berbew | fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
Size

63KB
MD5

827557ad2bf9511c705eba0afe552b10
SHA1

5cd4c3ac6fcbe1b8594c5ae1118c5f3c2d5b36ea
SHA256

fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51
SHA512

755b7ce99204725e2ac4f06e871cd9bc9f62f79b564bc3f3a8df62fb5dab9dc51aa4bf085c8a447467c4fe37c3474fe4c18c4329b3505ccc3101719bacb79199
SSDEEP

1536:wPcEijDQJzm4NgdZ4fSwZ23lTwCl+VGEn9rjDHE:wPej0JabCSwwp1oGk9DHE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2312	Pmmeon32.exe
2304	Pdgmlhha.exe
2096	Pmpbdm32.exe
2748	Pdjjag32.exe
2548	Pkcbnanl.exe
2628	Pleofj32.exe
2540	Qdlggg32.exe
848	Qkfocaki.exe
1952	Qndkpmkm.exe
2832	Qdncmgbj.exe
320	Qeppdo32.exe
316	Qnghel32.exe
2848	Aohdmdoh.exe
2088	Aebmjo32.exe
2364	Ahpifj32.exe
540	Allefimb.exe
2904	Aaimopli.exe
2332	Ahbekjcf.exe
2376	Aomnhd32.exe
2580	Achjibcl.exe
1788	Afffenbp.exe
2392	Alqnah32.exe
2384	Aoojnc32.exe
1480	Anbkipok.exe
3068	Ahgofi32.exe
2344	Agjobffl.exe
3060	Andgop32.exe
2792	Bnfddp32.exe
2788	Bqeqqk32.exe
2564	Bgoime32.exe
2536	Bkjdndjo.exe
3028	Bqgmfkhg.exe
1560	Bdcifi32.exe
2600	Bfdenafn.exe
1620	Bjpaop32.exe
2028	Bqijljfd.exe
1944	Bjbndpmd.exe
2496	Bmpkqklh.exe
2132	Bqlfaj32.exe
2124	Bcjcme32.exe
776	Bkegah32.exe
1548	Cbppnbhm.exe
1660	Cfkloq32.exe
620	Ciihklpj.exe
1596	Ckhdggom.exe
2380	Cbblda32.exe
568	Cepipm32.exe
2300	Ckjamgmk.exe
1868	Cpfmmf32.exe
2696	Cnimiblo.exe
2664	Cagienkb.exe
2676	Cinafkkd.exe
2572	Ckmnbg32.exe
1212	Cnkjnb32.exe
2060	Cbffoabe.exe
1412	Ceebklai.exe
1580	Cchbgi32.exe
2828	Clojhf32.exe
2152	Cmpgpond.exe
2436	Calcpm32.exe
600	Cegoqlof.exe
788	Cgfkmgnj.exe
2144	Cfhkhd32.exe
2944	Djdgic32.exe

Loads dropped DLL 64 IoCs

pid	Process
2888	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
2888	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
2312	Pmmeon32.exe
2312	Pmmeon32.exe
2304	Pdgmlhha.exe
2304	Pdgmlhha.exe
2096	Pmpbdm32.exe
2096	Pmpbdm32.exe
2748	Pdjjag32.exe
2748	Pdjjag32.exe
2548	Pkcbnanl.exe
2548	Pkcbnanl.exe
2628	Pleofj32.exe
2628	Pleofj32.exe
2540	Qdlggg32.exe
2540	Qdlggg32.exe
848	Qkfocaki.exe
848	Qkfocaki.exe
1952	Qndkpmkm.exe
1952	Qndkpmkm.exe
2832	Qdncmgbj.exe
2832	Qdncmgbj.exe
320	Qeppdo32.exe
320	Qeppdo32.exe
316	Qnghel32.exe
316	Qnghel32.exe
2848	Aohdmdoh.exe
2848	Aohdmdoh.exe
2088	Aebmjo32.exe
2088	Aebmjo32.exe
2364	Ahpifj32.exe
2364	Ahpifj32.exe
540	Allefimb.exe
540	Allefimb.exe
2904	Aaimopli.exe
2904	Aaimopli.exe
2332	Ahbekjcf.exe
2332	Ahbekjcf.exe
2376	Aomnhd32.exe
2376	Aomnhd32.exe
2580	Achjibcl.exe
2580	Achjibcl.exe
1788	Afffenbp.exe
1788	Afffenbp.exe
2392	Alqnah32.exe
2392	Alqnah32.exe
2384	Aoojnc32.exe
2384	Aoojnc32.exe
1480	Anbkipok.exe
1480	Anbkipok.exe
3068	Ahgofi32.exe
3068	Ahgofi32.exe
2344	Agjobffl.exe
2344	Agjobffl.exe
3060	Andgop32.exe
3060	Andgop32.exe
2792	Bnfddp32.exe
2792	Bnfddp32.exe
2788	Bqeqqk32.exe
2788	Bqeqqk32.exe
2564	Bgoime32.exe
2564	Bgoime32.exe
2536	Bkjdndjo.exe
2536	Bkjdndjo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pmpbdm32.exe	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Ngciog32.dll	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
File created	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Aohdmdoh.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Pmpbdm32.exe	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Pmpbdm32.exe
File created	C:\Windows\SysWOW64\Qdncmgbj.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2688	2080	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afffenbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbkipok.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2312	2888	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe	31
PID 2888 wrote to memory of 2312	2888	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe	31
PID 2888 wrote to memory of 2312	2888	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe	31
PID 2888 wrote to memory of 2312	2888	fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe	31
PID 2312 wrote to memory of 2304	2312	Pmmeon32.exe	32
PID 2312 wrote to memory of 2304	2312	Pmmeon32.exe	32
PID 2312 wrote to memory of 2304	2312	Pmmeon32.exe	32
PID 2312 wrote to memory of 2304	2312	Pmmeon32.exe	32
PID 2304 wrote to memory of 2096	2304	Pdgmlhha.exe	33
PID 2304 wrote to memory of 2096	2304	Pdgmlhha.exe	33
PID 2304 wrote to memory of 2096	2304	Pdgmlhha.exe	33
PID 2304 wrote to memory of 2096	2304	Pdgmlhha.exe	33
PID 2096 wrote to memory of 2748	2096	Pmpbdm32.exe	34
PID 2096 wrote to memory of 2748	2096	Pmpbdm32.exe	34
PID 2096 wrote to memory of 2748	2096	Pmpbdm32.exe	34
PID 2096 wrote to memory of 2748	2096	Pmpbdm32.exe	34
PID 2748 wrote to memory of 2548	2748	Pdjjag32.exe	35
PID 2748 wrote to memory of 2548	2748	Pdjjag32.exe	35
PID 2748 wrote to memory of 2548	2748	Pdjjag32.exe	35
PID 2748 wrote to memory of 2548	2748	Pdjjag32.exe	35
PID 2548 wrote to memory of 2628	2548	Pkcbnanl.exe	36
PID 2548 wrote to memory of 2628	2548	Pkcbnanl.exe	36
PID 2548 wrote to memory of 2628	2548	Pkcbnanl.exe	36
PID 2548 wrote to memory of 2628	2548	Pkcbnanl.exe	36
PID 2628 wrote to memory of 2540	2628	Pleofj32.exe	37
PID 2628 wrote to memory of 2540	2628	Pleofj32.exe	37
PID 2628 wrote to memory of 2540	2628	Pleofj32.exe	37
PID 2628 wrote to memory of 2540	2628	Pleofj32.exe	37
PID 2540 wrote to memory of 848	2540	Qdlggg32.exe	38
PID 2540 wrote to memory of 848	2540	Qdlggg32.exe	38
PID 2540 wrote to memory of 848	2540	Qdlggg32.exe	38
PID 2540 wrote to memory of 848	2540	Qdlggg32.exe	38
PID 848 wrote to memory of 1952	848	Qkfocaki.exe	39
PID 848 wrote to memory of 1952	848	Qkfocaki.exe	39
PID 848 wrote to memory of 1952	848	Qkfocaki.exe	39
PID 848 wrote to memory of 1952	848	Qkfocaki.exe	39
PID 1952 wrote to memory of 2832	1952	Qndkpmkm.exe	40
PID 1952 wrote to memory of 2832	1952	Qndkpmkm.exe	40
PID 1952 wrote to memory of 2832	1952	Qndkpmkm.exe	40
PID 1952 wrote to memory of 2832	1952	Qndkpmkm.exe	40
PID 2832 wrote to memory of 320	2832	Qdncmgbj.exe	41
PID 2832 wrote to memory of 320	2832	Qdncmgbj.exe	41
PID 2832 wrote to memory of 320	2832	Qdncmgbj.exe	41
PID 2832 wrote to memory of 320	2832	Qdncmgbj.exe	41
PID 320 wrote to memory of 316	320	Qeppdo32.exe	42
PID 320 wrote to memory of 316	320	Qeppdo32.exe	42
PID 320 wrote to memory of 316	320	Qeppdo32.exe	42
PID 320 wrote to memory of 316	320	Qeppdo32.exe	42
PID 316 wrote to memory of 2848	316	Qnghel32.exe	43
PID 316 wrote to memory of 2848	316	Qnghel32.exe	43
PID 316 wrote to memory of 2848	316	Qnghel32.exe	43
PID 316 wrote to memory of 2848	316	Qnghel32.exe	43
PID 2848 wrote to memory of 2088	2848	Aohdmdoh.exe	44
PID 2848 wrote to memory of 2088	2848	Aohdmdoh.exe	44
PID 2848 wrote to memory of 2088	2848	Aohdmdoh.exe	44
PID 2848 wrote to memory of 2088	2848	Aohdmdoh.exe	44
PID 2088 wrote to memory of 2364	2088	Aebmjo32.exe	45
PID 2088 wrote to memory of 2364	2088	Aebmjo32.exe	45
PID 2088 wrote to memory of 2364	2088	Aebmjo32.exe	45
PID 2088 wrote to memory of 2364	2088	Aebmjo32.exe	45
PID 2364 wrote to memory of 540	2364	Ahpifj32.exe	46
PID 2364 wrote to memory of 540	2364	Ahpifj32.exe	46
PID 2364 wrote to memory of 540	2364	Ahpifj32.exe	46
PID 2364 wrote to memory of 540	2364	Ahpifj32.exe	46

C:\Users\Admin\AppData\Local\Temp\fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe
"C:\Users\Admin\AppData\Local\Temp\fe1adf344ac2df1a30b8016032d5560606d343bbb164608210dc8d894e40cd51N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\Pmmeon32.exe
  C:\Windows\system32\Pmmeon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\Pdgmlhha.exe
    C:\Windows\system32\Pdgmlhha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\Pmpbdm32.exe
      C:\Windows\system32\Pmpbdm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2392
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        67⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 144
        68⤵
        Program crash
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
63KB

MD5
bed4d1e54bbe41489b19436b4a1bf6c7

SHA1
8c11d4c548866999c346789144fcfd7a364f8335

SHA256
23fecbaad13991ce4a1a98172eff406c22cf545472eaf2fb64832a1c7ce711b5

SHA512
1f2267870902cd8e2f6be5b79c106446c4df226f3d20f7d5c0d7e751eabe75883295de08a423729beb06d56a93a63432067e834b20cef78090f58728073e8027

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
63KB

MD5
6ed0c78574cb604d7eaeb0792fbcf007

SHA1
7b9b1dffc042efa59300dae53374da7187ebe467

SHA256
bf50043e79c4f2f5dd86b706c8f8bc90bf16edf8396e09075c2515524dd14f79

SHA512
015b40b5c12ca85be778db34bbe8c87a004f855505f6bd62957e82d17d26906a86682b6d1fdef9031b6065da3fc3ad1eb4884b3911c29426c5175c82897319c2

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
63KB

MD5
56cfa25f0c2c1189cbd53513f2b726a5

SHA1
86ddc49c7d15c57fc93e6d2dd17f0aec65972b5c

SHA256
f901abd578c4a131a818a593c71107eb35f4c532527541b10025748524efaa2f

SHA512
6c9a6b14abbaf00eeabe022d131b9d6e0e370f0f96c4395108446409ea775683237e5041d2bc9702834ee0373fe37fda002eceaece0537091b0c7c492be7f4f5

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
63KB

MD5
8f65ed8c5f7f07fcbc86fe89401c1706

SHA1
0deb5461c700c3f0050624758c0cfa1a1eac013f

SHA256
605a5cb627218bdf08a758d0540a518e9bf87535cfddd1d03cde3a157d15b975

SHA512
b187d80d4e73d70329c5701951f55b41dbac167a7f30b78c70d5248d1b3591f242c368b48385dda67f295c364b34d1adadfd2e18f5567a780b87c7db9b3f117e

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
63KB

MD5
a37e216ff032aa55a547614769354ed9

SHA1
1e6c939bc4d86ac0dcbfe7fa5b10a4480099b26e

SHA256
2bc39bc810e93a5b93da4bbc9e09359fd54a065880f3eaf91e426bc52340a6d1

SHA512
933df62e5a05c8e47c7dcc81b6cf210cfb00e86910e13301bae1dd27c2f6e8ee8a405c623324a3ef1c7bbddd9ce594aa7293fd92346c1d5323723bc847b2a6a4

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
63KB

MD5
1944bf08f42b8f73a4324f6af0f64fcb

SHA1
1a0925e4e74dfb715d7334b0326f22c6fd4e991b

SHA256
9c8aefff5da4948c08e88cd26cfa360b9d3d4a6ccc0831963ce0e612205c6719

SHA512
0cbfc8c1e401304ebf2fbad3d85e89504f1efacba2486217646d6051469983ca9099a06cff31e1436cbb7fb64e7645efbf2050b34cf9de9c71aaf67e97b57b28

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
63KB

MD5
4a980227b81ee96a6a91d791a481b925

SHA1
8c0b4bacaecdf3ff3029e29f57287fa614eb1d34

SHA256
c565698ced691832eaf8b02f913db927713c4bfa823bbdc3c7cc566c24eccca7

SHA512
e35b7bea474841bbbf0f3f8e49eab1fcb1e547d2c81bf5c6f25fa9568a9c000f2daa6346ea9b12393d78f000ad444c54639b7a6d79e5873840c49643b3679e6a

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
63KB

MD5
4d5d118364c0f4309b81a5f3e50af8c7

SHA1
7d2c2cd45a8f7cd7ab0f0019f9a25e20dd090868

SHA256
b0c41273170a7e8e98446a2e25bf88358723f8155aae13a2d0f0d7580c74c5e9

SHA512
2e68a88b4cacf82aa276d631f66afb85358ff724481365d42ea43885486d6e1c168fa168e4b022dd03b824bc41e55727443c0d007fe7b60d70189f57aa536f4b

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
63KB

MD5
c11ffb0261f2f48257903aff529c664b

SHA1
19c56338470ee041211b6bcedd52518d7ba035b8

SHA256
62b171d96ad7243730f6a6f812da93ebda872c453463034c785bb6725dbfb980

SHA512
325c4be2aaab38559e1283bad5898261265473f8d474dd7763b9a43e49fac2964414ff5c43c51458ca863c9f3e7a64851119764fbf7ad0ce98485a5bfe890927

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
63KB

MD5
0c7d122b78bef2214b93ab46d9ce4818

SHA1
531bdc594beb4fb88d081590682304d3200220ce

SHA256
c5a493c31e5b34c3e5d59502444d9e0eea223b24ad8c993395c04edbbd0ef470

SHA512
4f3eb301c945e0bd04e3fa382f7764a5426a37797b71feed2557c662a48c71e320e1c7e2e6cee7cacd42c7d0d43fe4514d5cd4cc085d24e6cfb500fd9463cef6

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
63KB

MD5
b9d99b0a424aece3780ee6bbdf2f1613

SHA1
f07e85ee483588e17ba33c3f14ddf7b8d2752cb4

SHA256
38fdcdf51d3a8253e33bb796b2f4c25cb0807c594c8d67442f0bf2db5f9ac9c6

SHA512
b8a68e613f2265f6ff45c5787419b41b1b4a1bd3f94c6fa17bcae40771182e80ce3d3cb1948bce66c520dab4fd8d23ae4600dc49d11216edc856eb9f72ecbfdb

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
63KB

MD5
4476c47330a2980018ac68c9d858b99d

SHA1
d21b29311f7e29ab654473d7984d80e3bea5ef1b

SHA256
d8418ac80f6fefbc14b9652ed3aea8e9286869f959f97c9ff4bb00c4fc214edf

SHA512
c8cb69ec4747ef2336a19e11063eb275c00b82cb908dc8a8fbffce72c8b34e5da59f5c777b022496a173614a36574e9ba728f26d7d4c2eff9d2e9d4c8c9bb134

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
63KB

MD5
29f95313b3576be37f0e81f4058dc235

SHA1
7aefcc7bb469311834868d42a853338cf2755959

SHA256
7602531b241303c5212ac179900af9a752a9ffede0d044815c49921d42a8d651

SHA512
eb224ed78b7891208ed5f292f462946b05ce95277d7cdbbfd4768a086e58f21930bd060878413edbe5f5f1ccfa91cd7284befc5bb53c51ffc02e3f59ccd00f6f

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
63KB

MD5
254a86bd39462eec1b114b32cd22f7f2

SHA1
d93b8e22fcd3b421f20023fd4a530460064459da

SHA256
4af7f0fe9a072bf5a94a1b282d3164b54a1a2d06375a92c8b11c498dbaf1d90d

SHA512
2e37465289cd127d5380d92e51ce1ed967c477ab4469e6f956c975543dea7d1388adfdc7f06272b7d19e5df88cf75017e929fbcfa3a33ebe0de41cdcaeec2e03

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
63KB

MD5
6c8e553cd8c4dff5d7216e1ebc68ef15

SHA1
d2dedc76f5c6e7779a06d0b1449681c0e7b7ed40

SHA256
9f6f7173db0d07016b8d0054457c818b735dc55e93667301cbe791d2980a7e2e

SHA512
5932c8970cef841837efe9136807a6bbf97fa7824cdeeac6add5ab6706e78d022093b68a97781a158a9c695106b2d2bc45e5fd9241eeaacf684bf9f4cb0b72aa

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
63KB

MD5
d738d0fbffb65489173211b03b0f785d

SHA1
ceff7ebda193462ab12e1ef33373f4958706cf8c

SHA256
126efb4ac81db758084f80e6537aba59bcc1761af47fe13f28befc182a465683

SHA512
b0025dc365e41e67038b9e0c812a4778b5599cb1450d01a9a04803a8603a51b02da1a28e89c07621322276eeb58ad319871dad6eb6cfb833a11c060bd07b1c7c

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
63KB

MD5
8c0046e51100a7e6ada3311cd4f8320a

SHA1
e34bd06f86b584135150efb2991ae62f08cae657

SHA256
29c247548372bd814578da8b0704e426a4646f62ef550a1cfd69d75d2585500a

SHA512
bb47a567edf746191970a936d6b16ab8b2c0d379a9ad13332981d544cf963683404bda0dca86da6f9de05289c49b529e5cbdae7f2ade036993a8163730b185fd

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
63KB

MD5
4c6c0bfe304587c5d04860c3d2faa0d7

SHA1
0101a8a5015ff9595283472bf36fba3891b6ce71

SHA256
402f932e2c532f750f77fb1016978894ca5e81a7da789179a5468badbb193cc7

SHA512
0bba90f15f7780e628364de6b192b9a22b05522d1f7b56ea25404bc819e50e8dc14a212eadcad585d907e54ca64ee9da49504ab7024629820a12e8d7fd7d18d5

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
63KB

MD5
f33c0284b6845aef3f2a144390b27443

SHA1
cf30339ed0cad73578d8a782d6a1c9ded1ff070a

SHA256
67c73e6cc0445a1903d80795012e97db8c8982211c7084ab0e38c86c74f198cf

SHA512
d8df43cd5a6b1611b8f84820fa29cdbb2fa727994c9f0608d89271bd3c1719b8b902035438b065e3ab8e27fafdcc2dec52031ca517174548a11c078a94be82b8

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
63KB

MD5
99164990d267236875ff8ac5cd7bfae7

SHA1
b2ae0d8555520c916aa3633c9605b64d227e433a

SHA256
4979fba8c3971505289c6c26387167efddd3a6cbe34d2b70fce2abc10e69cc24

SHA512
be91c821fdb463d5cce2db40022c20505e810e38170b32b051e21b71b942fb7ec17d5bc31e70ed2a71931522d78498a18b4dabf787f4b9be44cf4f3160b1cad1

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
63KB

MD5
c4165f370c5e90c02748c91fa16f62e5

SHA1
917ee4c928a456eef1628e728a72a262eb37f8b0

SHA256
dc92b8500d1a59d33222a93119f71bce0e89280394d64a9e23fa2d8e928d86d6

SHA512
7cfcce1f3069b0c314fa8be2ff1bd60bdfc69e9b632a8e6dc1ad7fc093343ac5b57a3cded29dfc4d552cd9af64d715e34a99e7145b3057b118ae6a29d685dda2

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
63KB

MD5
99fee8b2400df31faf44f6dc3a1f0034

SHA1
561e5af1e94b4ad263514ed1151df3975c651ca6

SHA256
0dcdeb3713c5319482daea31e27e7c3d433eaed31f61473f6e361fee907f6615

SHA512
fe1f903af9b6e46bb0d7791240061e836e328405cac7b283a1d7f2668142e48b6410f07a6c904e71023e2ab2dd0f59b36cff7089bc3c2d772cc020ede8f88339

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
63KB

MD5
24385e0d64d5e81e47e52cfdfb0af397

SHA1
abf5b7a35482af6dcae3e0952aee7a649af5f306

SHA256
469b22a78eddb6b65ed9ad558b01f29f5dad0eb79201ec96516fceeefc8f0575

SHA512
f40b6e281a934f0ec5bc76a8aa82d3226fcec2f4c153bd2cc8637aa3f871cf92963204223948e538b973b45d1330e53c796c3dca7fc6d079957859f31a5d6493

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
63KB

MD5
caba95a01a1e18bcfe2a1c179bc7ba3d

SHA1
39a4ca34f82fc6e1a2353abc9c3360ac9b28d610

SHA256
5cf5011a7aff65b85d03998174bfa4e2a585568782124962f7c739c4dc550855

SHA512
6489febb8fb71995e0a4aef108f3d3af5085e6461fb11ff6166a61c5440d76f9ae986486efe35d92f3de5c0485e6975dbf62e279a3c41a0cba84d9bb68b61c40

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
63KB

MD5
c4a84a6aafeb621dfbac01724c05b7c1

SHA1
f0b7b9372c122b0e3d74b45178eb18c6e40791bc

SHA256
9fb24f6c3b3fa80598bcc96497b68f7932cd5df506397683319071d25010d834

SHA512
6aa65e00d7978405ddc33bc9604e3a58a4d6e150c7aa0fc33f210efae760ca40c8afcc1f32d6c63b32ff9027e3f629324b57a220c475c20adc0d0e9175da1792

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
63KB

MD5
8ed1fee593629bf862230573fc94aaec

SHA1
7c982adc59703ffeb04d151e76d0628f01ebddd3

SHA256
dfbcd50865e83271455215613168b525d0a2913676beabff72c07ac35cb66ef8

SHA512
1f3894b9d994a8e986fe95c487341474c26ee9eaefcf7f0d68e68be1ba6892d03d8332cb0d1c1b603c1db102cc114b6619958652ac5cc4a002a11db2be2383d8

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
63KB

MD5
6ea21d8cdb858cd9da43f3e563231d67

SHA1
11b151097e112959e8b4cee9c8fb9020be0d7d4c

SHA256
174803c2b880a7c919892f456f82e398e8a8b187ed5410cc735f34515c5cf7f9

SHA512
122174a65492ab042425c479b4dd8c419feb3b22883230f7e60849a14ef627affe208b1b68e59261f58b11b48d8479aa9906bb400c039d86936e6a13142196dd

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
63KB

MD5
c98889c780c19322f6d84d47b3331bef

SHA1
197d8553eb16d3e0767fd8c10e938b2639bfdbba

SHA256
3218fd48330cf8f46c272c7ef12e529a41ce20760e95b203a7511800ad8ff59b

SHA512
fdc28859e8ec080e0a600a599ad2c923491edf202af465bb5a45bfc7a4389701054cf17aeab5b00ed6e9d271f3fca77a616938dd025ecc21def153358cd1e647

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
63KB

MD5
dbd74941b954f8ddaf59c27f0ede7701

SHA1
0727609cf1e0fa6114ffd7d74b1028bb8198f106

SHA256
07d43e562a9901433b407788ec4a27e58c40179bdfa47ee64d2f3493950a5c1a

SHA512
df65e6a3b4588fa0b82b83fdcdfb0ea01d15e5bd37a2621e1dbc128609f203360b8b4e1d31c4462e5d95b928ce3e2c1f33f46b27c3baf8190910492dab326317

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
63KB

MD5
16077496ba1261a6bd500abf1d0e28b2

SHA1
a74cf5003bb783d43d92badf1380075e8a72e587

SHA256
b0f08552393057b83ddaf4a8da1ce124e86b2e2514ee2cbba2f6c5608d588450

SHA512
f536b020e8b7a9db866fbb9e57e12cf1b201020fe91b66a5216fd79ab356613342f104b6e22b22efaa81aa97f42f9402e2a864817625d034c875a23d42d8bea0

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
63KB

MD5
778f26e103bfb859f42c89126010dc80

SHA1
e43b6ac17f59362d8ec9a69be2a731cbfd86ccb1

SHA256
410ce49ca668a23ad5c0545ec2ae1395242ca5f2c2c1fe6867c9988dc160a908

SHA512
6733e3360bbce0123e0a58bbf5c09f0c4e69ba5f6217bbb2bc70990f69b89d8958bda0a2f21d2fa236fae1cc2031d2c1d60befa9439fe708f9f42cbddd748575

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
63KB

MD5
7ec7dd69588647714a5e635711c47d7e

SHA1
a650aa81827f7b82a02edffa47bedfead1291c22

SHA256
217dd407f9b08f099981b07150ad4a2f8d42ec762e0861272c71b213e66a28e4

SHA512
572d0bf35843ea23bd759aaf988b477ff6519a100c683c52595cd21dbf81741b4af41c135a60acae533a3cb27cd4b20b9a6a5977e8e683d94ad174646eccc728

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
63KB

MD5
253b18e89626cd78e68f61aeea475ce6

SHA1
b8e06a0700528324ee58bc97dc94f167696e1a34

SHA256
1f2306295219b4211e0ac54fc6fe2fb7fb6c7cb9c037c834211262187f19b76a

SHA512
1090cd50af55d21b4cf8a71d71e4207ae43e7a8fb3c0875cdd2b3e272ddabc332adf19657045843b2d512250757e2e785e8e59f711a91068c084711130122f7d

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
63KB

MD5
615f54d8ce1c94dacdab612f4a9efb03

SHA1
35526c7fec19306e1fa6d3f0e4d9095338685cba

SHA256
652649c1dc2f47c0a059e2afe85e5da9fe09fa5e47782aeeeb1e9cb75e70bf49

SHA512
49675584dbaaaab3e8c4c390b4583e6d4ea834ed59fa6d2e9d9236bc20e93280c6f77b8ae61a996c85ec3d28c4c5d3e4429e44bb220c5c9c265ad42d49cae150

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
63KB

MD5
52518916e017ae18e532fb9796b6e709

SHA1
39dd778185e8c1366d5a3782059a5bf8a3c003ce

SHA256
f6b41598dc10cc8eda1b88740b15a011f9942963a8cf9678f436d368956b267a

SHA512
c09be0c40bc366e825e24ea762cc2798a8e682c8816d2ec5570699c1b037564972c5f169f2e90e121ca68cc9d6e1be2e490fa89f5bf1071bdcb75dc02e7c4869

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
63KB

MD5
33cd12f9106857f37b0b6dff1e1513ad

SHA1
09f2223e4c20583e2d5381ab91873585257e9a0e

SHA256
9788bb10df2aaa3bd1da4e7edfb23a74b84576bf030d6a79ec777e488a8a599b

SHA512
f0acf34dc4cc0e99ebe68ffbdd2e88b468b286c33f226008136d653b891e8ecfa495ada85335027d5ac4eaa813e0ec0f7abf9c52c4e06461ff0ebd72f1840dd9

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
63KB

MD5
57307f49f515af5af6a980aa93d05408

SHA1
f0868e9c73d40f5a0b58fd4f61eefad9c2bd9ee3

SHA256
e06f8f9ba6d87b99f14b3ce7304098121186c5718c1883ecfaba53e37905c7c5

SHA512
e65811f92f59efc294fb91552c1a2481174d9d2bdfa53829e8e6154142f35f2cf071872127521bc50769cb459d5f20c48e99644ea4551888b79026e3c791ebb8

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
63KB

MD5
b8cea96be054f47a73b0c9965bffe365

SHA1
b8679e51dd4056afd3a7bcf0a79581d826dab453

SHA256
9560089579de65950353eaef9fd2722cb33a38ad3c4164898611877552f94438

SHA512
292eed6732b2d3df26791def173f5f5b3b420061b19be2fdd5fbe04a15aa6ed3de4d1340f83670b3a05b4e36cbec6686a6e0afddf7a3088353ee380f2b9f0b44

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
63KB

MD5
864277fbd81d8eb696610a2b4b80103f

SHA1
d9e7479d05b6192fcfc52520e3ccb1991382d356

SHA256
bd4ac7ad90dfb3f4c6fa7e89d5985ee53c58e1df6169300299eb69b7c20cbaf5

SHA512
4f905b209ca05f379f083b780be9d97c0087e1fc412219dd7e826eae4e80032256751ecdc19250468645b8c48c8ec54f1338bc9b449a1c152719beb411c9a3a7

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
63KB

MD5
69530b2838e46cb4a61f48dd25557ec7

SHA1
8efa54b88e672bf57ad5ab02bc5140fce52cf9b7

SHA256
9e59a9a4868c4efdda6657eeff999d0b1260e63653dfd60e768421f1113272c8

SHA512
e2c318d31e587bb40e8da0b26a3064e3dd21d9602727942a72e2a3334f2d555f5e486470c3d54b8705f88142c6fe13ef37a05a1f143718d6215883bf324fd916

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
63KB

MD5
e1b5812d5d43f0a1ec2ada276bcf8193

SHA1
9fee9453f6e53b9fe42c249b7dc081b46adacd97

SHA256
18940c6beb3b616e028c37df921829d12ec961d698243be6990cd437b484c1b8

SHA512
6ba909c367840f12fd980f5d1999a8bd42428683c583704f8b548ac71ed9c5735681910788b95d506b068ea34c361026b7fc43d2583a8171c9f5bf93486453bd

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
63KB

MD5
ee5489be1f627d750b7ef8369204e690

SHA1
67f3cdfbb87e99d3806716bd0532cb689bd32ba1

SHA256
893709855b15361abc6630d0ff7a3391dcb58260ffa1a3d77338dca26bd810c1

SHA512
c4f9ad09a7a63dad53bade7d3af256105ddb8580217320fa3e583cf20cf207a9b7d44dc7b56eaf45f0da429b8927105fff1f65e763110edf493e0d892a1406f8

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
63KB

MD5
81f976d3ed068b23dc177fe954ae07e1

SHA1
5babe0b96e87ac0da5e5ef2de8658e2235694ab0

SHA256
13185c9bb8bc3f3dc736e5daf84ab7479f2774130a1ee30a8de0db93c67306e3

SHA512
b82d5bfe3931e68a53e68a2520e5bf4494398cf473f7368a7e9170e5b4c3b312c440b115671155b3c075626fc80f70f9974fb10f712cd85989bb0a637574e52e

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
63KB

MD5
78981a15f70d86bfa8eb9ce10eacbe76

SHA1
df9a640c7f2b8746b0a8aaa6856d384c7bb97d1d

SHA256
80edb05783558591827a72a634480e8e94f21e0481094984e99e2688bf0506cc

SHA512
4b4db3efac190c6486694471548fc8459991ab88f21515fff3bc2a0e782a2ef93412a2bae8d1bc977daa46763dbcb55b5672574ca0d075d216ca33a34959a365

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
63KB

MD5
d2873d4cc8c0bb126bf5871430055d05

SHA1
aa6ff9264f28d586ccb33be9d05992ea6d1b4524

SHA256
8bd549861a1c6324147687c53981a2a81d6bd0e9148e647a5017a0cd310c2b7a

SHA512
a85295b16c472ef12cf6b2dc1b9561a3b71075edc8079ee746cfff2e46560522c57f1d0fd5b2a1a4ba5636e4e5cd662cd6b4dcb44376eed9204dce12d7d7c8af

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
63KB

MD5
f02c79f294346e151dd9522d0ab77a3d

SHA1
72e8a2feeda4bfb9aae6bf4318158b93182789c1

SHA256
9ff0dc6496ddef12362392b353fcc428aeb44e1d824e3f98a942528950293678

SHA512
ee4e5a089ce2e50622a7a387c9fcffe8bee6e0d869bfd8510ce808505f59b3bcda03a7702ed398ad7e7e9cd2bef135eeade37be2d50f1c6ae618dab7b853428c

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
63KB

MD5
80c20d059c4dc892bfae43e0e8fc6e18

SHA1
3dfa9ce4e81d8ef12f3e10c474a697322895e2b6

SHA256
5c21316c1cbe80f0d2baaaaf8322631fe43e1bc3a2f91d39361c5a3a2be147c4

SHA512
687f1fd3731d271767aa7c9d4fc4296148f35855ef6d2dd70d4593100c956a7f02542a2ee6a8cc16e15d793c4521aea7daa5238c33174f9f9d779421cd454f8b

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
63KB

MD5
a23a8aed20deaff6855770daabbdc37e

SHA1
7def9428e4cc9df1bd11ace3071158d2fcc80ddc

SHA256
8c3a88b86f19bf985db0e3c8c57d301418e2fb3a1055fb40cc90ef66695d4ba1

SHA512
5362f0f2e28e1b4f503a4a63e778ebeb092fd67996e44363e72e139f22877e4afea49f1b61edfdeeac1363761b03798b8948da1be1e90ad9cb13c5fabf33c699

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
63KB

MD5
e63260953370f178a9a6457f09a508b1

SHA1
3dccf7dd60ec9df5deab4f66bf873a965e044d27

SHA256
a00d026cfece25ecc8f4bc755168d29343470c401fe7d138c12937f45f34a92e

SHA512
08ab76c4f3972fbdd8bdfda0b546ffca6662764a480b7a0ffafc30ef8e5b21a50bf836d6492566b6fbb089a0438afcfb40ca1d2ab1d99406b9d9112e9314c193

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
63KB

MD5
8ea6e9fd2246957f964135b7816f8ced

SHA1
e80d0d9d2f7529a511de2154452263afeebcccfa

SHA256
b68c01371a7342ee43ddccfb978da33ffeb0c1bc72c6ccb91c100307c747a715

SHA512
7f80f1eda8da42a8112886f909ff1e66c191971c682e9e0d83b469166e9d9667a8774bce6903bd118dab21ab8f1196d4b129b73ca9a0134277d3155327d69a93

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
63KB

MD5
1ae6d6c8a8e745a4bf78238412562152

SHA1
1974279bf818f9893ba54825240213a51ced1edd

SHA256
a058d465ca1a8bfa7131fa69c4d058cc28be8a9bbfd2afa67d9bd2a1590acbcb

SHA512
2b7b6af7034fcd5fd841a9747405583bf63f20a378aaa7fab0c156c03c849e87dbfa7154ab4c7779cebfe0c7c30a498877a7d170bc1512ad10982adf44afd7e6

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
63KB

MD5
cacd40ed1b0f4690939857d671fb6e59

SHA1
47eb109e674a204900563fe99564fca1f1913662

SHA256
55148aafd2d7fb92419a01f94107b5537c45e588147dc7ec8087662438b4cd00

SHA512
f0c05e737f00301cacf9a2cb661af5e679d9060d52a02d489831fef07f54b89532e80b00f12b065497ea8e6462cb0fb05c3f6985f8fa1e6b4c7a1a2173424202

Download Submit
C:\Windows\SysWOW64\Qdncmgbj.exe

Filesize
63KB

MD5
042352f63481039940ad05b6ed7aacff

SHA1
77a41950141fa6f1610c3a2f9f802feeca441fd3

SHA256
985568d937b5104225ed6b8b163a00492a49abdeab4082373cd6b8b4a1626e09

SHA512
bdfd0c6a10a371750ed590c2f420d232c4fa5d1c5e34461cc59d59d8507a4aa52de53ab7dad4558655dc3a38207dbd80c35a8c63e878973691532dc32abeee0f

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
63KB

MD5
88ecbf2daaebce00b041ae84d255d278

SHA1
82290e162e39dc581fcec88c67318119bd747fda

SHA256
cf314fbdbd57be0628a4e5034019eaecdeb9a18065229c2d477556aec71de0a8

SHA512
5ad68085375bdcef257bdc4336a2900a0b004b20e8d4c8f6816d9f77b27dea21d1973d1f441a84f39275e887d687d635998a1d2f44efcf07579bf1570e5f625d

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
63KB

MD5
19fd3d21f45f892bbbbf7e506882d1ae

SHA1
e763dc3130b9b9aa68136ac3de57a73c7721350a

SHA256
e9a35b3d447f10757328d6dcc31edaf972d318ffc38dc6b8f053ab18e411b787

SHA512
a268e32469185834471bc7c2e75fe0d29fe69068bf65c84acc89972f504d53b781842265b2248c5e21627272e5b198f0686928948f057d689379e49da216e210

Download Submit
\Windows\SysWOW64\Aohdmdoh.exe

Filesize
63KB

MD5
c2f44eb84c7baf94f382aef99a0ea9a3

SHA1
f01b3b87e80421fab7b3a1ef59342a6137102719

SHA256
8d39e17903be0172e79d93c241ff9044135de7605cfb3be8b0c23183c8c4c33f

SHA512
1bee58bd830b80d9b20c47f14a4cbd430dc90624fdcee464702780bc611cc645f28715b59afe909868f5e36c3b7c626ccc09708190231fe45f21b26a795d3474

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
63KB

MD5
811f2fcbbc17d895b65227e450f6c9ee

SHA1
735ae76390ea137c6317cebf9eb37e573dc77c0f

SHA256
090a61ac35ff9e461a0b2ab77d490b1bc2d5765b9ec57b868ec8de6ee266c1ea

SHA512
3e340b93a7c720a6442bccb72802ba239f12a466463d1a48caac3fc86c0c6be3c1e661ef776d7f5b35f89ad7ca67939629010bf94f433286669082830e2c4aaa

Download Submit
\Windows\SysWOW64\Pdjjag32.exe

Filesize
63KB

MD5
f3c635da061012389f0193ff75766ee8

SHA1
cd29e5617a2686ae829f998a86b4b379fbb92606

SHA256
03af46221c4e10904e6a02c765ace213257021b3dbc360f2f377104f696bc30b

SHA512
6edd385cb1cb36ff2d772ad84d17ae0b2f4e21c0d5d0b335fbd72a5e95feb605e1d2afb2d414c0edf2c0decdc884ff42f276e8b933645f5d737726cd2596e900

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
63KB

MD5
339ee88cd51f03514fac7dc5400ef333

SHA1
d2ae99569ed13567430fd97aa18d8fa7fd452576

SHA256
0bcaed8617b6f178dae0c57c4a4ea8a7639a17c579ee685f5f20296969e628b6

SHA512
2733a1e7f7be4d42dbe977d9fce4cfad489f6ce65e98fd16205379c21bd6c45b9e0c4d05662cf660f3fae72991f1881bfe46fd2e4f97aed7e379b1571171e5ae

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
63KB

MD5
1fb4b78ce331dee9b116a5d8cd6bfab0

SHA1
76bbd34ac9cd9a5bb7ee92212a1deabda399b335

SHA256
fd7b6a2f0c9f91059a28601b5697b97f9e37b1e48ba8efbc2a60438b53b88c82

SHA512
1a97576f797c0fe2ae1ad880234b3fb89f2cbc23993d5a514221a27be7c954d102d4d179fd0340080d10f90c271388707c6140c649dfdbe8ca4bb811bc514b89

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
63KB

MD5
701b06c55d5c77278d916dd4a8ce34ca

SHA1
c4bb3c05e728253770ae27bfd3540ea4b2d37795

SHA256
dda08c10f80d7359a712dc682b22c7982b02f7cee69f8e5be5b8ab6c0e7090ec

SHA512
a960e8f97357b81d637e3e0c1adeace3e96dcc3da08a13144cfbd801b93bbfc73a608a8e32e496fdf48c2a6561b6f1c9a664ed40282e09a648712f050f9bf8fb

Download Submit
\Windows\SysWOW64\Pmpbdm32.exe

Filesize
63KB

MD5
73b72db0fd02d624d36c19bf636950ae

SHA1
dce92cfc68154f4589993ef27b482f75b5a8f7c5

SHA256
09c582b1f405f5c5e254bf6588fe2f95eeba7476bab2b6ef3791c1e880e36f13

SHA512
9f97322583051a29f4ff8c9fdf41433b00df1d14fbf985405e21c2fe445828faa97c1c859b61732f67e07b747034f77808e2b4d97fda36afdf3509f04a175b98

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
63KB

MD5
83bf5b8cebda85f4e836c6c773beec69

SHA1
f0f4481e616297c6b31aab60c1140172eb627f25

SHA256
5130aa594c35c04665100b7c4928d47f2f8cb508f45f15babf36e9892afb8afb

SHA512
e319d94519b4e9740cbdbb2fa049046a606dda43043a30eca711bc802c51c18c6870962a50bc11bf2942bf84b4a943c3cfa83fc6dc36b185a7bef4a85715831a

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
63KB

MD5
6024b2527c2e1d74eb0a50749edfb853

SHA1
475c632f07aa60422f1272d0a2b9816052b47e05

SHA256
8369548ba31db338be5fc22ee22fa5e87c44bd8367abda3059b8182e0c666483

SHA512
3b38480bf94b20462600188a2276b348b112d8a2d715dadd4d125fae2e0d060d6bd2d2a271b930a5cc8bea8a2f4cdff29cc9eacab0b508a82ef9f81ebe1314f7

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
63KB

MD5
f1bfe3e8915ba8939d3a80b3ab22bdf6

SHA1
aa9247f34c88251200fba28933034c634f7961d9

SHA256
0686ea7fbcc1361b79c98763cdff8d68e12b3e1ab78c071ba0a7758a16522f92

SHA512
5282fe141b3d77eb00a6a87af66bb3a53696af8a1a1a6a868434464a9f00c864c1d3d48ec9d8866fc62ca26c83a26d4fbaa62f7b053f687feb12fd0be85d3887

Download Submit
\Windows\SysWOW64\Qnghel32.exe

Filesize
63KB

MD5
ea2fc8d43d7b847a83b5f27aaab7c399

SHA1
d35a6aee9b628b833b408edf701486bb3ab2c7b3

SHA256
1612a83c9ecfc7329765dfc027b13aac8cb3c3a484780ac71a48a0058567bf18

SHA512
e4b4b65fe5c661f2ff2f13b642619d3b7370b3e8b6b6cf2fef700f3b433099745cb5b82b67ddb216fe86c0ade38290ea9dcf216c1313ebf351ce387542cc63f2

Download Submit
memory/316-167-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/316-159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/316-492-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/320-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/320-476-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/540-220-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/540-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-507-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-485-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/848-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/848-114-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/848-440-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1480-302-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/1480-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1480-301-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/1548-489-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1560-390-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1596-527-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/1596-521-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-422-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1620-421-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1620-420-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1660-500-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-270-0x00000000005D0000-0x0000000000608000-memory.dmp

Filesize
224KB

Download
memory/1944-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1944-442-0x00000000002D0000-0x0000000000308000-memory.dmp

Filesize
224KB

Download
memory/1944-443-0x00000000002D0000-0x0000000000308000-memory.dmp

Filesize
224KB

Download
memory/1952-448-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2028-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2088-506-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2088-513-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2088-193-0x0000000000260000-0x0000000000298000-memory.dmp

Filesize
224KB

Download
memory/2088-185-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2096-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2096-48-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2124-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2132-465-0x0000000001F30000-0x0000000001F68000-memory.dmp

Filesize
224KB

Download
memory/2132-459-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-35-0x00000000002D0000-0x0000000000308000-memory.dmp

Filesize
224KB

Download
memory/2304-364-0x00000000002D0000-0x0000000000308000-memory.dmp

Filesize
224KB

Download
memory/2304-347-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2312-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2312-26-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download
memory/2312-337-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-242-0x00000000002D0000-0x0000000000308000-memory.dmp

Filesize
224KB

Download
memory/2332-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2344-320-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2344-324-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2344-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2364-526-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2364-211-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2364-200-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2376-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2384-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2384-291-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2384-290-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2392-280-0x00000000005D0000-0x0000000000608000-memory.dmp

Filesize
224KB

Download
memory/2392-271-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2496-455-0x0000000001F30000-0x0000000001F68000-memory.dmp

Filesize
224KB

Download
memory/2496-454-0x0000000001F30000-0x0000000001F68000-memory.dmp

Filesize
224KB

Download
memory/2496-444-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2536-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-419-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2548-389-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-369-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2580-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2580-258-0x00000000005D0000-0x0000000000608000-memory.dmp

Filesize
224KB

Download
memory/2600-399-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-407-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download
memory/2600-410-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download
memory/2628-404-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-88-0x0000000000310000-0x0000000000348000-memory.dmp

Filesize
224KB

Download
memory/2748-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2748-61-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2748-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2788-357-0x00000000002D0000-0x0000000000308000-memory.dmp

Filesize
224KB

Download
memory/2788-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2792-336-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2832-466-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2832-144-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/2832-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2848-502-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2888-12-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2888-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2888-335-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2888-342-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2904-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3028-380-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-333-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/3060-334-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/3068-313-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/3068-303-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3068-308-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads