berbew | a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503

Analysis

max time kernel
87s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
Size

93KB
MD5

29945bebe6e65897cd29a19f44a2a29e
SHA1

020338344fe0ed59eece6900386fb1932baef386
SHA256

a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503
SHA512

2b9c5b90dedcc2554627d85568fdef35a213fae85a6a608b05d2cef904e65e17f68744a216c99a268874940b0b6247dfd98942d77c38bd379fdcd806620d95c2
SSDEEP

1536:CvSExtoDI1a8mzfPI2stWLO1+PueujS6Dz1DaYfMZRWuLsV+1r:g1BmnIBtt2tujJzgYfc0DV+1r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1052	Pafdjmkq.exe
2264	Pafdjmkq.exe
1988	Pebpkk32.exe
2828	Paiaplin.exe
2832	Phcilf32.exe
2668	Pmpbdm32.exe
2548	Ppnnai32.exe
1944	Pcljmdmj.exe
896	Pnbojmmp.exe
1940	Qcogbdkg.exe
2360	Qkfocaki.exe
2516	Qpbglhjq.exe
1744	Qcachc32.exe
2764	Aebmjo32.exe
2148	Ahpifj32.exe
1020	Aaimopli.exe
920	Alnalh32.exe
1604	Akabgebj.exe
2144	Achjibcl.exe
1368	Afffenbp.exe
1536	Adifpk32.exe
1652	Akcomepg.exe
2248	Aoojnc32.exe
2396	Anbkipok.exe
2488	Ahgofi32.exe
2316	Agjobffl.exe
2468	Akfkbd32.exe
2656	Aqbdkk32.exe
2876	Bjkhdacm.exe
2868	Bqeqqk32.exe
2584	Bkjdndjo.exe
3044	Bniajoic.exe
1920	Bceibfgj.exe
2784	Bjpaop32.exe
1760	Bnknoogp.exe
2492	Bgcbhd32.exe
756	Bjbndpmd.exe
2872	Bmpkqklh.exe
2152	Bqlfaj32.exe
2412	Bigkel32.exe
1112	Bkegah32.exe
1784	Cbppnbhm.exe
1424	Cenljmgq.exe
344	Ciihklpj.exe
1804	Cbblda32.exe
540	Cfmhdpnc.exe
2420	Ckjamgmk.exe
1164	Cpfmmf32.exe
2444	Cbdiia32.exe
2756	Cagienkb.exe
2684	Cebeem32.exe
596	Cgaaah32.exe
2528	Ckmnbg32.exe
1512	Cbffoabe.exe
1436	Caifjn32.exe
320	Cchbgi32.exe
1984	Clojhf32.exe
1768	Cnmfdb32.exe
1692	Calcpm32.exe
2796	Ccjoli32.exe
816	Cfhkhd32.exe
1320	Djdgic32.exe
912	Dmbcen32.exe
3024	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2612	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
2612	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
1052	Pafdjmkq.exe
1052	Pafdjmkq.exe
2264	Pafdjmkq.exe
2264	Pafdjmkq.exe
1988	Pebpkk32.exe
1988	Pebpkk32.exe
2828	Paiaplin.exe
2828	Paiaplin.exe
2832	Phcilf32.exe
2832	Phcilf32.exe
2668	Pmpbdm32.exe
2668	Pmpbdm32.exe
2548	Ppnnai32.exe
2548	Ppnnai32.exe
1944	Pcljmdmj.exe
1944	Pcljmdmj.exe
896	Pnbojmmp.exe
896	Pnbojmmp.exe
1940	Qcogbdkg.exe
1940	Qcogbdkg.exe
2360	Qkfocaki.exe
2360	Qkfocaki.exe
2516	Qpbglhjq.exe
2516	Qpbglhjq.exe
1744	Qcachc32.exe
1744	Qcachc32.exe
2764	Aebmjo32.exe
2764	Aebmjo32.exe
2148	Ahpifj32.exe
2148	Ahpifj32.exe
1020	Aaimopli.exe
1020	Aaimopli.exe
920	Alnalh32.exe
920	Alnalh32.exe
1604	Akabgebj.exe
1604	Akabgebj.exe
2144	Achjibcl.exe
2144	Achjibcl.exe
1368	Afffenbp.exe
1368	Afffenbp.exe
1536	Adifpk32.exe
1536	Adifpk32.exe
1652	Akcomepg.exe
1652	Akcomepg.exe
2248	Aoojnc32.exe
2248	Aoojnc32.exe
2396	Anbkipok.exe
2396	Anbkipok.exe
2488	Ahgofi32.exe
2488	Ahgofi32.exe
2316	Agjobffl.exe
2316	Agjobffl.exe
2468	Akfkbd32.exe
2468	Akfkbd32.exe
2656	Aqbdkk32.exe
2656	Aqbdkk32.exe
2876	Bjkhdacm.exe
2876	Bjkhdacm.exe
2868	Bqeqqk32.exe
2868	Bqeqqk32.exe
2584	Bkjdndjo.exe
2584	Bkjdndjo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Anbkipok.exe
File created	C:\Windows\SysWOW64\Akcomepg.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Aebmjo32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Alnalh32.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qpbglhjq.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Pafdjmkq.exe	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Aebmjo32.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pcljmdmj.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Ahpifj32.exe	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dahapj32.dll	Pebpkk32.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Ameaio32.dll	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bniajoic.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2472	3024	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1052	2612	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe	31
PID 2612 wrote to memory of 1052	2612	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe	31
PID 2612 wrote to memory of 1052	2612	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe	31
PID 2612 wrote to memory of 1052	2612	a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe	31
PID 1052 wrote to memory of 2264	1052	Pafdjmkq.exe	32
PID 1052 wrote to memory of 2264	1052	Pafdjmkq.exe	32
PID 1052 wrote to memory of 2264	1052	Pafdjmkq.exe	32
PID 1052 wrote to memory of 2264	1052	Pafdjmkq.exe	32
PID 2264 wrote to memory of 1988	2264	Pafdjmkq.exe	33
PID 2264 wrote to memory of 1988	2264	Pafdjmkq.exe	33
PID 2264 wrote to memory of 1988	2264	Pafdjmkq.exe	33
PID 2264 wrote to memory of 1988	2264	Pafdjmkq.exe	33
PID 1988 wrote to memory of 2828	1988	Pebpkk32.exe	34
PID 1988 wrote to memory of 2828	1988	Pebpkk32.exe	34
PID 1988 wrote to memory of 2828	1988	Pebpkk32.exe	34
PID 1988 wrote to memory of 2828	1988	Pebpkk32.exe	34
PID 2828 wrote to memory of 2832	2828	Paiaplin.exe	35
PID 2828 wrote to memory of 2832	2828	Paiaplin.exe	35
PID 2828 wrote to memory of 2832	2828	Paiaplin.exe	35
PID 2828 wrote to memory of 2832	2828	Paiaplin.exe	35
PID 2832 wrote to memory of 2668	2832	Phcilf32.exe	36
PID 2832 wrote to memory of 2668	2832	Phcilf32.exe	36
PID 2832 wrote to memory of 2668	2832	Phcilf32.exe	36
PID 2832 wrote to memory of 2668	2832	Phcilf32.exe	36
PID 2668 wrote to memory of 2548	2668	Pmpbdm32.exe	37
PID 2668 wrote to memory of 2548	2668	Pmpbdm32.exe	37
PID 2668 wrote to memory of 2548	2668	Pmpbdm32.exe	37
PID 2668 wrote to memory of 2548	2668	Pmpbdm32.exe	37
PID 2548 wrote to memory of 1944	2548	Ppnnai32.exe	38
PID 2548 wrote to memory of 1944	2548	Ppnnai32.exe	38
PID 2548 wrote to memory of 1944	2548	Ppnnai32.exe	38
PID 2548 wrote to memory of 1944	2548	Ppnnai32.exe	38
PID 1944 wrote to memory of 896	1944	Pcljmdmj.exe	39
PID 1944 wrote to memory of 896	1944	Pcljmdmj.exe	39
PID 1944 wrote to memory of 896	1944	Pcljmdmj.exe	39
PID 1944 wrote to memory of 896	1944	Pcljmdmj.exe	39
PID 896 wrote to memory of 1940	896	Pnbojmmp.exe	40
PID 896 wrote to memory of 1940	896	Pnbojmmp.exe	40
PID 896 wrote to memory of 1940	896	Pnbojmmp.exe	40
PID 896 wrote to memory of 1940	896	Pnbojmmp.exe	40
PID 1940 wrote to memory of 2360	1940	Qcogbdkg.exe	41
PID 1940 wrote to memory of 2360	1940	Qcogbdkg.exe	41
PID 1940 wrote to memory of 2360	1940	Qcogbdkg.exe	41
PID 1940 wrote to memory of 2360	1940	Qcogbdkg.exe	41
PID 2360 wrote to memory of 2516	2360	Qkfocaki.exe	42
PID 2360 wrote to memory of 2516	2360	Qkfocaki.exe	42
PID 2360 wrote to memory of 2516	2360	Qkfocaki.exe	42
PID 2360 wrote to memory of 2516	2360	Qkfocaki.exe	42
PID 2516 wrote to memory of 1744	2516	Qpbglhjq.exe	43
PID 2516 wrote to memory of 1744	2516	Qpbglhjq.exe	43
PID 2516 wrote to memory of 1744	2516	Qpbglhjq.exe	43
PID 2516 wrote to memory of 1744	2516	Qpbglhjq.exe	43
PID 1744 wrote to memory of 2764	1744	Qcachc32.exe	44
PID 1744 wrote to memory of 2764	1744	Qcachc32.exe	44
PID 1744 wrote to memory of 2764	1744	Qcachc32.exe	44
PID 1744 wrote to memory of 2764	1744	Qcachc32.exe	44
PID 2764 wrote to memory of 2148	2764	Aebmjo32.exe	45
PID 2764 wrote to memory of 2148	2764	Aebmjo32.exe	45
PID 2764 wrote to memory of 2148	2764	Aebmjo32.exe	45
PID 2764 wrote to memory of 2148	2764	Aebmjo32.exe	45
PID 2148 wrote to memory of 1020	2148	Ahpifj32.exe	46
PID 2148 wrote to memory of 1020	2148	Ahpifj32.exe	46
PID 2148 wrote to memory of 1020	2148	Ahpifj32.exe	46
PID 2148 wrote to memory of 1020	2148	Ahpifj32.exe	46

C:\Users\Admin\AppData\Local\Temp\a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe
"C:\Users\Admin\AppData\Local\Temp\a6d14ca977d451921aa827d202f231777e9c7813ead2ccf974ec3fc3cb87e503.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\Pafdjmkq.exe
  C:\Windows\system32\Pafdjmkq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Pafdjmkq.exe
    C:\Windows\system32\Pafdjmkq.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\Pebpkk32.exe
      C:\Windows\system32\Pebpkk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        47⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 144
        66⤵
        Program crash
        
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achjibcl.exe

Filesize
93KB

MD5
6352b2cd3572a5047acf2e8312be94b1

SHA1
ce21a96a72d56c9162e4c91dd035eff6ed4670e1

SHA256
bfe943df465d31667545cb6597800d1d6bb959c3074f959420c09e42309bd3f7

SHA512
c2530897c0cb04cd367d692b2a2621afaa79d310173a190d1e8759b5cc5c9236c3219a778bf5be3088357d01877ef400607dd769d62f8a0b3f5b78dbd2332636

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
93KB

MD5
3d7bb89b1bf8fcba05bdbb5f37a332a4

SHA1
d30db0912a69c17cf2bcd1768ec11de0b25a31be

SHA256
249ba4e70a128d18a86a7aac1368b1f550709fa3b3b109f61c49d7058f7db5c7

SHA512
dbffa872387b1362601a43c507a9566015566e927bee413f24ba881dbfbe09da490989c21f141212f5e57e6e22968c92a9020cc6bdb3e4c798853f5fd3acd559

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
93KB

MD5
4d52382db3fa7ff17086988c89e7c6ad

SHA1
2b91cb7a146cd514980983621c9fb3f3947d6dea

SHA256
3408ab21034d275f602ae84016746570d4b039f66594d1b28a89ba25d21f2c04

SHA512
6eeac1c329ed951bff0d570ede6a38406916098fa6519b6b21bf3159e1b82b73e085d7ebef4505184015f33e20316d3e86320fb179068a64ba849b6ecee67a99

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
93KB

MD5
622d74edf772939468e787a7c5ee1f3b

SHA1
796fb815ec663492a8add10a8b25e35618efca64

SHA256
d93f8487bfaba49dcd90217ba592a6da1e55d8b2f2bea6cdb28ccbbaec14c9b4

SHA512
6715d412d7f59d7b33e597a2756a2462ab5277a6e2549fa47d65dd4c6337f9a263f4e8e75c8d3d8346ee79b188a88c58184065a312c3bbc9f0532ee52947555f

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
93KB

MD5
328613c85c260c67a190efe61b9a4813

SHA1
aac9bcb2e33b0d519f1f3c300d0a25e046072bed

SHA256
4674b186d1c116850f1caecfaf1a66614cc0946e78441a76933570ce9ee0e251

SHA512
66832944a7491ef14c320cd2846c08805833ab1d6ce035e31308600356222f67ac77a13f5548c85fca05127ceabf174d3794aced320cf597c38217001e32e9cb

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
93KB

MD5
3fbdfc24156f626cd42b2c69e2a1a23f

SHA1
f2ed1349e33b5aab1c582fe1fd274ed28a9f905a

SHA256
e78e469b5d57c48cd49733e5af66b2ecfc40b2f38429bee379a6970d29035d52

SHA512
da9abc23239a9a12d60b7082c0b8ed5678e0341c4fd2efcfb5a40ed546379139e5b1a4459239652269d856c0bd487b091e01ba2fc2efa9c3609cc93c7bac3df5

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
93KB

MD5
f25b0f8c0f77b375de421cdedb2e80ea

SHA1
f3ae84418ad5a6d54899050f61572a610ba4102f

SHA256
439063566f1660a69ac6581b0e3c979df24cd92a8c5c881b41974d56cb779b3f

SHA512
1e8a74ce8dac3d6325d3c86d7ca14ace255b4618b00f313b2f86567e97827a63940698a4c682672407a772efdf8a2b4ed0516caed1cd1c6df6667c6a05bcf550

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
93KB

MD5
59c7e4de763eeeaa13075ddb87141bea

SHA1
40976d8c6aefec9284fa621a645bb76f072fb667

SHA256
7a23c9889b9af5f5ccd1e907a91741b2b575e24f11b261c4746e728ecdf3ad50

SHA512
e3ae34b9056689b45c646d5275272817ad7635ad98d2fe2dd9b317b22a2bc8ce2ca18633675486a31ead2ab8af42c637dace3251f2d1eb7bf251d2f69128a30a

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
93KB

MD5
a2bf1ed2906e2bbf9d07a6de1086cf0a

SHA1
96bc7e8c11c2a77b03deff139591270c4572b969

SHA256
b8d7db09cb01e5a710eab197654e85914cd37f05bcfdb87a07e8e0db9550a241

SHA512
e631a756f0d03cd296aa3fb4c2a9aa3b582191f289236e2e301d97b26a7eda2e18ab2aaeb6f4c9be08e3d5112b9b100b647bd6483fa7ed2a414af67b22b9bebc

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
93KB

MD5
9e1219ddb50d1dc5b168b646db4422f6

SHA1
f77d1e64c142365c453b471ddef6e2b6597dd35e

SHA256
615fdfd55bc8cf8b705b6d60b4d3ea6923c9702a0ab3dc19cd5dd9111e9e3c3f

SHA512
ef9976e7b91896c113c00b1f215139e5b430b5f19e366f9dd36895976c47c7140d47a195aa982ca0f8f6a1e412a8334c4da5aae66dacc32a3b3595917fa10582

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
93KB

MD5
45b0cefb5a82f4210c352c36fb496ff0

SHA1
619a69fbf8ee71f9f480b3eb05f474b071860dfd

SHA256
cdc43072833b3a8e671dfa04c656b3db510a452043bf9d06ca5f64b91659cecc

SHA512
28f5e13ec2870e99f37fc83528a0ce399460d563cadf6cd02fd00c9b550461859b7122431571bffbbd9d688d8d2177e6138e1e794023ac8186cf89410d81f60d

Download Submit
C:\Windows\SysWOW64\Apqcdckf.dll

Filesize
6KB

MD5
472f9dfc22d5cb118f15ddbc07627728

SHA1
786d8c4e95748b87c688d2a01ed8775faf650147

SHA256
391a55ce76d4431ac7a2b3d4022c42ccac68e36ddd9307d536cdf9da1e4a7c4b

SHA512
ca9ba3d0d486db663fc2b3a44cd7cc23c5bc5ffb3862ea94ddd8e1a7785bf07c016d09a7da1735354f69e1f349fa473945b6b4861168c593b8eb98d4b964c0df

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
93KB

MD5
ae2d4cb0e0bd9bbe36d5870dd202bd0b

SHA1
8eb4f4d359685a77585d97c0b250f21167b20a89

SHA256
07366855c10697f84bedacc759a6c578ef9df31275ccaf49525d3cd07ce0f1fa

SHA512
da031d2ea325bf2d53ad52203c559b44ba681cdb1f5fab86321ed2d929f39239d71dae032586602e04028e7c7606bffcae5ba0b132ef12499a7bedd03e48c30f

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
93KB

MD5
b7501a9a8d3d0eaf8f1c926f056663ce

SHA1
84b59886643c7eb0d070a3789998c8c451907281

SHA256
be70ba64289608629b033ad44a0776ae6110157797387ddd16b710d51c252958

SHA512
23db918f5d2ac42470ff46ab74f3367bd34b003a3ed4201fbbaf08dfb5b912ab4ecb54cd9b89b5ab58e7d7a88edce6c7bf7e03cfadd161b2c055126d3c6a9945

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
93KB

MD5
43b97583780482a0b873d2ede4e28493

SHA1
d1f03c4a0df7a4bad7c13d0a6130ded0faf0d44a

SHA256
9600cad084ae1ff1435f3dd5e36df4787a0007dd1b22749ca6cbc983f155f1e5

SHA512
97faaa6f0f9bb25c912f71440639c2d9361016e423c302dba28ebbf26b12d3b17507c5d53f8fd16eba0bbdd5382d3ec6b87acf7dedd680bcf85615bc80c3030a

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
93KB

MD5
cf4fbd793d29575b5d4f62f3d26d84a1

SHA1
25e1f6e49b71866ead2e2e8363b855728a036579

SHA256
2eff98a9897bf00ecddd7169253debf2d613459d65b54f6f449e2a8103374288

SHA512
a9cbc8969531699cd9a94c2497c5811ab3c944848d28fcdc0a69fdf26edee5430d9c7cdef813458989dea7c447b1ed13824971ab8c451130dc183a7485513df3

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
93KB

MD5
0a14daea6e58904ff7dfba96ef2d6e3f

SHA1
e43b06b22dbbe6206ab51b1a0a00394bbe4d8e2d

SHA256
f4118f1274f0e08c3f1823aae74defa2ab2c1bb015f9026c4b3c4be74cfa5063

SHA512
78d72cff42543fd3ec3e9b66988b8c3a36d9329fa5e3bbf050facb034cf411fdee667e1abb6c7a35aaffd4c95aa49b5a08c7ed181d6d210be1e1b87a6dcc5bd6

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
93KB

MD5
ccda45de84358d96767951b24eb5e4de

SHA1
bf751eca879ac2c6d9dedb0f3cb229da7061549d

SHA256
9c07c83b5b0683d6fe371840d261a4c10565d8ad80988add39199cf07e230226

SHA512
4861caa82d78f7e82091eb0ee2ecb80df2096c68227c06d3b6b4a0467384b8c59baa6e3527a9ce08f886c5af1a2b0dd60aeb70a60c56a7d8e15b8a47e1de12e4

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
93KB

MD5
6d57b13fdaef44ab75ce8c94c586fa31

SHA1
fe3772f192cfb3fdfed32aa5277b2c15d398988f

SHA256
eca2de30bfa5afce9d8080addf5607321023467c74c8fee0fac0d446b1e0c8a3

SHA512
42a969ea58bfeddaf1cfec2b2a42c8b40a9c1417c2140395a8c5bb161dde4b44b756de307f6a83d6efdaaab486d8d48fd85634f5016019017daabcc9df211fd2

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
93KB

MD5
2ddbcf5fc289460bf62d4ee9e524dd17

SHA1
c28ee3b9ffb12f134eb7fc0b1548cedd81f04924

SHA256
9cd20a7dbc70e401f3761c01b9d75e2c9badf37160cbbc9dab08ac69056d9463

SHA512
520693a67ad292073f70fa006ecd47163101aef7302f9fcd31c1efb88b7e7747c46fd4dc296ad2bf1484c5292cea934876de76a1b77032f0ed5740922f0d88b1

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
93KB

MD5
5f37cbae46a6d992174a7821d8e9f7d4

SHA1
c2455ac2bd9277a7498422b3f2412cf229285cf9

SHA256
1ca145138b01be3d740b3bea5bb9a1051a6477c9b23461001aa7b73a639e6aa2

SHA512
ad62183822d1341527ef291a8bd557e09ce3b46656fc0ca759e165cf93b7c8193ee078ef66d3b5d9f6a7d57c66170b1641826c86bfd29e3f5840a2fa9784b760

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
93KB

MD5
a08bb247bca2f77736c87d37489a33e8

SHA1
52a753d0b1cbea393eba4fc6c554a11b63d3194a

SHA256
3fc9c6cafb9c0fb96bc0d85aff5ef1b10809ed4c3bc261a8a71c766639266df7

SHA512
8155b21e5ddec85cfd4611cefd0887adaccf927c5f6276f9defdb46ee7ad1d03107c01915bd31d97306958e0ace893983e607c61bc3d102a8cb9c85678f423f8

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
93KB

MD5
f430a10e009918c5979ac7583a67ce4a

SHA1
45283daddcccb621eafa9a65d8b7042dc6bc81e3

SHA256
300318fd6b970429d6402ab51d318fdaf1ac816e30c6f19e07b1072d4e797d86

SHA512
619dbff1e611c0d50f7cdfcb18b7b0c4e98f79582e515013d24d2c3246211ebd0aa5a448eac4960d34c1328f3bed9518b1e32e85f986de9a96a305873a9eb7b0

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
93KB

MD5
d41277fe42826127f2984f0177685ded

SHA1
e1012b99e626ccfc4052624664415f346fb97671

SHA256
bcedb730a3eefd44b6ae9edea052aee218bf41187cd2e96c6755cb6d9df20704

SHA512
8cd3afcef8bc83387aaf473188545da60a1f6c566d718e5b630ebad3034cf8e3d6cf125318ab01f02b3df08f68212f26aa444033d24f1b35a6d693a50aa98e72

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
93KB

MD5
cce4714127d882b9263986b40f3c8ffc

SHA1
bc28850e8d009a46f13b5c4cd6c3274208157744

SHA256
46dfc7a8ca96583d39df2906b5571a786b2dd168dee6f738e068c992032e1294

SHA512
2989e7a9bb28224aa2c56231abf0717ff58768a7faf137f97081029a939bc7d1d9ef0c17e5f3e23ce44854babed0fc47f518559b5cfe04109b993dca069de372

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
93KB

MD5
6150a5dba83eb3efbb1183994a603b60

SHA1
b66405bba84f3ab0f6cb2480d5655a59bf17d931

SHA256
feaf914e9108a7ca0830af9eb83548c28af998c2ff2e73f5fea88cbdf5d1d57f

SHA512
ed4c6cddf9e82360f1eb2868d8dcb9b9112bfc7d7bd6e7f1a5e208ac650c212981081977fe80e6474fec5cdbb7346cd923333b54ad8b227a1e87a8c447d8fee7

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
93KB

MD5
1e2c288ca75b3348531e137c06016a5d

SHA1
cb0e7b3cb7d74ccfa062385f4480677f2d2d7eba

SHA256
12ec13c9996062a8b48b86763c7c33a04ae858529e89cb4d478a0064e127c017

SHA512
810e4406ab690159dc63c33b7411d958b766968c455300586ef46d2fd9f706dc84f092b04dbe8e89866292baa0492e9efe466a857155bb2aecc990fe03d612ae

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
93KB

MD5
12380618344317036ca83b84875ea53d

SHA1
8641626e675a7d3f18f11df9f7a3b2e5a1926617

SHA256
9ccd3e944f7a0541f0be6d79d0f8aaaf8cf9365baa59cd7a6b2882422fc778fe

SHA512
19ebbcbbd7a07bcd9303fa45ee235ca3c733f4ddb8d40e46fdaaaa948c4b07ee4403b3325aeaa27f7a28d50f9adc081b8d550f8e6b31d5d5e2d72460f4441d10

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
93KB

MD5
722c7fc8d9686c7fd7582cbcbf1eee7b

SHA1
79c0e85f715f9fba68d1cc031aa97bdae1ecbe91

SHA256
3167158d2825331a0563faaffe6adc2d970913838cefc21badb71ee07f7a918e

SHA512
3d43bb52f49373d2e0a6c65fcc862c22f267d4a9cd7567a9be490e078bd583c75652fa9ad572c766cdff5226ebf6d677a4185d465522c426ec60735c88a7ec33

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
3f0ac1d293f5102e5e2889ad10ec8356

SHA1
7f3cb0fb204e484ff86d05d33a47328171d31603

SHA256
ab74362a3deaf20f089e1f54f9f34e4d466d40b65373bbcd4dc75c1a8015834a

SHA512
c7b0be08b0f7129fcab6bc0dcc86a41a55824222ff616dee9c53ed6f4be96e15904240a8a2a81d0a4a000d73b3c6f1586deb6ea9aaa18e250c6e1aab9bca39ea

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
93KB

MD5
3bb48ca616dbd3cb5990801583b88d9e

SHA1
2685b0e29892addb1121e06a12886c147dee47b0

SHA256
87f9fa53820d295b618d2876dc0c5d61ad24e4cfc4abfc2d53f202008c397298

SHA512
2a412c0b98f3372d23baba75b1748b72867b787a06bd31b989c3747811eae8929f970fbd360066dd2f98cf709dcb9ba25434646df07824dce0bbc4d6d2fa7f4c

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
93KB

MD5
bd33d4ad4ae0d4e2397f0290455dc29a

SHA1
e4afee8328e62f7e2f20aa6839ffc86e3cac7fd8

SHA256
2217c14106fe4c3474650d2df283dfc4cc1b11b71142f633dde6d395ce3b2f09

SHA512
e97636580732cb86cbe76a0cf0fa4e1275c295e889aedc69b8e55d2ff325ae30379d8d569f729855272f59528b4da221f7dd8811442e9bbd7c59f648ef57c28e

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
93KB

MD5
1e04aa6f977d5c2dd6a825b8b02f46e8

SHA1
c78549ed6301bd4cde5409978ee0ab75789d187b

SHA256
5a01a378f249d0901760d5765066e49311a873a5764c09b6a815f0fb6a852542

SHA512
4d5e13e5b0224419a5c82deaf8b12b68061959ca3544e21c855909ea6259e8c3e408979033c1c1c0a310120b6caa43d559ae8592b6244d112dc458bde2cf1fdc

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
93KB

MD5
166dc53860e98086cc0eb3009d7a3e24

SHA1
4fd16fe2b9eee80c7e9cde2d3e30421989d7c41b

SHA256
322e99e7ce6a7fe6a04de244986e32f822c809e2ae182b9435947224b56fad91

SHA512
a30dd3d2695459f96e7f783ae0db848ab7d367dcaa56bd24b143971bcf932baea585dfa9195ead1473fc70add4a12d15e296478432db650fabe3d8351c3995a2

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
93KB

MD5
7163b6cf1ab8dc1207dd5cd76eede3a2

SHA1
7a261b8267628bc05731615c40383071a1bc1eca

SHA256
65e795c10216a21718ffc5c61b5afe31861e9747daad48e947c8809b3741e52e

SHA512
c0fe55fa7eaca9a50bd0176ff319116af1e53da0bec538eb7efa1013b278a3fa5230bdf9ac4c1e1054791d5e4f3260647cfff5e2b59de342bf0b39f7dc07142a

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
93KB

MD5
ed9016cb08fbfff5304c35c7b93cd158

SHA1
373527dfb2b562d1ab679b7d6d8e9869701782d6

SHA256
7a17979f94373d5e84fa6286f3fad169c0c447be38a3fd2e45f9e897e9b98e39

SHA512
c96e29a92ffc3d743dbba7ef0196659dc4cedddeb28c9b021675d4ca8edbd76d6b7af6d1b25558211327a1ed8c8ef093ba9d0b0b419d3be95c5089cee5493d14

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
93KB

MD5
78450c9e7df08c3356777b5249817aef

SHA1
139a85973d8c4396293ede4c1af169d6a1c65ecb

SHA256
cc4414ddeb293de25aea78cba88b72a0b3db6fc439bfd5d540fc2b545386775f

SHA512
95dfe8aa882c8a6a42f7dbaae54abde2e6a1ae7633dcf23dfe3a5de45e06598c3954989406888e1472d782e250d1e5355d564746ccc18fdd8fc8e967de2b6a03

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
93KB

MD5
1307ad7f34a8565f65116c235e7ce4e2

SHA1
dc192d39bb033752f1486002f78e20f1ad39d865

SHA256
15c2d6c834d891a9ddc2cbc50f742325e36b3cde7225ddf9c094bb4c61409c0e

SHA512
eab24b1052820adeb14d7a381b83fad17ac42a4233d647ab629d430790e4550862c2ee32f36552b4f05289bc35819509b86a1f45829c08baccfda0f590733ccc

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
93KB

MD5
525d2a9b84b39fefacde609e8f9fc290

SHA1
0b38fd00fd1cbc9199563ec9b932e51e4be55292

SHA256
9adde9d77470fa72e9f17a66b970aa93e3cde6adbb55743ba5d4b3447e91d30b

SHA512
c580ac2a784b4c13148f22a61d5690b647670ffbc73891006b97db558777a657b57e5da198f12ffe232943e1d27750e7c52b2b809e21b6721d7ce5b096356fd2

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
93KB

MD5
b8f30a35029882420be6cc0a961e1aa2

SHA1
225b1b659205267c216c8559da91a9845b71623d

SHA256
b6938520e8e418d7d7e4a8ef6b058d318034d457d99937c93dc810fc8dad79a8

SHA512
00d233096264bf0a76ab3d987f49728568b4c57ba6fdee54ab2a5bd17cc215684f48643d56bb07c31ee369f8173ec5133b40ac407fb9cfefc249d36745c017ef

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
93KB

MD5
2d9697a3e21b48906d1e2586607fdc76

SHA1
1b33f3da1a77ce997e55c439fa6941720434abc7

SHA256
9fe2df82e504bda3379d134bc33fb89a28f617ccc42a9c1610860b0f4628bdd7

SHA512
dd89bb8b73eb7010a1b937c94482c0eb292b10678a2499aa5eb779c3dfe748355900371365863c8284d51ef4f7b6ac0ad1727328d264283a7a7685168bfca369

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
3a32e620fd009740b92a2cd82f4b87d4

SHA1
04378b0e0b9bffbf7ab34c5cac07f7869d0416d9

SHA256
a87ad656c156f588f04cde888c9992863fd9139b976c36ee1b6da3f78d7b2962

SHA512
9246855a997a88d5c4dbf978e822d74188b235ba1e86d75373b297f08866d72c973aa9f34808d035772bd85ea51c2094b36fa82c17d22c295d53bcf1250ba4f3

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
93KB

MD5
7d2859259be4574e33e41403edcecb40

SHA1
fe643c6cb733bcf77ba93cc5d224e34f634d5859

SHA256
9f6ebb04fc1ebbdcaacf2a76f2116df6cd9b8f4a13bc787138183e940d7bb139

SHA512
27f56440b0356559fe2f6dcfa41481431ef5fd2417c1ab44c2dea7de9bcc5cec0cc638d677f4757ede1ca9a905fe7e09688a6d7b1047c7cb6d3b28080b5dc1e8

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
93KB

MD5
284de19ecb3bb8c303aec1eaf6d2e05c

SHA1
7b154458bf3f63517cc95a9560972014b06b7d49

SHA256
2674899666c5b964208829f90f4089f0fb2b7f55af221189a722b8a93bf4d737

SHA512
582dc34296c995ac2d5f1aa31469835ce1d9209c173c0a684803aa9e6bd4489458b2038d627b7fde6a5dc26dfe780000879f3aff32fad86c4c967b9111dae5d5

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
93KB

MD5
5275b2b5e2c0f3fe15792499bef4a670

SHA1
26a32ced1c1b7e92ebc442a6cc1f003064a721c7

SHA256
106cefe7ffa0f64f8bebda3b627eb005c0c74185865bd8c5914ed6160440da02

SHA512
69a20caaf43213e5122b30de35c750723639b5efc4eee81e0fd21e239aa38f69ed5fe502b40e86cc284109d2348a5d5335bb23e94808a0f397400ac909a3974c

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
93KB

MD5
9d8762bf8bee6f034ff135fdc205f1e1

SHA1
3e7931c276322e2bd7f449c33763a841f7168c19

SHA256
c821321ac00f9d717fafaf755ed05731746ef6fe7fbd592c2838f13f465779d0

SHA512
f284a3b830a10530775baeeb25d81a152d9e7e4c4dbbc6962ee76c946f60f928c812dd05c0f86d45953e2834c1a18d2b1525f57cd5ba92aee2591fc00684ac52

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
93KB

MD5
5877b9418588b4fee921d951d24e94a9

SHA1
28df8f655799de84aca88a981e8b06a8a80764fd

SHA256
b4073819de21b43b93b8f8ad24ee6620594d8e4ca37bb5bb96f976b264e6e669

SHA512
187b878f20185311c7317fdfe5d8bcb5463c59a21db59bc93e6c72e5e14b860b43747bd4fd7819c34ba68c5f33fbaee5b48b1434aa95ca63557985d80041f7b6

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
93KB

MD5
b2f7dc658968fcf3c43a45df9433142e

SHA1
9fe50e0d15fad629383e8c1d1d0c6e3ce8a3df31

SHA256
6b464460a5e2a48e375af964d6ce152bffe90fe0c006bdb8002549634af5b013

SHA512
70afeb09f5935ca7aaf2e6d63400027d7e9f496474bf90b2be0164e2c0384e5ac3b7f8e69f44af0939eb71079d742e5ee330668ffd73c58d7dc6d7203af3b842

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
1ed0459e205ae24ca4cd63e196fb7237

SHA1
161845c7425a6210ad6a8d559f6c89d2fe050d00

SHA256
f5408b31c55d1e028e18ebb1eab34252d5c5a7bda53fdc029206602f432b400c

SHA512
b165fc2f14289cdd1746b4211ba2f3ea25d4bb031d75bff293b8dae5a535c47284a02c834d10f3b649a4571ef8eb40978bc5f73a7061b67ada940096033b47ad

Download Submit
C:\Windows\SysWOW64\Pafdjmkq.exe

Filesize
93KB

MD5
baaa358decf41e91757bcf4259ded413

SHA1
bb6227969bfc587085aec7848bd7ae1f1d6463f9

SHA256
c0b2eaadc5a2c19c5d767fa7d674459065da88c010be4c17cfccdf673da169f4

SHA512
79270003017b71d104507f4b3c7a1c6646a2be1eed00e0a18be2146777cf91a908dde0d0db846e78e956e7e4295b76d676fce453cb4a1018014c624970d34b49

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
93KB

MD5
6a440fb09696b2184aacce46044c27cd

SHA1
52a91e84599cfe22531b3af77a09fbb740867338

SHA256
40d668ae02a2fa8a272e0bcbc187ac5c924980e9b72ab818718d23935c247a46

SHA512
5b0da6b5e8fdf14b303fffa464cf2658c4551b59ef998dfb45de1266a6282becd74c29bf7c6509ce73fe87dd6c86b007d4f7843525c45abcf7844c5f0ac298a9

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
93KB

MD5
7e6c6e7d4f0db79f87a7e7b5c96f59f8

SHA1
5201bc8e78fe79b4b91c79bd0fec071a9225b14e

SHA256
f14b8362858938e392e1f00104516cee229d0195cf30754223444f845759bafc

SHA512
825f50c95b4bfa70664bf4e8cb3ca259201ecf1ddc1b53a480ba1a7b9082338d7a0d1b5ab9c16a13d195cc379407add0004346553760f4d9c6ef043f9ea55c36

Download Submit
C:\Windows\SysWOW64\Phcilf32.exe

Filesize
93KB

MD5
722a3c6cc01f20c5cc93e0c80baa0827

SHA1
0d37917a936f19cd0647c8ad06e42bb8b0d924a6

SHA256
fd07d906d7405d91deb58c9ec43d801ebbeefeafe9f8696f71a129c5f621d0de

SHA512
11ebc755f4a323e37503c5c0c2899f26a825b4ff3749f213d22ae06bcdb3fee7c18245f90c2bf0d90eeb08b0fea9f781dc7bbd037ed2da4553451e50e2ee8c39

Download Submit
C:\Windows\SysWOW64\Pmpbdm32.exe

Filesize
93KB

MD5
40fafb47106afba9d4eba0aec3bb3386

SHA1
3e28e2095a84a9f21bebc83b0b140c9f98c44ab7

SHA256
ec44d6d72e67907b84852d1981ffd8207418f0ffd17ee3d9f37dcac621283f34

SHA512
61bebfa4002dba9efb5ca4452ebe24062a50acdaadd6614aeda0a9fb9619e25099f148a925cb90b5472a422db1d85d125a9d37e8677ba6a279933ba31b80ff2e

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
93KB

MD5
a769cd5241c5b6a30245b4d2c212321e

SHA1
60aac02b5dbd1cca6112e73bfd52934c475dc40c

SHA256
b12ad8c3a282b410c2293d2d752267a0382cf51aa264ffcad7333be900e9d733

SHA512
ad84d6c63e38becbe21cbddfab854e5174ce6bd44b6244f8bf7de32583e413f9b9388dda0baf0d7b2ba2e50bc6b39a35060124bcb6c1fd506e3320cf75ca0759

Download Submit
\Windows\SysWOW64\Aaimopli.exe

Filesize
93KB

MD5
a4df3f6ee8671e6afefcaa55649e6beb

SHA1
8bfd179162ee9db6e4aae41a91d5584032227567

SHA256
15a7257684ff9913213e94f9a5e4d005f8acb702a84ea6252ca83a13da7e4527

SHA512
a4335b1ca363bfc892a1f32360108af7b0b51d398b3fe2f91512cc55a68ace6fde248eb84083df723cdcceaf971b2b7726f28748bfd1e55f541f39cff64969d0

Download Submit
\Windows\SysWOW64\Aebmjo32.exe

Filesize
93KB

MD5
ff4b26eb06bba8e4f0fa7e7c03eae32b

SHA1
966177f877c6621da0a30cd69a3cfa2ffd2e468e

SHA256
b17345902e7af464b0803147aacc2e34f6125911de33d76e4c32edebd1cd3a85

SHA512
639635159d87286b40f9695d751a385ef270e11355d2cbab996da83ac5ed9da87477f6e0436b33ea88c3c8d4936cd9a42990ab7e4712babcab01ba8271dc1012

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
93KB

MD5
4186705c0345bfbc0c0a7746bc507fb9

SHA1
bcf993923f795ed95026d76f16ae6a3167760aef

SHA256
32882584253727d904adbabd78fb7ddda3a1a3153a552cec850555a25cf76581

SHA512
4ad2b41dc242793f12e747606cb70d6b43caf96703af7e39c09a8c5c900c358004c4b68ff4ff1496f3d4cd37d9ca42fbc3ba51c190221389af964d179690d9e7

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
93KB

MD5
686f697fd43149da07dc17900afcf211

SHA1
ca020cc899164179906329d6c9e32e265b1fb832

SHA256
a3dfa30536152b9126515a195726f4d501935bd23691e71441e07d91159a7510

SHA512
e028ae11b4e292e0c3215accc6deeee728e9b42b472b483a73f3278629f5f3cf80dbcc2a48f9695d0fa8a102b987d46f3ee99dc08143b669cf9a8f7a6b9a38db

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
93KB

MD5
9517bc2800e1a2a2871809d182feaab8

SHA1
1f88ad6c1cd23b29cd14c49e4891004355562aa4

SHA256
9a12d7cf41be7bba9bca28bce1f4ab9f707a235dca061d6a2e67ed2863642f87

SHA512
00319bdfc4696dbfa05127ad0ae1ad74d10dbbb47dfdea784a8bc851c2b21543a6bd4d27cdfca2003bc6edd42c40c6fdffdb39432861d6e5635a2c1c027e6bbb

Download Submit
\Windows\SysWOW64\Ppnnai32.exe

Filesize
93KB

MD5
9a2a2e969ff332200763270f978ee2c5

SHA1
adbee46b64eb67bc2cce5b54e8c6f7a2037c7a07

SHA256
4f4ef34afbb33fe9161302ef6d915c1194db8d13a1b4f562704e5b90fbd9bbb3

SHA512
bdcb5075f425466a636e48dc11a761669b4ed4c7b31c7648699238aa9fc3bf96de8fdc069063d100f60614f175c11431a0d91ba71a2414a4e32025ea017773ca

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
93KB

MD5
352e3dc1612a1592099b001a6efaeae9

SHA1
025551982e4740ea924ff774e62975f848ddbf1f

SHA256
aef0c4cfb446e83bc78baa292dc5639d3f9653deee2958dad4b42d0b81428443

SHA512
18fa17943fd0ca117f7a29a4cf97044768057663c653cffc1674dc8d5e05ff41e1a1428c8b7d40f16ece26e2c2ac2e254e79e2067d2cf3e8f4402293443c9257

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
93KB

MD5
1cf6c6a60ad1f1a848b2c6dd7098ec18

SHA1
ed336cc8df951afe2b67e318b6a422366464f291

SHA256
8287c700b6fdd94462b5b9ee3255d69299e7d5acc637176587cae2af9ff7f4a3

SHA512
606143479777570ce38ef658d21738a2933b29ba26c942383851cd1dd1bfa67ec1cf6988e1ac8ec6070b0fde49e7286d19749b90b06b337746c8e69bf7a2e8dd

Download Submit
\Windows\SysWOW64\Qpbglhjq.exe

Filesize
93KB

MD5
588ccd70fbf584771e386f40e5032c6d

SHA1
acebae24987b01889252827e87f9f94c5dea020e

SHA256
1a3791e12b3125293a8c16305a001f64b197abe9e760640b82a96c042c8a7ceb

SHA512
198490e9bcb66d4eb4696697aaa5b0b07f3f30ca085d2cc86572cc7169de0e2feea95eb0a5b0e863179127fef71a2603957ad1389baa02611348031362db3583

Download Submit
memory/344-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-755-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/596-800-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-806-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-438-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/756-443-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/816-750-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-767-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-757-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-498-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1424-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-768-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-761-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-263-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1604-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-183-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1744-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-809-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-392-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1920-396-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1940-141-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1940-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-764-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-433-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1988-52-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1988-41-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2144-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-206-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2148-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-468-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2152-765-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-282-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2248-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-286-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2264-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-319-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2316-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-318-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2360-154-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2360-155-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2360-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-301-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2396-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-299-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2412-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-754-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-758-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-330-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2468-325-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2488-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-304-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2488-308-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2492-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-773-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-170-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2516-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-803-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-462-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2548-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-96-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2548-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-375-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2584-373-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2612-19-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2612-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2656-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-341-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2656-340-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2668-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-804-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-774-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-407-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2784-406-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2828-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-442-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2832-86-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2832-448-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2832-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-362-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2868-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2868-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-785-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-355-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-347-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-753-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-384-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/3044-385-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/3044-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads