berbew | d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0

Analysis

max time kernel
83s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
Size

112KB
MD5

cc935c26c8640d843d6f13d580aeab20
SHA1

51f457b55350702f4cbde9acaff30275d565454c
SHA256

d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0
SHA512

4768d873f820747ff7d0ebb4cde9de9e6a6d5e32cc9c2503ff940ea77569caa0b2a2f555b2e993c580a5f6c3599b12e5efb6c5054f266efc51e456fb02ea5f62
SSDEEP

1536:KW6MEAbCFrxq6r8h1nY0L8/xLZxNi5RhrUQVoMdUT+irjVVKm1ieuRzKwZ:KWlyrCh1VY/xd7ORhr1RhAo+ie0TZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcilf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjphcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pepcelel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkjphcff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaimopli.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 62 IoCs

pid	Process
1792	Phlclgfc.exe
3048	Pkjphcff.exe
2680	Pepcelel.exe
2676	Pohhna32.exe
2808	Phqmgg32.exe
2696	Pmmeon32.exe
2608	Phcilf32.exe
1720	Pgfjhcge.exe
1752	Ppnnai32.exe
996	Pkcbnanl.exe
1508	Pleofj32.exe
1632	Qdlggg32.exe
1164	Qndkpmkm.exe
2384	Qdncmgbj.exe
1788	Qeppdo32.exe
2940	Alihaioe.exe
2628	Accqnc32.exe
1452	Aebmjo32.exe
1744	Allefimb.exe
2492	Aojabdlf.exe
1304	Aaimopli.exe
2292	Ahbekjcf.exe
2956	Akabgebj.exe
1784	Achjibcl.exe
3040	Afffenbp.exe
1600	Akcomepg.exe
2992	Abmgjo32.exe
2748	Ahgofi32.exe
2540	Akfkbd32.exe
2668	Abpcooea.exe
2576	Bkhhhd32.exe
2548	Bnfddp32.exe
2420	Bccmmf32.exe
2064	Bkjdndjo.exe
696	Bdcifi32.exe
2336	Bgaebe32.exe
636	Boljgg32.exe
1160	Bffbdadk.exe
2124	Bqlfaj32.exe
2216	Boogmgkl.exe
2192	Bbmcibjp.exe
1344	Bmbgfkje.exe
936	Cenljmgq.exe
1636	Cmedlk32.exe
2136	Cfmhdpnc.exe
1576	Cileqlmg.exe
2924	Ckjamgmk.exe
1964	Cnimiblo.exe
2144	Cagienkb.exe
2792	Cinafkkd.exe
2688	Cgaaah32.exe
2076	Cnkjnb32.exe
2596	Caifjn32.exe
872	Cchbgi32.exe
2620	Cgcnghpl.exe
896	Cjakccop.exe
1268	Cmpgpond.exe
2892	Cegoqlof.exe
1676	Cfhkhd32.exe
672	Djdgic32.exe
2376	Dmbcen32.exe
1860	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
548	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
548	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
1792	Phlclgfc.exe
1792	Phlclgfc.exe
3048	Pkjphcff.exe
3048	Pkjphcff.exe
2680	Pepcelel.exe
2680	Pepcelel.exe
2676	Pohhna32.exe
2676	Pohhna32.exe
2808	Phqmgg32.exe
2808	Phqmgg32.exe
2696	Pmmeon32.exe
2696	Pmmeon32.exe
2608	Phcilf32.exe
2608	Phcilf32.exe
1720	Pgfjhcge.exe
1720	Pgfjhcge.exe
1752	Ppnnai32.exe
1752	Ppnnai32.exe
996	Pkcbnanl.exe
996	Pkcbnanl.exe
1508	Pleofj32.exe
1508	Pleofj32.exe
1632	Qdlggg32.exe
1632	Qdlggg32.exe
1164	Qndkpmkm.exe
1164	Qndkpmkm.exe
2384	Qdncmgbj.exe
2384	Qdncmgbj.exe
1788	Qeppdo32.exe
1788	Qeppdo32.exe
2940	Alihaioe.exe
2940	Alihaioe.exe
2628	Accqnc32.exe
2628	Accqnc32.exe
1452	Aebmjo32.exe
1452	Aebmjo32.exe
1744	Allefimb.exe
1744	Allefimb.exe
2492	Aojabdlf.exe
2492	Aojabdlf.exe
1304	Aaimopli.exe
1304	Aaimopli.exe
2292	Ahbekjcf.exe
2292	Ahbekjcf.exe
2956	Akabgebj.exe
2956	Akabgebj.exe
1784	Achjibcl.exe
1784	Achjibcl.exe
3040	Afffenbp.exe
3040	Afffenbp.exe
1600	Akcomepg.exe
1600	Akcomepg.exe
2992	Abmgjo32.exe
2992	Abmgjo32.exe
2748	Ahgofi32.exe
2748	Ahgofi32.exe
2540	Akfkbd32.exe
2540	Akfkbd32.exe
2668	Abpcooea.exe
2668	Abpcooea.exe
2576	Bkhhhd32.exe
2576	Bkhhhd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Mpioba32.dll	Pkjphcff.exe
File created	C:\Windows\SysWOW64\Khpjqgjc.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pkcbnanl.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Phcilf32.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Pkcbnanl.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pohhna32.exe	Pepcelel.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pgfjhcge.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Nhiejpim.dll	Pgfjhcge.exe
File opened for modification	C:\Windows\SysWOW64\Pleofj32.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Akabgebj.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Pkjphcff.exe	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Phcilf32.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	1860	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkjphcff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pepcelel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll"	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll"	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1792	548	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe	31
PID 548 wrote to memory of 1792	548	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe	31
PID 548 wrote to memory of 1792	548	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe	31
PID 548 wrote to memory of 1792	548	d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe	31
PID 1792 wrote to memory of 3048	1792	Phlclgfc.exe	32
PID 1792 wrote to memory of 3048	1792	Phlclgfc.exe	32
PID 1792 wrote to memory of 3048	1792	Phlclgfc.exe	32
PID 1792 wrote to memory of 3048	1792	Phlclgfc.exe	32
PID 3048 wrote to memory of 2680	3048	Pkjphcff.exe	33
PID 3048 wrote to memory of 2680	3048	Pkjphcff.exe	33
PID 3048 wrote to memory of 2680	3048	Pkjphcff.exe	33
PID 3048 wrote to memory of 2680	3048	Pkjphcff.exe	33
PID 2680 wrote to memory of 2676	2680	Pepcelel.exe	34
PID 2680 wrote to memory of 2676	2680	Pepcelel.exe	34
PID 2680 wrote to memory of 2676	2680	Pepcelel.exe	34
PID 2680 wrote to memory of 2676	2680	Pepcelel.exe	34
PID 2676 wrote to memory of 2808	2676	Pohhna32.exe	35
PID 2676 wrote to memory of 2808	2676	Pohhna32.exe	35
PID 2676 wrote to memory of 2808	2676	Pohhna32.exe	35
PID 2676 wrote to memory of 2808	2676	Pohhna32.exe	35
PID 2808 wrote to memory of 2696	2808	Phqmgg32.exe	36
PID 2808 wrote to memory of 2696	2808	Phqmgg32.exe	36
PID 2808 wrote to memory of 2696	2808	Phqmgg32.exe	36
PID 2808 wrote to memory of 2696	2808	Phqmgg32.exe	36
PID 2696 wrote to memory of 2608	2696	Pmmeon32.exe	37
PID 2696 wrote to memory of 2608	2696	Pmmeon32.exe	37
PID 2696 wrote to memory of 2608	2696	Pmmeon32.exe	37
PID 2696 wrote to memory of 2608	2696	Pmmeon32.exe	37
PID 2608 wrote to memory of 1720	2608	Phcilf32.exe	38
PID 2608 wrote to memory of 1720	2608	Phcilf32.exe	38
PID 2608 wrote to memory of 1720	2608	Phcilf32.exe	38
PID 2608 wrote to memory of 1720	2608	Phcilf32.exe	38
PID 1720 wrote to memory of 1752	1720	Pgfjhcge.exe	39
PID 1720 wrote to memory of 1752	1720	Pgfjhcge.exe	39
PID 1720 wrote to memory of 1752	1720	Pgfjhcge.exe	39
PID 1720 wrote to memory of 1752	1720	Pgfjhcge.exe	39
PID 1752 wrote to memory of 996	1752	Ppnnai32.exe	40
PID 1752 wrote to memory of 996	1752	Ppnnai32.exe	40
PID 1752 wrote to memory of 996	1752	Ppnnai32.exe	40
PID 1752 wrote to memory of 996	1752	Ppnnai32.exe	40
PID 996 wrote to memory of 1508	996	Pkcbnanl.exe	41
PID 996 wrote to memory of 1508	996	Pkcbnanl.exe	41
PID 996 wrote to memory of 1508	996	Pkcbnanl.exe	41
PID 996 wrote to memory of 1508	996	Pkcbnanl.exe	41
PID 1508 wrote to memory of 1632	1508	Pleofj32.exe	42
PID 1508 wrote to memory of 1632	1508	Pleofj32.exe	42
PID 1508 wrote to memory of 1632	1508	Pleofj32.exe	42
PID 1508 wrote to memory of 1632	1508	Pleofj32.exe	42
PID 1632 wrote to memory of 1164	1632	Qdlggg32.exe	43
PID 1632 wrote to memory of 1164	1632	Qdlggg32.exe	43
PID 1632 wrote to memory of 1164	1632	Qdlggg32.exe	43
PID 1632 wrote to memory of 1164	1632	Qdlggg32.exe	43
PID 1164 wrote to memory of 2384	1164	Qndkpmkm.exe	44
PID 1164 wrote to memory of 2384	1164	Qndkpmkm.exe	44
PID 1164 wrote to memory of 2384	1164	Qndkpmkm.exe	44
PID 1164 wrote to memory of 2384	1164	Qndkpmkm.exe	44
PID 2384 wrote to memory of 1788	2384	Qdncmgbj.exe	45
PID 2384 wrote to memory of 1788	2384	Qdncmgbj.exe	45
PID 2384 wrote to memory of 1788	2384	Qdncmgbj.exe	45
PID 2384 wrote to memory of 1788	2384	Qdncmgbj.exe	45
PID 1788 wrote to memory of 2940	1788	Qeppdo32.exe	46
PID 1788 wrote to memory of 2940	1788	Qeppdo32.exe	46
PID 1788 wrote to memory of 2940	1788	Qeppdo32.exe	46
PID 1788 wrote to memory of 2940	1788	Qeppdo32.exe	46

C:\Users\Admin\AppData\Local\Temp\d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe
"C:\Users\Admin\AppData\Local\Temp\d55280dab0ef75d22882980acfcd74b8f6cd2babd8c987c5e9acbfa1f5054cd0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\Phlclgfc.exe
  C:\Windows\system32\Phlclgfc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\Pkjphcff.exe
    C:\Windows\system32\Pkjphcff.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Pepcelel.exe
      C:\Windows\system32\Pepcelel.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 144
        64⤵
        Program crash
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
112KB

MD5
0dcb2aea2bed210e85f6bd2fd7734c6e

SHA1
e0538d347269def881de3fe3c82b3a04ab4fe554

SHA256
54c14a13d73368a7707001059b79be5c03b2c7da233396b16bcf7d5f65185a9a

SHA512
988b016d0b2d01dc2802043271b242a24f82473ab66d4c793550d2145d88c7ec6c5560a67ab28002904149f9081d2f9c0fb55502f0dd8988788a5f5e06257633

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
112KB

MD5
769d40eda9f66d992e87e6ad1e55d714

SHA1
b717769b5da463de7693b8ed4050b00ce6f3f07d

SHA256
86f21fd8b73ebc0e749e118b80e4d01a82d6fd9ff3102430c443d0b747579e73

SHA512
3b81ea3ce5741f68ed04e0285ad944dfb15f4d48a19c03f3347349edc3b7ba2fd7713cd31f2eccded4db7c46c7ff60fdc93db9a10f8ea7531f37bcadcc075198

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
112KB

MD5
0a52ee09ef27bc86a2f3ca3dfba6ef28

SHA1
e08a8b338cac40090e416d29cab98a34d3cee397

SHA256
9eeae827c061c74baba865badb378cf354576206140ea981ece10f69247f2bc7

SHA512
763b97f68ea65020dc5b21fe5d85416483897daddba67371cf9292855b2218c3c4c877a470838e27716beac8f0758121202e3c01e6659e77032ed03936eda44c

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
112KB

MD5
ffe18d0d18dfb4555b0a8bc89c24ad85

SHA1
d1a59a6b38e9671ed8fd38d34503bc3e4bba20cd

SHA256
d11b12943e094c805f9132396970e30f7e301dd517ba5b7f4f12942004d6246a

SHA512
a54bafe733bff717f4472c0edf21cde60f51648031adf1e1410a6595f5795c6920c5e388d96805b0cbe6246accfd601927368199f112601f6686693736fbe305

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
112KB

MD5
5b2face12b61b2fdcaa89e49fe8747bb

SHA1
26a1a36341fbd8b4d2981cdf9499fa16991560dd

SHA256
751981fcc1ecd3510323e9338c7d7e3731ffd75cfa0150cf215be893a699951d

SHA512
397439b88bc383788578a46e1b10341f3a840dd87f7d5b6471a28a56495945001b8a67ef292b1b7bdb93529d653b2589369ddbdcbb71a9eba5f95a746bcfe37e

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
112KB

MD5
c2394ab625ef41aa3f0d961bc8678448

SHA1
c1ccb1bc0cc99e736f63ca5a50c4bab15f396470

SHA256
9de853bce3b28affab5d8a87d1279d27fad1bddf1461422b8e656cf0c2d2b0bf

SHA512
313a183976d4165878a23f6ac4415f31efe6ac55aa29cbd385e2406aee8d7285e6098c714cd32b553162ed43768ca8d3767885b5b6b655fbd17facf38ef1ae80

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
112KB

MD5
2cc62d88a34360642e7b8d9feda938cd

SHA1
84b69378ee98a644b5774569dfdc9bb1a2ba827a

SHA256
4cbc09e3a4b3a06d0b36dd11c707495fb452d8c68c8f9aad9b6c297f94d57bf6

SHA512
6085677d2bec7cfd7d1db0dca914d06c1de88ef1b8406adb027c69f7518bd1fe91039c7f148150a5f4bf82b5df463beb6577b77f21455294fb458de6f24bde84

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
112KB

MD5
fac5aa7e95d4b19a6aacdebc0418ea42

SHA1
1f7702f971c1e15ca0c1506d700a8dc3368a70b8

SHA256
7ae4275a32496b84c70576ec3a974991c4403f52293266786f0adfa529cca8a1

SHA512
c9d64a9c93a6a7f1166b3a824145fb33eb1be866de60837536a15de4907f968676dc38cc5e6adf698efac7cb00504c199aa64d2eb95a66b830bd86afdd997c9a

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
112KB

MD5
c2d82c75b08b75dc5719fcb22d727193

SHA1
771a913b881e71e71876694eec5561bdec25b285

SHA256
3c0b54fa36769faff639fa7581b9d47b66c157d961eb89ee3d15111d8a8a6a7c

SHA512
f7ae68b899cb5d626a22bf616b66f11aadbfacba89e944dae213e088bb820679012528cba1161cc5163c0ef8dfa91cf76dc609d24d0e1a33837305b81cd4a0c1

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
112KB

MD5
955a0cc89125f128d47c31728844a6a3

SHA1
03ffe62777a247683741ea2210f3e3bcae7ddd99

SHA256
0a758cb0618c853981d3bf2a58912e038c21556b7bb7935dc4be493295bd59ac

SHA512
3409a2c64318dfbe8d60c9c2cd7301f7c2313d38be4ac7ab3af44485c6443983697a5032d820fbd7f898be25e6c8407cb89f759e3150701b6f187f70cf6eadca

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
112KB

MD5
e86ff1b0b790a2e4cc89ef8995b29ed5

SHA1
662425f764eb662eb56fee1d52f7939ad9dc741b

SHA256
50ffd7aee7c7d592907aca6d6ae9c067299bcedcce12a9008b5cc38a26f91e01

SHA512
0f7262868b8d327625797bb6624f9c77b4439cccf168f59fa8783340b88158759a0582c998193a7ae1ead58b4723c1c9d37bed7ee37fc46b8d46fd3adeb35fcd

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
112KB

MD5
3ea54a831cf122e8e04c6bbfb75587e6

SHA1
475ce01ed5541f20f69000375b91abdc72c99327

SHA256
ccdc4a6e6c33ae2b1264cf984a6f1561ffbff23a0b95f9eb78faefb758d12b70

SHA512
92f144b695d0cea5d7ac547b2ca243aa220acae272b2260393141e5adf25b2386ce856606f3b89f774edc91b993812f590dc8bcf95219a07608490beca4ba7bd

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
112KB

MD5
b37d55970bb3771d21a8565f1cd53b73

SHA1
ef0ea73855e7a341c22d6aff8e3506307863a9f0

SHA256
0592003cb257f6a3345e1d07d730f48869b3de962ec40ce20b173cd2ed6010ce

SHA512
9ad59b41c9164f160e84691191f65d4d4959256f224971056e9c8febc112c8d36cea9100e212ad7b7336ca8a12f19a8481906bd870ac480fc1d364701c19c262

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
112KB

MD5
520c4e0a7db75119e009baa71d7e5f53

SHA1
09859d22a09643ab8fa189725a015d36e4eb4d86

SHA256
f72f1ef61d44b6bf5e357609ee40722b1a6d1a3fc9e052456c5927a63fd189e6

SHA512
b9071bc2df7950f8d4248a3ba000f8eadc6a6624a0b07fb1cc8dbe70ee848428b7684fd2699f4574b754e66a13d0ecc1fdf34d7e17374c6b18827a147f008526

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
112KB

MD5
01e334900ed6705c0cecb1384e63dbc5

SHA1
589b3813079272629786222d1f0dab0a6295bf16

SHA256
5148305753cdab3012a437e4400cc5fbb7814296f9df5f66d44c53136db7ec8e

SHA512
865e541966ebbb641a9ac96c292a26780d8b4e67a384dff28b5bde49233c5a611e594c53986b0751e2522aa922d3f2fd7a790c878f8f7e822816f50dff33ef81

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
112KB

MD5
c590648d719a48ac65a6410c82c082f5

SHA1
bfe8f6b80f70e10bdebaff375f3d4c69c4814014

SHA256
f9ff384a13ac4818c866a3d63e98c9b25fc07a59fac3d64e768d262a31b7cfe4

SHA512
3032e555a7375638c1983fd66615611629877a0194bb58e3a1a40ccccce6e33e5e52befc42334ab785505caad63860f51e9e465ed11b1739bfd483c0f782094b

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
112KB

MD5
c4701976646b7a01761e7e4a92d4e568

SHA1
37a0d3cdac08af432e072d8156a243713baf00b1

SHA256
d97308917b793c81b64ea3c03acfbe782c828d08021035b0d8a624909e352b97

SHA512
029f0efdcc9bd4e1fb816ad54e84075d91b8dca4e04002cae152362965ed1291a42127dc4e6253a473e703a9dc84ca77c077057bfa270942bec2958efda02e46

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
112KB

MD5
4555b59a4ee50c486354ee394f1669fe

SHA1
2e73a2e4a21f55e3d11eb56e2bac5698f3e324b1

SHA256
9aeec71d2f36d3362802b9b5f1294e2215230067dbead970ee07dbb8300bf026

SHA512
340d1b22f6a852c847929341dbdbdd3b6db93709a573eb97f1651b64b0325464189aa94e7099fc5a3cd091ae396901b9cf480b954dad98f34f38053f31b3a850

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
112KB

MD5
399e35967890bbdffeeef5f7143da210

SHA1
22b0ab1b2a6f858a3bff5f2c961352d74786ec27

SHA256
7c70fd470bc715b4b672c71e35b476ed4e2b7a2d1b57773e20c5b77b509894d3

SHA512
c1af396baa45251d5aba0237a570a7e1aeb86b55cc36dadfe0bcf9ec241e7f69a68f194fb17a990817b832fa232035de15241e6603ce7f78b4adde15848a1c16

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
112KB

MD5
e61b4f132b708e787e6d85e2d535b74b

SHA1
31c9b82b03f150fd4d9d876f1809a372dd83a009

SHA256
a1e79eee55364acbf75f883d39b7f3b840c707a8a328b304a6ff5bf3eb2d827b

SHA512
9fb028064accec0e0efe97043488b4b42e16bc81d8baaa4adada1f9ed501c526144419c36b7040b401daba01d0002a68d382aef96538a232fdb3c84e674bf767

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
112KB

MD5
af014200966170a8e915a380deec6f95

SHA1
4c0813096c2f5bf17298a8005a58cfc17745f178

SHA256
5d0e3caa653e61af2ed65fb2c9bea5978ad73370e4c6c8fc91d572d339e79845

SHA512
e2b5f465e072f309db496d7b806a032a8cf9cf27e74081d06970c513842954c26dccce95ec4bc7e2a11412d903b2c1d67f1ed96d1d28ab3ac694f3631273e831

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
112KB

MD5
6a57bba0fecce0460fec48090a482520

SHA1
df77bcd9ca01ae4fa15045998416e3d48a7a6f5f

SHA256
6e20ace7f243b472f5869af40083d619a09b1bbdf7719330148a084073cddb70

SHA512
1e6839549179d1e40dcf2305b615f7170cc13a979e20fdce2d967d5f12645a64d4f79a8f1ed097fa6c1bfd250454f2689e281912e3a1c6742e6fb0e85a1421ee

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
112KB

MD5
46ee808982fdd23c3400f04a04d79dd4

SHA1
987061d12260f00b067b0bdc070d3819111053c0

SHA256
4e3d5387d1f99799d0c79178ad81647241e2daf97df0271225b25191c8495d1b

SHA512
a8d8b13f65297975c63137db32c72f893b2ae8b17f7e1e7b40fe97cdd4d6a82bcfe1eb72cdc4481c2ba9959afbeb70749ae30230073615d661bee7d748fc2a27

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
112KB

MD5
2f671a4c41a44b0c2ac886f9653a9ef1

SHA1
6fd412209e0e48e9abaca41511906ef7ca9055fe

SHA256
f008838b2d27649d5e7574602bd5076e165fd5cee7ffd4277fdacd662f5c2ce6

SHA512
d0af40082ef3ec01529c96105e088e28f70567fe8e64531e9dcb0cc57eae859e35e058a8ee3dc709eafa8fac7c363d7dc998d4a2381d2b29ccd47fd05dc1e9f4

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
112KB

MD5
67b9425e8170c62ff1c82effce872c6e

SHA1
8e621465317a29e16704d54c7655c91ca1af1650

SHA256
f0e3d12b65bcd612dc252c07e7671d754270bb174fe28e508f36f2eb2db5c9d0

SHA512
f90269d9fd6aa0f1c25da0692f45210dc9bb6aa4e48a50fb559554b8193a5a1452eea6eb5723aba92a3c4013be843790d0f9669bc755e8eb52f00aae58519f57

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
112KB

MD5
567f58320e20abf61239c3e2ab1d3261

SHA1
222f16570d7357002b90fd2ed7293bdd926995e5

SHA256
b917105e27105a3454002b8bfad52604314c18816e10d63c11babdbc0a00fcf2

SHA512
c7c8cee407eba75f1661f465800704cfc6793f516a6a4beb7e77e01a9f1c3e742182a7f175c3011a0f904df64c3a41d9b1a1c7cb8e15db4bd0173e39bc77bc4d

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
112KB

MD5
effb15598300997c1cb943d58cdc4952

SHA1
b934a351fd1e4264d8f19a53f7760ef8a37811d6

SHA256
03b29d2595fa6ba0d5b1f5fa22bb4a65198f6683c7ebce0a506ad041e4df955a

SHA512
57cd06b4edf885fbcf031c6b72f31cfb06d9fc403a41d1dbf72751b5186d91daf561cbb9b590cea3c7646412587171b1ba35a6d5e6626fdd3df05646f0dbeb8d

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
112KB

MD5
96a2b9b17cbdb69f0de8839b21df0dcd

SHA1
2e1bdf2d2db73ebe10ec6d2afa0ff87766eed507

SHA256
22e27d1ce2e6590d70c786ce52bfbb7cccdbedf3b882d6ec4021e441c4b2427c

SHA512
6db91b4957135158801f795cb9f65e458c69ff11324c089cb67740c6390ded9aac49e2008a30cb329fdcb1390ee4427ef01e5446bb81abc92c0719f39f3ffe14

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
112KB

MD5
845d5a30991ccac4288853b68312b586

SHA1
51db260c3076e2eda1196c0a5f5cbd70e7e20a5f

SHA256
db0f5603ee603e6f390aa48969b69e5ec1eeaba556d3682b60cfc7525546ce46

SHA512
119bbebd307ee2f56bcab5faf64fab82f2549abc5310da0fa041339bff27bc37ad13afb06619eac30f9efc49672add8fe36f5944115b77a1adf5a163818c2b1c

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
112KB

MD5
9eb9193c52866a2a3ff678998a39bd3c

SHA1
e81725c76c5205bebcc73ac732f53450c4eac434

SHA256
1804ae051bbd79a262475931c5e59d7a6d66e4e852dca091e4dd173ba4cda09c

SHA512
a75fe4d361ab0e20e51b22483ca81824f00bb05f2767afc9782a3a1630b2aca6b9e60a5febcc2f95791a704f2f49d161e801edbaa981fdfe9af3aadc109436d2

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
112KB

MD5
12e17e5d521a798690e0dcc0f17e5f1a

SHA1
214e73ec509d0ac651b1878a51815837d45415c4

SHA256
fe99618af5c74fa8fc504ddb969fb4809f0c22e6374edb3ea7b6815daeabc297

SHA512
1feecf20f9cd21763933327b9ec10c8217ddfe67e4e0f7658597302bb9af5ae85a7016f65b80aa7e50451ed3fddaff6cd011722769828cbc8b953f4d4bce3236

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
112KB

MD5
d2dd78c930e660af4bbf9932064c4bb9

SHA1
0a2b36897931b211e657be6505308ffc78645a56

SHA256
e09d84601d1d6427c505268b9b57ddc033e3646deaef83fb1ba46d04ec551452

SHA512
a6ca804c2a4c231bbad78df30173da7b2e228a2d576116fa9ddf1ad63536ffb1482131ad37108b27940f7b334d11ca5c8b87e623108a2c4df1c3ea37b6d1b042

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
112KB

MD5
14441356782c8b3fb8c75e8fe7179a67

SHA1
57f00c4b9e5e4c9a8d80c9ce1e3842545d488a78

SHA256
58d503b4aca5aa9cab555e1c388adc822b65970fb15c04a568f9a7abcd7d9777

SHA512
fddc0fad2393fb1fd26d4ffa906790bbce7cca7c778a55d8af31ad3b78d8b48b06bb6b0f489c85601ade870b446ef8387a824e932dc12edf8ac2574a780314dd

Download Submit
C:\Windows\SysWOW64\Cfibop32.dll

Filesize
7KB

MD5
f509753bce7453d98df910b2c5115ee9

SHA1
34251857086cb4d1f1899570effca278937d960f

SHA256
4fb0c71f70e6f2bbc9665fbe5b2a9a865e7cb76d30e2d91c6bde7d7659b99da3

SHA512
de7fad98223e19813f5a62a62c85f2f35f29cb2b474c66c658b25323fb1be3736db958099c044ad79a3ceee2d26f8e827d2269b06a2bbcc66df1990cd78b7cbd

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
112KB

MD5
c201fa1c72737f67dd578178e712112a

SHA1
54f75ee98f2323d1ec4c027942c397fe723ddb52

SHA256
08ff7f3c17f86b980804345adc177baa7f033b52cc9841dec103b41ea5211c17

SHA512
9c94376d62189d5716d6c85da6f8a2c5ee1e9998e02bcc246d4210515101328cc7ee3a5763bcd7e45f0e6d6f2c9d46c283dd811dcbe162d602f880d5586d3933

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
112KB

MD5
57ba00ec4a8dbe88365f5b10010f87d4

SHA1
97b87e1f9810fae6a21db417b4b99c2332e7623b

SHA256
941adac918c9ac20c1ac3f51238565173a1cfe623c77f63a185ca5f818250b3d

SHA512
1b5808eb5cb0dce9cabaa072077f223908283d9f273690826a556c8cf40cae6cd1b00525af20632a8009e63812533e47cdfaa51498ad180e6869529f98f5ccf3

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
112KB

MD5
7f377068a9ae8b95769334e308b1a2ce

SHA1
d9c54c8ce4bdd3d07d4fbf9cac30be502e734a69

SHA256
dff413efdf585e51e9e1c9cd96ed2a43b251bd1c0986c15aef093a130279da54

SHA512
3414162db72ef0e341025842c893f87004969345c2a2426736b0b8c1091abf64326237077db8def757e75c9ca441cc7e165277454196dfaabae8e91620e8b0f1

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
112KB

MD5
b7ed7971ead1db856b655571c47c0f00

SHA1
fa8660fac01c0bb3459b6d29cb0c0685e76a0e8b

SHA256
eb9986fc7be178ab11f0eb4b78d5d71799c56c601eeb5ff227baefec57a25f6f

SHA512
b0d61ddc79aee8543f661150fbffce6ee493ffbe78720f49050fca77ba5355faa70bea68ba99aedcf713ab8a9f07091590ab251c20a6a2b36be7f4a90390bccf

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
112KB

MD5
0f780c555a3ef846b9c4988604659498

SHA1
47eeae88b0f459a5b49389ec9e96510b76ced5b4

SHA256
03660bbd0b3677b7c78b5b70ba821592571b819b8a5168720343f85cf7c49338

SHA512
489ceb298e076170fef346bdd017879dfdb0532bc1699f70449a5a6c72979f90ec295aaf71ac48d34cd6cc0fc69521bf661935dd143f3e59a2be3cd130cf2c82

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
112KB

MD5
04c33631ee831bb5f6f6c8ddf92aaac0

SHA1
a82efedeccfcb8da5d9c0da8384724caae806fd2

SHA256
756df454792ad73ab888f3f7a3274b49a3a7995fcadc2dfca76028f8a656f969

SHA512
ec0648b6ed30adc175a915f9a36ba76c838260e155ebc543204d493fefba34802d4cf29077cf57cb05cf33ed9b56680d20e431241b0d8da5b216e5ee09bc3521

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
112KB

MD5
e5efe0e7b2ead40faa4663d365be0f6b

SHA1
5048b7293e4222c64e8ee7fe5e9d5532fc195499

SHA256
898cef511ddd8c631716dba710a9523e7d22146c5b784970a7d50e4368b25ef2

SHA512
3b53bf90b636ce38d8e03c43e2666c02a141def747237d2d293f69679c12c0c51d3e647e086a3167da307419f96dc836fbdb4947d6f10d21073c15f78b3c633a

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
112KB

MD5
28b36de88fe2cb3098fbe1172ba0b458

SHA1
b39157da5429ffa351ab50b9bdf6b498b95b03a6

SHA256
61b47b841c1f0a5c47626b59efaaa8159b9f5cf430b4101c785b358da33a364c

SHA512
8f47a822323dc2efcb1ce602a1486e33ceab08b0bb2179ba4d479cb97576cfd15a9c4d54c66adaf00927f9b3cbd5b3688f4359c416bcb0fce90f4ac319215425

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
112KB

MD5
5999c445b333c359b9ed0dac3fc81e5a

SHA1
264435e13680bb31b89b603d0823f846228c4c48

SHA256
1ce864aa322e7deab536894871a23dbcf124859c4a89803e5e3cecd41819eabb

SHA512
042bfe37cc5aad935d7b0433b21c4468c4c5305166f1cd06a4b68b3d47d93fa9c8f994bb8f7287cb32190f56e8b061f84bbe44f1f20e2774a293074ed76a40d0

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
112KB

MD5
1eec761a927747623a8f1ca18c583585

SHA1
2494ba443af3f0b6fd3ddb38c7d4b94857cf896f

SHA256
472f6b12ed5d46e30b946dfb341b608dd3334e1615937df4004be6aa28162f53

SHA512
e4b9a43cf2ce453f40733afb8723478f7728d2a677a8a752382b9cc16ce69592c993b59c592e9d8355963ff6f1c9715901153c79d1acd2125262e92aaee444b7

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
112KB

MD5
7a67b797e117f556593e7a990507565e

SHA1
e4ddadca645d8c01bd229295ffdb9a36106c7e4e

SHA256
52e723cefa1ab291dc0d13ae2decfc4006e52707eae3fcd2609e0f93cccd89e1

SHA512
bed79c426da1d69daa7612accf83b97378d273694c85db6294b14c1acf57e5e1259f1f07333acef5b1f17d6dc76d2a07961c0a4a3912b414b695712921b3bbdb

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
112KB

MD5
fb066c078231ba953d7ff928ee0f81f8

SHA1
b0455edd2c9de9aea9d515f9357a7a8b2f458540

SHA256
868ddbbedf15f2e6e996c952e4f8cf3f92da33c297ae96cf8e29ac85b8bf5d0b

SHA512
3412166b391ceb153939602ea4c325aefc312e1a4e299deef06cfe1a1ff97fcb1a9e1ab6619fa2757ad411f14a932ca794cde2a97f2957945ed91182ee2f09fd

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
112KB

MD5
26f61bc2c4ce9d22b7c212c5877b057a

SHA1
f891e3adb3e98d8be4042b765b2c430f3162e1b3

SHA256
46e915bc8ea2f8b89954f54afbbfd966c739cd0fc215510e430c447676145a63

SHA512
80f427460e72f671af9a6a9336a158d90c8348106e37001335bcc17ac6eccc9bd1b7668f07f6bd099a392f9a9b5c9d7d0abfb3a5a11d5196cab559ee58a3bab6

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
112KB

MD5
cfca8409f126bef42470a3f00bea6677

SHA1
0d5ce81b07dd781bc4d22ca0f6f36513b230ab6e

SHA256
c056adb965173464f1322aa04ccb3b5155222d4ef7de57b41bc50fd09d9f98a8

SHA512
2421c6fdd5d26806b9e874a111d88bd59738ad7c0d6293622d3884c3b22e19249854559860c9c089ba055dcae0dd48ae1aa74ff47153245034fdbe90a7ec6329

Download Submit
C:\Windows\SysWOW64\Pmmeon32.exe

Filesize
112KB

MD5
d8714013654aa7ca2c9529e4735f74a9

SHA1
a30c675eba39cbad56f1e9751fa5634f26f246c8

SHA256
4b2b35de8ae88664088c69124ac6b1c85999433cd1970bda73dbee1ef319a4e5

SHA512
5b3d4f58c6267d11774a8aa5d9843d88d7a222f633be09a9461e90e8164f4d1a6234ee4bb5ef24a89bc0a5faf925885cda45b9da859d9b7f8681c9e5687c40b5

Download Submit
C:\Windows\SysWOW64\Pohhna32.exe

Filesize
112KB

MD5
77caa5266797fec8b818e1758e6b6a84

SHA1
b6d43aefecf2a7a0631321eaac0be6f8b6a757f8

SHA256
b7e04c78aba17c7a16c14f27333fe1a3d70f09e5fbdab10c31395dd22f1e1391

SHA512
d49ae22ae2158d765850a75c661a20911e82f3aead67b5f5d7a0a51327a43a76e93324665202d6154ab8624ea3185a07170372d60471b97054f0bd407a8976ef

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
112KB

MD5
90a547033252120d974b7675e14df075

SHA1
c44d778067e93a0fef06ce19837b1ba0d520bb3e

SHA256
8eccf4ee44393b6221f43c90d53e01c02ef7c51b29de46018ea511bf38753ff8

SHA512
331f55c5f7a7b92f50354f762373239c40001d88fa47a0d19c9cf06901c2a53e3cbd751f53e9a46711d3b8d1d177d6acadefd32997ad9a625eb8384f515d13cf

Download Submit
\Windows\SysWOW64\Pepcelel.exe

Filesize
112KB

MD5
2bd3fa5930a7cc9b7549f0010b5372dc

SHA1
0bbda76263c6b2ca0bde96fa4893f3c7a8b8b36a

SHA256
7c96acbb60f839486006041e752ee2dc6659e9e24dc847c4f2c494bc40f962d6

SHA512
d88ecc8442c932ba31cf217c455af24b1b87d75b524d56223c9f070a1d9cc65bceb781c2f83cfbfab626905bdeba9205cf422547a572c881221625dbf7b141f4

Download Submit
\Windows\SysWOW64\Pgfjhcge.exe

Filesize
112KB

MD5
3f22b90348a7c72d7aa4c74b6c42081e

SHA1
f3160613d1b0ec955f4c5348d5575103c75eda58

SHA256
483c91f2cef6e2fa8f865449db33769f5fecdd0027783e47c24c0ff6af70b6e5

SHA512
6d39630fd3f37cdb394aea28b40f307b7234696ca9a0bce076d0d68487559469ee8a12cc4d9058ae49a0118066009b38983c2607ec8768b6c247cf0605da92fd

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
112KB

MD5
98ee1d5ee43c9cf5cf880a8f46c90ac9

SHA1
573a9fb6734e4f915ac0497d6c7af071a4f426f3

SHA256
77dfe357de30ed48cdee1e67ef2165d086f3b4be8800f4adf7b8364acd52ee61

SHA512
959cb533f25e5e0385c2b09ad7478da755101d59a852f44b9786abbf599130ccd699bb537fc7a5178b7210921ee51f7ff094f9a3c29749abe7a381870ce29a33

Download Submit
\Windows\SysWOW64\Phlclgfc.exe

Filesize
112KB

MD5
f4e8e1fcf579449ab2a27b9f9b268c76

SHA1
2140f595819a2364a3684845cefcb676ad6f85e0

SHA256
4ca9dc55f764c022afae96124a14746ab1ccdd361daefd63113862e8c900b293

SHA512
3ff0ff71dc1543171328824a86680d33e0de85f023cd555b05f20dc80d15657d766e072642e35ea6f2fedaef9a5424d2af6fd7efe1b9006554c258df3f814e0d

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
112KB

MD5
61334ac35133af7ec28e00a00035a5ff

SHA1
b49c1dfc47f521b0b5a2fc6c6ac694ba1c228ca5

SHA256
d98823aa9169f79d6c25d0ef3021375f9a1f48b3e9a778a629346f51f7febd51

SHA512
103e6040c7e861e03b1fe3cfd57009b8ae23dad7f7d1d68d4fb40eb340f096dd8fa585123ec20de436cbe233ff418bbc77be40a13c76c99b3fd894f1c90905a6

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
112KB

MD5
db6e44854c0bcd8469c5d7526146f97e

SHA1
10bb5ea2fb467da799b7a6ff9ee06345e095134c

SHA256
8d7919021e0eb42d15aae61658f7e4fc7ab24933abb2eb4082f6c609780ffa1b

SHA512
1622135aa1b21aea730ed934d3a7226de45323a2910e976d6fbeda7b7b3de20dd605b1e57baa690f6d1d70a3970ca117b251c62efca0ef3c160766d41ecc6ff9

Download Submit
\Windows\SysWOW64\Pkjphcff.exe

Filesize
112KB

MD5
859ab995040fcad549149efb0b356216

SHA1
79b6888761ece5991468569ce5be971653bc7d71

SHA256
0fb432ac3be8d3388325f6a737902ee9b2b5998b8e0ffc3d8c096f73d0480563

SHA512
ce93ed1b6e459cdd21611e5fd2d41390f4221650c2c0e9a59286cffba1c7ea06bdfcf5504ca576394d1522dc25f80f5610196db9fe728027c2cc3a9c23f56dbe

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
112KB

MD5
a9b80c4f4b8e308d58cedd48b6fb20e9

SHA1
ee28bb3f9e12d8731b8e07e9627379d48508d745

SHA256
644412f6ff5464877c5bb3fa316381a4092592369057ff3c0d5b67e4ad11a018

SHA512
d052a12b458aae60f97b6ba549e5407db570428e691418cb95d87a9f84e9a68f114362ee80656f18ee1258152d53a02fc2d88d489929030e458dc041225ae7c9

Download Submit
\Windows\SysWOW64\Ppnnai32.exe

Filesize
112KB

MD5
67ce2dc9de114d042a4f989dfde1841e

SHA1
8c8495160a858ffcbd8533ee93579b5dbb189b52

SHA256
d954721e801371fc6b9b15c80b3a44acc1954cdb1770f177b5c6905b3a5f3268

SHA512
4c2a8e8c182163096f28c560e6f6260940985fe3e02edd0875318d5fcc3ea32be99c540d73b4ec4727593bb832426c0d519fd08feb7a79b8fdc0923ab8905d69

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
112KB

MD5
eea79b4abf9cea9b850cca58257cada4

SHA1
eba753fb01cb69d19e1a78b13dc1b1dbbf7595ce

SHA256
081e491d9d66d05ccc27c3558c20a711adf97f746a79d258b3cf1230bdb8dc40

SHA512
cdd6f9fd5496a5f0d6c826c1e5d0425bb69786065ff64a7577f73343494ec3c0bbcfc630263f0e627c4934d206e75de6b61946d36b876b52e8a192af5d47c5b7

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
112KB

MD5
a653aed227f348b1b1ff9e050f1a0a54

SHA1
ca39c294ab5637d84611e3e83f219e9ccb5d4717

SHA256
804137b05a23e66afe4f23fbc8e47736379dd1171d21ebefd221e31009a58838

SHA512
04173672eacc2d93a8183d3469f90cb27d61472608d0ea98d14f497fda16bf8104ce9ca1229044b276a8db9e2cc378b377d45dd1856429a84150fb53fd1dfffa

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
112KB

MD5
24e5302893ded14e26980d515b735930

SHA1
0f5f8246c94dea76ce600fd88c66dcba7a5db883

SHA256
edeefc552bc9b1cceae9c49e8eeaf1f0b1648893d28245833e2f5ba1363d4f05

SHA512
b1e7d5b4c624de2e1716a0bc709d52f175bf2b38c46db5a55525d8a5b49e34a8f68216413c9b673d1a5a43001467ef78ebbcb7bab19706b523792a749f9995c3

Download Submit
memory/548-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-11-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/548-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/548-342-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/636-440-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/636-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/636-439-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/696-417-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/696-416-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/696-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/936-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/936-505-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/936-509-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/996-139-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/996-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-492-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1344-497-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1344-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-236-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1452-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-320-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1600-316-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1632-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-165-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1632-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-113-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1720-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-295-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1784-299-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1788-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-405-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2124-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-461-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2192-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-485-0x0000000000380000-0x00000000003B5000-memory.dmp

Filesize
212KB

Download
memory/2192-484-0x0000000000380000-0x00000000003B5000-memory.dmp

Filesize
212KB

Download
memory/2216-473-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2216-468-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2216-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-277-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2292-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-273-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2336-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-425-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2384-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-191-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2420-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-393-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2492-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-255-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2540-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-378-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2576-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-372-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2608-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-61-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2676-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-401-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2696-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-340-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2748-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-210-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-217-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2956-288-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2956-287-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2956-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-330-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2992-329-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3040-305-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3040-309-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/3048-34-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/3048-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads