berbew | d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
Size

64KB
MD5

df877a416b28add4f185abe5016b7b44
SHA1

e11a7a839a135a29650a3b9a8f4cb46b7aceff8c
SHA256

d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5
SHA512

4f5542d20699648bc829a95dae6dc1d9bc960f1606612c775cd6c136396d09162e3224fffc0870d02a0bfeecb1a678161ccc29cf3de8905721ca933204689108
SSDEEP

1536:KVk5dZZOdqnuoaLbqRoK+Dg3b4Y1YlLBsLnVLdGUHyNwy:KoZYdOusRoK+Dg3bPalLBsLnVUUHyNwy

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2836	Pgcmbcih.exe
2084	Pmmeon32.exe
2680	Pdgmlhha.exe
2696	Pgfjhcge.exe
2832	Paknelgk.exe
2588	Pcljmdmj.exe
2660	Pnbojmmp.exe
2272	Qdlggg32.exe
1904	Qiioon32.exe
2020	Qpbglhjq.exe
1908	Qgmpibam.exe
1252	Qjklenpa.exe
2936	Apedah32.exe
2136	Accqnc32.exe
2148	Ajmijmnn.exe
1600	Apgagg32.exe
1624	Acfmcc32.exe
1764	Ajpepm32.exe
1972	Ahbekjcf.exe
1676	Akabgebj.exe
1892	Aakjdo32.exe
696	Adifpk32.exe
2108	Alqnah32.exe
984	Aoojnc32.exe
1552	Aficjnpm.exe
2632	Adlcfjgh.exe
2260	Agjobffl.exe
2692	Akfkbd32.exe
2820	Abpcooea.exe
2816	Bhjlli32.exe
2536	Bnfddp32.exe
3048	Bdqlajbb.exe
2868	Bjmeiq32.exe
1792	Bqgmfkhg.exe
1652	Bdcifi32.exe
1912	Bjpaop32.exe
1524	Bnknoogp.exe
2924	Bchfhfeh.exe
2212	Bieopm32.exe
2976	Bmpkqklh.exe
1736	Bcjcme32.exe
652	Bbmcibjp.exe
1584	Coacbfii.exe
1540	Cfkloq32.exe
1900	Cenljmgq.exe
1548	Cmedlk32.exe
2860	Cocphf32.exe
2944	Cbblda32.exe
1708	Cfmhdpnc.exe
1488	Cileqlmg.exe
2960	Cgoelh32.exe
3032	Cpfmmf32.exe
2604	Cnimiblo.exe
3068	Cagienkb.exe
2052	Cebeem32.exe
2348	Cgaaah32.exe
1664	Ckmnbg32.exe
2636	Cnkjnb32.exe
3052	Caifjn32.exe
448	Cchbgi32.exe
1528	Cgcnghpl.exe
2496	Cjakccop.exe
1448	Cmpgpond.exe
1096	Cegoqlof.exe

Loads dropped DLL 64 IoCs

pid	Process
2504	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
2504	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
2836	Pgcmbcih.exe
2836	Pgcmbcih.exe
2084	Pmmeon32.exe
2084	Pmmeon32.exe
2680	Pdgmlhha.exe
2680	Pdgmlhha.exe
2696	Pgfjhcge.exe
2696	Pgfjhcge.exe
2832	Paknelgk.exe
2832	Paknelgk.exe
2588	Pcljmdmj.exe
2588	Pcljmdmj.exe
2660	Pnbojmmp.exe
2660	Pnbojmmp.exe
2272	Qdlggg32.exe
2272	Qdlggg32.exe
1904	Qiioon32.exe
1904	Qiioon32.exe
2020	Qpbglhjq.exe
2020	Qpbglhjq.exe
1908	Qgmpibam.exe
1908	Qgmpibam.exe
1252	Qjklenpa.exe
1252	Qjklenpa.exe
2936	Apedah32.exe
2936	Apedah32.exe
2136	Accqnc32.exe
2136	Accqnc32.exe
2148	Ajmijmnn.exe
2148	Ajmijmnn.exe
1600	Apgagg32.exe
1600	Apgagg32.exe
1624	Acfmcc32.exe
1624	Acfmcc32.exe
1764	Ajpepm32.exe
1764	Ajpepm32.exe
1972	Ahbekjcf.exe
1972	Ahbekjcf.exe
1676	Akabgebj.exe
1676	Akabgebj.exe
1892	Aakjdo32.exe
1892	Aakjdo32.exe
696	Adifpk32.exe
696	Adifpk32.exe
2108	Alqnah32.exe
2108	Alqnah32.exe
984	Aoojnc32.exe
984	Aoojnc32.exe
1552	Aficjnpm.exe
1552	Aficjnpm.exe
2632	Adlcfjgh.exe
2632	Adlcfjgh.exe
2260	Agjobffl.exe
2260	Agjobffl.exe
2692	Akfkbd32.exe
2692	Akfkbd32.exe
2820	Abpcooea.exe
2820	Abpcooea.exe
2816	Bhjlli32.exe
2816	Bhjlli32.exe
2536	Bnfddp32.exe
2536	Bnfddp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Gncakm32.dll	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Ajpepm32.exe	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Acfmcc32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Acfmcc32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Paknelgk.exe	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Egfokakc.dll	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2556	2676	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2836	2504	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe	31
PID 2504 wrote to memory of 2836	2504	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe	31
PID 2504 wrote to memory of 2836	2504	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe	31
PID 2504 wrote to memory of 2836	2504	d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe	31
PID 2836 wrote to memory of 2084	2836	Pgcmbcih.exe	32
PID 2836 wrote to memory of 2084	2836	Pgcmbcih.exe	32
PID 2836 wrote to memory of 2084	2836	Pgcmbcih.exe	32
PID 2836 wrote to memory of 2084	2836	Pgcmbcih.exe	32
PID 2084 wrote to memory of 2680	2084	Pmmeon32.exe	33
PID 2084 wrote to memory of 2680	2084	Pmmeon32.exe	33
PID 2084 wrote to memory of 2680	2084	Pmmeon32.exe	33
PID 2084 wrote to memory of 2680	2084	Pmmeon32.exe	33
PID 2680 wrote to memory of 2696	2680	Pdgmlhha.exe	34
PID 2680 wrote to memory of 2696	2680	Pdgmlhha.exe	34
PID 2680 wrote to memory of 2696	2680	Pdgmlhha.exe	34
PID 2680 wrote to memory of 2696	2680	Pdgmlhha.exe	34
PID 2696 wrote to memory of 2832	2696	Pgfjhcge.exe	35
PID 2696 wrote to memory of 2832	2696	Pgfjhcge.exe	35
PID 2696 wrote to memory of 2832	2696	Pgfjhcge.exe	35
PID 2696 wrote to memory of 2832	2696	Pgfjhcge.exe	35
PID 2832 wrote to memory of 2588	2832	Paknelgk.exe	36
PID 2832 wrote to memory of 2588	2832	Paknelgk.exe	36
PID 2832 wrote to memory of 2588	2832	Paknelgk.exe	36
PID 2832 wrote to memory of 2588	2832	Paknelgk.exe	36
PID 2588 wrote to memory of 2660	2588	Pcljmdmj.exe	37
PID 2588 wrote to memory of 2660	2588	Pcljmdmj.exe	37
PID 2588 wrote to memory of 2660	2588	Pcljmdmj.exe	37
PID 2588 wrote to memory of 2660	2588	Pcljmdmj.exe	37
PID 2660 wrote to memory of 2272	2660	Pnbojmmp.exe	38
PID 2660 wrote to memory of 2272	2660	Pnbojmmp.exe	38
PID 2660 wrote to memory of 2272	2660	Pnbojmmp.exe	38
PID 2660 wrote to memory of 2272	2660	Pnbojmmp.exe	38
PID 2272 wrote to memory of 1904	2272	Qdlggg32.exe	39
PID 2272 wrote to memory of 1904	2272	Qdlggg32.exe	39
PID 2272 wrote to memory of 1904	2272	Qdlggg32.exe	39
PID 2272 wrote to memory of 1904	2272	Qdlggg32.exe	39
PID 1904 wrote to memory of 2020	1904	Qiioon32.exe	40
PID 1904 wrote to memory of 2020	1904	Qiioon32.exe	40
PID 1904 wrote to memory of 2020	1904	Qiioon32.exe	40
PID 1904 wrote to memory of 2020	1904	Qiioon32.exe	40
PID 2020 wrote to memory of 1908	2020	Qpbglhjq.exe	41
PID 2020 wrote to memory of 1908	2020	Qpbglhjq.exe	41
PID 2020 wrote to memory of 1908	2020	Qpbglhjq.exe	41
PID 2020 wrote to memory of 1908	2020	Qpbglhjq.exe	41
PID 1908 wrote to memory of 1252	1908	Qgmpibam.exe	42
PID 1908 wrote to memory of 1252	1908	Qgmpibam.exe	42
PID 1908 wrote to memory of 1252	1908	Qgmpibam.exe	42
PID 1908 wrote to memory of 1252	1908	Qgmpibam.exe	42
PID 1252 wrote to memory of 2936	1252	Qjklenpa.exe	43
PID 1252 wrote to memory of 2936	1252	Qjklenpa.exe	43
PID 1252 wrote to memory of 2936	1252	Qjklenpa.exe	43
PID 1252 wrote to memory of 2936	1252	Qjklenpa.exe	43
PID 2936 wrote to memory of 2136	2936	Apedah32.exe	44
PID 2936 wrote to memory of 2136	2936	Apedah32.exe	44
PID 2936 wrote to memory of 2136	2936	Apedah32.exe	44
PID 2936 wrote to memory of 2136	2936	Apedah32.exe	44
PID 2136 wrote to memory of 2148	2136	Accqnc32.exe	45
PID 2136 wrote to memory of 2148	2136	Accqnc32.exe	45
PID 2136 wrote to memory of 2148	2136	Accqnc32.exe	45
PID 2136 wrote to memory of 2148	2136	Accqnc32.exe	45
PID 2148 wrote to memory of 1600	2148	Ajmijmnn.exe	46
PID 2148 wrote to memory of 1600	2148	Ajmijmnn.exe	46
PID 2148 wrote to memory of 1600	2148	Ajmijmnn.exe	46
PID 2148 wrote to memory of 1600	2148	Ajmijmnn.exe	46

C:\Users\Admin\AppData\Local\Temp\d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe
"C:\Users\Admin\AppData\Local\Temp\d2c41be5c3748f76dc1b888cddb5b054f37c0695096d2b5d7f3a06d8b091feb5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\Pgcmbcih.exe
  C:\Windows\system32\Pgcmbcih.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\Pmmeon32.exe
    C:\Windows\system32\Pmmeon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\Pdgmlhha.exe
      C:\Windows\system32\Pdgmlhha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        70⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 144
        71⤵
        Program crash
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
64KB

MD5
4c135e7d738e8e2fab0a0ca9d103c70b

SHA1
91a14ebc664274317f3956f6b56c8f824b9b3de0

SHA256
ec2fc70f19292b3ab1ff461de5967b9012517f578eab39d2938a00667d91223b

SHA512
6dc1a37c769e4282fa4117fc5125c808d38c4bf814473dbbee8c76c00b96c78dd7a8882401fa40c4a183958dcdd19c3ecd4f592fefce198edebd8a6a079c9034

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
64KB

MD5
a1fb54a37be90811987330b85b2436f1

SHA1
f35281e1353509e300f12dd6779c98230302c9aa

SHA256
5a923071c4a564fc1fa2f70c093d5ee0a4390289cd45cb41665ef687e97aaaf9

SHA512
cb31b5e61619badf0a2d6139b7d8cd022932856dba1f69b4be847fee68d8570482d86c62c329dd6a07b68eaaec340f439546684915e79f1a4241012d584323e0

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
64KB

MD5
6c769c7ad7474403ed7474147a00a035

SHA1
7234ac29b566bd63b8ae5e2dfea745d0e4d6bf40

SHA256
935f8e3fc73b53e285a1938e7f38fdcb2af8e02ad0b1c6b13795847a1b532c6e

SHA512
cc2bd5daaad6561e7f5a372490e7f21477923fc5d9ad83f9e223cbd51cfdfbf9c1681ff5be65489b85d44016d09b40c7551ad56900a03c257bc34697ab349f57

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
64KB

MD5
fcd641c5e8d7216a123a304128b3c10b

SHA1
fd670c32e8ccd871f16f6a0a332e2a4ca4d71e28

SHA256
23d52b2408daabcb4810c1e5de39e40d76ba4f245b1db7306b56ed6d3fe96155

SHA512
f72b28a9f126840b29dcea87e6dec8b472702076cfa162c781c4a6365a8f201b9cf92b730ac3f9cf7b385ac1e1edb2e4c3e5c5bd66c1a351c62b5ccd719c2cbe

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
64KB

MD5
9944413eb44e1f317b84f4be0cf5f485

SHA1
d9f02e73637ea181b06fa104a01ea97c0616a077

SHA256
02148d75ec0766203da89c02639465fa0449615a952c33e404ff330aa79f8099

SHA512
c03562062092d1b5f220dd2d5e4f676e25f99e577ef415f9fa3bb5018fc3f6f11afd87f4033a3cea7ef00d445f5f7118e7db88d3de4ccc7cca5483fd73086a1f

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
64KB

MD5
ed1daf4f5a22f7b61f3e4edd1de91555

SHA1
123b8963331f77eaca935f05f23fc2fa186861a9

SHA256
67e6f8994252a4d44f18a588869599c8b67e8a1450661fff51d620e6b31966eb

SHA512
96f950b4f574a457f319f8f90d4975963a28ed807c654edcdacaad3c43029970775f106f850379c9b1486a3dc4b1517a397d031b9a7756bcb41686f1c1243138

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
64KB

MD5
b55eed67f2184a55cbd8b972300241f5

SHA1
8b9137818ca650a64538f3c11614fbfb7b1404bf

SHA256
f8205774d52cf0b750f61f79715eacded41e1c7f23a9276ee8ab1bca3990a0da

SHA512
cbe7a8e842551ea20615a4af684dec631d0db48f91eb1472e089997f4446399a3ac7d8aa7ae0954e18a642641e5f072e5796324e2d6a140f002fdaf5f40beee3

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
64KB

MD5
ee938e7bf4c74e58819a10e1cd0bb8c2

SHA1
4bdf1b001896837bcdb88e30ba1745b084f2daa7

SHA256
2db2c40939ed053fa5708dc6dccfd5952ec893b33c378cf002e494fc810d498e

SHA512
0c6563bb5c92a350f54e00a9ebb0be2888d1ce014d43f175ff3a1fafcd972c9eeb4b71e938a208f064e540f074277994834faadd5bb3560ab890340b04d09d28

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
64KB

MD5
838955023a6ca5bf8fe045f1f6423f80

SHA1
349844cfda26bc08a7816bf73eb4b61d20219af5

SHA256
5763558de0a4aec00b01585ab8bb2feab519c20607d4a0ec270ab3a8bc8767bd

SHA512
4cf97fb11fc5821976fb2ec0c2621766bb78b8b2df513ac3cd33278b9c559a0fc78bf6e453ee9b489d40f82b9e7e941b52676a0603ba9fd732f3692775437ea7

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
64KB

MD5
3243fe97bf726eebeb752fe578f3cdfc

SHA1
a479492489801b052c27ee840dc938c86a189222

SHA256
c6779491137193e225bc1edc216ccc4b953432f58d7c815e8256c931f37ccf00

SHA512
2251323f872b48b348d3d5568fb6ba6d136ff819ee3d7c1255fb21f0722918487107434bfbb941e42d431afcbb432312039ff80270d97e9169ae7ce18dde3503

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
64KB

MD5
5a6769806d3cc50fb8bef242ce34771e

SHA1
4d95b36f298e697db67fbe9492208b0d62c67443

SHA256
2ad3697ca2191917869be9521025ae573ccb951a5f6b98b79f8d38daf47459b7

SHA512
3011b553675a65e3debe7f96089f00cdc0c2839ff042302f5600d09942ef3b34af6fd399ae825b51fefd1891200146655149a2ac5ccf750d05d4ac3ecd0e8fca

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
64KB

MD5
c550a7d1b5aad97fbc9653a380ad41d0

SHA1
966e9bc1c4de94e2235a27482dd600723a152ccc

SHA256
157cca4c83c20a75f39d74a9ebe9d6d7aeb44d31d470e5487f5bfbbee4f5d0af

SHA512
54c37eeec9a8e02951507f0c63d2498b63b0c12f69123d01975646deec16f42c334aa4c56bd9d1d9fafe473035daad15c1c97c9601517d0e4226da84daa288af

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
64KB

MD5
40e8929e4dbfb1df35a7e0856fbb771a

SHA1
846cecc4ea401fb2e896dc0ab32780908c03c3a8

SHA256
5f5fcf12f303f76e5032b56fc1525a0bd79146c2abb82ba2a886eb07c487fbc3

SHA512
1cdcf26752c8455673a2431e1cee9e500433ed5f67b042278c91eea66a15fb31551fc97a42e1b04cbc9f8d065c7d950b6e73ae70857773f6d10022709022c858

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
64KB

MD5
d8a1c60384f53b77d2c7bc9a9c8aa03a

SHA1
11d216bd1aebe5e26422b1c555dcb3051f4fc08a

SHA256
b74de9a5db644b907f084fe2147fef871e022d7cf942a95f4cbcbfdc8d77da25

SHA512
0a6c6be8533007aabe7c2c06f179c1fbc99cf53d613550276c02b291647e2c2573cc86fb469820ac01beed47b65a6bf1da87316da4f5bfa99a4442e699b03c4d

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
64KB

MD5
4b6df1be713f01c80af0be15324f278f

SHA1
dc7f73d42c7e648f8eacaf21017e1904db9869c1

SHA256
8a1cb1b4c14cef7d340b148f53e8c1af27ae4d703ce91cb4e39a1bfdacdbb7fa

SHA512
ed6bf28422f5cd40a1c857dff71eedaff0fa7175a86bb5d853b8dd6ee0539d8a8905ec9206c572e998c253a6ef7a74191ddd9c90df6e3ccac8140370a933db96

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
64KB

MD5
550feeab4b6017a3776047e776e768b9

SHA1
7f82b9cdd5450b60f91122fef0875691a1bb5b28

SHA256
e4eb34049a2cb4705542ff0a749ffcbc462beb003b4ece768a8af5d9cf8c70bd

SHA512
a7d4f918f2c6efbd77c4e37aeb08fdb95c493e33801af5e15035748fd289a930497b50cecc7240d3e93a264e260f50945819ee47f5dba9f0f147dc8dc9694f2f

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
64KB

MD5
e1da10ccddfeb6f3d07d937527181c9f

SHA1
723986f9a7d748ca9b9841dcb8bc1770554e8e5b

SHA256
4d710b82c81467905b1bf15eb704ea26cbf8601ad133231c953a5da563e5404c

SHA512
155f7c5ed2efe026ba4b771b482435b751887472aea8e18eee1bbaebad2b1bab41426111eb4d9df7e5cc4d2ef6edf736e0850572478ae0fb1af325de0bf1c4d4

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
64KB

MD5
c1bd9bbd7f2d199421993ec4f8232c2d

SHA1
c122898c80e7e0f2e22c76242a9f36894511e586

SHA256
755083c933d5881c0dcb4e52b09866f667c445cc6e83b4b22816b4b046128018

SHA512
f8b77555eedb5de5a91b0a14f66097f62633a59d6d1c3385bdb52e1a353562e82d8415b6048aab16d07b5e0062b9700d41c974cf70232fa7b9faabc2bb0a9dc8

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
64KB

MD5
5af03872a892dc4a9d82150fe0a40104

SHA1
dd77230e43f4277592405dfcc03b858ea9bdb1b0

SHA256
87eb9d131603fd35c867ee5e44375600659768f3ed6401483725b780a73327e1

SHA512
e0863966c86c6fd80980cb0e36d3505b92f4f93d00d6eb96c2b04f6492f565b76abecc739055021a69e57ea369e357375a7a18be4bb3b72ca652866275c4fe77

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
64KB

MD5
481746c3efc6003ce330ad86571afa16

SHA1
da5003e2a44aa073e2de46ffe76f405bc7cad416

SHA256
585aa3e66b17d463443592092e8761e09ae38c4dc37b32f5b78fc2e08384332b

SHA512
9059d3050b8fea28ee4a654ec113adff5cbf16e80c280cea4065b29f7e9063a76eb0bf63e5f74c86fc3867375632aa2eec4a6f740f19448229a8841af56dbb64

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
64KB

MD5
dd9c395719d1b8ee4b886c91dd1bebd7

SHA1
e5bc497b8c6342894109aa43b4d29fae1f398fd5

SHA256
fe88a995e09427f31250a1085757dd02b96b2722c9fc1b7edb0d34412f7e4907

SHA512
e61d73e3f04ca6f01195b8479c25c51b5a13c9d025e8e2cb7add4efcc702b011144f4557295c2cba86d4cd5acae6407ed592c4fac7bd38de98f57e609a240c5a

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
64KB

MD5
7b22999e824981942febdb246164615d

SHA1
2243165af4af686197cbd5fff81e79484aafb011

SHA256
650b41847f4025b000364a922ab11d1a417f8771548d0e745d2f9785710be36d

SHA512
33792fa72a7e358df453adcad9666f80f9f640ac38ae46a699b5b89389c760e47eaac5499ccec2483d80c20a53e6f8ca19ba5b51e6a38f87806d2f5c05582247

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
64KB

MD5
a73134048c241f1eb2fa7519778ba545

SHA1
67b05dd162284448728a6d2e6a5bc9bbf18dd138

SHA256
974e8086f024f18e8dafcff1b226a8fc3775c2ffd6a82535052836360e772f1a

SHA512
20af1ca8b21e87cb40cdbfc8c944c7fd78e60a22db3ac564115a6d05268d3aa8e71ac825d732b8f3e381476c4f509ffa654030cc467d50dd7e67c392b5748b7f

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
64KB

MD5
c96b985d692089c8d775f9637e8a6cc1

SHA1
799942c7dddaee81a23e36056459d75a654d37a0

SHA256
b679bf5b7d36a9547165896e396fcbf0d016c197a20a302c08947cd289581c83

SHA512
4e844c31cf944bf7e67a8abfc765d06db7c8bc78d45ec88f15d85dbb3ee1d9fc8577fa03f293a560c0d90ed7bbcaa8bf136b4d80b64375e8436101007791e84d

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
64KB

MD5
0b0faaffbd7d4dfa6954e2660533ac87

SHA1
e42c67d27dccc1eac215be9d24345a36aeff3636

SHA256
22b43054997e6d9764fd630ac608c2be988b1b3b74b8e1f62ea5909094740fa3

SHA512
6e0e1a1e4cb80493e625805f90114a485c8c6bd2ae4044103e8716065c21d400fe7aeca619f77635354a7a53e65b83dd26bd83fe4aac23bdc7e3c20114158dd0

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
64KB

MD5
a6eb280e2013df0abc94946081a7566f

SHA1
7b2d4453b57e8959bcd8876287e87e32b367a932

SHA256
d82588ae980f06f3348998eb7a35b0043a91703c5c6d7d7068d6c865ccbc6a85

SHA512
ab414172968aba287593060b713a0e3a3e8ce510d46060523fd3933f8e48f13db300f352a8bf464313a882b318b821c1f4a477489a416a2a1b5f3b085568618c

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
64KB

MD5
db221349a4a6bdbe161cd88991afd070

SHA1
f83e15b9f495db64ce2d734b07665c5000f93a34

SHA256
1bd3d99aa1d1294914920660fe2c29218968b4cebe1916bdd4435c8a64c94279

SHA512
8781706c78a8ae65f81230228948e613416edd5cbfbef0970cc907005badba8d4ce1c492625ed867aa67cc9286f6af9ad542cc6b253b5d755e5e98c721bc7bab

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
64KB

MD5
8344429014869cf7632c2f9a7256e332

SHA1
5d26079dc0d6b1b1c2e73bea2ce2cbe7f56c286a

SHA256
fcf7dcea11d256ce91de8d9bedfd3aa328537b773a56dec44f52f12c53785cd0

SHA512
17dfeb1f677c089b6082166f952dc293b5694ebb0647566c3fbae9d50c25ee1a514c0c5eebb305e5133ff4dceb4eb1e054bf5dfa69dfc568e69e7042636acb0a

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
64KB

MD5
5bdadc5b36230b7608f2332c6396e8f2

SHA1
8d36f9061bc83917f3fefa62ed349821fec412ea

SHA256
2d6bb635491fb6b5f0aefa98e2829042c98f4e711682c730b97a6fb2b3df22f4

SHA512
b1128ac41064958bf0c87a4b35fac00f0c30a9495aebaeea59557a5589f6669e79699cf453b8c40acb8a286f4428a2506aa86aa5ff3e98910ef563e6b7aa8227

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
64KB

MD5
c395eeee46a2700d0a37bcdbfe78bbc3

SHA1
b44f938e9c63b0993031b7fa1397e931c1aa4b28

SHA256
fd3da475dcc547f1d4546ebf851ffba1e4ef6139d6c1511f19c562a4f42dcc67

SHA512
4b6e46dcd2019ebd9885c8ef8eed65fad331791110810b6e53b45d95202039bc8d8636bf92739056b2be9e1155d85d7c2ea6d1e75f28a49d4babc16331026d26

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
64KB

MD5
c78ddfcc29b47d24ef80d62cd5c1a243

SHA1
4a66313dbb0a30935f9bed7f703ef0d68f3d638b

SHA256
bde7992cdac15dea0962769a271840f302d56c18ca608f6283d9d3512473be6c

SHA512
cb76a3b43fa81c531950f00490d2b58ab95114f41ffc3818396ab43439fbb55a5a16c4365f0368b711c30f02ef330ce7e85dc7ad44fb6a9b6af29be372052bd0

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
64KB

MD5
35440236d27e62d907aef6f682e9f716

SHA1
9f6b63b382aa450a1a7c2b6bcddb223993d5f699

SHA256
0da94205aeb60f1f70732b556249e7f89126a0fff1cf76d0049dc73ed69ee53f

SHA512
954eab6c20502e552f91694851523c1a4ce5ba19bff6b028b8c0318865e4c3ea876174fd1315a00d6144425fa33b1f9b1b08ac9d9757ef040868755d06ed7b58

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
64KB

MD5
d3f93c9e556dd8d538c99c3451f78319

SHA1
815800aa713553abdfd59ca31ac8199620362f47

SHA256
2f7fa62762dba223dfeefe5a8123f9ea1c58c311ad2e37afc7f60e69f741cd41

SHA512
7d69482e78eb356924a40c82c443b8b518a372b275cc9c0bd7e29f207f2b5f19eb16642591d1ed1477bd15d203b33f8dba2487d44a64a3f32327aabb8b28d348

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
64KB

MD5
f7e3a50db8b9446d88c4afec7683a30a

SHA1
9b891b545f651975ae46ddbe8d701ac24d7a80f3

SHA256
b5a3822870cdf622b2f393600644402194a1b4e886873e59665ef7e72a39b45a

SHA512
0e75cfc7299b50aa5cde42137bdf9248786c5beb91d0b974575a04b943cbab2cf71cc71e9f31052a0489bb80fd36a0490c11e1b8fd8d3deaca247b1cca2437c1

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
64KB

MD5
55110cc2d297e587a75d834494de2f6b

SHA1
4be6b0b99f7561cc44ae026c3bc2defd6c3f62db

SHA256
5654895eb6c1f71749c376d5c0e1a039b7d68f26fc6619bc3ac648ae7e5f7f38

SHA512
e8f53bcacc21649101b9cae6234553370d813410f7364c2229fe96e19f4e5fd1b5f72cd3045586c7b99524b527fd03b9420778197bebc2fa06cba0a115d761a1

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
64KB

MD5
1ed94e2fc8f78cefc6cd66b0696307c7

SHA1
4bdfbb12d8aaa4fb4b2d58a93ebcedd1749ec4bb

SHA256
494b0f858e515c19fc8308a7ea73a6f51763e976949414e459ff74a724d84cf8

SHA512
aa923e487f7d60e96a418a9d84c4a80b91a2f12eb98a26065e902ee1546cf8d4867a18fb0e05562e1505535a50afb18f1669db7b0b82717e376da17f3bcafd37

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
64KB

MD5
f7dda14865a950688de5e122fc3b121c

SHA1
b96cfb3983c70aef56ec5dd07a491b9b5752e0d3

SHA256
09f0f1e4c3d94e94173801fae58c018826168ce2dba13bf6936fb10d0a49ddb7

SHA512
af04db7f854ef2e5f3d1e822372c65a98de9f3b98f0f80bfb56bfabeec5bbe334c0acc452986e4268508086cd1e7d8694a20f7a291606f15276df6d5aa51fa8e

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
64KB

MD5
2c5c77f0d7f50fe6e2510c5b402b7a4f

SHA1
8aa6cc6db6cae4f8dd4327c24c243d200832e2bc

SHA256
931420a15f7bee9348037118632bc25ee3404e59a4f14fe2c6c4fe8201976c81

SHA512
9ef0e4521c5d87a0b302d6762ff854de0ae9d2d278029e848d01bc3d1f2591ab7554d94cb7fe5b08628c95afc511ef264f22cb42e6b0e72e9903f2cb587c1ac9

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
64KB

MD5
da6cafe05eadb0ba6e44ed38e2c62cfc

SHA1
e27b08396022e64ae942568f9254f47abfd25632

SHA256
de4334dfeab4291e1410e39fe6c29b685e6136fb8cbb6816290bf808196b7855

SHA512
637aff56a44e70252ac2a9080c860988ab910d29c20b62a00a13d4694fa6c2e491a0572381858a8489d054273cfed0b1de7c9f20a10ae980e43bdf2f1ac8567c

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
64KB

MD5
898e56ffb48109127cf5765255e11037

SHA1
8484a1ba8250fb7b212d9013fb474c6b513a0925

SHA256
715af06b50aff4423e369143884c4f0946d3aa886aa00922c17c14bfcc777816

SHA512
eb044ceb6513617dea4735c4af191d25a664f454a8cb7624352b4027413c4884f7f989481d68107769152abcfe0cab8bbac38dc95d11a1686c28d81055aea963

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
64KB

MD5
c3750033a094e3d4318016952f224c9d

SHA1
2cd8d3ab6d60127e1a24ed1dd033056e4c80782b

SHA256
6251b1a94bb4b06e13272277449b12ecb53ce1f267949bbc84ba56494530170b

SHA512
5a337155205959d396fc658035e98f75ca835c8e48809255b682f4263a5f2a60c383ded6dc1ef55150933a1ab707908851c27830803220ea25b9b5e6282e7b3b

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
64KB

MD5
bd6c5971aa32ee04de8275d4efeb349e

SHA1
710d87e74553b6c056e39a6ed25c8804c6a03c7f

SHA256
81c3a4b0405dedfef84dadb6d4ec95153760616b4cc2f02f095a4917200ab876

SHA512
454b9cb4a5da88378809f7ee899b3fc689f8c5c116a06282666057503a92a8ef7fd366e8c301443a05148716788cfbc28950679a64e35dc15b08156d4689585b

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
64KB

MD5
c7e6f873e3a2606efca1c6bca0331067

SHA1
18776b90b40ad85ebce77e04abbae83d2022c1d8

SHA256
121858c819cb304e14fa31d8a723f2fc253e5c4727640e0f945cd01111fbe2f0

SHA512
8f5f7a09ae91b26f3d8c41d52dbb2ba5f4400135166e23cec3f71359455a266f8ef786aefcdd5ad57abc41113844abe5c4d4a223dc14d98a4958e9441f2b32d3

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
64KB

MD5
9857252800ff3abcd3d26eb2c92f3af5

SHA1
b198557203d1fbda00859622d3d8db290cf20262

SHA256
7e06af4af72c06a28df0f83924efdcad8c44b2e26398fd8561a08dc794dc2ff4

SHA512
cf5df5f0884f87b3debc83141e3bbce6cfbbc8a4feb23305965d2c282f4a164471d954426136a6a1c11aae3ff7b790f1fd64ef62b945f61694af3070a0886c7d

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
64KB

MD5
baf5489eb906c2c03c7fb35538dbd46e

SHA1
ee834b9752de5bc85f3999e453864f9a1aba785a

SHA256
cd63cc2422719d2c3d0c768cef4ba67e4242082a4a413e82d73ca0dc25315e19

SHA512
d4f324d75e87aaf5e0013a69d350dd2fe9e0b47acfbf1075b4277c39577abfb93e21ef58ce8b73ba29ff866d52811445408c2aa7b54d3e4011e056ae8db158c7

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
64KB

MD5
f2dc52dcbc7638e4b8917452cdf8b619

SHA1
f2827c1ca4b524de7dafda17b0962b8d84e68871

SHA256
bb772ad4d7d38e61f8d79e0e2004f4d67b65cc2d2f49d378c2bf5c7d15145989

SHA512
21777810d80b8d122651c10b63f44008d6b7c328614e54adc5d0d0982ce2fd2bb5fce3fe684725021048fea5fab73f40f3b6b3a2f0c3793924d0445383eb2f1f

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
64KB

MD5
e0198e1f0f68afa5579ab2fb1b70a2fe

SHA1
85c207aafe4108b1d88110aa54efde1ae7a9efd0

SHA256
660762e5aa8d136066f90db67b113e46228f7da40d25cb7d734dc18ce1beac1f

SHA512
1c0fa7267416be08bf8cb4017566349da3db56c261294150669d80fa6d70bad661f9c7d6476c540c0ce5cf45bb503c3baba72178f7e900a2f10374b2dbdb4b79

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
64KB

MD5
90bd38f533f312d44e23a960491d3c98

SHA1
a4a0f26767984b09ce0c3d2a4dfb7481391dfb59

SHA256
4abc46914a03f3a29a9d16320dd4d4d6ff10f53323b0e6c3184784c56f69f263

SHA512
5f0e69594823aeecd4ab22e07580e0764a8941c88db948ef61bde651badc9f0b8fe4d6784a319ab0081e5134f38ca7a7e8b565e5dbe56c027ae73b147ccd83f8

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
64KB

MD5
3cbc317234832f9a4844722ca4e7d40d

SHA1
67add6340f52828d2fcd643a3b0a7f830336e3d4

SHA256
1b07c4047758f356b68e4c46f2f48924556c654f3e4bc35b5401e3923cb1c9ba

SHA512
7fdb934204e74fc0a9485055e86e7028e592ddd71951d530e0be9a9fc885016c80c3303773fe2c02d31c10b567e0d2354a0dff0c8ce2be98a6420b58fce10cfb

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
64KB

MD5
617808e9265bcec4244ce871b6beb79b

SHA1
46848fc62dc6858f33c808522e03361c74578d39

SHA256
76c04e6cf3396d98a030773a1bf405950b01133c06fb145ab7d47986617a5467

SHA512
bfb85eed1887707863531b20d979f32efd96423408cd5b751c959b853047be99ab1cb112695283504d10f5f363770b2b93b0b01263dd17cbe7a0e17a245cb216

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
64KB

MD5
a35fd3947f1740d2ac77c84c9038e55d

SHA1
55979c80ac49002e8064d8e394b50a246516a2e7

SHA256
415563eafe347dffe54461cd298642e94516bbfaa9031e3e9df4dbd2416ad650

SHA512
841c77a480bbc20e0c57a14de49e547a3a468cf4798f3051294327931199f15f0a16cf34e47b160bdd8448b99c03a8c8eabf6f1f5d127c0daa1b496ab7f8edc1

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
64KB

MD5
5cdee9a6586697e666cc8d02fe95e0c3

SHA1
f252f07da8f625ccb8fd9d54d80938a6f26b63cf

SHA256
b1af19d9c0934f7a6b2bba8a0eb65d2f5d094a72c3b862cdeaeacd222d495946

SHA512
cf61a8c0d6fb6f88110e2ff0bc8b64be4ce28f5eecfe77c9e6e9a9319bd4126ebbb718e6d79ff379892010447497a98783b753eedee5260373c3abc4c44d3a10

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
64KB

MD5
9eb067e68c6b7196afc7ce5a1085243f

SHA1
00676f3db97261c50d76f6e2adfff13433481eee

SHA256
d4428127f7a8463c6862e2180bd3faf2708be5c07bec095929455a4ebeff9d99

SHA512
eb7134d8b202616c43bc051b1cbd58a8c95efe648fc726cbb54acd9c5e9562513e117ebc286d76282cadb040856c58b09bd345c6e26f06aa3f1970bff02245eb

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
2e6234737dda08b1f49b0f2b7803cc57

SHA1
b41a449ed846caa7e2af6e4cd4efc6a037bda0c0

SHA256
4346019686053e0f092df2f85e7ebd6b6074cf5411e0637461acc621e128aa7b

SHA512
f48d6d58356965602265eef3fcaebd83cffd3bfeb83b0b6f94d5199f63b3d38f16f337d59860f1b657da0a66fa2bce340e80e289fe5cfbfabf626c7464b00f37

Download Submit
C:\Windows\SysWOW64\Pdgmlhha.exe

Filesize
64KB

MD5
5256081ca3ee00e2cb758bc1de3b61ba

SHA1
0b4b7b3321b258239d07ec88b88777c7da49ba0b

SHA256
db869594f668fd61e55eb0706ec3d58c327a19f85d09344c5b0acbdb6e4e05b5

SHA512
30cbc57dcdb09982dfc1f02e38015e082e33b37e5443f2a7667fea4025bea9d495d2930a14580234b46760d7a92e1243048dbed5a7c11bba566c68c4b6e7071b

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
64KB

MD5
9283c305057663c2139c7d6145d04018

SHA1
d78488b1f438f4a32fcf6c392ac2d5b4ad0d5492

SHA256
8b3373875c2e0b99e3ad4ff918bc09711d0ad96e2fd681ae9d498297fa753246

SHA512
8cd39c0118020513c943780e20638801c42fd7710469727e27c47eed4a4717003b39c35f0be0cdf05ccfafc0f476c3eaee591a92c4ed8b49dfba155f7e446620

Download Submit
C:\Windows\SysWOW64\Pmmeon32.exe

Filesize
64KB

MD5
e39c9a3d4a7518d13831e4a521dfc4a1

SHA1
9e502d381c93814e9a0fc3b2e589d79f0e2bdbdb

SHA256
42e1d6023e8d5a5011ac6d2f458970cd174e7a382a4d9e4cea192817c8e23c24

SHA512
9fe3bacdfacd8e6ecca8fba5c17a593ef205ef9b226aca0252a8fd13ea7bbdb3df2a9915cee79c7eb945bbfe3dc1baba0dd320c6697f06e91361f37d789330c0

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
64KB

MD5
250e70cbf772e0ba677343436973e514

SHA1
008fdefae697ea8482e5e3dcb7d7a1649e3a8ca6

SHA256
c0336c2698da4fe44cb5833417bca32a57f054e8ce3353bf174e8c4241a22e21

SHA512
c7b39d0837e38369f47e0c190ec6ae6f28c51968323f034001afdfa5b7e537e1dbd6286c9913dafd7f839241239ea057a676b734f2bbc136dc21340a76a1127b

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
64KB

MD5
34564dd15c701dc4e756282ec615b9f6

SHA1
f57a430401bac2394821d7a78e745ef52c3a74fd

SHA256
88e10182d70140a7f05a3e407d372a20e64772e938e673ade0ece117413271c3

SHA512
83ba2821d4f2975e1f37e785c824dc75b453a4129bfebdf84eada811c92be07e2023607423ea5c8155734bff47a91c1fef83fb0cf19c89bcfea9764931a21c2b

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
64KB

MD5
362eb0861bf4c1ae318afb8f5110e64d

SHA1
238bb06344f4ab737a855f297d3c3cb6d0ed12a1

SHA256
9a36c6a9c29ec06863d0972801789ef0b25993924e464448294dadf0b288cead

SHA512
122943f59d24adc9756e1955a7ca2e0f55698a9341cd21d2a40823ea507570f9ac663bbf6caedcf474c76fff38bfb04f9d4918c3b38dddf3a29aa08411e219e7

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
64KB

MD5
13f880586c8e1b633e31c43e316457a8

SHA1
5f0af0380c4b8dc7e51cc17d5d040328df012f6b

SHA256
1140e8cd445ae90629c51b7167eae0a6b90e27f2dc060e9f13f249a53bcd67aa

SHA512
2e0d6c9cf30625a21f0f9da9a22ddb880879e7b4ee612f912ff82857d61c91e1f2bff12fa9a49beed487fa8d997e9c2af7dbf3554fac27c5dbad2f4812cd81e1

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
64KB

MD5
6dbf098aaab074d5a98e4be621d38b3e

SHA1
43f105541a7232495c401ee3f41cad2d6f5d625a

SHA256
44e5d31f89557a46dd292981905e1ecc53a3002d35f76b753987703ce7e951e0

SHA512
987a1acdb863a764cb6632acdc6d0b3933b496569fc01cc9b3f76afb0913b5ab473acb1dbf8b011c7ceb1e532a509df9ce0254a71f7199c0967c6932a7861ded

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
64KB

MD5
3a9036850b65a855b8da7195311a14a1

SHA1
92bb62bb9ba493f189bdcb359701a130afe9370e

SHA256
48db9274faadfd7f19ef9ad4c88bca16cdee115caa58f0882fca027be315aca2

SHA512
e74ebfe84ed15c83958239fb04702db209edfc295cdc96b90a9791c056534e34cc2f896afdac67636711157792e65856bbdc40b3bd134bf6a858bc7435daafc3

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
64KB

MD5
88b865da11bb1b008a9393ea7d391c8a

SHA1
f0ef5e33f30534e55ab7f76b1e32109b3e31bf4e

SHA256
4438cfdb4eef65ee31b827d7d37a0da63d17ade30a244fe4e7b76d5025d77105

SHA512
a9f64406181668c1c2223e9dafc2aabf95f46cc63b8b6213320e98cce2031393d0e8dc0547aa0274bb7055312c1fea2fbd500b04246f200cf57153690b8e0a51

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
64KB

MD5
4c8d2b599b2987672af2c28dbca4184f

SHA1
321efae83a479602a978b3d386e3ec81d0f5ab6d

SHA256
034a14f82b32d3fd70d83935a8f8b68624b7da6f3f5d31504374796914376a7e

SHA512
5dcf2345fcbf9b494fa20852b476a2d1bc7cd3def990863fd983cc079a40eb0d4950c5681ee968142628a96c1004b1f282f14073fe7f51bf6a16ab0b122cfa57

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
64KB

MD5
a00b09b2e08cf84e922e7cb0cc184d4b

SHA1
7d58f2d6fffaa004e2c07cfa69a80563daf2bd19

SHA256
00c88ec35f9ca3352677eaba7c13e8c249fbe33ca14b49217b0638017afa02f3

SHA512
218aba0e1501d263389cbaa2aa24f1ff882defc2a7aa14cfb147b44dc31ccfdec4e3c31b97e99d87894e113b546b80e5fe6e4376065edc8493483e84a10e2494

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
64KB

MD5
9bebba08bbbfae3a0a76d2f077980d11

SHA1
d890b6350d52e99b309c2f053f35d4c57b453a37

SHA256
56a1752c423b120b4b6be03a5241feac83cd68f367f08d90d8a763e2a193aca2

SHA512
aa5bbbe3dddbf386d84cd7336d713e7f481199887eb416dc6215d5710fa2d3921adcdd04506d44b634366457dba176fcc85648c745ffc7106f0b534a61649a88

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
64KB

MD5
7bc8fa073e8d6723719b07180a07237f

SHA1
6c4d42e8481fc2dc0ebb98e5351d1ec7da511b2f

SHA256
51753eeaaa3e45b9791ec8a1d07aed70d5abda4fc1d8a2ba58566db4ac28c12b

SHA512
4fde8e423ac6019f22c19929773651abdcfd16944b0a0f6f679bf866c4b4e264aa661b9b25cfea7a317dde3d51cbf3ad415afa8706dcf58c48470690c59969e4

Download Submit
\Windows\SysWOW64\Qiioon32.exe

Filesize
64KB

MD5
11f91e8d9810e4b574efa72fd575dc56

SHA1
5f458e5a3c1a204824473152d59beeaf639f03e0

SHA256
e3c2c394921f14d7e318b36d75d9563e690ce3910cede7d8170f99c714609d0b

SHA512
66e10f0ebf8d542db6c6a4b10835b33a7f82a14a3f28e1aa4b0700241a4146d67ef445b644fd247c4eeea13bf9c5ffd07d1650a8d886e204dc60b04039b66337

Download Submit
memory/652-839-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/652-493-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/652-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-277-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/696-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-299-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1008-843-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-854-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-170-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1488-840-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-831-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-439-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1524-438-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1540-518-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1540-513-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1540-849-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-850-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-313-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1552-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-821-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-221-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1600-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-258-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1736-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-486-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1736-485-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1764-239-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1764-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-403-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1792-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-428-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1912-424-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1912-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-251-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1972-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-144-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2020-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-827-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-374-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2084-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-40-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2084-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-196-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2136-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-462-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2260-330-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2260-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-117-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2272-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-844-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-853-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-349-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2504-11-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2504-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2504-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-373-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2588-89-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/2588-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-416-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/2632-316-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2632-320-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2632-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-842-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-105-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2660-417-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2676-857-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-61-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2696-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-359-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2816-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-351-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2832-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-80-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2832-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-824-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-448-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2924-451-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2924-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-851-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-825-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-474-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2976-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-473-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/3032-852-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-383-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/3052-856-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-841-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads