feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa

Analysis

max time kernel
75s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Size

56KB
MD5

7024fa26b739a22fe5ecf4d3920ad0fd
SHA1

2cffabaed2a5008c2439a62e91700d5297391483
SHA256

feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa
SHA512

c87740f512a0991eaa7df0cd9a308154d4ea546e7a6689c3aaed8f0498326265d46406d2e24ebfa994744a85dbb34a810e937738bb10958cd1582e6b88a29302
SSDEEP

1536:+FOLmmx2LMJkl26tk3R6IniSO+Zb2HLjEVcAVi:hmma0kHtk3R6g/aXqPVi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cgaaah32.exeCkmnbg32.exeClojhf32.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exeCiihklpj.exeCocphf32.exeCfmhdpnc.exeDnpciaef.exeCfkloq32.exeCocphf32.exeCcjoli32.exeCnimiblo.exeCbffoabe.exeCjakccop.exeDanpemej.exeCocphf32.exeCgcnghpl.exeCgfkmgnj.exeCmpgpond.exeCepipm32.exeCpfmmf32.exeCeebklai.exeCfhkhd32.exeCegoqlof.exeCgoelh32.exeCebeem32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe

Executes dropped EXE 26 IoCs

Processes:

Cfkloq32.exeCiihklpj.exeCocphf32.exeCocphf32.exeCocphf32.exeCfmhdpnc.exeCepipm32.exeCgoelh32.exeCpfmmf32.exeCnimiblo.exeCebeem32.exeCgaaah32.exeCkmnbg32.exeCbffoabe.exeCeebklai.exeCgcnghpl.exeClojhf32.exeCjakccop.exeCmpgpond.exeCegoqlof.exeCcjoli32.exeCgfkmgnj.exeCfhkhd32.exeDnpciaef.exeDanpemej.exeDpapaj32.exe

pid	Process
2132	Cfkloq32.exe
2636	Ciihklpj.exe
2776	Cocphf32.exe
2676	Cocphf32.exe
2240	Cocphf32.exe
2632	Cfmhdpnc.exe
2816	Cepipm32.exe
2972	Cgoelh32.exe
268	Cpfmmf32.exe
2272	Cnimiblo.exe
1624	Cebeem32.exe
2280	Cgaaah32.exe
476	Ckmnbg32.exe
2212	Cbffoabe.exe
2880	Ceebklai.exe
2332	Cgcnghpl.exe
760	Clojhf32.exe
932	Cjakccop.exe
1644	Cmpgpond.exe
1288	Cegoqlof.exe
2220	Ccjoli32.exe
2292	Cgfkmgnj.exe
1660	Cfhkhd32.exe
296	Dnpciaef.exe
788	Danpemej.exe
2696	Dpapaj32.exe

Loads dropped DLL 55 IoCs

Processes:

feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exeCfkloq32.exeCiihklpj.exeCocphf32.exeCocphf32.exeCocphf32.exeCfmhdpnc.exeCepipm32.exeCgoelh32.exeCpfmmf32.exeCnimiblo.exeCebeem32.exeCgaaah32.exeCkmnbg32.exeCbffoabe.exeCeebklai.exeCgcnghpl.exeClojhf32.exeCjakccop.exeCmpgpond.exeCegoqlof.exeCcjoli32.exeCgfkmgnj.exeCfhkhd32.exeDnpciaef.exeDanpemej.exeWerFault.exe

pid	Process
1916	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
1916	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
2132	Cfkloq32.exe
2132	Cfkloq32.exe
2636	Ciihklpj.exe
2636	Ciihklpj.exe
2776	Cocphf32.exe
2776	Cocphf32.exe
2676	Cocphf32.exe
2676	Cocphf32.exe
2240	Cocphf32.exe
2240	Cocphf32.exe
2632	Cfmhdpnc.exe
2632	Cfmhdpnc.exe
2816	Cepipm32.exe
2816	Cepipm32.exe
2972	Cgoelh32.exe
2972	Cgoelh32.exe
268	Cpfmmf32.exe
268	Cpfmmf32.exe
2272	Cnimiblo.exe
2272	Cnimiblo.exe
1624	Cebeem32.exe
1624	Cebeem32.exe
2280	Cgaaah32.exe
2280	Cgaaah32.exe
476	Ckmnbg32.exe
476	Ckmnbg32.exe
2212	Cbffoabe.exe
2212	Cbffoabe.exe
2880	Ceebklai.exe
2880	Ceebklai.exe
2332	Cgcnghpl.exe
2332	Cgcnghpl.exe
760	Clojhf32.exe
760	Clojhf32.exe
932	Cjakccop.exe
932	Cjakccop.exe
1644	Cmpgpond.exe
1644	Cmpgpond.exe
1288	Cegoqlof.exe
1288	Cegoqlof.exe
2220	Ccjoli32.exe
2220	Ccjoli32.exe
2292	Cgfkmgnj.exe
2292	Cgfkmgnj.exe
1660	Cfhkhd32.exe
1660	Cfhkhd32.exe
296	Dnpciaef.exe
296	Dnpciaef.exe
788	Danpemej.exe
788	Danpemej.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe

Drops file in System32 directory 64 IoCs

Processes:

Cfmhdpnc.exeCkmnbg32.exeCfhkhd32.exeDnpciaef.exeDanpemej.exeCfkloq32.exeCmpgpond.exeCgfkmgnj.exeCocphf32.exeCbffoabe.exeCeebklai.exeCiihklpj.exeCgaaah32.exeCjakccop.exeClojhf32.exeCocphf32.exeCgoelh32.exeCpfmmf32.exeCebeem32.exeCocphf32.exeCgcnghpl.exeCnimiblo.exeCepipm32.exeDpapaj32.exeCegoqlof.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exeCcjoli32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Aqpmpahd.dll	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Aqpmpahd.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process
2668	2696	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Danpemej.exeCfkloq32.exeCocphf32.exeCepipm32.exeCjakccop.exeDnpciaef.exeCcjoli32.exeCiihklpj.exeCpfmmf32.exeCgaaah32.exeCeebklai.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exeCocphf32.exeCbffoabe.exeCgoelh32.exeCkmnbg32.exeClojhf32.exeCebeem32.exeCmpgpond.exeDpapaj32.exeCgfkmgnj.exeCfhkhd32.exeCnimiblo.exeCocphf32.exeCfmhdpnc.exeCgcnghpl.exeCegoqlof.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe

Modifies registry class 64 IoCs

Processes:

Cgaaah32.exeCbffoabe.exeCmpgpond.exeClojhf32.exeCiihklpj.exeCocphf32.exeCepipm32.exeCeebklai.exeCcjoli32.exeCgfkmgnj.exeCfkloq32.exeCgcnghpl.exeCjakccop.exeCgoelh32.exeCnimiblo.exeDnpciaef.exefeaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exeCkmnbg32.exeCfmhdpnc.exeCocphf32.exeCocphf32.exeDanpemej.exeCfhkhd32.exeCegoqlof.exeCpfmmf32.exeCebeem32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cocphf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 1916 wrote to memory of 2132	1916	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	31
PID 1916 wrote to memory of 2132	1916	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	31
PID 1916 wrote to memory of 2132	1916	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	31
PID 1916 wrote to memory of 2132	1916	feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe	31
PID 2132 wrote to memory of 2636	2132	Cfkloq32.exe	32
PID 2132 wrote to memory of 2636	2132	Cfkloq32.exe	32
PID 2132 wrote to memory of 2636	2132	Cfkloq32.exe	32
PID 2132 wrote to memory of 2636	2132	Cfkloq32.exe	32
PID 2636 wrote to memory of 2776	2636	Ciihklpj.exe	33
PID 2636 wrote to memory of 2776	2636	Ciihklpj.exe	33
PID 2636 wrote to memory of 2776	2636	Ciihklpj.exe	33
PID 2636 wrote to memory of 2776	2636	Ciihklpj.exe	33
PID 2776 wrote to memory of 2676	2776	Cocphf32.exe	34
PID 2776 wrote to memory of 2676	2776	Cocphf32.exe	34
PID 2776 wrote to memory of 2676	2776	Cocphf32.exe	34
PID 2776 wrote to memory of 2676	2776	Cocphf32.exe	34
PID 2676 wrote to memory of 2240	2676	Cocphf32.exe	35
PID 2676 wrote to memory of 2240	2676	Cocphf32.exe	35
PID 2676 wrote to memory of 2240	2676	Cocphf32.exe	35
PID 2676 wrote to memory of 2240	2676	Cocphf32.exe	35
PID 2240 wrote to memory of 2632	2240	Cocphf32.exe	36
PID 2240 wrote to memory of 2632	2240	Cocphf32.exe	36
PID 2240 wrote to memory of 2632	2240	Cocphf32.exe	36
PID 2240 wrote to memory of 2632	2240	Cocphf32.exe	36
PID 2632 wrote to memory of 2816	2632	Cfmhdpnc.exe	37
PID 2632 wrote to memory of 2816	2632	Cfmhdpnc.exe	37
PID 2632 wrote to memory of 2816	2632	Cfmhdpnc.exe	37
PID 2632 wrote to memory of 2816	2632	Cfmhdpnc.exe	37
PID 2816 wrote to memory of 2972	2816	Cepipm32.exe	38
PID 2816 wrote to memory of 2972	2816	Cepipm32.exe	38
PID 2816 wrote to memory of 2972	2816	Cepipm32.exe	38
PID 2816 wrote to memory of 2972	2816	Cepipm32.exe	38
PID 2972 wrote to memory of 268	2972	Cgoelh32.exe	39
PID 2972 wrote to memory of 268	2972	Cgoelh32.exe	39
PID 2972 wrote to memory of 268	2972	Cgoelh32.exe	39
PID 2972 wrote to memory of 268	2972	Cgoelh32.exe	39
PID 268 wrote to memory of 2272	268	Cpfmmf32.exe	40
PID 268 wrote to memory of 2272	268	Cpfmmf32.exe	40
PID 268 wrote to memory of 2272	268	Cpfmmf32.exe	40
PID 268 wrote to memory of 2272	268	Cpfmmf32.exe	40
PID 2272 wrote to memory of 1624	2272	Cnimiblo.exe	41
PID 2272 wrote to memory of 1624	2272	Cnimiblo.exe	41
PID 2272 wrote to memory of 1624	2272	Cnimiblo.exe	41
PID 2272 wrote to memory of 1624	2272	Cnimiblo.exe	41
PID 1624 wrote to memory of 2280	1624	Cebeem32.exe	42
PID 1624 wrote to memory of 2280	1624	Cebeem32.exe	42
PID 1624 wrote to memory of 2280	1624	Cebeem32.exe	42
PID 1624 wrote to memory of 2280	1624	Cebeem32.exe	42
PID 2280 wrote to memory of 476	2280	Cgaaah32.exe	43
PID 2280 wrote to memory of 476	2280	Cgaaah32.exe	43
PID 2280 wrote to memory of 476	2280	Cgaaah32.exe	43
PID 2280 wrote to memory of 476	2280	Cgaaah32.exe	43
PID 476 wrote to memory of 2212	476	Ckmnbg32.exe	44
PID 476 wrote to memory of 2212	476	Ckmnbg32.exe	44
PID 476 wrote to memory of 2212	476	Ckmnbg32.exe	44
PID 476 wrote to memory of 2212	476	Ckmnbg32.exe	44
PID 2212 wrote to memory of 2880	2212	Cbffoabe.exe	45
PID 2212 wrote to memory of 2880	2212	Cbffoabe.exe	45
PID 2212 wrote to memory of 2880	2212	Cbffoabe.exe	45
PID 2212 wrote to memory of 2880	2212	Cbffoabe.exe	45
PID 2880 wrote to memory of 2332	2880	Ceebklai.exe	46
PID 2880 wrote to memory of 2332	2880	Ceebklai.exe	46
PID 2880 wrote to memory of 2332	2880	Ceebklai.exe	46
PID 2880 wrote to memory of 2332	2880	Ceebklai.exe	46

C:\Users\Admin\AppData\Local\Temp\feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe
"C:\Users\Admin\AppData\Local\Temp\feaa8b97324b800bcaa364c4003e4690ff4dfeac51dd5b065c154602a3958ffa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\Cfkloq32.exe
  C:\Windows\system32\Cfkloq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Ciihklpj.exe
    C:\Windows\system32\Ciihklpj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\Cocphf32.exe
      C:\Windows\system32\Cocphf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 144
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqpmpahd.dll

Filesize
6KB

MD5
055167e1eafd367984c59cb96b422b91

SHA1
ada3fe820183657feac1a8be22f76743b7d58327

SHA256
26e537d5a5523123be47d4d2cfb902312ad0fc3779f66553ee18e3faf300cb85

SHA512
4bd3764c404d226f720bc5f1c964e42b1ca3554f321a1760f7042b6142ad09349f22d5d9d7b7da1a31c0b3b65037d0b37b20996c5e7be880325b897c29e68a44

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
56KB

MD5
bde4cafb13c6736d1d2ebd1fa25729ad

SHA1
6dcfdfbe6da0e3e51dc0af8fd088a20120e637ac

SHA256
3d816e1e2a88b43fdbb25c338dd0f5f8f2ef24214893fa38f645243302cabb3c

SHA512
8e70e06a114a5e24d58d770c11bf0f288bcbfbc8d5fbc3c8c7bf3fd8283ad8d54894e49e17f0d332007224dbeea9d385ed4eba2772c7661204cc852fb2cb6a49

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
56KB

MD5
e929cab829b2c7ef1ec31f585227c740

SHA1
938ade9d0b80f7b79fa00a5ff6fe32bb3057ba4b

SHA256
7ac9de66d3ff1b9ca48c6e3399f153a99fce3f0f39e58101527590a6849ae53a

SHA512
707197335dd131a986fa6252a804492634ed59fb016f7d704595f9fb2f2d2d7d909638b41f5521dec869874460800679f4b33d17dded7d355cdcb35474bb1df0

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
56KB

MD5
3f737726e55470c43e7231d54978e22b

SHA1
84405462078d054e572ff31cf714237af058ead6

SHA256
140be11330c34c2800dc495ba0b9911cd4f7bad1b3096e30c8865d52e0058779

SHA512
9592dc2feabe13b2980f27d89bd04e4dc71363f187bf4253574b229a01b36aef95a5654be7bb25fe9a8f3d493d323ef04046d0dd3191a35116be1bf598c2d3b4

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
56KB

MD5
35492b9a75955db7ca642aa72422b977

SHA1
d5bfc3e01dd1d50c627defcc7532ee8ae9acc85e

SHA256
a7925e2de1fa97181a7339223f94be4f853a435d2d9693fa14ce26b7bb1f826e

SHA512
4e2d07db3b05cd47f35ff87d9582be7f565551e536b1ebafabd0b132d7416c3f3691fb72e90dee39bd37c99b8ace8d828dfe7f13ad0f7634d536d65454d242eb

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
56KB

MD5
38e624b1f38820ab1460aed8e6f63973

SHA1
95e4baeea73cc1e9bc52af1ed5e92886a56cc7b8

SHA256
eb65c541f8b36d3750bce56dde8be8df520e207b006e6e476067aa03098ca028

SHA512
4262fa83af11932e2819ab573d2c6918d6a443516501860df334001a28e19e0b2cacfc4a5ace833fa042c4e07a47c3824752d38c5b473268eab9bba069f4d39e

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
56KB

MD5
749ae72f5ac1f2c7f38c9a6dcb02a37d

SHA1
39ea8270beb7aea19443c5cf64aa852a32411d80

SHA256
fc5cbe9991b8d93a9ab46de38bf40d8691bb3119b1cae8487bea2d93c4388662

SHA512
74557b5f8bdf17c18a9ae60600ae82269eb4ba86ba191b0840ecf1fb8e83201c94ade6f14e00bca1248e70a2c98d6d2041f80016465142f6be7f910a474d6a12

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
56KB

MD5
9c1bc83a225808afd83ddf9d7dc765c1

SHA1
2425a8363e439b9a1abf19f982ada2ed95204ea5

SHA256
9813fddf94c35c0648ca393333caf1835cf9659197aa08ea555fbaf56497bd74

SHA512
258abd7d6f6194c98f61bdebb1455e960132ba45f7fc0b693d5bd6c4ab16fbddf9811adb65c4bbc10e432c5885d00ac68185bfe3a1c2ff13894b665a547fd159

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
56KB

MD5
4faf56efd8c3cbc147e161a68111c3cb

SHA1
909fcef1151aa9b33f074949cb6dce73982ddc09

SHA256
c328c82aa5cae2d27c20611c62f7c6d2ef700dd33fb13a2edf7de534066949c6

SHA512
834f5b77a696aba08fe572dca636bfcd186363f737d5eef66c0639f041d21335b6c5aa5aea9146ad07717981e6e39cc6c207ab129ad9b64068df6ae712fd1582

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
56KB

MD5
cf94a8127ff546a7d57f200c4dc6c87f

SHA1
f5f7f498b45e001cfacf13dbefc0f200636dae4e

SHA256
bf7066a5c4dd8b1f4554d1462f00480c9b409d207332fbc0465dbd8217146567

SHA512
7a02a4cf82bd9a0dfa2a3fe843405991267d85b259683dc8ef212e4baef7e439b732eb7241a6a6837cba8ef493aae2dd47e9a4f208400d643cc930cf5b26b653

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
56KB

MD5
b8d7f307d7eba314a9b60301f221cee0

SHA1
d277c14a84d72b18215f7978428b7b28d6a04a20

SHA256
a65e881a72e276c209575acf81d4e0f0d38617b6f6ec5f28ab6e30826a3eee7d

SHA512
0e1ef9779ebf3130c554911313c1e82db4d4cf97f9c0e24e9c9b77ae2c1868710fbb2dd5d7268f8a188222e96481f5f5c9422db96b2b92ea81ad67883ab1e90d

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
56KB

MD5
e5d07aa1c512b44aa9142bc5e47aac98

SHA1
2d38f5849e4c085929b1dd50a802beb1e3466287

SHA256
51b2faa21ef21a2c46c3bde2402d15f86310e574c9e154643ea804772ae809e4

SHA512
686237043cdc3cb9a062c063b7fa40b3354687b02c008428ab92905d88f079b9792e83dbf7f191ceb67501b57c83a3f2999353b158214de9c961edbd724526a9

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
56KB

MD5
39692df66b4e1636fb56ce105d55ad53

SHA1
967ee95838c31a11e745fbb026e14c590c7bcff0

SHA256
33b766dbfb370911e57f5261b0b28c82b66a0d2f6c8b42e9b52ae679346c98ba

SHA512
606fd404a1220b640746a733f96d17f6ba61712461e906dea588d13adba6b0301002d7b8e17dca4d6e8a7f49da21375b12359400983fc84048210a12659aebcb

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
56KB

MD5
e48043e178088b35f9419d17f15f70b5

SHA1
724c6772375ca3ced28c2bb6f438242e1c8c3640

SHA256
683b99f90a3c74d442ffb231f94cc7e0bf18bbda0ecfbbf24a62ee3d7e66e5b5

SHA512
ad515e4b16d672d10e886670ad9d056a95a0ffd77a82cc4982c598db2c5068c157aa119b94e0e85f786068181b5fc24ad2508a531e3cc16ceb18d8b7ef8bdd01

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
56KB

MD5
03e217335197fef5254cdaa3205710f9

SHA1
65dbf813fbd45fbd7abdc7607a5618f7940238d3

SHA256
308a20c8f0eb523ea5dbe3a42611e31ed512cfef86c6b11cf57f825dbb0ccea3

SHA512
4cfbe1152aae8a4e02d27ae5c89e3d3318410c3017cb18424116d3c7e23bf9abe7cc6f1671261bdb789312768dd16df19afba168b7f25a79023f6144f89dc35d

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
56KB

MD5
3b1f29f3f0e6e3bc68970301fae48c9e

SHA1
176c950c0a83df391f72a43bf02edeba0728ab80

SHA256
9dc41ceb35a0bd997721218b87a459bfa1c07a8f005908cff1f786eae3317a2b

SHA512
e2d4225ddc6d56c60629d788764dce7f4c09c7d9118e850482672e26dde160848caa54946acd0096ca4b5a554cb7377ee3b600eb8497c2dd4a46789f64932c3b

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
56KB

MD5
ba5e733145983605a6a6e397de027272

SHA1
a31bd59ad3491ed1dc3947a36d53c1fb5484cf56

SHA256
55eb543c3431ae32586b77ead7dc26df5ded927f73d78f1179e942fab1c1cfd3

SHA512
400816d223c13e5d756343fc3069d9d4d15c8e8e42a94a0b98cd42f7d780e54296aa0ba3dd04d0d21b12c5dcce5f3d835a0c0fd0f6ef992e392e6fa17ae07250

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
56KB

MD5
ba11e75975a9b07016303281da20f024

SHA1
2a06b9bb8629a0460cee342fd942cdb7654bd3cb

SHA256
f6e5ffa62f08b87ba92cf0719ffe576231b931db58a0cd62661290dc0102f50f

SHA512
26ac28510e892ca012549eea8ebdee2ff9419318e48f98e18d458833d8dc912c187730ff1a93d0f1fa056baaf2dfef75b3fa1d4cf91da18c81dadb904ced8948

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
56KB

MD5
a83b153b41fd7e1b17bbf71ac0a620e4

SHA1
aa333c814d11d804c0c3c2cc729579317962d42c

SHA256
4d08d4bdaa14d0d1de44a71e68dc0a2fb181688260c76a83732f06aed2da6448

SHA512
308311dd8ad1ab98ec0e7235638f3df386438f531af97462c9633cf5e64104e5f8764bd787dca78788779121b93da891a908a45585eb01fae457c458863e0aef

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
56KB

MD5
831361172e88eb2091bbcfa189cf5215

SHA1
5eb54ab9298b317814e45ba8186ff259ff9fd927

SHA256
2776f51e24afcffcec91b4eb83a725837d6499d2fdd0f4afc712ad5b9c464f8f

SHA512
18c3ca8007d91e4946c9ed1241245e249ea63d476104ffc8beb4e70de63484de54ca9f6bae38fb2762a9018df4f39ea6874b6ed16734f86d16535c80584ca946

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
56KB

MD5
640bb946c145471501d604fadb4b8f77

SHA1
6d62aab3679e45c761c9d484c6067a0c51ed5c46

SHA256
e537149631fa2d29eee07b7e3d0a77913598f7a0546277af4f74ef98143f56d6

SHA512
db2894eabfa204dd83b6f78a5a5709c0a3eaa6d9b17f1b221841743d4e02553c74dc49bd9e31e63e5f758d1b42237de3d367ce17de13ed898daf071c1f1e6284

Download Submit
\Windows\SysWOW64\Cebeem32.exe

Filesize
56KB

MD5
dc53a37fdc8c62f5677d5162d60d8dc6

SHA1
ad3f34b116ed1d71dc23d6daca6adf78844a73de

SHA256
7a75f041e7e765e0aa32f2b8e0e6d9701539f900e2e307972d84698cf4db4a76

SHA512
4b37d9118ccba6648905cd1252581a94b156d6b2e11419c6260ae2e92ed8b9e1d42d756b20bd72e4dcbfe4fc64279cfca3e565afd81f447705a4b8241854d512

Download Submit
\Windows\SysWOW64\Cgaaah32.exe

Filesize
56KB

MD5
bf328e4211a8640ed13e47859167defc

SHA1
229c0cb1be4a1769ed6958204e9900a65f9a28c6

SHA256
2b8bb1803dd1687f895187cb93b142fb0967f9ddcda7f32f84cba041acca1193

SHA512
89b3a78bdad2687d3697e0a2b88382120f8a9ec4d9bc0f104bf47089ed1040291815e241f5b786c2103040e9a97942d9cf0094672c70b8dc1956922d9e508967

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
56KB

MD5
cce39397b413934b5b5c5d2927c5d38b

SHA1
2bf8aa2c078b2b4d96bdaaf7664d81e31f13b99e

SHA256
4c20b1bdd6876cd31c72c455e14e3c1550d3e11b6099996b614b03538e4bac71

SHA512
acaaaaf6fb3c497dc7f50890dc344af43a272a1b4ee0ebda320644fb357ca2d6f6ad94474506c5507b5b68453e6006d3d173ae36a173c3054c5cfdf89dde1de5

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
56KB

MD5
52daf7860f7ffef3fe9661682bb7d85e

SHA1
73086a96188fbde025695dbf2aa1be4f529ddd4c

SHA256
e537e1e51ac3f11355aaa1e4ecc31bd9297565638338693548889974e1e854b4

SHA512
bfb0ad60cedbeecf2273e4736f13a959a094bdc2bf3f3fa2d46a13fc89205fc969070a5aa4fa97972ec8fe6161c7aa5eba11712af0f656a8a5bc46f8f18e4eb3

Download Submit
memory/268-119-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/268-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/268-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/296-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/296-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/296-304-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/476-176-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/476-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/476-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-230-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/760-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/788-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-240-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1288-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-261-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1624-148-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1624-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-251-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1644-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-293-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1660-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-29-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1916-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-30-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1916-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-197-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2220-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-271-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2240-60-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2240-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-139-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2272-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-321-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-282-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2332-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-220-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2632-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-79-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2632-73-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2636-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-89-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2816-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-206-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2880-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-161-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2972-110-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2972-109-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2972-162-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download