkk32.exe
2732	Bdqlajbb.exe
2628	Bccmmf32.exe
2572	Bqgmfkhg.exe
2616	Bdcifi32.exe
536	Bgaebe32.exe
1888	Bqijljfd.exe
1496	Bjbndpmd.exe
1960	Bmpkqklh.exe
2940	Bbmcibjp.exe
2852	Bigkel32.exe
1964	Bmbgfkje.exe
848	Cbppnbhm.exe
1416	Cfkloq32.exe
1832	Ckhdggom.exe
2424	Cepipm32.exe
1468	Cpfmmf32.exe
784	Cnimiblo.exe
2504	Cinafkkd.exe
1556	Cgaaah32.exe
1412	Cjonncab.exe
2792	Cbffoabe.exe
2632	Caifjn32.exe
2580	Cgcnghpl.exe
2804	Clojhf32.exe
2272	Cjakccop.exe
1436	Cmpgpond.exe
2016	Cegoqlof.exe
2352	Cgfkmgnj.exe
680	Djdgic32.exe
1924	Dnpciaef.exe
1236	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2276	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
2276	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
3060	Paiaplin.exe
3060	Paiaplin.exe
2324	Phcilf32.exe
2324	Phcilf32.exe
2428	Phcilf32.exe
2428	Phcilf32.exe
2644	Pgfjhcge.exe
2644	Pgfjhcge.exe
2672	Pkaehb32.exe
2672	Pkaehb32.exe
2568	Pmpbdm32.exe
2568	Pmpbdm32.exe
2712	Pnbojmmp.exe
2712	Pnbojmmp.exe
3040	Qdlggg32.exe
3040	Qdlggg32.exe
1440	Qkfocaki.exe
1440	Qkfocaki.exe
1432	Qiioon32.exe
1432	Qiioon32.exe
1232	Qdncmgbj.exe
1232	Qdncmgbj.exe
1992	Qeppdo32.exe
1992	Qeppdo32.exe
1688	Apedah32.exe
1688	Apedah32.exe
2292	Agolnbok.exe
2292	Agolnbok.exe
2220	Ahpifj32.exe
2220	Ahpifj32.exe
580	Apgagg32.exe
580	Apgagg32.exe
2880	Afdiondb.exe
2880	Afdiondb.exe
652	Ahbekjcf.exe
652	Ahbekjcf.exe
1700	Alnalh32.exe
1700	Alnalh32.exe
1648	Achjibcl.exe
1648	Achjibcl.exe
1540	Adifpk32.exe
1540	Adifpk32.exe
1292	Alqnah32.exe
1292	Alqnah32.exe
2396	Anbkipok.exe
2396	Anbkipok.exe
1660	Aficjnpm.exe
1660	Aficjnpm.exe
300	Agjobffl.exe
300	Agjobffl.exe
1244	Akfkbd32.exe
1244	Akfkbd32.exe
2656	Andgop32.exe
2656	Andgop32.exe
2576	Aqbdkk32.exe
2576	Aqbdkk32.exe
2732	Bdqlajbb.exe
2732	Bdqlajbb.exe
2628	Bccmmf32.exe
2628	Bccmmf32.exe
2572	Bqgmfkhg.exe
2572	Bqgmfkhg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Paiaplin.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Pmpbdm32.exe	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Gncakm32.dll	Phcilf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpbdm32.exe	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Agolnbok.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Agolnbok.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Paiaplin.exe	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
File created	C:\Windows\SysWOW64\Ekndacia.dll	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Pmpbdm32.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Anbkipok.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Cpqmndme.dll	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Pgfjhcge.exe	Phcilf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	1236	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcilf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll"	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbekjcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3060	2276	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe	31
PID 2276 wrote to memory of 3060	2276	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe	31
PID 2276 wrote to memory of 3060	2276	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe	31
PID 2276 wrote to memory of 3060	2276	931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe	31
PID 3060 wrote to memory of 2324	3060	Paiaplin.exe	32
PID 3060 wrote to memory of 2324	3060	Paiaplin.exe	32
PID 3060 wrote to memory of 2324	3060	Paiaplin.exe	32
PID 3060 wrote to memory of 2324	3060	Paiaplin.exe	32
PID 2324 wrote to memory of 2428	2324	Phcilf32.exe	33
PID 2324 wrote to memory of 2428	2324	Phcilf32.exe	33
PID 2324 wrote to memory of 2428	2324	Phcilf32.exe	33
PID 2324 wrote to memory of 2428	2324	Phcilf32.exe	33
PID 2428 wrote to memory of 2644	2428	Phcilf32.exe	34
PID 2428 wrote to memory of 2644	2428	Phcilf32.exe	34
PID 2428 wrote to memory of 2644	2428	Phcilf32.exe	34
PID 2428 wrote to memory of 2644	2428	Phcilf32.exe	34
PID 2644 wrote to memory of 2672	2644	Pgfjhcge.exe	35
PID 2644 wrote to memory of 2672	2644	Pgfjhcge.exe	35
PID 2644 wrote to memory of 2672	2644	Pgfjhcge.exe	35
PID 2644 wrote to memory of 2672	2644	Pgfjhcge.exe	35
PID 2672 wrote to memory of 2568	2672	Pkaehb32.exe	36
PID 2672 wrote to memory of 2568	2672	Pkaehb32.exe	36
PID 2672 wrote to memory of 2568	2672	Pkaehb32.exe	36
PID 2672 wrote to memory of 2568	2672	Pkaehb32.exe	36
PID 2568 wrote to memory of 2712	2568	Pmpbdm32.exe	37
PID 2568 wrote to memory of 2712	2568	Pmpbdm32.exe	37
PID 2568 wrote to memory of 2712	2568	Pmpbdm32.exe	37
PID 2568 wrote to memory of 2712	2568	Pmpbdm32.exe	37
PID 2712 wrote to memory of 3040	2712	Pnbojmmp.exe	38
PID 2712 wrote to memory of 3040	2712	Pnbojmmp.exe	38
PID 2712 wrote to memory of 3040	2712	Pnbojmmp.exe	38
PID 2712 wrote to memory of 3040	2712	Pnbojmmp.exe	38
PID 3040 wrote to memory of 1440	3040	Qdlggg32.exe	39
PID 3040 wrote to memory of 1440	3040	Qdlggg32.exe	39
PID 3040 wrote to memory of 1440	3040	Qdlggg32.exe	39
PID 3040 wrote to memory of 1440	3040	Qdlggg32.exe	39
PID 1440 wrote to memory of 1432	1440	Qkfocaki.exe	40
PID 1440 wrote to memory of 1432	1440	Qkfocaki.exe	40
PID 1440 wrote to memory of 1432	1440	Qkfocaki.exe	40
PID 1440 wrote to memory of 1432	1440	Qkfocaki.exe	40
PID 1432 wrote to memory of 1232	1432	Qiioon32.exe	41
PID 1432 wrote to memory of 1232	1432	Qiioon32.exe	41
PID 1432 wrote to memory of 1232	1432	Qiioon32.exe	41
PID 1432 wrote to memory of 1232	1432	Qiioon32.exe	41
PID 1232 wrote to memory of 1992	1232	Qdncmgbj.exe	42
PID 1232 wrote to memory of 1992	1232	Qdncmgbj.exe	42
PID 1232 wrote to memory of 1992	1232	Qdncmgbj.exe	42
PID 1232 wrote to memory of 1992	1232	Qdncmgbj.exe	42
PID 1992 wrote to memory of 1688	1992	Qeppdo32.exe	43
PID 1992 wrote to memory of 1688	1992	Qeppdo32.exe	43
PID 1992 wrote to memory of 1688	1992	Qeppdo32.exe	43
PID 1992 wrote to memory of 1688	1992	Qeppdo32.exe	43
PID 1688 wrote to memory of 2292	1688	Apedah32.exe	44
PID 1688 wrote to memory of 2292	1688	Apedah32.exe	44
PID 1688 wrote to memory of 2292	1688	Apedah32.exe	44
PID 1688 wrote to memory of 2292	1688	Apedah32.exe	44
PID 2292 wrote to memory of 2220	2292	Agolnbok.exe	45
PID 2292 wrote to memory of 2220	2292	Agolnbok.exe	45
PID 2292 wrote to memory of 2220	2292	Agolnbok.exe	45
PID 2292 wrote to memory of 2220	2292	Agolnbok.exe	45
PID 2220 wrote to memory of 580	2220	Ahpifj32.exe	46
PID 2220 wrote to memory of 580	2220	Ahpifj32.exe	46
PID 2220 wrote to memory of 580	2220	Ahpifj32.exe	46
PID 2220 wrote to memory of 580	2220	Ahpifj32.exe	46

C:\Users\Admin\AppData\Local\Temp\931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe
"C:\Users\Admin\AppData\Local\Temp\931f1d9ac83a58ea3fbe4fe88646d2e242ea55e4369043411cbcc067c1b5ed90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\Paiaplin.exe
  C:\Windows\system32\Paiaplin.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\Phcilf32.exe
    C:\Windows\system32\Phcilf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\Phcilf32.exe
      C:\Windows\system32\Phcilf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 144
        61⤵
        Program crash
        
        PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achjibcl.exe

Filesize
55KB

MD5
0f758092a4b17f4a49ca3e6e1ca6a653

SHA1
c68424bfaef183c801f806ec09c4e495f3808809

SHA256
40e2d73910d4f40b3d2348471ba8d3f7f81624638371e3c24be6b08b16fb0cac

SHA512
719246ef7e76fecb6ceb115f7ce807465a98b416ec776098fcb63ec920d1a281efccdde97eb5d08324ab0afd4d7e53f5e0f824f36932b9980fd16c8cdc158e71

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
55KB

MD5
8264b4e4b0fba4ecd01c58e109906933

SHA1
d6a100d4ce5ef9dabbd9eec1842d5e787d2d1a9a

SHA256
56dce40925b7416a2a83c0b6161bd4fda590e88e1faa73cff74e4686d4b2f1ce

SHA512
db7efd07a095fc0054c9206338ba6781546f10b69fe7eabbd0afed1c12a32ed434f71314a4cdb0b79f3d72b0f30cfaa6f9e5ae112da470ca3d8aa1e68ea7f163

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
55KB

MD5
b640ba98b929f5cf5d6eacbb5eca1966

SHA1
0af9bb9c55e7cfe2e7d2b47cb0153c67ec99b5a9

SHA256
44411bf7c83476b785a597425cfcf0a0d37fbd0655edd224fba3179e45412dac

SHA512
b7f9f1398f6f43af5c984289ccdbdbbad808038f2b3a4fe19b5de3af3644cfcaa4a6cf724e726e45ff9853e52ebabe40694bf00b436ca5b224aa5567ee0ded42

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
55KB

MD5
22cb3d366eb2fa3ac65fb8a96b0721ca

SHA1
b81b8f17f3104a24c2c5125f933390aa4b84b322

SHA256
9c123ed409cd29974275a0001840e35deb8ca2c10f23931f2b10e7405e363c37

SHA512
171b0cac6bfdfea3ed9079305fd7ebc409795c4edf2451949aa8a0b373c3a804113761042c52e737f3bc310ef6f3d173624039260ceccfc4ab2fae870e0d8eb5

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
55KB

MD5
105d1c0623f411adb0760d217023c10d

SHA1
481e90ec0d1a51a70d00372767a6973dc6d373cb

SHA256
26af18711771367e574dd22b9a0c90019929da83246a0bd2147831fa498b963f

SHA512
29579996622e6b9b48541f524b5183b1e2d20707f708fa3e29ff094e992885cc45a2648008e8200a71becce124fb59336170465ec04a87cc578333d1d2dd1704

Download Submit
C:\Windows\SysWOW64\Agolnbok.exe

Filesize
55KB

MD5
9936377e3cf2dc55a26fd9c7034243c8

SHA1
3f708135701d12bad874a4baf4dd3509272ff2a5

SHA256
baa255d1db6b432c63537e7f4c4261a8ab33df269982955a0f9c6b2ce3548262

SHA512
1a526ba88c59c6a6d77bfe10c0c9fd8678b69b727fadb3760139bf02b694a3fbf5c1119f016b774cd63ba4634fbfa4e7a573859874f4d88f6cf6ccb66e58612c

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
55KB

MD5
23cb8c3c99bf924e383b2dfcc20678c1

SHA1
72280724aa8de4e7ecf88a65cbaa74d72e9951b9

SHA256
99c2642c1e4e5e735cb3142f8a1f27d6dd7717e6f1243b83040ab1a0fc6db3db

SHA512
c4b61b293e52a868140ce240ab08a70311c4d9687da151318f12aaaa7d37b45557e43587aa4171495dd1d03db433cd711f82884109d88e32c5f6c1b7d158c36e

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
55KB

MD5
4c593cf1877913d640ebb9a1e4db9954

SHA1
ec9d85c5a6b5d9105d9c9c65e5385ce859369361

SHA256
2855891b72f5d0e939ba1eda4188af57d9eb544fa7d5cee8604cf2692f923cb4

SHA512
c108af2fcb016adfedd9742cf6102b32afff838e99695abd1deb70cb783edf64e0f3fa271b34fdb14ce0ed8bbe8a1fe4e6d1e19883cccbcb0d390be44c17d573

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
55KB

MD5
879fad897888aea3f23db4429c0f1611

SHA1
60d3e844a1777ee3703980be85bf6c49406e0562

SHA256
ccf61229e1b20f76201fcfee05bc0751d533fec827e6a8c303bb46ccfe8a5d41

SHA512
06f5373778d4c5b6715ef9b4a024e6cd9f0e87c42cf0eb6d307599bf92dbe6b61bb9eb812ad95737629f4baccd311c0bdd44cb60d01cec248b5de53b9ecdc694

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
55KB

MD5
96682601ac25fcdcd336c56afc005e25

SHA1
2bc1b3411c2887fde72d163c17afa2a583520e27

SHA256
fb97dd1199d4de12f076198be04b12ba7172aad43d7a52a459562e2f019b9d5d

SHA512
b889549b4bbeab95f99c67b33f1d4d357d1a05a6665a5adbcd51a0c338dd5314f29b555b1a04d11b43af6f05c0caee07f9fc8fe91bf9c89dc0b924034af16f5e

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
55KB

MD5
7c005876225de1b5104a437a94575b27

SHA1
6bbd66b5ffe0d543bc862f0dd15b7cec80d34544

SHA256
78c24a3322a66ce7ffbb844a536b00419566fbb8d112a4996c3f4b6245ec5813

SHA512
1257cae5f38fd476454074d094e94d201006327d54754d4dc723ae319a1098b3e71a7eff2751b19cad12634892d6ab1c3066cbd1af2b5ef7593e0cfdc987b87c

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
55KB

MD5
02057cb78927a385816049030a375f20

SHA1
dfcc01fb546bce13485e8022428091c6f644d34d

SHA256
a8707a454d7bb800e75a0857475673597c18cb2e01725af14d380172aadde633

SHA512
acdf30c3aaa7f418f92f2f8ea05821fe51aadecaf2d92c557df53c33e7f1b2de845a1e6a6db3d19691a53174b6cfda394bc15eeb3be2e15642bf3e7204b39fa6

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
55KB

MD5
b8052199ff0d8076bd3ee38477fc88bd

SHA1
982a5ce38eaac8e7546b77ef335ba20efb54b4bb

SHA256
630385dd5328a02150fc27148aed1004db910173c597031709a9f9a0ea4e72d3

SHA512
29bf55ce3018d68ca96e7997f032f5348a8b571d79c2c07cf67d0f0072553a85bd7f9270e9cdab669303277cedbf699915574aa2c9e3f3a7d81bd5a666bd2ab2

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
55KB

MD5
a4497979790ec6f8cf1e2a040372a29d

SHA1
8c9029b4274c605281bb98827d55a9668b75b3df

SHA256
55be70e444caac7b6e94912db5622f18640da784a51125afb6e4c65474eb51ea

SHA512
ddb08d74d565e35fde50801279642eba2a5608af054a5d01a6697272e41b613b180ab24db70a37f42c16ab3db641cf3bfb88573aafed8c19062538b2f9b50c42

Download Submit
C:\Windows\SysWOW64\Aqcifjof.dll

Filesize
6KB

MD5
e0c29f2e045c55f9674c21848f25c993

SHA1
07d08339e01360b22551c57fb28b15146657b645

SHA256
4ed26eeabefb1bd1b1d7cc5d59e2085403246b6a08d0ce37cd2af1e795989df8

SHA512
950c2beeb90b7a09695233b2cb33d703a84c7ea974f303a61c2a1160dc77ddac3e09ad8f6b2776816dec9dd0255f5c3bc0665a01e9e13b86efe47579a0f1858e

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
55KB

MD5
0a82700baf5cfed7d2fe6484a34fb0fe

SHA1
dfcf64282847b645eec6d1a3d63a0ebf99cfeedb

SHA256
73f2ef1ad974c91e5931dfd88c1f2f89c3db3496ea7f686139498f32d82802a5

SHA512
3754b97a16f38fcb1e66dd49ef833e036858ca6e8d066a27fb4db2404cc46cfae405a5a4c78aeefff7d7de14b30e456078b490e827f977060e41490731295685

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
55KB

MD5
954ccbdc2ce2c5ae34192686aa55df1c

SHA1
bfc55677cda05b2bb0dee2a8da439e9d7eddcc94

SHA256
8126c6b373c27986c895ee1dbea617023992abaa0db43b504d4fa44f9e7cdd2c

SHA512
e4dc833288f32b2f3801bce3cb72106441616a1a3660cca7acc8e780a3896c56cd04de07374ff3ceaf460f8bab8dddd2861ca34b925864d04b7098cdf2063a36

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
55KB

MD5
7009ede6e9e7d3e2667c8509d133102e

SHA1
8dafaf4dcfb3f270d38b47ea792bdfa487a16fd1

SHA256
e85081b2aee6c9d6684e8288fdd38be5c37b02bebe307dbc6beccaee1c4be63f

SHA512
bb19311edbaccccb24fe04f21bdc9c8c287d3bdfb817685a3bc41bd797be991f37de1ccfafe987ac09f7ed61cd7026aa9d0c5570fba2c6a432d83c885482b4cf

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
55KB

MD5
0af2945e3a08d4941a63d6ccea85336d

SHA1
bc3a515ebd26fa484f97c7b2f022c5562160980c

SHA256
bb0073c88eee96b4320d771ed44423944830b36d8c1e67672790d4919c97ff91

SHA512
75f6b0f818512111b3b71ab9ea78b95044989f15d143e181177a62f2c8f80216712deb50e55147dc050fd102fa12f013748ff19c0c80bf7f404ee39edf23b450

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
55KB

MD5
5b72b0b811685b9fda3b0ac469b84728

SHA1
9c5324c529c107d9e2d53138445a630cb757b42d

SHA256
60fc57049b392c39248eb3d4f6f4f3feed1d5cbe547b1f0d5e6405b1ef7f5f8e

SHA512
8dec36e7f4cb53c216407ba7c7c36f44e6ba3ab15c230a8946a135715405601f6dd6c40bbe3a9e32a45d03d887e2ab948446054cdac4225350265768dc83b855

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
55KB

MD5
24951b16dab46ace904e093e458b0a63

SHA1
449376bc570a1fa9d818f2174abc23e4d58e2196

SHA256
e3cb015a452b1db96dbff5a8d85d30c45c51ec089fe15c59dbd1dc8d9a417ea8

SHA512
382be9ad1168ea933145d870d665d7b87d870775aa00236606d2ed4db544200cd7ce7dffd4fa20cf89aeeb1851af7f618b9b28acbd79e72c985a196ffbcfa704

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
55KB

MD5
7d364eb9040bc0a881d9d48a26ca2b80

SHA1
ec2461388a85b46513d2f642ee0bce3bf5519aea

SHA256
8fc8eb22da9d7b128868b1cb3e9640e12548543c8045516069c16d2f53125441

SHA512
87e2b72233abbf2a006c11b95a1d47b2db9abf15147436791f39cb2e2af12ac50033def87ac988721bdcec20f7fb7b0424c1e7fc7131d4dfc2e6b9014f5941ce

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
55KB

MD5
1fa55e8298a38a3ef21211bdc33fb6e4

SHA1
91a8c9397721ce4d6c297bff0009ac04157d3fc1

SHA256
5074848c7b785bdfacd56e2150f5d9c48c28bdecf4c42a15ca631f07447484e4

SHA512
eec4e0b91702fa91cfd9ac99f3e6397a746a28fb6051d32928dbf73b5342187b79e8b9627552a54ce141a1803444336ac41a975712d04966333c94642008b427

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
55KB

MD5
23702cea8ff350655e3c4289b5516e85

SHA1
8b090b9013f72468bb344a6c226d33d85a145bde

SHA256
6527a678dda1fbaa71a92842287ca4a4cafe25f133a13b9c81453c8a30e4b877

SHA512
1012593076244ec8b2d64c8df2406c83efc48fc1591bf4fa30c1060f0b9b9461ea7ee87ee269d5836bee96073dc4b3e550163fd252275ca61a5d4e923069caa1

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
55KB

MD5
3c8cadf69b8aeaf76d2a47046aa3bb75

SHA1
9ea77f890eb34d8fb6939393ae275180dd8e137c

SHA256
bc8f55b6753315b24386f98a177cb30dfe73773018f4e1da25001fd1a8d0f22a

SHA512
2ab64862bb7d71a77dbcf3da00597c704ee7148fbac8601813fc0faf8fc171b21c17c34b13d43b12f7ad14eee0e7e2225662072493cad4fbff4d4a476252c4f5

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
55KB

MD5
450c356ef89e24f87a2708a44c5cc179

SHA1
b06906fcbfab93d4e946e359ace2c36b7ca3ff7e

SHA256
158c84e27a99e758f6262ba8f678a259209bb8b0de75a65c3e370aa1b062ee8a

SHA512
246cf25a45c089b8a04359061ceba4d30d05360f7a4cc4b9a69d4ba5a898a5910fc7d8172abd32263b9ce2ffe80933ad672c099d834fa9f06e2c174ed433de7d

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
55KB

MD5
1fd72f44d4679bce9b3050fd0dc8441e

SHA1
7ad6150bdb26b1e3ac62108c2d7448eb07c92cb6

SHA256
7bfaf88b869eae123044a1f92f90c39a3cc64dcb4fd34771ecc2f2f0278e7776

SHA512
65801759c725a2b0ad8d220934f1cee3809d0e2a88d37191210df49ddd59eb8d34b3e78e5d8fda33a7fc9208e8af3273c963fd1eddd0850979c40935d6ad8b9b

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
55KB

MD5
4ae6136ce91fa919f7a5ae0fc2e2b746

SHA1
306713068590b186323a26973269c7e2a29a8cf1

SHA256
6fefabd55c5aa9e779ba5161a9ccf5ccd37e820043801c301b37c994a772c593

SHA512
c0d3d3d1ed7e710aff76e26302a488aec3fc8117350c9916b79ab94b89288482b32ef61ce4a5a7313849a7ceb9913bbf38576dbdddf75ea4ca69604f7d4bf7a8

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
55KB

MD5
864fbd254153a92c1cfbc300cf545bb7

SHA1
2b80bd00de729d20b16f582f5fd10d5c9f4edcc2

SHA256
668342002a6d64e9b1f53e9b3e4ea60511081b1a0b30a0a76ced84f06f201d86

SHA512
4f40ed8ec98b6adc01ca369c12f02bfd16e55153b22f172757b68d7124121a7b078bab8ea4add7d04b942949bfc1893a3cdc83bca3d6632718146c1348a1c8b6

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
55KB

MD5
69fa5cbe2774ef8c299661e02b328e8f

SHA1
81114e8c75fb76a20855d8770fc8e8f2984fbb66

SHA256
10924e30398e74b25f2e711fb4492521b059221fd8ea48401d28a07a0ba09a80

SHA512
a5af44d22d4f53feba8d99ef14f1e6bf91c9596a99dda68324ee1cf4007a00f3dae70cf7213a0e41f9896a6e114054d792b9bb52df0c9ecbc05bbf917f77d641

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
55KB

MD5
2a9d388a0a4f4902a6ef9aeabb2a5f71

SHA1
1548e9c417aca856f0f22e9d7eb415cdeb6ab611

SHA256
2d9f7bc0d2cea8a140d3235743909e694d30250cec244c738355de7e82025f34

SHA512
d6797183e0f4770d99177702c23130d43855f92094de6220059ac7c3a58cbd17d0fc97c9997810ad4bade2a0cba7b4f6923e5dd91d1e8299231df54702b645d6

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
55KB

MD5
4293576869648599629c3a467e44444b

SHA1
04ceba388fe628738cdc4613c87c97e8b0449654

SHA256
8569c41ca0bfe53cc181d0d60ab92137f2f3632b3ad46ab93baf074f2595f33b

SHA512
20cf8b84c32238bdf5889d6a0b66ba65bb0897c682ee2ebc08a5bea6ade2267029277afdbb870e218b709de12ffcc08ddfceca5600560a6d3fc6b395ff9e7e1a

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
55KB

MD5
a88f10638c6598f40fedb4bc5759a452

SHA1
260d813fe86cb836d1258d7752ce527bc39c5637

SHA256
d19e9ba437127855757871008b4c9e75f5b0189a1153db68239d65f1b49306f1

SHA512
6ca09e5753d9416e6cf3006d9e8d10dad7ab885bcbb584e4c5f8a33c5ddebbf366a674158da4ec89ad09375b33fc2a021b7a6b960b89541811e916736cbd1a56

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
55KB

MD5
e727ecc8c4032e0c581e064f7c2cf16a

SHA1
132e457128f673e8cfc626e64c49caa53c9a2f2d

SHA256
10eafa993c0778c91e463b564a4f4fe2997d80bc1a59046e2e84cf5cf4cc25c4

SHA512
093e9422e2d3a870ad95fea60d48a1fad1e54dddfa25fdfe7cd5a46d0a4299c7c52b201cf62657bbb652e1f662d80818fa37269db4e5f49d9aba1badb2b5e2d4

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
55KB

MD5
dfacfa593c0fe4a25c56bdb20c9ca129

SHA1
b95243de5648d23893f343e71153ea2c4a428d3c

SHA256
9c29108bed0e5ccbeb8d92f35e3162210c6f90e5864cf8bf9e6578537abca1e0

SHA512
9531987d2cb251622072d8f1e137b5053857938ece32e2af6e59ae5ddded66ceef90c3135a74eb8b6dbb9cae3e12dc6b6456e00b21898c13009f220c251a4d94

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
55KB

MD5
18206564ba8be27c547f527139f006af

SHA1
1c7f43411cecd21778ed707320a39acf7a0e264a

SHA256
99be1d68d8953b5ce0eb5087ea148592108e8aac73d768dd6884d719afbe0e7d

SHA512
d7534723844fd5b591d3d06a6a7d0ca291c5c68005d2973f6ce720f3880eebada918acd4cbe030e2b3c45b874ebd790cb440630cd42c32d5b6e60c31f5939575

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
55KB

MD5
cc727f037c2db7f6304961c7ac75a00d

SHA1
02fbaea3425a3a66924fe0c86db1302afe6c3cd5

SHA256
69c95d1abadcd67be75fa17c3bf6bd35ee739bd58d6624f41341c723ab04701c

SHA512
e0afc1f7b849b4ea96789ae5296e54e68e34f9b385e234e8f6d502ae0e6b21be772e0983b53a1763aa3d3236b64f4a47da5c6ee44380c0b81dc5012d2c94c170

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
55KB

MD5
587ca9fd97f35eacd1cf359651adbdf0

SHA1
c290d011216ec28d31323d9f3fc216af1430077c

SHA256
a2271084343a9d1384de2656548213058e6e5659e6c332b4b2be521c36dc17f3

SHA512
4b20a262b1bcd083ae4d774ae1e1542f8811d56679bd22d74b964cd50f8490470e1fda95a9b7b601c4b0a15fb6cbe83ffd8de758a229bb095acdc67d9ca0fdfb

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
55KB

MD5
1e2df1f270a25a359b6ee37357bc434d

SHA1
59b89d9d8d7df875cfa329c96b200bfc4e505adb

SHA256
29def233cd90354f1b0f4ce90ef0f9e5eb3e27f60f8576b3eeede2decc0207b3

SHA512
b1c809852324dc111eb4833f4821f351c69e1a2efcd491656e624cd97b88ff75cedd3bf4ff034b0138698a10c5d2dbe17f2c30ef48fc09c7982d0e2fd56a4c01

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
55KB

MD5
2d26c1c7147d90e629d6138089d24aad

SHA1
46f70a90e93d92da3a02e50eba35cdff20914f15

SHA256
cefedd80939684c7cc5939237170ea84bb52ca27daa5f3cd0bd20db0317ad018

SHA512
1f991d07077e46136d067604137be3b04615526a74eda0e8bb3f131d88160eb8cbc5601f41d540c1b657eff3f5331387ef1bfbc237e6a4b348365ce38c2ffb20

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
55KB

MD5
a5f787882cab1039d51e7268d0366cd5

SHA1
3ce8cc735d0f967b1206fb8c5121983b9ef0d8fe

SHA256
0da36a2fbce640ae9962a3543effb1890849344611640b9976a7828bbcf3f5bb

SHA512
056557d84873e27bb8df3ff33b3c89d3ec1664151e8788cc827c8b3ccfee7c05d775b6e099fdb2eb1386095f9e6c35b50c4ab6dc74919004b0c90a104713356a

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
55KB

MD5
6c432c75f6430c88b18040e3776e03c0

SHA1
918b0c3a1f1470074f77d30c2263484003b7f570

SHA256
3fa725fc2aeedd9656a88e5743761ab82fd78751ebdb03f00364e0f6bd6b78f7

SHA512
82a7554e8c4cc9df55056ca1958d63a9ee7b2ee16c3a6fb790d9565f15692cbdb5e9a89c06682fe25c5ba61b612ee46a9bfb768d30a67331f9fb10c780870363

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
55KB

MD5
2ae3edccc937e4610c0da5e4c501d92e

SHA1
b9b46cbad152e0f87bd93c715eb8e5556f5ca47e

SHA256
e073c218109ce2378f77994b15c7939587fbc048e692f706a9d0eecfbbbf6346

SHA512
137ffcaae476ce5c4f1008119f957e9b45b92ddbda7178ec4c759460df0337570babcb0fa61cce12caeaf096c2c9b28573b8a3b1013282ec263ad5f5d9de54ed

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
55KB

MD5
79020ecce44563b6d297041423d161af

SHA1
5ad1f86c56b0356a6e9a099f3198f876948561fb

SHA256
474e8d168a892347c7403b15e68ea484c6938347fd4c56a1698f7277e85b3ab5

SHA512
8b562afffde44fd7ca163cd731f289cb3c7962156f8b140b154d07dd90bcbe2b8fb8ffcda3893dfdd7658a4977984af22df3a30839267a370a842b8afc438779

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
55KB

MD5
b340358ca2c19049c071061184ae1b55

SHA1
db13f50bb5308a074836890a750fbbc160e655a3

SHA256
f3135d405f8da7cf58426c259accb3d3c36314f13e1e5bb7cd93d57b7b5b0289

SHA512
bdfdf5f49a9df02f961fc3ed410c49c4bf86cd4dc4de10645afd2115ba8e5e5d254b8cc6c5d80a4d17aa042deb5fb6aa02c0c76326968793f15b6fecd0ea335d

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
55KB

MD5
7859834742e0433f462a4d6e7bc64357

SHA1
c316bdf89e3e676ea9b8d67453789c0713a3edb2

SHA256
b3e4bc617e947ff2163cb0ddbc5163c6092b18800990c3c159c373d4d193486b

SHA512
a4b218db44549128ec12a5c191024089f5a9c3f287dcaffebd996f5217483eae5b2cb3de399bfa4ce7cca61539e236d54cdf1bfb93e2893264f0e465e01e3b59

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
55KB

MD5
216ecfb87d5efab0fedeec7ef1aac26b

SHA1
f6f59228de93d012f89af82dc414469c625dde78

SHA256
e833b12ca951027bae3db9cf4ed5041167e7ce1bae65c3073cb99a8325e5d001

SHA512
58c7c29f81c409b1da368bbd4b3d00bee4b116b855375aff8465f6257837e8dc66ea78e3056f5f7ee902b3d241a5adfd66464a186f04631f521ee0b38128370a

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
55KB

MD5
09e5788cc6ae9ea6825479a7577b6957

SHA1
8e5fe61526a25303a75eb71181e6b69383bddc71

SHA256
a5ab05c47a7e82fa7c37e594bb5740e08c14bb0f79e1fcd76923f961c79e3830

SHA512
b508670ad13ab983d61ced105914be105e31cd88f97d335d6b8c3da5c4c4ae8c9b3c2de342beb09837eb40908ee20c2ab9acf118d899bb64b365306cefbf5b58

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
55KB

MD5
09f8df662981240d6cecddb31e959f81

SHA1
253a6d342e3bf3dd0cdc2e53bb9c998492485d33

SHA256
bfd2f7453f0e61b1c8c9ead9ab865ad61dd9da014135bf8fe8f540ccc78e49e9

SHA512
caa177d277c17e4adcb1027fb31ccc51057bcaaf33888e31aa52dceb9cf203d2f129cfbf575956653d8092b81b0059b6ec13398c3ff7afa75f569b6f57c080b8

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
55KB

MD5
a8cf608dee8ee4289e0a1ae5469fcc8e

SHA1
3a89065a4a3b6e74d57ac0acc9a76edb59a964a0

SHA256
3563a3ed81710c687564ec3ce099ac0f9cdd30a678df29227b1fd0d879fae6a1

SHA512
c1fc9856b065b679510ed17b9c953a3ce52ab9f78e2c6a89d6c60a88088fe73c41d4fb58f51badf227d02b28dfcef17acca98a8fcb69aef8e074940be4ef8ce9

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
55KB

MD5
e032bf449620ab69c91eaed5372de651

SHA1
932552e86610c578fd10d647d5dd3c8464ba85b8

SHA256
7a80b392c6a17009473f11bbf6dd14ac136955dec8629b7be138e6c617a2ff4b

SHA512
911b9b9a87876092a09e3eeab2d273de7b72e2fda5f310e9a96e0398b3c47a1358fcaf2b44c34ca795bac21b51ea0a95304a2b61792ca44ef346e2cbcdd20da6

Download Submit
\Windows\SysWOW64\Paiaplin.exe

Filesize
55KB

MD5
b8f3745316bc28c541779c1457af87ed

SHA1
6e5fe9504b09f08156d12ace0660b26fb0734f44

SHA256
70a7eee9de059c7fab329bb1f0735e127dff3176cbdc9ccfbf0b4e311d507f2c

SHA512
8a9eea0b52a03862aae4602db17d5fd3c490ff85dfc48212298b700cb7f5c9ef56fbae0cefbff3fd829594994842d96e39f23ace4a69ffc8f73085ef95a10c4d

Download Submit
\Windows\SysWOW64\Pgfjhcge.exe

Filesize
55KB

MD5
0ce344164c7d55bf674248e4892e84c2

SHA1
98633d193026cbe8cabeaa40c97acb421f369fb1

SHA256
daf801e9a8c910988589d62b57e0661725c1d865bab55ea63254cddfa2bf03c8

SHA512
132cbd180ef7e89511c32edae8a3e373e714ebd722d7c93a771a80190b051f9b6e3724059aeb568fb384557bc78ddf811962e4824342808454241655424a69a5

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
55KB

MD5
33ee562a00c540bc9b08173b1af4d1f9

SHA1
d08bd9eaac69c10d64d36bf23a743cb02cb30621

SHA256
2ac893595f25f6ff2cb78ccbdaac2b290f93ebd983ac44e335becdac22203b8e

SHA512
7224ba2dfaa9c552de8476dc14a6ec9a3fe985870cba11b96c43d786ae25d94178149f6d9ec5dbf104793d39d31873d20dbc37e1f7fffb994ed9a2434ee08cc7

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
55KB

MD5
5ee32f2fca5113ffd163bd885500b4aa

SHA1
8ade4a55eb47ecd7da51b86e51b1bc0f6073d430

SHA256
c19f95eafc327b0691fe7234f81941e78fc4b1bce04070e2c9e56d333bd91157

SHA512
f8d366eaaa00346480a9b73c1ebb8925fbd9b5c2200b65279a7693ec64753c18a249e8869b43e22bb0a5701174493b10609dfe51b4ffb54898f05f064b940190

Download Submit
\Windows\SysWOW64\Pmpbdm32.exe

Filesize
55KB

MD5
0528a5afd4182b03ee173a687a6138db

SHA1
2422bc21d32e12ee284864e16c2e02af7d9b02a9

SHA256
c8c077f0015921ccb5c96fa49e2e7721154495583057a98e979b52383c57f085

SHA512
28554ca3ec3b253d3fbaff5004a4fdb44d4459ce8bc6cec46f5d2c22cc7499cb403eb7f56e983881c2e4b942ece0c45388b0e028d9905029d0db5073760d359d

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
55KB

MD5
90f9172611c254094bf83d846b10ee4e

SHA1
d8a8a77096fca19a9c6fdd921cb36a0933217f93

SHA256
1e5a82759b6abbbb613595b67f3399a027351d3930a406d813402605fb3a1a36

SHA512
0db426630590148c8a410a78e28b93cd0ccd37aa696e08233caad3feb45860ec0d5c6f4bf988f03f7875c4e069e5fa5a096f58aaca09ba247890820543e02b29

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
55KB

MD5
66ce0d29aa4d0e7bc0724f33b6528d9e

SHA1
6ae36c5745944b121b89bd2544ed75032f3917b8

SHA256
8f46962e78d5538adeb1673917840abc2a13d1a83c1a3c9235ce910bec4d583e

SHA512
32f05362381105c849eaf5d4d43e5823a20d082c0a6a906f64783bac20f5fecee0633376f5d4ba7344fa76bd250b02544bbab0e59e86c8b2adfdf7ec54984a38

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
55KB

MD5
b868554a19594f260edb0c0e96b95089

SHA1
94b0500002fa6a61dcdbb4e5b1ae243b066e23a9

SHA256
91a1c27d21bf5c1978a84e252dca52936bffea3352eaaa1bff7234472c2606ae

SHA512
e436956c7d139bc94f7f7ab49186e468531ef441406b110c22dc74073abe56cb684a4fcc62a6fa2063330b134afaa9cacb9dc2bb24ef6190a3ca875e4e4771ad

Download Submit
memory/300-304-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/300-305-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/300-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-390-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/580-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-212-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/580-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-231-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/784-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-468-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/848-463-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1232-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-315-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1292-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-269-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1416-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-479-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1416-478-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1432-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-133-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1432-446-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1440-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-412-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1496-413-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1540-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-250-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1660-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-294-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/1660-290-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/1688-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-402-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1888-398-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1888-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-421-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1960-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-457-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1964-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-159-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2220-506-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2220-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2276-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2292-186-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2292-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-491-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2292-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-192-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2324-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-282-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2396-283-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2396-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-80-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2568-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-368-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2576-336-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-337-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-376-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2628-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-355-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-359-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2644-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-321-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2656-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-326-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2672-389-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2672-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-348-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2732-347-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-442-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2880-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-434-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3040-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-110-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/3040-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads