berbew | 5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938a

Analysis

max time kernel
83s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
Size

128KB
MD5

dd7d4fababe2f84fbbaf56adbeadc970
SHA1

b0b26d5738fffdfa743af33710401bea51769a68
SHA256

5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938a
SHA512

e9baff6559874e768e96e4c4b1a862d8b9f5d7008911ca4bd496f538496a38e4604741d79371c46a5b27ebee2946521420a3bc2acf5cd75166d78196123a3cb4
SSDEEP

3072:A64B25bnh/QsYC11ceD55Kbwf1nFzwSAJB8e:AtB25p5v1i655n1n6xJme

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pohhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1792	Oemgplgo.exe
2836	Phlclgfc.exe
2732	Phnpagdp.exe
2656	Pohhna32.exe
2840	Pdeqfhjd.exe
2644	Pgcmbcih.exe
2980	Pplaki32.exe
872	Pgfjhcge.exe
2844	Paknelgk.exe
1948	Pdjjag32.exe
2336	Pifbjn32.exe
2876	Qdlggg32.exe
2092	Qkfocaki.exe
2360	Qlgkki32.exe
2116	Qcachc32.exe
1640	Qjklenpa.exe
708	Apedah32.exe
2008	Aohdmdoh.exe
1308	Ajmijmnn.exe
1636	Allefimb.exe
1380	Acfmcc32.exe
2972	Aaimopli.exe
2924	Ahbekjcf.exe
1900	Aomnhd32.exe
1908	Ahebaiac.exe
3044	Abmgjo32.exe
2792	Ahgofi32.exe
2812	Akfkbd32.exe
1992	Andgop32.exe
2544	Bkhhhd32.exe
2580	Bdqlajbb.exe
1392	Bccmmf32.exe
1668	Bmlael32.exe
1652	Bqgmfkhg.exe
628	Bceibfgj.exe
1628	Bjpaop32.exe
1996	Bffbdadk.exe
2384	Bieopm32.exe
2088	Bqlfaj32.exe
564	Bbmcibjp.exe
1276	Bkegah32.exe
2056	Ccmpce32.exe
1700	Cfkloq32.exe
764	Cmedlk32.exe
1284	Cbblda32.exe
3016	Cfmhdpnc.exe
1692	Cgoelh32.exe
2108	Ckjamgmk.exe
2680	Cbdiia32.exe
2404	Cagienkb.exe
2556	Cgaaah32.exe
2528	Ckmnbg32.exe
576	Cnkjnb32.exe
2064	Caifjn32.exe
704	Cchbgi32.exe
264	Cgcnghpl.exe
2416	Clojhf32.exe
2124	Cnmfdb32.exe
1092	Cmpgpond.exe
2248	Cegoqlof.exe
2512	Cgfkmgnj.exe
2720	Djdgic32.exe
1028	Dmbcen32.exe
568	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2016	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
2016	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
1792	Oemgplgo.exe
1792	Oemgplgo.exe
2836	Phlclgfc.exe
2836	Phlclgfc.exe
2732	Phnpagdp.exe
2732	Phnpagdp.exe
2656	Pohhna32.exe
2656	Pohhna32.exe
2840	Pdeqfhjd.exe
2840	Pdeqfhjd.exe
2644	Pgcmbcih.exe
2644	Pgcmbcih.exe
2980	Pplaki32.exe
2980	Pplaki32.exe
872	Pgfjhcge.exe
872	Pgfjhcge.exe
2844	Paknelgk.exe
2844	Paknelgk.exe
1948	Pdjjag32.exe
1948	Pdjjag32.exe
2336	Pifbjn32.exe
2336	Pifbjn32.exe
2876	Qdlggg32.exe
2876	Qdlggg32.exe
2092	Qkfocaki.exe
2092	Qkfocaki.exe
2360	Qlgkki32.exe
2360	Qlgkki32.exe
2116	Qcachc32.exe
2116	Qcachc32.exe
1640	Qjklenpa.exe
1640	Qjklenpa.exe
708	Apedah32.exe
708	Apedah32.exe
2008	Aohdmdoh.exe
2008	Aohdmdoh.exe
1308	Ajmijmnn.exe
1308	Ajmijmnn.exe
1636	Allefimb.exe
1636	Allefimb.exe
1380	Acfmcc32.exe
1380	Acfmcc32.exe
2972	Aaimopli.exe
2972	Aaimopli.exe
2924	Ahbekjcf.exe
2924	Ahbekjcf.exe
1900	Aomnhd32.exe
1900	Aomnhd32.exe
1908	Ahebaiac.exe
1908	Ahebaiac.exe
3044	Abmgjo32.exe
3044	Abmgjo32.exe
2792	Ahgofi32.exe
2792	Ahgofi32.exe
2812	Akfkbd32.exe
2812	Akfkbd32.exe
1992	Andgop32.exe
1992	Andgop32.exe
2544	Bkhhhd32.exe
2544	Bkhhhd32.exe
2580	Bdqlajbb.exe
2580	Bdqlajbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Pgfjhcge.exe	Pplaki32.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qcachc32.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Hqjpab32.dll	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ibkhnd32.dll	Pdeqfhjd.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Phnpagdp.exe	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Gncakm32.dll	Pplaki32.exe
File created	C:\Windows\SysWOW64\Eibkmp32.dll	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Pdeqfhjd.exe	Pohhna32.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Paknelgk.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Phlclgfc.exe	Oemgplgo.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Pohhna32.exe	Phnpagdp.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pgfjhcge.exe
File created	C:\Windows\SysWOW64\Pifbjn32.exe	Pdjjag32.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Gmoloenf.dll	Pohhna32.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Aaimopli.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
876	568	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdeqfhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemgplgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll"	Allefimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaiqn32.dll"	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll"	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1792	2016	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe	31
PID 2016 wrote to memory of 1792	2016	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe	31
PID 2016 wrote to memory of 1792	2016	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe	31
PID 2016 wrote to memory of 1792	2016	5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe	31
PID 1792 wrote to memory of 2836	1792	Oemgplgo.exe	32
PID 1792 wrote to memory of 2836	1792	Oemgplgo.exe	32
PID 1792 wrote to memory of 2836	1792	Oemgplgo.exe	32
PID 1792 wrote to memory of 2836	1792	Oemgplgo.exe	32
PID 2836 wrote to memory of 2732	2836	Phlclgfc.exe	33
PID 2836 wrote to memory of 2732	2836	Phlclgfc.exe	33
PID 2836 wrote to memory of 2732	2836	Phlclgfc.exe	33
PID 2836 wrote to memory of 2732	2836	Phlclgfc.exe	33
PID 2732 wrote to memory of 2656	2732	Phnpagdp.exe	34
PID 2732 wrote to memory of 2656	2732	Phnpagdp.exe	34
PID 2732 wrote to memory of 2656	2732	Phnpagdp.exe	34
PID 2732 wrote to memory of 2656	2732	Phnpagdp.exe	34
PID 2656 wrote to memory of 2840	2656	Pohhna32.exe	35
PID 2656 wrote to memory of 2840	2656	Pohhna32.exe	35
PID 2656 wrote to memory of 2840	2656	Pohhna32.exe	35
PID 2656 wrote to memory of 2840	2656	Pohhna32.exe	35
PID 2840 wrote to memory of 2644	2840	Pdeqfhjd.exe	36
PID 2840 wrote to memory of 2644	2840	Pdeqfhjd.exe	36
PID 2840 wrote to memory of 2644	2840	Pdeqfhjd.exe	36
PID 2840 wrote to memory of 2644	2840	Pdeqfhjd.exe	36
PID 2644 wrote to memory of 2980	2644	Pgcmbcih.exe	37
PID 2644 wrote to memory of 2980	2644	Pgcmbcih.exe	37
PID 2644 wrote to memory of 2980	2644	Pgcmbcih.exe	37
PID 2644 wrote to memory of 2980	2644	Pgcmbcih.exe	37
PID 2980 wrote to memory of 872	2980	Pplaki32.exe	38
PID 2980 wrote to memory of 872	2980	Pplaki32.exe	38
PID 2980 wrote to memory of 872	2980	Pplaki32.exe	38
PID 2980 wrote to memory of 872	2980	Pplaki32.exe	38
PID 872 wrote to memory of 2844	872	Pgfjhcge.exe	39
PID 872 wrote to memory of 2844	872	Pgfjhcge.exe	39
PID 872 wrote to memory of 2844	872	Pgfjhcge.exe	39
PID 872 wrote to memory of 2844	872	Pgfjhcge.exe	39
PID 2844 wrote to memory of 1948	2844	Paknelgk.exe	40
PID 2844 wrote to memory of 1948	2844	Paknelgk.exe	40
PID 2844 wrote to memory of 1948	2844	Paknelgk.exe	40
PID 2844 wrote to memory of 1948	2844	Paknelgk.exe	40
PID 1948 wrote to memory of 2336	1948	Pdjjag32.exe	41
PID 1948 wrote to memory of 2336	1948	Pdjjag32.exe	41
PID 1948 wrote to memory of 2336	1948	Pdjjag32.exe	41
PID 1948 wrote to memory of 2336	1948	Pdjjag32.exe	41
PID 2336 wrote to memory of 2876	2336	Pifbjn32.exe	42
PID 2336 wrote to memory of 2876	2336	Pifbjn32.exe	42
PID 2336 wrote to memory of 2876	2336	Pifbjn32.exe	42
PID 2336 wrote to memory of 2876	2336	Pifbjn32.exe	42
PID 2876 wrote to memory of 2092	2876	Qdlggg32.exe	43
PID 2876 wrote to memory of 2092	2876	Qdlggg32.exe	43
PID 2876 wrote to memory of 2092	2876	Qdlggg32.exe	43
PID 2876 wrote to memory of 2092	2876	Qdlggg32.exe	43
PID 2092 wrote to memory of 2360	2092	Qkfocaki.exe	44
PID 2092 wrote to memory of 2360	2092	Qkfocaki.exe	44
PID 2092 wrote to memory of 2360	2092	Qkfocaki.exe	44
PID 2092 wrote to memory of 2360	2092	Qkfocaki.exe	44
PID 2360 wrote to memory of 2116	2360	Qlgkki32.exe	45
PID 2360 wrote to memory of 2116	2360	Qlgkki32.exe	45
PID 2360 wrote to memory of 2116	2360	Qlgkki32.exe	45
PID 2360 wrote to memory of 2116	2360	Qlgkki32.exe	45
PID 2116 wrote to memory of 1640	2116	Qcachc32.exe	46
PID 2116 wrote to memory of 1640	2116	Qcachc32.exe	46
PID 2116 wrote to memory of 1640	2116	Qcachc32.exe	46
PID 2116 wrote to memory of 1640	2116	Qcachc32.exe	46

C:\Users\Admin\AppData\Local\Temp\5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe
"C:\Users\Admin\AppData\Local\Temp\5d85f01fc2dc8ea950fc484e27b08c9307488a24122552ee407e71b5ac09938aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\Oemgplgo.exe
  C:\Windows\system32\Oemgplgo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\Phlclgfc.exe
    C:\Windows\system32\Phlclgfc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Phnpagdp.exe
      C:\Windows\system32\Phnpagdp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Pdeqfhjd.exe
        
        C:\Windows\system32\Pdeqfhjd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 144
        66⤵
        Program crash
        
        PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
128KB

MD5
864adaef460887fb93c74c3ec92a3364

SHA1
6762f512d93f6808c165d1f085a286a0c3a13f78

SHA256
dbd89c58d5eab9f0efdbb6e0cfdd9e0089f8d3e2e3cc5e11d383507d273eb5d5

SHA512
c00664fa6475a0cdf809812e0b0536003762796566fcb4bf97ae2561085f25d7ed99bc51fa9f908fd606753cf54b6cdf1f3e773025af1e0cd3b7db55510507e0

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
128KB

MD5
edb5dd6c1988786f8c3c829450b82f9e

SHA1
f4cd95f408d9f3e8db8e8d7408a59976571c710b

SHA256
4c1629a1a9c64332e2d58178cf12cb05d9a9cdd9090c053c140b105a9396b248

SHA512
55e8181f5912c0c2c61bbee0d55103eaf5ac075601e27a83e18f7cfae1c3f081241e1ad58d213b63285ecb0427e7582c02e67b2dcf04763ccb8f689360a3aa46

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
128KB

MD5
19c07acc6c8d1ea01cbc3a61c4364362

SHA1
b470b00312d9a992f80fb2a31cf2c7ea57acabd8

SHA256
be7bbd1e4c42a7cdebc384f075b2d5e7808c3b0411ddfad1276da581d14e725a

SHA512
56b1a99cd8c6284f38f09d83fbf5fbcafa45657e050349a49faebd23cb2c77e7282227966a76bd5ba6e8b69129a27b8662a63e15323edc886c187416a82aacd0

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
128KB

MD5
af15f0584ddf8a1d2652865d7c974874

SHA1
8a4f1d162f13c3d882a9c2f5985915ca8c3428af

SHA256
472e38d764eaa02bafe6e8d094a10fecd781a750dc32f149f16e8d3659558d62

SHA512
299dd5542a6ef7daabe5ce1552fa67766f31b58ced0533975b00dccda07ea9442143a5eedaee757cbafe1a3b2a1a7e8e714f25e67c660bd5fddec3c976c822e0

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
128KB

MD5
e8dde20c9d0a93e8c66e852162f7643f

SHA1
d8907933ad9cb385058ef776bb7ef2935e5ae86d

SHA256
0117a9ddbe4d6ea6d9911a9c95f613ce6d298d31cfaf881b9421ac5f0a5f28b7

SHA512
59f4cd74df6684b915d0d360f72f4b8efc29c6a227ee67e383de3f680edb968bfed46927ffcbf31d6b7c2104b33e11eb793662c5c0f11d7f56e53cdbf90f7138

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
128KB

MD5
e62bd2bf40e60e85a1dd55b9611f1f4d

SHA1
a2f8f40f274a6625281b1f22ccf90074ba3a8775

SHA256
d6e349b381e2c4d3080fcc150b1cee0bd88adaa6a32a032ef89b20156c26245b

SHA512
bc6b3b796edda1834443c0d16ab7c8ed20324703392e8e073b235295530377a62b5f05d1fe1987feb8544626b1b9b98583fcedc5010c5c9807def1a98f37b8d5

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
128KB

MD5
6f1755ca4ccd8617f16a46e88cf30127

SHA1
c4dac1b580009ac998200dafc9663d063135bf91

SHA256
fb9b28f2c783340b5943324fbd0302dfe6dc2ad97cc2e7f2b523a9538e05d760

SHA512
d99101810e0b8bee4b38781436bf70faaefbfbac75981340b8c048479ecb517de7dc3d915a7647aa6e1c561c2aeca29533ae793e6d23701ee10fae596ab2c55f

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
128KB

MD5
eb5564be8f9e938d6dd48c2c2527399d

SHA1
4af2329afcfa009338fbeb23595511e8ba2ddb74

SHA256
fae15e1386c02ce24a9a66700ba0a8bc2e7fb38dd73f0d7ace9e18da279bdbb5

SHA512
3c73dc801a751d1d45b50e8b86cdf1542970a1a8aeee3630313c9cb4d7a7b43aea6fc7fa13588ae41725f2f0df094127855cd96f1539477973af8b54c752f157

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
128KB

MD5
c0127504d90a59a05ad4432c78eea5a2

SHA1
ad3eb1fb0f68d44a29eeecc82178927e5e075fad

SHA256
dad45a330a7a3914f0b7d191e4b41fb4f49a0cda4e6d5c6139d9bad5b4903e21

SHA512
b9efc733b9c73a6f9624478556a3ce117f88ea4b67da86e8e66f1ef4451ac6b49b0f369412e0ffad871638a84ff7f0d3f4cba25f2e78f5bc3cd0410875f07ab5

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
128KB

MD5
612ce69b87a48f8c9aa3ccd0749cd2ea

SHA1
f20a7b3387984648d0f6cd370fa4e65411e9171e

SHA256
a3c8be402c51b65c1a573f63c7546d6ed1a1fba0fcec9dc95e09d04ca3021543

SHA512
50fe882a34cc5edbbf0a6b4239c6bbaab7edf25c64091fd4f9283b43d7a21a5c2213a4a27abee5d045bdd427a8cadbe803e9c5bff5bba9e2c5940865e52d7590

Download Submit
C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
128KB

MD5
9cf0ee91d550100cc8b3cfc4a370bdd8

SHA1
c1e248e2aee376c6c7100010b83154424bcbcc31

SHA256
56bb5398a8809dbbb761e7fd3b5cab779e84cdb6c756591a102e0d27934d4b75

SHA512
9d2be5e006c5cb9b4c2bb0656d1f643325d1395e247c4460a17a619375af7828bf969ba9ba471f9f1d6d32fb6803e22fcd1dc7756f5d0c032de6045288107f66

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
128KB

MD5
a194553ecd8db99fd31dfd3ecbce8fac

SHA1
21852ca15645ab47e7f9e5103dbc573a220aad51

SHA256
5c76bbb19fb4d8ed7b9e2aa5f1285494fea11c472858b9813481a38f7ef3d531

SHA512
5cc16493348ab7a04d562fd51cae29f91d3d4c59a481326d6a9f1e8b91d9b8decac30dbd1c7781466135a58df329ac28fb3df8b28fc0cea46da28a3771cb013a

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
128KB

MD5
ed99b3f9dffcb2630a9ad331b3124e45

SHA1
31f6aecaecb8e4cdf25ec378f1de2ba4369c2ff0

SHA256
e7edc281e6cd8cc6c4fdd5a790c9535309feea66a0558f8968144d7597fc212c

SHA512
9b60a8b11213b12042a5232ee136457870597485fb4e89ed63685016b090427f762aceb8dfc612c8829a28ceab686fcb66b6027ba6026d2c0781049fd931080a

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
128KB

MD5
764f0ab83771dd53da650c15cbebec7c

SHA1
4d31698a9a84ca8ab8b9117ebee6b46a77d9dfb4

SHA256
70c03bf30ddfbfe8369e36052427296a91f105254302c85a8bd6a982bff28147

SHA512
8a11c8eeaf3421a79ba97853f6da3ceb9ea67df2ea852dc469c86efa5e3652f1c953c7ff2eaae5cc1caec35f19a23d45ef056a2ac90ba7bb0721edb0673b633b

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
128KB

MD5
309d0edd62f236c8b74eab2fb209b62d

SHA1
9007f7840c93bf5337c3d798fa874e5b69754b8b

SHA256
ae13af73eff454ba3dc0f3dc61d82e3f143dd20567432f630dc737e461db3d61

SHA512
898f35d231a6daa8626458aa53ca4a7c10ad2ef0d70cc00f6e3450fbe234fe35b1582da4e92e82580bfccaf13346a1f0d2b71b41deeaf44f1827d2bc184d74a3

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
128KB

MD5
daba6ca817e1ca2de3f9770960a1a8ee

SHA1
ddd01e9dc6366b7dac9beb5f9e8145564fd8dc29

SHA256
0cc8518a179460979e325c0b735a98911cca517fcdabb7da79fe448295f60372

SHA512
14d0d73d3d50deac9176665cc64fa9bdaccccbda0af3677ace25bead16f83c1ac3cf5badf430b350b965e97132642610353c707e959334bf65c524a745dc29bb

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
128KB

MD5
7f960f838ec5e03b569a4421eaf8af48

SHA1
2e6155f730b1054d5277f2b2762c305339541723

SHA256
d35dedf7acecaa7fa5126d5284a8f3671fbcb6b16ea9bbbc0ba69374eba0ed5c

SHA512
93395ee542f46e8dfea664c0d4caad7df04a95bb02a097b4e910de837f492dd5b4266549f1c5ab8f649dd12e619e828d91966167556fb349b0e02ad3ed5d78e6

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
128KB

MD5
6c1e808f77a108acb2e947bc80143219

SHA1
b515b01130fe68f2080f956202108b680b436eb3

SHA256
a6873301079fa499a965be64fe2f5bbfdebf22827ab49a2e297c4d2a46df1c3f

SHA512
6e8956e953a04489b69f4b24872733aab443619dce120dac5cde2f967eacfe5648d03924d68ba731d6784091d061c81167c1c361037e1b4061b521b842bcf627

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
128KB

MD5
00e149439f3819dd142615a4ca6cebe8

SHA1
ad3c95219f0cc9fd0af776d56f7ba6672b9ea27a

SHA256
1e0d756eb6bee8146d2170e6f15d459f3cf62cc431ab12852356a36a8641e9d1

SHA512
e47a08108654b366265a961bcb823239ea91f64ebdaa7081613d3625e3b4ad4995e022cf53af1d09b07b69c97fd980a16e41623945eac8ff1e84eb7b7f71f5ee

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
128KB

MD5
398936ce4e872a529ee6b434c0db1b2b

SHA1
d22ae821c747e30a553fa778a8768f00bf719e18

SHA256
b15372ffd7b9b462a154bdd31195cedaf88ef6655d04691785546a2a9e00e77a

SHA512
f6b2fb1b211659005256e1cc429e6e10fd0f65f035db40f92280f15430237db3876ff86d18e4a6d05dec61076b486ff35135e4e7e2ab3f33acfa4f95ec01021c

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
128KB

MD5
042a1e002d9d2ebc947357a8f8f22192

SHA1
9ee6b47db86996ff9edcc56336171c453f5f5f3c

SHA256
b5cebff8145ba934e3104965602695fee99b6bb8d626e745633cee607d405258

SHA512
04a2e5718182324737c069b4a378bbbb9bd965a507ffe0824d4ca0522a0b36db4629fa115e8728f805aa26bb3fa4df069bcbec49d63c3c6ea245fa4e6e5dfdeb

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
128KB

MD5
d6a1728465ef8c921adb2a3c845ea8d8

SHA1
a28121504f3b3aef56791960554ce225d08e979e

SHA256
714e25d2b99d676222d1624f82068aacf5976a020e6b4235354df81a1f88c12d

SHA512
5cc08b15718ad71ef5003a3c2ee8b77c6cd9da4e35b23e07c641c21e4fde38bf7505c808d6c399f2d54594759b7df80323b60300aa94378eb65191851405b8e2

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
128KB

MD5
896931147c06b272bf5ba45df9a65ab6

SHA1
7ce1a156162251e23a050fec86d143317779a69c

SHA256
7e81cbc3ae5b2aa881848393d203332ee72941151edfdfe2c4eb7fd74d74dd6d

SHA512
85767f8a57ecc5afb6a2007c29d7eb4bb1943b06b2851726c334eb011d6eb363cf93cb342a569664085225e4a93168aaf7b598acd97f492790c2f1083030f0f3

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
128KB

MD5
d1654e6b4f3c4196754ed1150a90091d

SHA1
b7e6a0f6abe45fff112383a9212635e718c43181

SHA256
2740b03cf25e2a40818fada39aaaccf0b07fc1e511d15fb8da292b23bb48b57c

SHA512
bc53ec0c1222f3087bc043b2dd47523bf5528a04e4eb65b56f381f69f4440235ae17be5ec3ceafe1171b3bed6d0013e077a9aeb4cfd3dd314b4f50d553ecde9b

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
128KB

MD5
1c483b9d0f44fa272533b15ff542525e

SHA1
79884ad5e231da1fe2f2ee5e1f4ff74cdf91b890

SHA256
75b5cbd2663ac9b594ca6644bfa8cb36d193bfdeb36310b902ee107ca6058d93

SHA512
3373ff3bf4d49aac79a88385c1f87d43c20e5dc7e88c93c71cdcfa074e9d5cc0a641982ef1dcb655d7b78c369f036a3918fadb25950729ab6dc7c35e21a8287b

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
128KB

MD5
7286e526751b7d01f39892088b972858

SHA1
f47f4e753c46eaa4dfd4e617aa89761edbdf6157

SHA256
bba0b53a09d6b8a48dedd6ddfdb7285a64a1e1b84220262d1665ff8a3755d46d

SHA512
0dbf14e9eb78bd561ef3bbe9b637a1f902740f7cb9efb7a60f8dbd32ee54affd128528cd434cac3f2d4816cdeb08c4e22a90ba3b03e491b2b0f3b29e9b25a57a

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
128KB

MD5
42d0d676e5d75c4d63ee04f41907d32f

SHA1
f369b9e127f34f2774b007aa0c415304df1a4cd0

SHA256
354ba86407924548577b604d339a107554a0c1a804077dddccaa83ba254657a4

SHA512
de6b3152269d10a8cb59ffe25e6ae81c753fc866d566338072a81491eb03c78fb8e4f59bb53bdd195dccfbcb835922e2d582b1dbba11b593d2f1f8e0fe105902

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
128KB

MD5
e98b160daf1f8bce4a5ce02b4b4a5148

SHA1
9900efbbb81f8b927d0f1c466a00276693583a9b

SHA256
0a6f10a648e2f894a059c087a52286c4f0a70a62ddf0d5aa79c8386415db713c

SHA512
34e7602318ee4577eb6e85d361d26c93f547e49d3ef864abb209f00714f4ac3196f9b5a923505bb696910804aac5757f0cc5e6b640ad2e64b64c7e9220783667

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
128KB

MD5
af5c0acb7b1cbe858e33306f286dda91

SHA1
61ef797195a6edae96182e2ce043d399f8066e05

SHA256
11808c1d04434f9abe5ed71814529bfec2c20863de5e311e16c584672be504eb

SHA512
5424098e9dbe92ab037553646e01220cd8bb172dd7dee5ceebf07d56382fdf7e792b3d66f3ebbe7af02595f3ac2aabfebb7ce2797c5138b04b233f5de4f73a70

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
128KB

MD5
762c6ee49a21947c388aae7ff7c6f661

SHA1
7f2cb376b43e0c0b14d44643574313c66354e428

SHA256
22cd9c2e3eda4505807ccde0af678b00cfd4229d29ea3b910fcf6d1b2a287db2

SHA512
808c550afcb6e6935d1d4ccc8ba79c17bdc8c7757c5a0c2a7556fcdaca2f084defee9cf81ee8411a74d71b4d5825fc366221412546c91d0ca5cd1c213f08469d

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
128KB

MD5
a4a3fbd8de8593b4dc03eec02d558351

SHA1
14868bd4b0baba81e3a6bf9b4eeca899babc6836

SHA256
5484d1df9a22e483b91c7d9896e7f1879d96e778900670bb906c5745eb0f4a4d

SHA512
31ef585aef8a09c4ae73c6fac835f5082177e74362465b359e73d722c95db7d1e72c2a66926adc60c36f5c4cb0acb141d2d852fb3b22d0172ae4c284b3122856

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
128KB

MD5
b21132a31f008b630b73526786e90eb2

SHA1
0587e1d990241e6bf98fe4d2c6300ede2a1ef25a

SHA256
e5d2ae9c8f8c4b8ef291554064e9c76a1a0e51cd43ebd89c87ec9a99e06a102d

SHA512
ff93974947e3ddb395fcb9adddef19880bca09c83358ef528ba34b0e50aad3523b60c62555bdafd11f2cfd2bccac7e00689d33b083e1a38f7f095175dd62f056

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
128KB

MD5
046c1be286e14ac163000be25afd479e

SHA1
d3b47941838639752dfbbca4ed9f45c327057c85

SHA256
7ef9a39c77635b08a0efd74c58127f2352d5333572a5726e2487dc4cf2c9ce8c

SHA512
d56cb351e1b215b739ee37c946f3ea2e5f41df6a580214cc172161eb175c2cd7981e058f75dd41171dc297ea179fab9e431900806f70a512aa5c4fbe4c142fce

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
128KB

MD5
dfb337c76ff744015ea6e2359148380c

SHA1
3790dc508f4f46ed25a672e783d66e0d37da1761

SHA256
a7af84a72a5d9142a0b313c604d6a6724dd150b4e5f5d36a96f34770aa65d4cc

SHA512
6f73d13df86ae7942f406c9d3bdfc80fc3705a5778624d6d6f097d1b9720e530f80b4abf3415179409686f342a5c2043552a03c13557cb598c155d164d9bbf86

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
128KB

MD5
867e12bcb0b39b056c5bcbcc74210f1e

SHA1
f005d773fc81931bfa1f4184e8bd3ef769288173

SHA256
ada2680af0c04ec77625bb01f38b42780777e3b7e391c07fbf2eab4cde8838d6

SHA512
c8c69a25d7df1b4d96faf91b4c96bb735cb5ac3d0de55c3004bf96146dee0848ad1470a23f28ea51c66507a20c4249d0250bd0c89fcdc50c82e51e6044b54ecb

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
128KB

MD5
bd598031fa92e618d225cd28815eaa63

SHA1
f95f9469672d18084b42314961ebcdfc33dca089

SHA256
547ac1846daf1827c3dcec1bb65428230ebdab3ce2e6fec3d5a1b875ce5d10a7

SHA512
64bd43bc1609112ff39df24e339907d0f38303c5a590e63cd7682d6a9e7f743c10c5f9b64fa816432cf0b7606de2d4e0938ffefdb2d2fbf08d8c72a233b9899f

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
128KB

MD5
d9b63038c8ac7950f332186913e54c8d

SHA1
561ad10400508d2b5522d2e824a27b569277bcde

SHA256
607567ea5d19702fac37316c747e4d07113751195d140c4cd5584aa91424a005

SHA512
9829cbd585dd5c2d22664c3467cedfc7f88a11ce4e9ebd3cb80dcfb1ddb251510f7d5f9bce5e4083a5b99eb8c3b29125cee95d870c1d5090dc280add9e690a93

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
128KB

MD5
49571494d22d05da43f40ae9aa3a7ca9

SHA1
a015dfeaf440eb0c79cc805ef34ab1025654974b

SHA256
a08c8c030ca879ce813cdf60b6118d26b74f17d6552f6313be24379fc12928f4

SHA512
3f53e790310d5a4e4abe4632ca31de61f30b64bc5ca44d715da6e53017ed2a3145ce9c175c7a11ebd50ce8616e01157b528c8504e2e0d3aaad2fbad9a0ef96f2

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
128KB

MD5
e380e1feaa3a27fe666af32fbc4b5ccd

SHA1
ee51e0acca9b0ac5985ff4f4fef70dbf03ff5f2a

SHA256
9b80f8020db07e1ab1db6ebc5043d7565b0cd6d5a24c3b69fa3a6312c1abb470

SHA512
e35e130adb067d62c1b18b7169337cafb118fe00cfbda6b5a23b94b693fc9c99ed81a00f86bf5bcadd97f5b9022d01be53df2faf975e27fc7e60102f8c690d04

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
128KB

MD5
f057a80a6b9d9ea15e8f1b66345f1b45

SHA1
5887f121b1362dfe07d14f1799164752e4739ec4

SHA256
810cddabb8fcdaf27e9ec88e857dcf9b250f5a13e3039ca0734ff959de7a40b8

SHA512
960c1a6d13dd70d3fd27cd06622944510fba49e74981913041919deb8bfc0a1c5c8960dd02aab42e13fcecfa1a6e56104b51ac8dc26556f4281d8e3f18bd60fa

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
128KB

MD5
9fb25851657b2c1903799423bbb96649

SHA1
99343133a7c6d059854b19704ff9548882cb4e8d

SHA256
61ee6f5dd43fe05cbba723faf02c0c83e494acf2c91efd56365d7e02b9cfd65f

SHA512
4996f0c8e34be220a1ec5f32fdff255ecca55766c8ee4a185d5a2373bbb7847d0da015e77781ef196fc418a82f0700a73d64147e529274bd9637bef368a836a0

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
128KB

MD5
7f78fc4b278133201c2d34e2d2b410a4

SHA1
4a4bd0c721495f67a355621ac82e86f07fb6c141

SHA256
a31d5da16df6a9f9b2f222156cf0f56ceba7ed3628cae1bbaf415a85240c3aa4

SHA512
d37e64f94c2080ffed5da96a6973d8a8db769888bc03b7f9c7b41241e04522356bab345e2939bec88ba7a4d121dd03f1dcd19597631f5f297a17359460633bb9

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
128KB

MD5
02ced2bc911b2ba78d98720b20d49aa5

SHA1
39b3685544a48709320e0bfdf88f65c99d3bf0ea

SHA256
eb8425047f1e380c0151dc294a303e166c6364cbcdb871018e1f3ebfe2808e3b

SHA512
e87bbf474c7e7be54d545309fecdbe0cd9baf7d6209f4b0f3e958e3d8ed40682a485d87ae32d3fc4d3836eb613da0a989f80845bc6a2fee46cee6ca4048d56f5

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
128KB

MD5
ca4ac9811a816380185a3acf1e09de41

SHA1
e22b5f2be3b59a15ca7af9d389b92bf646694c10

SHA256
a30c3abd28af4a40e67363589be0d8a26bb64f0aac1bcaa570a61bbc83125860

SHA512
dca2a03b85d7cb47d26f8c620a124fce42c3ec52e561f389b56d9595e77b90099286957ebc9b6d896bbd99a5a47b8bc4af1e5bd11724a06413d7268efbd56bcc

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
128KB

MD5
33825daa718400f7d3f1211120a89c26

SHA1
71c2f55ed68df8e903d514929e917d2d81e77893

SHA256
46ae945e7e11098fef998b913d6f46fab6b0c5c6bfcaeb8a1287096c7400ea60

SHA512
6afedc49b8c7bb49577fce9ecd12b66cedcbd0bd01d7b13016331661e2c4bfb18d653c5ec0b88d524416883ac44fc7243137667b5da721af1dfad8c2c6f453dd

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
128KB

MD5
c7d853aa207bb8ba8baf2f4aae93a86a

SHA1
43901ad8cb239a7566b3d22296e265b9612d9a74

SHA256
70c83bcbfaf0d0bb3814470a95822a64146e547d6d28cfa3cdd332f007722312

SHA512
6749dae9bba2ce4875480deda13a78a591e135d496c6d47df2b050a767ea850bbe2633ae681ef9044314710b83c6d1c334f46be31ae45535dbeda7d80ad8e63d

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
128KB

MD5
4fbd702018074e765718a3c42d3a6837

SHA1
e2422157dad60f8950cb94cdb885d67d9a3e545b

SHA256
f82b43f7f920fffc8247be4fb97ffceb513ed88934ae8d4474f93032adc9e8e8

SHA512
1dce37118c10ba4c0c40d879c3b12393734f4a9ec6e047bf07d28cc1d2e630848c66e221912ac82e3a2454281fbe4303ae2f38960d45d6dc25125fbb568d344a

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
32d842faf0d397901b42385727401804

SHA1
956d79a202a115cc4d3816b8596a0c31678cd509

SHA256
21af14a8553dd1216240c5436ce27f2162038240005eb9223cc37d2b17ff2356

SHA512
2c55c0b2f0e95ebca590e1dd12fe0fffb5cdc866d52d49f75959db75a8889dcb5e2fd028d2f907262080773ab7f6f6652071f2185e03b8086d7df8b239075f62

Download Submit
C:\Windows\SysWOW64\Gmoloenf.dll

Filesize
7KB

MD5
9131bdb77d1bdae1cfd441d1c158bf55

SHA1
a9dc22aca69f1b22a12c992f28543cf9a7831d09

SHA256
2e241800533f1b9087f6f1460fb4386aee5058b87ae7875b326d8c49181208e6

SHA512
ef08f892fa3e735a82bfa03a477fdb3907a02b83611b6874f173ef8ea9ac5135b6b414e5a3dc4818717cf6810c2aa7c92ed20e428ef3b54f71c937723bf00453

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
128KB

MD5
a88b0177c4b81b595340c171d470919e

SHA1
9149ff65d53dff771d67db4e4ae4d5968a9dbfac

SHA256
eff5692fbfe7a15908e0acc693ba787175078e04e087a7d8e0bc30a28ef1c68b

SHA512
92f90733c990a7d9c8add2be794a97fa97c65e39eccdff138b973b3ff21dfe4e213cdf57c108460677891dfada619994be5380571b6ae7ba2e17bd867165f561

Download Submit
C:\Windows\SysWOW64\Phlclgfc.exe

Filesize
128KB

MD5
998ccfb8426bcd36aba87fc1b1fb3ca7

SHA1
aee91b8cb7ef05feb3d4626efc0efc2c75478341

SHA256
8370eaa8f78471e1108c7ebb93c5dd806372aa22b280afe3242422d31627e493

SHA512
c49c078982133e62e9874a6ab127448401390eb93a8324386847805cf467088562ce188fbc6197978d3de19de4de5c60353b37b443825b269c1bf57b3018617d

Download Submit
\Windows\SysWOW64\Oemgplgo.exe

Filesize
128KB

MD5
df849dd312d174d2d75d3c79c1c7bc0e

SHA1
23f632930fd5f7b06756aec413b138a4d3525018

SHA256
983ea649e3a9fea4b78223315e873b0543898f14c4dd93b922b6816e67852070

SHA512
30c9cb693afaafb868d81614df289727b359db86f35bb4cfa13844264858288d3a26bce0a0f9aa9833dc79233770a6bab9f16b1b9d91c15031af5223c23d0127

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
128KB

MD5
82e4a9ccf77bb3e1a2d52685ed3533b0

SHA1
77d10a8cde81b0f5a08374da6d828d787d051384

SHA256
1fe1c06c0377b6f34b58c7590dc444e4fef20d1576e1dbdb24530516b7a8c20a

SHA512
3fc17880a38f3eff96146959a9c532c6f33bc42fd2247011dd325b07df42093fdfbaa8e42109f20d687dc0bcedef9d131398b0306a8973e9cc79ef95bd12b55e

Download Submit
\Windows\SysWOW64\Pdeqfhjd.exe

Filesize
128KB

MD5
3d848dacd28bf7ba11f47afc11843ae6

SHA1
29802f5a98d9e0af7b6d90f71c353ef04888fb1f

SHA256
45546ac9a419bfadccef973cb9da46822f563a73718d84b659cd91d8d7f283d6

SHA512
3c355850c9e3991f86a61b805236d5540c4e463e1b9a37cf0ddc9d912d6b62e8497ac1d83e1688df97bd5290735873b4f2fc937678cbcf9aa1cdf150fd54298d

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
128KB

MD5
072e3faa194a2f801365c36066015600

SHA1
3866a09604990442f53b42698403a70b967c9de8

SHA256
281fc50a2ccd0b9a0708ec9c24cbc1c4b71cfb037f6b53751c06ccae5a522a90

SHA512
affdb8d5fcba3d839177d5d730653ae5f9c002de3104d4cf354db9103db20d627c161b6182b497ae1494cf0c758c3fdcd5016e157202f7486ca2b74b10070364

Download Submit
\Windows\SysWOW64\Pgfjhcge.exe

Filesize
128KB

MD5
1fc8237ade38ad6b1ac720e80406ff04

SHA1
c70b1be1fdf12918129c2c112b4e3d69001ecbba

SHA256
072f0ec17b147983fc2515f694c2f4fa0be4162124a147eaa3880bd89936c44d

SHA512
a3cb6100145e19ec73256b9a5c8a486caee465b17dfde7d54c400a83a97d01f6f2196b27b041686ad3b8117299e96fc55612ab71dc15325433dd73e1a3952f30

Download Submit
\Windows\SysWOW64\Phnpagdp.exe

Filesize
128KB

MD5
f8158708498b48a50fcdf36f8da4d489

SHA1
5362a8387af925348700e8476add5fcb4f8c6730

SHA256
e19fb925b4efc417b487151f0e24d7b57f5ca74a2a34b05978dc20fddd5ce716

SHA512
e3890ceb4c45668ac890adc18182194227d42804c3b63e727cd6a52454bbc182077dbc3cbc4bfd501c3ec3980b6af4453b6542f34385041f8f2d4fa2bfa4b13c

Download Submit
\Windows\SysWOW64\Pifbjn32.exe

Filesize
128KB

MD5
95017720b00c8779c1aa8d33c4f81585

SHA1
491a269d54cd39b60bbfb32a8c517437bfd21f18

SHA256
0f69f4facb2a069b2ab08b30766777a0a45e8def59968865cde52c3b44ede0ae

SHA512
d05f1e598cd31b36e172a6fc6a9e7db72be56376dfe96f6553062e8474c71635eb1ee6689dc06010bc1e641e158d25eb5a2af0e552c92622aade46e36ac37067

Download Submit
\Windows\SysWOW64\Pohhna32.exe

Filesize
128KB

MD5
61e087bc0fe67641b6ad480ec9aadfd7

SHA1
b2c89676a0f5980634b4f65f5f1e5f2de1497ea5

SHA256
34a798c05173e049415a6eee6e54afc5cfc5f537be0324169246e6620427f6b5

SHA512
08301584b1b3f55899d82f286c4f3416d5ab56b6e6540b91a20d78bb5a1e423c45853cbe9becca22600ba10c364141903b5c535348a45c77a64edc59f7569a65

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
128KB

MD5
9f1fc9ce442abbb595d799ce0fb398be

SHA1
dd6e1246b8e2a41e4db5935d5ec86ea141e0282d

SHA256
ca990e4e383fcdea551a39dab01cdceb6db33c5648fd6a31d064407d847848dd

SHA512
5100b78e2a4f0ec507f696984d80a9f73a6e27216e9323ba2f8f624f7e11761b53a70480661ebc233f7b461cf5f41e3b9a3b0cba9a57a6f3c587a57ec0158cb8

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
128KB

MD5
662b12c5c0ca36f07d8d6878d2171164

SHA1
f1354bac7db147f657b3afe99d1c4cc9fdfbbfca

SHA256
39b0ce819d728af44644e32f65bf0a86220eb9d00d7a4f2fe7808cdb44650050

SHA512
79fdcc9c3046d9e1ffbfc214a9be118faaf260d083fd8666826213e641cee2a02cfb09122f478f8f1b22189681fca6eeb7743fb83ff6f75fa9f3b4853bf41aa1

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
128KB

MD5
e8f6d3393df470c7b74fe2f3c1f21265

SHA1
8aa7ea0e2f79587e98970a6d7a0466fb90d217a5

SHA256
9c0364db76be201fd277384d2d5278818934f0a8b2a0b8d62746aee984894633

SHA512
ec78b37a2dbe6a979aaa622bfd7f24f792537a67d172f2a69c246e0fc5ae557644c1d128cf5be9f70647ce261654d7772c85c63c9910d92551a6f881faffafa8

Download Submit
\Windows\SysWOW64\Qjklenpa.exe

Filesize
128KB

MD5
3e3a82bc69b95b3452cb7d52abc50b3c

SHA1
f9bbb2fa9372338a97adea82a4b4cd2c6d010221

SHA256
031227d71deba59f7c16b2627b178a54e08ea65253d7f2159c1fa021a9eed4ee

SHA512
ca5ab71edc5f5b69b24ac171aafd4fb5b23dd2ea7eed4c669b1cb48b10c4f3990849f1bf031085ab9737058efeb123b6a374f79aa0a518263f8227f7684a81b8

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
128KB

MD5
34e1bbe8de03dcf26c1823c84aeb7896

SHA1
c95e2e238c4a7f4ffcd2b8972c6a161f2f9aed87

SHA256
70db68c051e3cd3580b2971d8209a76238c9f8b6395ee634bef3631fc748c9b4

SHA512
bc86ff87a61800151ae456b116cc0e938c6c28320d21480e91428406cab61dbc45643dcb558c9db7917b78298adb2fcb627f3efca1f32275c2a3262034831e2d

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
128KB

MD5
de48189940c7ff87168e1547e217ded4

SHA1
a5e2ca1349504d2d4dd99f8d451b13878134c2d4

SHA256
8c508383c70ddf03f7f999b80ab0743c987575f1d315e27c7cccdc4f2d6ed984

SHA512
5e4136c039cceb3cbad2cbbae55e6a83fcebcdfde1f7134fb104ca15c9b07d9bfb86e933e841d1b7d9dbc05e1ec6a5f1008c63d0a7c481b3a2ebc756d178c642

Download Submit
memory/564-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-117-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/872-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1276-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-274-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1380-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-272-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1392-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-436-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1628-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-259-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/1636-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-418-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1652-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-412-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1668-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-306-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1900-302-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1908-315-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1948-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-143-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1992-361-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1992-362-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1992-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-450-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1996-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-240-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2016-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-339-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2016-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2016-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2016-13-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2056-500-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/2056-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-196-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2360-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-374-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2544-376-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2580-387-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2580-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-92-0x0000000000380000-0x00000000003B5000-memory.dmp

Filesize
212KB

Download
memory/2644-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-61-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2656-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-375-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2732-48-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2732-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-336-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2792-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-337-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2812-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-350-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2836-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-34-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2836-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-363-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2840-80-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2840-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2844-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-170-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2876-162-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-295-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2924-294-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2924-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-280-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2972-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-284-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2980-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-109-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2980-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-326-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/3044-322-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/3044-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads