berbew | d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
Size

96KB
MD5

ac6849fd53d8a53963f09c9fb8d10e70
SHA1

d7e07069787812e81609d4109e2165d7c2be1e7d
SHA256

d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1
SHA512

e3db188bc98c7ee9f066049f065139b8c2b3bb798c83e7e12a39925be5c523aaaec74a708c5efc5cad8a0f7e333643ea0cbf7910c976e42e60d75804f9280daf
SSDEEP

1536:bGCUWdQJ5rata0WEMeWHM2L3ZS/FCb4noaJSNzJO/:bGKQJ5EF83ZSs4noakXO/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 62 IoCs

pid	Process
2312	Pdjjag32.exe
868	Pghfnc32.exe
1840	Pleofj32.exe
2772	Qgjccb32.exe
2776	Qlgkki32.exe
2728	Qcachc32.exe
2544	Qjklenpa.exe
2996	Apedah32.exe
484	Accqnc32.exe
1832	Ajmijmnn.exe
1932	Ahpifj32.exe
316	Apgagg32.exe
1956	Afdiondb.exe
2868	Alnalh32.exe
2400	Achjibcl.exe
688	Afffenbp.exe
2904	Ahebaiac.exe
2332	Aoojnc32.exe
2376	Abmgjo32.exe
788	Aficjnpm.exe
1788	Agjobffl.exe
1012	Akfkbd32.exe
1716	Andgop32.exe
1416	Adnpkjde.exe
1048	Bkhhhd32.exe
1652	Bqeqqk32.exe
1632	Bccmmf32.exe
2756	Bkjdndjo.exe
2668	Bjmeiq32.exe
1196	Bqgmfkhg.exe
2540	Bgaebe32.exe
848	Bnknoogp.exe
1952	Bqijljfd.exe
2716	Bchfhfeh.exe
1916	Bmpkqklh.exe
912	Boogmgkl.exe
2044	Bcjcme32.exe
2088	Bigkel32.exe
2420	Ccmpce32.exe
2120	Cfkloq32.exe
1188	Ciihklpj.exe
696	Cocphf32.exe
1664	Cnfqccna.exe
956	Cepipm32.exe
2396	Cgoelh32.exe
800	Cnimiblo.exe
2244	Cbdiia32.exe
1656	Cagienkb.exe
2264	Cinafkkd.exe
2736	Cgaaah32.exe
2548	Ckmnbg32.exe
2092	Cbffoabe.exe
1628	Caifjn32.exe
1212	Cchbgi32.exe
2600	Cgcnghpl.exe
536	Cnmfdb32.exe
2528	Cmpgpond.exe
2896	Cegoqlof.exe
1600	Cgfkmgnj.exe
2156	Djdgic32.exe
600	Dnpciaef.exe
920	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2888	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
2888	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
2312	Pdjjag32.exe
2312	Pdjjag32.exe
868	Pghfnc32.exe
868	Pghfnc32.exe
1840	Pleofj32.exe
1840	Pleofj32.exe
2772	Qgjccb32.exe
2772	Qgjccb32.exe
2776	Qlgkki32.exe
2776	Qlgkki32.exe
2728	Qcachc32.exe
2728	Qcachc32.exe
2544	Qjklenpa.exe
2544	Qjklenpa.exe
2996	Apedah32.exe
2996	Apedah32.exe
484	Accqnc32.exe
484	Accqnc32.exe
1832	Ajmijmnn.exe
1832	Ajmijmnn.exe
1932	Ahpifj32.exe
1932	Ahpifj32.exe
316	Apgagg32.exe
316	Apgagg32.exe
1956	Afdiondb.exe
1956	Afdiondb.exe
2868	Alnalh32.exe
2868	Alnalh32.exe
2400	Achjibcl.exe
2400	Achjibcl.exe
688	Afffenbp.exe
688	Afffenbp.exe
2904	Ahebaiac.exe
2904	Ahebaiac.exe
2332	Aoojnc32.exe
2332	Aoojnc32.exe
2376	Abmgjo32.exe
2376	Abmgjo32.exe
788	Aficjnpm.exe
788	Aficjnpm.exe
1788	Agjobffl.exe
1788	Agjobffl.exe
1012	Akfkbd32.exe
1012	Akfkbd32.exe
1716	Andgop32.exe
1716	Andgop32.exe
1416	Adnpkjde.exe
1416	Adnpkjde.exe
1048	Bkhhhd32.exe
1048	Bkhhhd32.exe
1652	Bqeqqk32.exe
1652	Bqeqqk32.exe
1632	Bccmmf32.exe
1632	Bccmmf32.exe
2756	Bkjdndjo.exe
2756	Bkjdndjo.exe
2668	Bjmeiq32.exe
2668	Bjmeiq32.exe
1196	Bqgmfkhg.exe
1196	Bqgmfkhg.exe
2540	Bgaebe32.exe
2540	Bgaebe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Leblqb32.dll	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Incjbkig.dll	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Ahpifj32.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Bkhhhd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1756	920	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll"	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cbdiia32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2312	2888	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe	31
PID 2888 wrote to memory of 2312	2888	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe	31
PID 2888 wrote to memory of 2312	2888	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe	31
PID 2888 wrote to memory of 2312	2888	d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe	31
PID 2312 wrote to memory of 868	2312	Pdjjag32.exe	32
PID 2312 wrote to memory of 868	2312	Pdjjag32.exe	32
PID 2312 wrote to memory of 868	2312	Pdjjag32.exe	32
PID 2312 wrote to memory of 868	2312	Pdjjag32.exe	32
PID 868 wrote to memory of 1840	868	Pghfnc32.exe	33
PID 868 wrote to memory of 1840	868	Pghfnc32.exe	33
PID 868 wrote to memory of 1840	868	Pghfnc32.exe	33
PID 868 wrote to memory of 1840	868	Pghfnc32.exe	33
PID 1840 wrote to memory of 2772	1840	Pleofj32.exe	34
PID 1840 wrote to memory of 2772	1840	Pleofj32.exe	34
PID 1840 wrote to memory of 2772	1840	Pleofj32.exe	34
PID 1840 wrote to memory of 2772	1840	Pleofj32.exe	34
PID 2772 wrote to memory of 2776	2772	Qgjccb32.exe	35
PID 2772 wrote to memory of 2776	2772	Qgjccb32.exe	35
PID 2772 wrote to memory of 2776	2772	Qgjccb32.exe	35
PID 2772 wrote to memory of 2776	2772	Qgjccb32.exe	35
PID 2776 wrote to memory of 2728	2776	Qlgkki32.exe	36
PID 2776 wrote to memory of 2728	2776	Qlgkki32.exe	36
PID 2776 wrote to memory of 2728	2776	Qlgkki32.exe	36
PID 2776 wrote to memory of 2728	2776	Qlgkki32.exe	36
PID 2728 wrote to memory of 2544	2728	Qcachc32.exe	37
PID 2728 wrote to memory of 2544	2728	Qcachc32.exe	37
PID 2728 wrote to memory of 2544	2728	Qcachc32.exe	37
PID 2728 wrote to memory of 2544	2728	Qcachc32.exe	37
PID 2544 wrote to memory of 2996	2544	Qjklenpa.exe	38
PID 2544 wrote to memory of 2996	2544	Qjklenpa.exe	38
PID 2544 wrote to memory of 2996	2544	Qjklenpa.exe	38
PID 2544 wrote to memory of 2996	2544	Qjklenpa.exe	38
PID 2996 wrote to memory of 484	2996	Apedah32.exe	39
PID 2996 wrote to memory of 484	2996	Apedah32.exe	39
PID 2996 wrote to memory of 484	2996	Apedah32.exe	39
PID 2996 wrote to memory of 484	2996	Apedah32.exe	39
PID 484 wrote to memory of 1832	484	Accqnc32.exe	40
PID 484 wrote to memory of 1832	484	Accqnc32.exe	40
PID 484 wrote to memory of 1832	484	Accqnc32.exe	40
PID 484 wrote to memory of 1832	484	Accqnc32.exe	40
PID 1832 wrote to memory of 1932	1832	Ajmijmnn.exe	41
PID 1832 wrote to memory of 1932	1832	Ajmijmnn.exe	41
PID 1832 wrote to memory of 1932	1832	Ajmijmnn.exe	41
PID 1832 wrote to memory of 1932	1832	Ajmijmnn.exe	41
PID 1932 wrote to memory of 316	1932	Ahpifj32.exe	42
PID 1932 wrote to memory of 316	1932	Ahpifj32.exe	42
PID 1932 wrote to memory of 316	1932	Ahpifj32.exe	42
PID 1932 wrote to memory of 316	1932	Ahpifj32.exe	42
PID 316 wrote to memory of 1956	316	Apgagg32.exe	43
PID 316 wrote to memory of 1956	316	Apgagg32.exe	43
PID 316 wrote to memory of 1956	316	Apgagg32.exe	43
PID 316 wrote to memory of 1956	316	Apgagg32.exe	43
PID 1956 wrote to memory of 2868	1956	Afdiondb.exe	44
PID 1956 wrote to memory of 2868	1956	Afdiondb.exe	44
PID 1956 wrote to memory of 2868	1956	Afdiondb.exe	44
PID 1956 wrote to memory of 2868	1956	Afdiondb.exe	44
PID 2868 wrote to memory of 2400	2868	Alnalh32.exe	45
PID 2868 wrote to memory of 2400	2868	Alnalh32.exe	45
PID 2868 wrote to memory of 2400	2868	Alnalh32.exe	45
PID 2868 wrote to memory of 2400	2868	Alnalh32.exe	45
PID 2400 wrote to memory of 688	2400	Achjibcl.exe	46
PID 2400 wrote to memory of 688	2400	Achjibcl.exe	46
PID 2400 wrote to memory of 688	2400	Achjibcl.exe	46
PID 2400 wrote to memory of 688	2400	Achjibcl.exe	46

C:\Users\Admin\AppData\Local\Temp\d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe
"C:\Users\Admin\AppData\Local\Temp\d4f0bbe35c84c13bf9d7c5e38bc9c1832e15bc509a157d1bbad1223ad8824ee1N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\Pdjjag32.exe
  C:\Windows\system32\Pdjjag32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\Pghfnc32.exe
    C:\Windows\system32\Pghfnc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\Pleofj32.exe
      C:\Windows\system32\Pleofj32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 144
        64⤵
        Program crash
        
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
96KB

MD5
0357aec03d7cd13f05416087d3ee3542

SHA1
e92aaeb1b22fc3d26cab4b452b4d2aa4579c9f58

SHA256
8464d2b6ec7f40bfd1e90fb5ba2900a813e3f426770589b79465c9fe90147f78

SHA512
7aa94a1739502fc6707bd1262eef0dc93855467deb4c3c53ee7fa6628a8a5ba8a487372b3fedeadac7c37fbc96588427ea8ddad4d59dc308b9d5a8638f728c15

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
96KB

MD5
d1f935c992972cfd6a4cc386f08c8540

SHA1
6daa944c0d98585f4754feb683c50978b479d381

SHA256
7e1f94b37795c30e13998cb2158d9946265ba8b345a2857e5198bc13794261c5

SHA512
fcae648c1d0e83a36080c8b6a0a878141268ba16c883110f7bc387f6888e53e7c974a6a988a3428418a8de1ffd9663b65fc48e9f3a5413712b05890d86858384

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
96KB

MD5
fd45886486dd223c4395a9f0795ccc1b

SHA1
818b8abdcfb13bd1a28afbfcd7d9b1bac86314e8

SHA256
ef5f8fbdba6bfec783fa54984bdaec728015e12fdcc9d027778e1118d0c4c7a3

SHA512
01ebb21d436e081dfbc619e3ceef514228f770873a60d9a8178e3894197ae2877a44146d1f9578a96ba05c26c4182a25a4f3d6f2023447257548199d76f9b2de

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
96KB

MD5
370772f271b0d06ea72661a7726d452b

SHA1
a57537a7f11ef4ac7eacf16af7ac89fca015cc56

SHA256
0cc1c3c7397ff429b40de5b43e63c359eefad5b5b5b48d1013043949a03fa494

SHA512
b2a35e84869c808fd2301bce7fa107398be7a01b08402c1808f046b9d58c757401c171201ca08d7ac8481578cc10fb342c8378b18f4613a1f381c0c0383176fc

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
96KB

MD5
f90d69b2d70022b0aeb69b5d0123ca86

SHA1
f5876963120bd7ae836dd8292c821d9f8e4eb9ed

SHA256
464b0643bb0782407e522274f8d95aaac77116ad8ed9f5ac9166a56be0ca0a58

SHA512
23681bcb207acd58eee648e1ab1a0166068b3a273dbcac6f4abb14a9484304955a7741cda126b4df627932e5d0bdb40d67be326bd6235f5131d4bc4b9f0934a4

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
96KB

MD5
f0a9e2bf27b4e2e7cfa583b61a8a3d6d

SHA1
a927715cb2829acbe9c4c364ad645a5503f32425

SHA256
7653a6fde25ad38957ebb2f972332cc771d63d5b763daa1dd5d85896e14a91c6

SHA512
03cf304eb0b8f0a2bfb0a24d142c4fb7e8f0cbaf3e7c624e7577a106db3c44ab1cb4bc5ab8ff866e54e775a9e4167ff95a5ae94d4901803c3e330ea6ba2375fa

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
96KB

MD5
bc9015388e70c349ff0668b7435d252d

SHA1
6610f814b722675cf2afb1b814034d2b6900069e

SHA256
8a5e53c9ec222a6ae423d4705502454f4c54ff126fa704a49afdbb9284c024f7

SHA512
935a9e6f119b11df82db65d201fd7f3d0c3c7ce9eb5bb7472827c00a4d068973f58724709533bf7627b5a840c5a8ed3c5ac4107eac57b7fa8d67ebffa2ab9f13

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
96KB

MD5
ecbc10ca5ab58b17adaf94e45c3f5c4a

SHA1
aaaacbf5d6aa706df7acae9fa2a0b237b21f2ebd

SHA256
f5f5629677f35940e17efb7b7a62d29669b6c8a196125b0df98216bd75f1aa6d

SHA512
d09ba0608f5bcc1a3364e7e48f2d1d288e136b1dd5b9814c9e7319bf59aee2d550315376cb23ab67d271059bba1bf8c94a674ccc2018d0ca785c0d447ecef8b1

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
96KB

MD5
cfc78310814b84e3e6ed45e3a9de2ecf

SHA1
5a6b611945904b668ff010fcf5f1eb717e9bce67

SHA256
bdf0ebe36650fb823c2c88f4bda73c31463262fe0a614fa62e079d63510e51bd

SHA512
3db4cd427ce6130d9cfdc54a4926d9bccbb8e4311cfcbcb7b160f56e9d72561e9bdcfbbe8bfa8a14bebb3c3c65cb23a3820647efd3a3ae40859ab134af4a4775

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
96KB

MD5
f43f155f2708783fc55f4cd6828f485f

SHA1
b5aae4e8ad0a5ffd2728e1be817c182f8b367bc7

SHA256
3a26e3553203d7367f1f5d29b49fcd0939fd38ef76d265d2c356424985f0c561

SHA512
7679447ffbca3438f8e06fcefe68b2b6f9e6820c8c23036fcc26c86bbba4eb9564c7fc060539613a7e41207770fee7fab7e389a989055d14ad516a2c14a44038

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
96KB

MD5
6f34d77a3ca62e91c140b22b2377f7d2

SHA1
d2f920581e8256e37c6306b2a8454a485b59fb97

SHA256
9077dac5e9616d58c94595737c85825911823f14f0d991f8be0d685bf76b3e7d

SHA512
2fc9169d2b79faf900e1c806f832ee7e7e7b469a588ee99694515c4a14614c2d1344cf09aaad7afb11c60835143ba50b0ff6e6b6f408aa9d5636c9ca322e7047

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
96KB

MD5
420fa5880e87c2a8893c2085275cc2eb

SHA1
60d17ee1adda17f1b3a3df6ae6cfe1226d203ee2

SHA256
df14471cba86116a1d6cbc05df90d564f799b9ba7efe170f57fc3be5ea0e334e

SHA512
01d70212ce5c89072c9dba36879350cff79b9b5370569bd0e0745442fe0d87edf518dbb09105ab7ea49e4dd629fd521ce503e60eb6c33670521e49446941c3db

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
96KB

MD5
7d4ba9471c8e6bc393cc54296f94a699

SHA1
31a91443106a7c8fcce29957d2f1463d86c7988f

SHA256
daf53cfaf38637c109d23440950dc2674cb36feac723f3241ff02278ec781c4d

SHA512
741cfeb9bb66e254079585350fd5eac5b16d14cb29f130663b95518e5e479ec8ce1c2aa026a29260e329d32a3b38b4ea60af16ef3e5a5b9b74eddf1214fa7c9b

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
96KB

MD5
97d7c3955b2fded58b50ea582fc7012b

SHA1
e25c59e09ee2b96e52dbf79a90831e1b91b7a8d8

SHA256
54b648906a02e85467e2b872584cf45c4efe36211b27b8e22d12b2f0e410afbb

SHA512
21c9e087f866af36820f9f98a363b896aa43c8ae3ba0db5ff598d222fd5c9d95d0477c4f560a90e3f5225e57f44a91442148a802f438e1e68fca2393b784304e

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
96KB

MD5
09a293174b314ae6c28fe8371d8e1823

SHA1
c571512e2f017448ae86c2b5d408e7261fec86ea

SHA256
d242017b26d6d0a839362fd2fcaf5cc392a4e917834f85896e5c61f988d3984c

SHA512
f62c75504070b6d33d492c7c9b5abbae2c92a9a835a05a479f0eb52188e126594483d0ef9d81f286f7f299eacf07b813ea0dc3ce3d62c36666122bf9f8b16d37

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
96KB

MD5
652446a67ff1ae762a0b2720e2ed300a

SHA1
5e6b482691c4d012c051a90a58f3f20e16ef4af1

SHA256
e4dfcdbbb78ce50894cd01f2476d13b0fc31f65fba7afa48a8c800b91e375b5e

SHA512
fcd6920e2072f7f5c39ef2e148ce463709a76f077d619c82659c47066e46d864b43bff21959a7a1c830ce85232fec2200cba39bd400a24a66595f90cca77b9aa

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
5f13d2c2b897018088cd3e0619a50282

SHA1
96e180665276a4296ddb6431de94c68a806d38fd

SHA256
36f3867f355cfbb74538847da16124120f46fc235a7a5c6596cf7d9546405aec

SHA512
c5f7e42272e77fd686fcab8c93135f736d42d4cca6e1ceba0b24b896eb17633ae373c8c66189d97dbd1341c1082299aba78ac901afeac7851687fdd0caf1ecf6

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
96KB

MD5
9b9d16f959b7ccab0e5f84d3657dedbd

SHA1
a48094ecb9d5719400a7ab8744fe3f736de2ae0b

SHA256
59125f3096c4a299429ee9f7534032c6d5ff63f93266cd1302c5ca0b891e1417

SHA512
e8e6b8b1c6713700c2423da401cae51ed4a5315cb97cca26b73d6bb57dbb617230979d5bdb34463823b33209d074056fc40f8c1dfd5188a2c9ebf5acfb6357ae

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
96KB

MD5
1a0af15b7f9b1a794dedee0dc3be82ca

SHA1
dd15773eeb6205a97e9a83765753d0354bf2be53

SHA256
cf1d27ec7c440beebc61f210540003c37da8c66d4ceb52bb7ef93ead4859ee47

SHA512
5e0f2c44173c8c76d41ace4ab5dcdb727ae75ea073dd0d645941ca4cfa233eaab06a85fe5f98bdc04fafa925906201d3a9da2df2cd38ab194fc4eb76e8287d50

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
96KB

MD5
53f5be2c6a82449852ee76c4bf7b9424

SHA1
b3feb2239e802cabb281e85e7bd327b3d93dd726

SHA256
b8cb554ab38b4520b05bd5b4d3480f6c2fd1512438113eca9425155017e8053f

SHA512
079ebf45c51cab2f883961ce5261b7a994934bef858be4433aade4ed841977ab3c037d317f2c289e330ac302721d3387f9d2ee24521f9d7b8adf8063dfcaea2b

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
96KB

MD5
450d77c4a2e94265fc7a8b9521e841ac

SHA1
2a61f56479a0da2dedcada4d2dc1121c36e87329

SHA256
c8f89713e072560ae00691e3cdd1d27d1458281eb5d589daf106704926c1dfa9

SHA512
e350ad541c8a9bea47875354b2cb9aac1544f4bec9dd50bd2e33ae4ce9656b61ab2464995652be82c4129154722774c0868acd0f43f59d5487e8c73ee618d86e

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
96KB

MD5
8382421b73e7c9eca377159d09e08403

SHA1
79631b2c5b1992506b75cadc1e95edd3716ff85e

SHA256
51978ae5f9f19741aa5d66521cfda19d7ea0fa4ce26e44288c96e4eabb81cefa

SHA512
74554310ee80700273287a990a8feba810712266051d4184a0b1c4f53855b4af1ed192cce02f9c012148b7fe0454f495de094109531fd3a42e98c538a988c6fc

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
96KB

MD5
acf3e47afa8991d1c7c7342a4640edf1

SHA1
8c7dee574acb7af8bafc58227151040525323658

SHA256
e56adfd12496d90c079743755fd64a261655835b6df88617b4b847c014629c6c

SHA512
d20af6283f881a596c55e895490e09b533fd40956acb4a311813ce2627541fd0617808609fb296bf37a0b547bf24a4e3741f803700875e901fa331f0d2c63a5a

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
96KB

MD5
649fcc55496b1203bcb4935418a85814

SHA1
0c95539bf769bf020a547bcc4e73acfff4b4d1c0

SHA256
1fe21aa6c770104e452466db83026f4346747ff24fcd515c14c64431728ebc4e

SHA512
c8e14f80bcca71ba2828dd8953c1ab6362ea6586a59966b84fa793101133704958e537f8abd9f89ae7a9e1bd78a0cb8406ce91686ac61abfac22463f06ecdc93

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
cad6466b7d3f1d76c4c0bec0e4ed95df

SHA1
3de4c290b3d70ae47783137bbab06b21a693ac2f

SHA256
2524c5bbed38e2ce52fa2315571d829de7a32eaa7b5638d5fd2a1c95a8667b1e

SHA512
3efb6b73184d4bec33009a132291bc41e9b7f9f04f5bef460be5a32acda570f21faf6dee236517a87f15492a0bd5d0e40fd35bcd51be29d87e52b9061c01222b

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
ee2325af6026fb711c50bed92093a272

SHA1
b420ace1e4419357c114ad448af9d08079e60960

SHA256
356144adde928a31016a8670cdda03327b9ae56d975fe8cad1f9bb2392a81b0b

SHA512
0c66b719f75284e6f8eed473adfc8870f561b50eccc61a0b4e28987539b4c329decd0fdac7e98a43d5c8e70edf634c23a7126ccfe111ed65294d207dc7d01022

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
716824a28660c50f9676d6c3751afde3

SHA1
d8b944d7ee478c180617d4ba484d1343fe32254f

SHA256
dd721ee3448d6ed8420fc4b56f685b206eb1a044289fd4cd04cd5a630e9cce2c

SHA512
238f1502b645e64dd1f0d31c14a3e819abba71968ed4266eae1751877750597e8b9831cd21ac294ba84c24ae16d2f8b11e6dbd025f53e6f30a30ae8838b51d4d

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
96KB

MD5
8c39994cd93d5385cf67a252cc64f7cb

SHA1
35a0f5c2bacba8a5f0b0353418090432caf86c53

SHA256
a5ba4c4cd65153abda2a1594731847a0e9b7ea6879d19e3632e73563b45beafc

SHA512
5c06a553fe98247d95889d7a0d59c3948b79e6d85d439e598a6e2f359cbae179334d4169d1d3dc7af9a80b380eee37efbd49f9ec491afb8ee3ca0b6d1f626eab

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
929239b666907ff4a038afb281326be8

SHA1
50def904cb1e3a67cc48888bb27561da250875ed

SHA256
f22b37840bb6ab8843742a2243da2a70c7d2ffcc7c8dd4c7adb23eba243d57ef

SHA512
fd7f5bd3c6755c04b048eafedacfc51a09df88a9010d380996cfc67f22bf564d21eae81050b836f6b08ec64f4315b823c03fb5a68c61ba2f754129b9bdc3998e

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
646ac4eb9d5039c686d1ddefbf0f9734

SHA1
4d2b4f09500959fd42381b22af4bf1a7d4d40e01

SHA256
28125eb4fc75193d0c1b73d11c43534cdf3ff563fb7feb6e08078038f11c828f

SHA512
cbce56bf964d1064a217b84d9f2830467bc593648da4314d9940bd705e6045cb18c502a78d9b62dd67a3e35aa6e0f41e18d86aef4c0aaf1e5b564bda984e63a3

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
c9298be6b35a28e6ed26ea8717e546ce

SHA1
5efb41abefc36dad25002e32dda09769aee6a604

SHA256
da747ad7ba63dcc15ca619b672a8c99503766f1d7a0319cf45fd4755ea735033

SHA512
cf5dd2bafc9e47ea87c77bc6f543f9de32f98a45e912b1c288cc2232090dfde86331e59eaa59feda181833e7ad80b4a437f6b9c04cc3875ba0c15e05462b2245

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
3d489aa868ab14635bed1990d7a07205

SHA1
52ea50d1316289bdca8a4dfbcbf4ec2a81b0504f

SHA256
33f4f1d3c64db0cdd27cbe5fbb67f31dc4ecfd89420df7a26641e08bd9a16fa0

SHA512
05072b700d228cd1821c63dc2a7d8c07828781d8e7a89a7ac702cb7b9ca5a7dd0a7d40fe7da0b79b6f7a21bbbc6f7d084ea3cdac2ecfde537f901bfdb02a0a41

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
023067fbc5c0ebfeb1545b6b07b92f1e

SHA1
e4244b4d09c5b2576bb9a3a5b9def8695e782f4c

SHA256
b3da141c82b36135e33fd75a930196de1019a2366350c77b225d65eed473d91f

SHA512
31527d27797ff1884144465c1c76d16d5cabc087430b78799443bb567593f87199eaf1adb59b7f5201927ba436ff05d910d061d8455843f1edb161c2b19bb167

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
c6dc58e3d2313e2b131e083dea8d85ad

SHA1
7e771cb478676e2784990877d8de7f68f23bec4c

SHA256
632aefc7be77ab0ba038607acd73d9318caee3550f9e43ba473c4a76edac03e5

SHA512
62b84d29fb22cd7fa6bede7db13dbbed494ad099a31a41bf2917fd365c5e74af74e3e0e8b227cda60d8cf8da3e1abe2d36a4653193abb322a9def3b0710c8d7b

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
bc4172fc8985b46025d54552ba025c2e

SHA1
14d3979bb05ef123b55198e8aedab596c9a2cdda

SHA256
5f4724c481115e3c81b78677d8e60c3f204647a1a2cf847c71f1d6edd9d158d6

SHA512
60fde2d3b5ed989881525bd929d0d639816ed4fbce62b49be51bdcf7d0deda4783876c48cd5e7502a8f590cddb9d9122f3251a880b66fdf1ccbf51fec27aee5a

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
34476886d172cb07b6352265b0d4092d

SHA1
f8e3bd3a41c45e669014ce5522b2e36208221df2

SHA256
885f7eb6dc90df7205475c8ff896ffe7613ea8e681905e9c088befaec908261f

SHA512
f46ee70811d8e0094774adbe04507b3340d26c8f17bec59a6d9acb49cb6db8d741ddc7f662c44f9972108800f3d2096a18523b55fe1b3ad9df13341342ff0ab5

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
570f6ffc3aa4a8fce47dba72cdde299e

SHA1
c882aa7003ee9a262e2a4802a42727209603302e

SHA256
d3d9230046595dcbd054b971abcad486307af17b0a5366ec3b025127df7b0a67

SHA512
9c06cd82ec60a15df6c7c38cd0cba42d6821534cf2769d7c7f13ff8dfc8287c03bf35c8d4e9ed93b4b4044f1d6c582c950523795ffd9e131ae2c79eedaab2b6c

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
96KB

MD5
a52f3365250d7b4920aafb82cb07ad52

SHA1
75d2de7df8e5e7edcd77fa508715000fb1aeb56b

SHA256
e156a845a3d68af644e29816cc752a45da601a90a8fb92fec7a58305d389a99a

SHA512
9fdac2003ca5171475a4aef2f34b1085e2780ba55403630ae4ec69944428884df8a0d244ff81459f8cca45bb48d27247d047b2157e64e7273e8633cd800566c4

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
4a5c22c86f8cae884b9d2335550b5e96

SHA1
6145971d09d91f9f892d86270b91ad18d8cab233

SHA256
b89ea8a6b54b3dbd3ca7c3e505c87bc5d831eecee248c9cd5e740b87b1749cc7

SHA512
f86a3fecaa8ed88635ed79a063abb5ec652722534fabcb8b35f80c9d8ad444d9ca539596260f112ff7b98a87592ecfdb7ee7cb212960a8298103f18d7c5dbdd9

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
801136a89a4a6516998773eafa2f29b3

SHA1
d7f49ab7aa76e18eb65ab116ab6b6defd98f9b6c

SHA256
3424bb6ec33297a6155ff7e7112c36e8910da41269cfb081f79cd6b6af093efc

SHA512
02fbcedac039c128eeb077257f97d780a7793bcb08b90a6a51fb8fe0c4ced3182d1c7556d6a591f2cdc4e8159e35351db02f2556697b63d1d28a27f06eaf3406

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
539d8a19a35b34e5112a8db3094f4798

SHA1
55d7b2c2fda273af9839f8d45e120bfd3e02c155

SHA256
dad5284faa75f5e0afcc00e4d72da339ff76ace5c4ab1c22234ef9bdeb8c8858

SHA512
85bce1c11f2037bbdf8afc2a9fc97b5621e8afd416d1b62a5ef32c88606b8cfba07569ab1fa992dc1c33cdedf970005daa59ca9e0b7cb7afe03a086d897de666

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
dc35885ac1be83b3dfc82f3035e91e3e

SHA1
63fbeabb69f938e4ffcef96bf1b6f495ed221adc

SHA256
600dfd7f9c5ab9218726f020a02f157c0adf883e547cc50871ff73d24d10cf67

SHA512
aa8edb90f5445f707b9898c28acdb7f2d782562f1bc361d129830cff9e1b4ea75c6e0483bfd14db48c7da3f0b949bc836a2faf7077695b2534a1f5bdec57310f

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
75f21789acde32f6734763f8cd87c03c

SHA1
f337e9b93e41f302c8b4833c06cda438aff46380

SHA256
80fa93d9df5f3fe0e23643ab0865858ce59d49ae0e8132a3f001639577cf7c76

SHA512
db5be5bcc21f705f6e1306b20178eaf51c05075c50e6ccd56296deb61e44f33bebb0d64c05effbfc5f3c10c185bbc49d5349e5064ca899c5c94747735f8818a4

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
96KB

MD5
fef8c5e4a971278914603e2ad946ce85

SHA1
0731be9b9c059c184ea33e376e45989660a38ff9

SHA256
57000b5b7940b04d30ab78ab02cd446505078e7a09005ea212a4549e173d809c

SHA512
e6810bd9d90f45409c30d2f4fe3b5809eb4a47ef6bba8da8be5a6b091cfaaa966ccbdeb4dcb3d8ab01b4823b17bd8bcdf79439d3e0b9aa650345372804d6e8fa

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
2e4e4476b5c89ed0b76ea5bfa9ae585d

SHA1
61c19331ece247ee5dc75786ea0a6a4355010727

SHA256
bf4be4c4d26300cd95a5610bda7709e5d574133636d39c0beedf697484db96fc

SHA512
93410a953fedab792c3ae6485f8ebbebcbfbc6f34eecf1479a6c587e6d755977366ce4a86217f41b1cb007791176657687ff8d7afce89687eda15739d37df572

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
b18b011dc39d2fc21fda2d8a62dfe3e3

SHA1
0072585ec152d078ed2151cb501536cd4b6610bd

SHA256
6ecd270064fcde0c4ab2c14966624c28c8b74e64b2d9b6bd22d89eeaab9270e2

SHA512
e7328eab848f0d4c8228d798ea13b2706dd56b2f81f0fa0c7af0d5bf633356a312373cf2c2beb8905446448b86cc24f11ad6492a4a5772a804d53dd9c1389449

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
47e8aa5e2de4b0e2d2ddd6671be96a22

SHA1
5eaafc3050561513b1cbdbce5461220075be5162

SHA256
1bfba0b599fb4824289d0bd339ae396252379318ec6f10ae2420f52e3ca6b0fe

SHA512
a9c365b8a7b099cfabd3ce99c9ef6d9d9bbfafb62abc5f6d4f7dcb552eb4fe6ccfe314d74fd7f09b7d50e20d97e8f37ce64bac746bca6e89f9981085b699d76d

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
96KB

MD5
357a560ed25e8f60cf882c5c0feb6046

SHA1
2acb6eb5b443a0971550b31233bc2a303014ab6d

SHA256
1d01e191e96f47c883f6c0888f687431832dffe4d39013218f5b031b1f464350

SHA512
cb476992995e763b8484a3b7b523c280a022fac00c3f2b86734b7fb99ad0aa72709916e341ae1b778cbcacdf398d45275cd4b6165ebe101a6aa4596d4403991a

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
96KB

MD5
6551cb53078761ea0d085d2ae1cd4cc4

SHA1
f172243026673455d7707112deb4994f938c91dd

SHA256
a7300448ef90e1300d91aebe46c8628fe8bfa3b9b27fd87daf0a483f5b291973

SHA512
2657b22c55a4c13e2249bfe2f7a1543eb0556cbb2db97196eb7d50427d17c28ec9ff79b27e3aee425508807e36d5784b0b1f4af6254175b7dbd7b3821a2296c4

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
96KB

MD5
d2c72b3c706803ac24e5bccb46b917f0

SHA1
faf8a8c31a2a27a2e185c088cec2b2328b1fb60c

SHA256
b9b9ec932fa1f431361c3e7fbcbe91c11aa554288e5d4586eb55c49ec245e71f

SHA512
998ef80cdd2e719b99e02c20d6fe89418468a1ba578ee738eca25d78266ca5a26baf911f4e98ce5ed0e9cf12621f44428e8852352da1772eedbd36b2692487a0

Download Submit
\Windows\SysWOW64\Achjibcl.exe

Filesize
96KB

MD5
aa160e793ac502444e17482b96c93338

SHA1
146bc3a04249fe0168454c89edf079ef9903b8c9

SHA256
09713a8cdcca807a31f150c81a373ef4767ba7c11224577574a1605218895332

SHA512
aaf2a138795e76d19030f151f98a45d3a885a8d7f4b2b61253b61f06543dd1e25a2554c924a9214eb1c310e499e5075cb7fc266f6e1878f6410890c107eccf67

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
96KB

MD5
18a29e4704f7f13cf8a4549cf38270b2

SHA1
06327c548d4b8b315ab54a8812971efb5df78ae7

SHA256
18a2d833159bd677bb19ee02a6beb09a2bf0a5f9fd7e2eda0054e06ebb9053e9

SHA512
a90ec9bb7b5b7169bed11b42ce3c298726cee91120d64102d31ac19e669c1778d3221e2ba3713616f3149efeae26587aa0e68f31f20059655a9d38e6d6b33460

Download Submit
\Windows\SysWOW64\Afffenbp.exe

Filesize
96KB

MD5
15995f2c5274883c6be0bd7e05342160

SHA1
0c9ad5085b7ee38e69912bc1d64b4aed561c5c57

SHA256
a965e86f419491492896e76d56771157b9637b0557363ffbfc27b02e6fd71726

SHA512
9f2e92859ffd376cc6b70e931edd46adc5a7caad5d2118afcd7a13e97640fe70dc68190e6662f286cc7b7504a6ffa5565867530181e4928982147f56f233704f

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
96KB

MD5
de4aa7980cf91fe395bfd40e0e37cd28

SHA1
e58daf11bd41c06f3a5cf741facd972cca86f3f8

SHA256
664481a3ab08df2a345c1a5242932ab37cc7c16956ee237999b3aaa6ed0651a9

SHA512
2176010b7e31ceaacc57921939dc36a3aafed313d7adfe2c3af61537a7c89364c6087dbdca8ee2345ce1e5cb95fb9dcf70d83b9039a08396baf12014a033a083

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
96KB

MD5
9f41c0eeac563f068f577a5e275b4ba3

SHA1
be1f447ed7d6650044e2368c2dd29b5df1eddf4d

SHA256
beebffb4d35814e8e5d1383972784a295a6ea3107567bbd873a0563eb3b39dca

SHA512
d5aa724f7919d94cd8e7ed1113be1228c38055b6d48c4d776228ace1352fc4bd18550197c342fdea7a9a3635e268747f44137baaae12d4affcf118b420dcd4b8

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
96KB

MD5
3c05b4676f4cca7c68ffb2e48256f89b

SHA1
7b346f23a07e8d10046a72b6e4fe744c33a73c74

SHA256
6a30cc930083cd1de679d936426f33daa44bc41f7989e42e07305dc37ce27f13

SHA512
bc5621e09a4cc2a9d69125ceea6c2f3f1e719391185a6de82740025aa8a5bc654a8f5f1f9fac71f39a18223784ec54daca4ec29dca8939233006196eccc0058b

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
96KB

MD5
0ec94115e2c163684276325a309ea7b5

SHA1
bb2f3ff2d783f3759d4e7b43c20cfdafc51b799f

SHA256
4d4f4e2bd465433222c2b86cda1bfd82a9fdca4cd3cbe09ff81e93df3e3f2e4c

SHA512
c9063851053423c782fb32ceb419737d96889b7c026c18a6bff9c20c307f338ef6bbb33f58dd58b5fa38a0c8221631c59e4d20cb4ddcfdb3d88f86d3ec93cac5

Download Submit
\Windows\SysWOW64\Pghfnc32.exe

Filesize
96KB

MD5
69a28297414856f119d10f454bf67441

SHA1
06addd5e188fff87b08eba60fa141ad37477e0ab

SHA256
b60f19784490b89756ec555deb4d698f68fda21ffdf695bcb243d12db3834228

SHA512
9ed6aaa4a748fc29a52db4cabe52748c96bd1cd9926ae3d6ed1579f2a43e30648fe9cef75be70234f0cc61985a14649656d4afbbcb5c9852a863575f00045bcc

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
96KB

MD5
bbaf588f8a54d55ab810536e9891f40f

SHA1
90a241e0f0f52049fd7abaeaa0468de4de9344a0

SHA256
af1b84609786e3d8a63cda9eace4b99ed8cfc48f709b2f8e1c26bdbd9517d7db

SHA512
56985e600eacf42bbde1faeb27538e38e11a867cc9c14777c88d48db45a913dca1d89c30d144069c79de671f3034f560772c580580b4ba6ae76ad769e91d5b23

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
96KB

MD5
f8c4796cb9a4088f0a358b15228e4af8

SHA1
21235bdfb032da92efb938a4f9b00538629f1b17

SHA256
4d4e20d7a9825ccdabca410647e443a93f0a88e28757275f89be196aea6a077d

SHA512
6728f5c78e6a327e7e44705f62c2711567debd51ed6141b10f79fbd2f23a7ceab61010a3e82d3fb88fbd6e651179ec933ee375d836343cc6295a3efaebed880b

Download Submit
\Windows\SysWOW64\Qjklenpa.exe

Filesize
96KB

MD5
bd36e4fb6745104423d0564105fe4d10

SHA1
5e6a4c4258873befbd2c93c87506917b4546576a

SHA256
cd27b69450046584d98ed0fc05ee101c8fd5573ffc19c257ccc96269246f972f

SHA512
8b92cb870c6f120c9bdcf633462960dc811aa24e17f6591078fbd01d4aa4da97883f2dd99017ace5e17bdfa9162d34548c843bdc4abb1525cfada915b4160dec

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
96KB

MD5
2fce1e31bc1a6634c0b221e0b1830ece

SHA1
6d4b23db2b5afcff8ebdd362a60ecf307ece9bdf

SHA256
164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169

SHA512
cffc3121ea1854a0054217ca772ab90b2288b39ad6f085e1537f26e13018d625ba2682f55167feaf6d63a1cee80b68e698e7fbd8865652d3c09610fae71c28b1

Download Submit
memory/316-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-168-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/484-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/484-132-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/688-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-224-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/688-219-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/696-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-498-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/788-258-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/788-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-387-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/868-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-368-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/912-430-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/912-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-280-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1012-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1048-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1188-488-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1188-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-369-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1416-301-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1416-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-302-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1632-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1632-335-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1652-324-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1652-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-323-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1664-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-511-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1664-510-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1716-286-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1716-291-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1716-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-457-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1840-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1840-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-155-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1932-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-444-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2044-443-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2088-452-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2088-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-474-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-26-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2332-239-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2332-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-251-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2400-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-379-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2540-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-786-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-409-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2728-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-88-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2728-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-344-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2756-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-62-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2772-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-402-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-193-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2868-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-347-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2888-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-12-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2888-13-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2888-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-114-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2996-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads