berbew | 2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
Size

113KB
MD5

428ac28b0093ae6b697ddec55931538e
SHA1

b2dc89e8a5bd3ac0893e754d6433b4c5dec54ecc
SHA256

2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4
SHA512

04aed98c1b6783a5cf8735c51c475fb170a2aa481a97f14eab55ed1bebbcd029fa41a3c8976e456981f90eb68424b80ea50d6a84b8f1db1189437d2893d5652d
SSDEEP

3072:3vkFfUYL4qTM5/UP+TYfOuGkZFfFSebHWrH8wTW0:sFfd98Ym7otSeWrP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 62 IoCs

pid	Process
1052	Oemgplgo.exe
1944	Plgolf32.exe
2748	Pdbdqh32.exe
2664	Pafdjmkq.exe
2560	Phqmgg32.exe
2588	Pojecajj.exe
2980	Pdgmlhha.exe
872	Phcilf32.exe
2760	Pmpbdm32.exe
1920	Pcljmdmj.exe
1220	Pifbjn32.exe
1912	Qppkfhlc.exe
1768	Qgjccb32.exe
2028	Qndkpmkm.exe
2116	Qdncmgbj.exe
1640	Qgmpibam.exe
708	Apedah32.exe
2008	Accqnc32.exe
1308	Ajmijmnn.exe
1636	Allefimb.exe
1852	Aaimopli.exe
1284	Ajpepm32.exe
3016	Akabgebj.exe
2232	Achjibcl.exe
1864	Ahebaiac.exe
2992	Alqnah32.exe
2756	Aoojnc32.exe
2404	Aficjnpm.exe
2692	Akfkbd32.exe
2700	Abpcooea.exe
2984	Bnfddp32.exe
3000	Bdqlajbb.exe
2848	Bniajoic.exe
492	Bmlael32.exe
2020	Bfdenafn.exe
1632	Bnknoogp.exe
1164	Bqijljfd.exe
2968	Bgcbhd32.exe
672	Bjbndpmd.exe
2212	Boogmgkl.exe
2628	Bbmcibjp.exe
2512	Bkegah32.exe
1700	Cfkloq32.exe
1304	Ciihklpj.exe
2032	Cnfqccna.exe
2424	Cfmhdpnc.exe
2392	Cileqlmg.exe
1928	Ckjamgmk.exe
1964	Cnimiblo.exe
2740	Cebeem32.exe
2840	Cinafkkd.exe
2552	Cgaaah32.exe
1328	Cjonncab.exe
2064	Ceebklai.exe
704	Cgcnghpl.exe
1980	Cjakccop.exe
2124	Calcpm32.exe
2340	Cegoqlof.exe
2940	Cgfkmgnj.exe
1940	Djdgic32.exe
1532	Dmbcen32.exe
2096	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1548	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
1548	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
1052	Oemgplgo.exe
1052	Oemgplgo.exe
1944	Plgolf32.exe
1944	Plgolf32.exe
2748	Pdbdqh32.exe
2748	Pdbdqh32.exe
2664	Pafdjmkq.exe
2664	Pafdjmkq.exe
2560	Phqmgg32.exe
2560	Phqmgg32.exe
2588	Pojecajj.exe
2588	Pojecajj.exe
2980	Pdgmlhha.exe
2980	Pdgmlhha.exe
872	Phcilf32.exe
872	Phcilf32.exe
2760	Pmpbdm32.exe
2760	Pmpbdm32.exe
1920	Pcljmdmj.exe
1920	Pcljmdmj.exe
1220	Pifbjn32.exe
1220	Pifbjn32.exe
1912	Qppkfhlc.exe
1912	Qppkfhlc.exe
1768	Qgjccb32.exe
1768	Qgjccb32.exe
2028	Qndkpmkm.exe
2028	Qndkpmkm.exe
2116	Qdncmgbj.exe
2116	Qdncmgbj.exe
1640	Qgmpibam.exe
1640	Qgmpibam.exe
708	Apedah32.exe
708	Apedah32.exe
2008	Accqnc32.exe
2008	Accqnc32.exe
1308	Ajmijmnn.exe
1308	Ajmijmnn.exe
1636	Allefimb.exe
1636	Allefimb.exe
1852	Aaimopli.exe
1852	Aaimopli.exe
1284	Ajpepm32.exe
1284	Ajpepm32.exe
3016	Akabgebj.exe
3016	Akabgebj.exe
2232	Achjibcl.exe
2232	Achjibcl.exe
1864	Ahebaiac.exe
1864	Ahebaiac.exe
2992	Alqnah32.exe
2992	Alqnah32.exe
2756	Aoojnc32.exe
2756	Aoojnc32.exe
2404	Aficjnpm.exe
2404	Aficjnpm.exe
2692	Akfkbd32.exe
2692	Akfkbd32.exe
2700	Abpcooea.exe
2700	Abpcooea.exe
2984	Bnfddp32.exe
2984	Bnfddp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Kblikadd.dll	Phcilf32.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Plgolf32.exe	Oemgplgo.exe
File opened for modification	C:\Windows\SysWOW64\Qppkfhlc.exe	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Apedah32.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Ihaiqn32.dll	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
File opened for modification	C:\Windows\SysWOW64\Plgolf32.exe	Oemgplgo.exe
File created	C:\Windows\SysWOW64\Pdbdqh32.exe	Plgolf32.exe
File created	C:\Windows\SysWOW64\Pafdjmkq.exe	Pdbdqh32.exe
File created	C:\Windows\SysWOW64\Cfibop32.dll	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Ameaio32.dll	Pmpbdm32.exe
File opened for modification	C:\Windows\SysWOW64\Phqmgg32.exe	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Kbdjfk32.dll	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qndkpmkm.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Akabgebj.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Mdhpmg32.dll	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bgcbhd32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2960	2096	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdbdqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemgplgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaiqn32.dll"	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oemgplgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plgolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akabgebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1052	1548	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe	31
PID 1548 wrote to memory of 1052	1548	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe	31
PID 1548 wrote to memory of 1052	1548	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe	31
PID 1548 wrote to memory of 1052	1548	2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe	31
PID 1052 wrote to memory of 1944	1052	Oemgplgo.exe	32
PID 1052 wrote to memory of 1944	1052	Oemgplgo.exe	32
PID 1052 wrote to memory of 1944	1052	Oemgplgo.exe	32
PID 1052 wrote to memory of 1944	1052	Oemgplgo.exe	32
PID 1944 wrote to memory of 2748	1944	Plgolf32.exe	33
PID 1944 wrote to memory of 2748	1944	Plgolf32.exe	33
PID 1944 wrote to memory of 2748	1944	Plgolf32.exe	33
PID 1944 wrote to memory of 2748	1944	Plgolf32.exe	33
PID 2748 wrote to memory of 2664	2748	Pdbdqh32.exe	34
PID 2748 wrote to memory of 2664	2748	Pdbdqh32.exe	34
PID 2748 wrote to memory of 2664	2748	Pdbdqh32.exe	34
PID 2748 wrote to memory of 2664	2748	Pdbdqh32.exe	34
PID 2664 wrote to memory of 2560	2664	Pafdjmkq.exe	35
PID 2664 wrote to memory of 2560	2664	Pafdjmkq.exe	35
PID 2664 wrote to memory of 2560	2664	Pafdjmkq.exe	35
PID 2664 wrote to memory of 2560	2664	Pafdjmkq.exe	35
PID 2560 wrote to memory of 2588	2560	Phqmgg32.exe	36
PID 2560 wrote to memory of 2588	2560	Phqmgg32.exe	36
PID 2560 wrote to memory of 2588	2560	Phqmgg32.exe	36
PID 2560 wrote to memory of 2588	2560	Phqmgg32.exe	36
PID 2588 wrote to memory of 2980	2588	Pojecajj.exe	37
PID 2588 wrote to memory of 2980	2588	Pojecajj.exe	37
PID 2588 wrote to memory of 2980	2588	Pojecajj.exe	37
PID 2588 wrote to memory of 2980	2588	Pojecajj.exe	37
PID 2980 wrote to memory of 872	2980	Pdgmlhha.exe	38
PID 2980 wrote to memory of 872	2980	Pdgmlhha.exe	38
PID 2980 wrote to memory of 872	2980	Pdgmlhha.exe	38
PID 2980 wrote to memory of 872	2980	Pdgmlhha.exe	38
PID 872 wrote to memory of 2760	872	Phcilf32.exe	39
PID 872 wrote to memory of 2760	872	Phcilf32.exe	39
PID 872 wrote to memory of 2760	872	Phcilf32.exe	39
PID 872 wrote to memory of 2760	872	Phcilf32.exe	39
PID 2760 wrote to memory of 1920	2760	Pmpbdm32.exe	40
PID 2760 wrote to memory of 1920	2760	Pmpbdm32.exe	40
PID 2760 wrote to memory of 1920	2760	Pmpbdm32.exe	40
PID 2760 wrote to memory of 1920	2760	Pmpbdm32.exe	40
PID 1920 wrote to memory of 1220	1920	Pcljmdmj.exe	41
PID 1920 wrote to memory of 1220	1920	Pcljmdmj.exe	41
PID 1920 wrote to memory of 1220	1920	Pcljmdmj.exe	41
PID 1920 wrote to memory of 1220	1920	Pcljmdmj.exe	41
PID 1220 wrote to memory of 1912	1220	Pifbjn32.exe	42
PID 1220 wrote to memory of 1912	1220	Pifbjn32.exe	42
PID 1220 wrote to memory of 1912	1220	Pifbjn32.exe	42
PID 1220 wrote to memory of 1912	1220	Pifbjn32.exe	42
PID 1912 wrote to memory of 1768	1912	Qppkfhlc.exe	43
PID 1912 wrote to memory of 1768	1912	Qppkfhlc.exe	43
PID 1912 wrote to memory of 1768	1912	Qppkfhlc.exe	43
PID 1912 wrote to memory of 1768	1912	Qppkfhlc.exe	43
PID 1768 wrote to memory of 2028	1768	Qgjccb32.exe	44
PID 1768 wrote to memory of 2028	1768	Qgjccb32.exe	44
PID 1768 wrote to memory of 2028	1768	Qgjccb32.exe	44
PID 1768 wrote to memory of 2028	1768	Qgjccb32.exe	44
PID 2028 wrote to memory of 2116	2028	Qndkpmkm.exe	45
PID 2028 wrote to memory of 2116	2028	Qndkpmkm.exe	45
PID 2028 wrote to memory of 2116	2028	Qndkpmkm.exe	45
PID 2028 wrote to memory of 2116	2028	Qndkpmkm.exe	45
PID 2116 wrote to memory of 1640	2116	Qdncmgbj.exe	46
PID 2116 wrote to memory of 1640	2116	Qdncmgbj.exe	46
PID 2116 wrote to memory of 1640	2116	Qdncmgbj.exe	46
PID 2116 wrote to memory of 1640	2116	Qdncmgbj.exe	46

C:\Users\Admin\AppData\Local\Temp\2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe
"C:\Users\Admin\AppData\Local\Temp\2e6acd9f2ef578a239aec1663a0be9ca52adff5e8979b0c2f02ed67dfe146fb4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\Oemgplgo.exe
  C:\Windows\system32\Oemgplgo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Plgolf32.exe
    C:\Windows\system32\Plgolf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\Pdbdqh32.exe
      C:\Windows\system32\Pdbdqh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 144
        64⤵
        Program crash
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
113KB

MD5
fdb425cf0382c4ebe136af661f940077

SHA1
4afeec309dacf2e0df28b426130ea12e5c0ebcf5

SHA256
294d5d6cd938421b3b0cdbfc70576436f455bf87941036de51ff014511458919

SHA512
942efa42b4c307509a2ee07c48c129a766286b986cbe65124ca0bb06a273416647deb5efb7c79df9c486fe473753ca8abc53e781d408f4c8d86257de38d1e45b

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
113KB

MD5
58f8b835b74f0e3fc262eb3760cb1903

SHA1
cd52ba5b596617625eb0006473e7679e3cf61258

SHA256
d98312e6b8ca4b99f9d2353b5fed84e642a38b62b786f3b1b84b07680122f3ca

SHA512
b4ebe30008fa72f93e0d662ebb5f4b6d1b6b24ce8b4f2cdeff8dbbf9231414a9f78ea732f8088ed3c7c34432466acb0e3ce87123bbaf26a99dcba676c3ca48ba

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
113KB

MD5
d5f4a89be0780fec03fe8496d0d8d8d7

SHA1
63f194d30c48a3632a724f4abbec441f56c1ecd5

SHA256
e60140d33d178a5796e7dbd99583e710937fd7cfa666e690f72b8c7e0f22d066

SHA512
0795d35dcf845ef5d22ec1518720f939aaeba97780e9ed6aeec1c950d1d327665b0dd3596063ac409e4e25e1f987c1202151cc754d1290f6cfd96e876e00a69d

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
113KB

MD5
e02e6020dd926fd55c05614878b2e30f

SHA1
0d7df8cdf794d9510f2da4d5b554f3324de3e800

SHA256
17a883d3fa5f65217d9e4e428e046a1283c3b4a3ecc60f98d55d6d315945feaa

SHA512
6d722d26dfbfda17691e56f84af07e04a89f6af9c706dc72dd5897b114e5677339d9502fee77d8daef003e8c6ef48b4f0ad6e22507b7c2f2cc66dd439c6724f5

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
113KB

MD5
7475adecfb7e08eb7dbff0613e93d1af

SHA1
85f1e48410eb7d1ea399a83eddb279331deadcfd

SHA256
96404272048793d00e9e034c8b4e1de9aec775d402c04c438dba185d8fbea025

SHA512
c43501613c5221becbbf8b712524097bbe7b708f6c57cbbf04c441915456893fdfe13ccc4876e5a3f012d8dfc7eda40f80c231bbbf967cf1bea08f571a2315e3

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
113KB

MD5
91f42e88dd89d22b21fd69b8dbab2260

SHA1
d9f8f4124f47c8e08b32c3848337258d12dbdb94

SHA256
1e02eb75587162486e4bcaa188eac4c61cc869bc07f47a26c9b57ee02874c4a0

SHA512
0e7cca4a1beb599318b882bd1125898e66272d3719c122c34c33c826a519ad5e9c2d9941df2d043d6abbb787b1068f33fd7c2f7a6a04ee04e9cbeb6b3780291a

Download Submit
C:\Windows\SysWOW64\Ajmijmnn.exe

Filesize
113KB

MD5
4e253842e377c082154b0944262ae132

SHA1
3b273c1c7be0078eacd92602e69837789159384b

SHA256
4879ee0b8cb508412df9f2ee5eeefd6fe099aad3cf191b0873a1b3a1d3f56a69

SHA512
480241f4f6d17bc8657c0376aa475c01120a29bc2f98b77b37059601d737a078c2a753595065573daf88f7d8a1d83c71f507f3306c89631cd0b3e3c39ca897b3

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
113KB

MD5
097e0d07dac086db73c7a613e13a3e48

SHA1
0351d42bb7ed2388a5bc97f4ff662c82b10aa184

SHA256
55f8478c43cc52071fde1b4d84f1b9834af97e0ef1202050c2838bf9165b35de

SHA512
4a5d9e7bf3ac5ea18842feb3637a00a91194b5cc85c1b6f4d4a43fe56f7dcc009b88202b2a369ec47933ea299914bdadab863775252c09218a15c45d22faa0c8

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
113KB

MD5
4132299c25978dd803600bb63e24846c

SHA1
a4e87e6dd64b1a4fc7ba304e3c866225b9a55b92

SHA256
e9a3e9f7b603629b67965d160566270e7d40bf1ca1433e6ad723952aa3d02408

SHA512
a1cd4139987276aca61a9a501f506388d2cc11341367b5a2bf568a9a06cd3770efc53713dabc537e6bf32e8650a7432b15fd8066df4a08015a07294dab96f8a7

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
113KB

MD5
1f8a1c7fb71b7bb0f1c60d2b49e46e43

SHA1
d7f7bc299bddf05d9704c89d6b56d6e8e730237e

SHA256
5f9e7e78eb205541b3fa77979e5650db9fee411561703dfef3bfa3db99331974

SHA512
39fc21a32c752662f101ace276bcd412825cb9d011714f4c09c12d6ee3c0b0a08f54afd253fee1ed789592c7d7e89bf7cffa5e658cdbdffb611aae2ff9eaa0e0

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
113KB

MD5
718b9700a49254c6f547dac6ee1f0ffa

SHA1
43678a960c46f3f83cca2fbf23fef5d0f1c6e0ac

SHA256
545ef97eab91fb28cc0a28c4d3abc2faf7d5ec0889f3be13ef74b387664c7303

SHA512
7e6c5a2bc86a83a63ed721fb2a2545e1116b869128bd2eb4c178b5a279102a8d48a4e71da50450e21bd3d7cc7724f65ed6ae0816b4acf62c8da6cab53bb038f5

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
113KB

MD5
6710c1e6d76b4dc4497a74896ab981c5

SHA1
c0d1b542b5ed392cc34ec7f0123feacf14c92ee5

SHA256
a74b4f2dc1989d35bc582d9879cba98d530807463e1aadc57c10e85e075441a2

SHA512
49ce6edd69e69e7d8ddb18478fc9091723dd30752ed1a64a6aa26448786c6547add6d9da34b22177f53fdf07d3bc21c24ce930abd18e362b95cc7dc9457f4c96

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
113KB

MD5
8c53f87ac82e2bb7f2d068f5e48cc208

SHA1
243673ace3cafc93175dd210012754742b6ac49e

SHA256
83eb596611ce61e731ef3572c88eecdd79ae201efddab47a5af9d1c88bd53bdc

SHA512
1d3c7f59a8f24438f23c24ccca2307ad6038e9f6693b895c0745b9fa6efad2e1452b96d96785305bc8fed6e92b64f04c906c1fbf85d4689952be590ba5c1f115

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
113KB

MD5
4785df75e45e9740725df73e3c175ad1

SHA1
7304aaf40931cb7c2491c9ccbbb3cd24fbd00549

SHA256
0a96aabec8c053e6dea34ddd6eae1390b6b5ae369e4be6f62b9e00d3454763bd

SHA512
ef4ed133b5c6573890a7bf64a750e33dbf0add414f015249fc233fc94185998edd7f77339008b5decb0161c67f900d10a7211e0730bc154261fd59d40c58a2e0

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
113KB

MD5
f6386f3da5b677758f684b2672b27aee

SHA1
1ec05b84d6d629b1c1b5dc1c00c370a1445c443f

SHA256
13fb11340560a77d7965719dd42ce4e4822915c528962c863fd88cfe919f6144

SHA512
4e07495febedd740fdfd0a7552242564f1cebd3ebbe44726838cfb0f8b688114a253408231067da2b9f4595aa293d9f6e93cea7c6983f39f6c939717d6dbc6bd

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
113KB

MD5
e114c46aba25c24166fdb8b3caf82a4c

SHA1
df8cbef705b04428344cd27fcb254aa9bcb54fae

SHA256
1445df15adcd6cf9ed595ff79a960d88d6a67d3cc6f613c11c737f48eeeff32c

SHA512
f7f614ae38b0172619f46e7e2e1c4dfb43d7dfa6270786f6d92bec9f94e903cf2566eaa2a92fecf50c243f90b77f12f3d04e4f74f58160e4140aaae440cdfe66

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
113KB

MD5
235a07986c7c0ed3ce5a10a6193766ad

SHA1
75fd2811ae5bf0e3e9406d31663e3c2c08088a79

SHA256
9139a3e39cb5befdce4ffb0820f5e4e43087522ea36b31246d9abe584bf731bb

SHA512
2cd7c9ca03b576a1ba3b20fbdb917082f8c15708aad47dc0b79bfc275bb2aac8c9f527b82a212c841871572067d0b2117c008b4113eeef34d84bcaf07bb30d1d

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
113KB

MD5
b3cbc214978eb3833f9b58be7e3bcac3

SHA1
6cc2fc8cd0d500b29a9f650928b6c1ff86b0a517

SHA256
0379ba1dec9bdf5a405c23e275c6fda727e72647e40dc03e40a3eb40ecf881b8

SHA512
01a69f9eb7c00b34542d7e4f799800de5fb2219783c401abae1507636296638b894499db1a38356ef05e0c463453312cd1698ca17f601b6cd0981fd2c07479ab

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
113KB

MD5
eb4abc90df3dd3ea9b0d3dcea40be8e0

SHA1
994d2ef659bffa08c873568221d0f467401ad123

SHA256
fb76b987a2409fde75ce4a3fbbf3da9c97db108fcc9f5b19f8db35932248ef39

SHA512
c7cea277c6e68dc409402c1a674c8491b193b02abb648f3ad0a648b3eed79d786ee721bdbbddff5b1792d67f62948502c815722ce4765f2dee8d02bed3dfd629

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
113KB

MD5
21e214cc9c824ff0ae79e16fb1d6379b

SHA1
0a43b095ca100337f32a5f22b26febcaf86234cf

SHA256
3027bc42f27ebd79904c97b81b14eb869a44f7420262a9d0efb70fb9cb55c305

SHA512
bd1eb1a77caec2ca17ff4a0a6d9b46949eb40982bdeaf66a5c20224a654ab0a8f76a3da976dfb6717c575d2bafb32dd47b9d47db9a2b6b001da141a967b2556e

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
113KB

MD5
562feb09814ed8955e22bd05693e6b85

SHA1
fb98da160122787656996c17b41e7f89efc15127

SHA256
b2ae0141a99a3b0704f95be26122d6e90c0daf20fdb24ecb0a919d5def2b2f60

SHA512
03221b4dd0b01ee42c9aa0ff0aaa7b2ca75661be8a72755993f5b8f4e7873af935a96512f0539dc6086845acbdedeb9d3c964e346564593f54812e25dbd46e24

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
113KB

MD5
79a5406f3000653e17f9db626e5b9182

SHA1
45ce7eaa8a16057d14b5e190354c54e8b96529aa

SHA256
bc8180923f9bed2af9f69228e35be775ca9f18151ad60f18df1f0e4ec5cf1faa

SHA512
a825d0050e5618f87f90a6d97797a93eabbc9b25c5cc1e0afd12b20154b39a1e7fa9edfaba24761d89defc63f8b1a179685d882b99e0f94a036836b245b69dd2

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
113KB

MD5
fbe09a36a9f7fc4bc1170905b1095464

SHA1
f92a88ff4894de9d674643554d1860856743398b

SHA256
fef1fa3e7fe03a5208ac02045eff2deff177167041ddc6bb4f28871e5ba67286

SHA512
4fdd1106ab8a66fc25ad6cda1e04deb9fec579e1feece8ba70f70f0fcb36ced3e17a06b45e9630807bea49e30909ccf3e67f67f2afd9fa0ff4b107157e21b489

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
113KB

MD5
7baba09307abb73a871c742a70e6e70e

SHA1
27c03b5fac4d1c571876b212302c4effb22a05c8

SHA256
df6c4366ea5596f36c737258bf945a6d509b1e24f8151258726bf1d309673bec

SHA512
c8638dd7a3ebcbbf43b4783153f57354d4ece6015c1f104f2803979f92a7e6e82b66a4ad6e330d3a70989028e621b89ac95b76a31dd7e6a0be52dcdb751d3abb

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
113KB

MD5
b93033f7534e5c1484be6fc454f46f0a

SHA1
6428208406746eda2ecc8aec0f01261b45d86c85

SHA256
6ee7865c59cf00ed050d8f7243e24757a8287398eea7872dc877be4e1b1f0e89

SHA512
aedbcf2af90c2bb73e9fc85338e59594ca9cacd381ca1a297b4058738f4d7bb6f53fe2f5dd4bcd6cba9da98d500e799665c3c7acba89e9a6164f7a07c6420c7f

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
113KB

MD5
b9a424bd545ebf8b16cc0f9d17017fa8

SHA1
913984fefe1c7ac7791cd343ad7d0d740443a448

SHA256
5b3fc9dca7d7a41ba86e148cb55e987e5909ad2a28dcc618e27fe8cc37585289

SHA512
fa4ece3d98881ba936ada52c5f2f8f719407910c108603c9e071443cdabf0e725353eba791c5e55ea41ce15e412af5ca35e2eec70b0c1840b76f104f05aef403

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
113KB

MD5
6870cf3c23d0f9c49e11628a2ba82f2d

SHA1
f1dacb281bd55342e8d30e6e79dcd1b1db996e15

SHA256
67ccb9f3a5067142a88860d4e77c7d208ce4f0f117e0775ed49d22a904d69945

SHA512
ca848ef607015c21216ead191c6cf649908fb98e192174b455397d3f6c5bc71a97bd263e9712f870b175c1bbead4b82f4daba9f9840a75f02b0ac71523b0e716

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
113KB

MD5
a50d67f0008c105491b7e2a980c7d8e6

SHA1
b08c930667cd0892ddc9406095e2f4ff31334972

SHA256
31bd87c13dc6b518c6458fa57ce3ddeaadca3df9ffc59954b0da6fe4e1b1758a

SHA512
c3d10963e52881418da477a4d49b60ac6bcdb1934fe114bdca730e84c0906dfc4b22d927831638795b83afed789af4fc21fc61cb9ef1d151b0838a1dd33b458b

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
113KB

MD5
4f22dee48780736d80815438ae75d8de

SHA1
5983439209715ed1a5233c09c2e894ef7f66bff2

SHA256
aac918f153ee502974fa46f03d2999e9f632fa5eaa7a8b46fe18d128bd7842a1

SHA512
3d9d98895a7c255ee23477fbf8b13e5f7e7fb0c2c749edd34bb8062bdb4780a05622470b1216cd336200a5fead135eb6de050db2b402f8a23dbdb49aef774490

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
113KB

MD5
606b187489a5fdb5d338b148b053a476

SHA1
62e5e78ba7c3b9ab470938a5dd823b1062477da9

SHA256
583a730568c60dad06cdf57613d12dc110c811b8d5315efad5178de532b1268b

SHA512
8171213295efc39e69debf3a75c130e7b67de89efa5fa679f77e1ee89fa263fd2fc82ecf4e6c0733635ec7a2fd8b75029710c1b8a7580c4333da786964bfb12e

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
113KB

MD5
78f19f4eb36af3d817c1104c4cd27571

SHA1
0ee6d23a103b5db587b0401d8287b3c18dc19def

SHA256
b00cde9919c06d8f4edf4fcb1262c53b7f3fae44d9882169426d0713dc781932

SHA512
a27eb90add8839c726d8576f7c379651bf061572b40ad5a34d822a7591346e45710d7dbcadfdc13b3ec5722970c348b709cdacec05d6108b02fab112b988d4ad

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
113KB

MD5
c65747fde5eb02550a9ed6ca91877e67

SHA1
26da68d19eaeb4ba3a97fac0b70c674adaad4660

SHA256
443c39ab85a9cd04ebf31b3f050272549d9fd346faca9d99c318dbc8302bada1

SHA512
2ee2cd597f3752167258a6e287f90015b95251bd026dad4bcbf8fa02755701ac440d605a5d67d136cb9fd4270c8d54a84ed40f750f5e59fc73262305c1e2f4f5

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
113KB

MD5
3f814b7d1f464ca4560ba64ac25163a9

SHA1
92c612783828736e5efab32e4d30646377348b9a

SHA256
664d852a80bd23d3533755e55098d4f52f933959b8a200b2407b74f7a60d5109

SHA512
6f777e63cefb05f27d4d826b00cdd1e0358498c9760c2147ba4b655a40aef508121a4c1d3464545833a40165e3f9a93863a650ad08447ef034398659720e8240

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
113KB

MD5
a1625c41633e3c170aa9f094cdfc6110

SHA1
472534a26c60b33afe05ebe832e0fbae3a240011

SHA256
93516e5c824a04727d090a50c9485fc6cbb53483f4df52a3f4997848fe2156f0

SHA512
a91e50d66dc23d9af1c0c37dd8c8c7b67e563b9fdc73e13cd72d159a8e9a7e5f8611c70ebd2726360594df8a171b5f1eb7caa321f80236c89d90169cffcbb8f4

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
113KB

MD5
7b2963e0a4e9f7ab1d0b6a1b34b6b81c

SHA1
db6c0c48f7be6385dbd8d7725fe23ab1a308eef3

SHA256
4b74dd9a1cfc4771bc8efa6cf1e5aad126acae8e93651c69720991c7b538eba0

SHA512
9d43ff5e0dd794f3c8cf5569fadbbeac7170a169851643d2e8f17ca1ed2efed52dc4fbfb00087c043fac83d7342f98a669a092c14e09b2d2d51f12b82c93b416

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
113KB

MD5
34e7cc4fa0a7b6b017a54d94746b3bb1

SHA1
dcda007c5e9c2b2f4dfad3f45953f99e81831053

SHA256
1d46ae7236e8ecc60993a5a677a23f0ec562ee7fe8f42422f8f0247a273fbd07

SHA512
bc12a0a3222ad924332489cf8469a23e16338e5c47574beef2d377c7ee9c932c9407a31997ba49a7ddbafb44eaf9dfbaa2eb0b950e6d3f9ddb28a008cb024db3

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
113KB

MD5
abf807f251723b4f22113bac92685d2f

SHA1
b66e089b9def67302f4eee9eec3b5f6b6bdc79af

SHA256
5c191b1adc01d4727249e26d83e06cde667c23568b7a8c398a0697193c4d0772

SHA512
89d7fd41ca3bf971eb70f337c2e68ecd131cb0766b3547d4833c9fa68922f95362ee82ed2b542d19029c925304f85bb60d4d8a3c3a84eedf39785610dc97d547

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
113KB

MD5
50079826fb33f3a791c63cefaf9b64ca

SHA1
b6e2edcd4c26068ee44fccda860be3edf1a43555

SHA256
f7c5116a2f1bed0e6e88ff1c6cb1544fc2bc0773ee39d3ad4f55352667c1f27b

SHA512
566b447d54700d7dad33c7e448986818eb3b8177ee3085b8fdbb1e23bf3ca217517028e27df331118684659c528afd9dda2d47eaf21c7c98f06f35f8342ac427

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
113KB

MD5
d5b899b85e04c552566307f1d7e0f742

SHA1
16a491b04881f861ba7911d4404908dc2a491295

SHA256
8f4bc9b25ef6d8b5d0b84da27f19944dfa13c91acd1400fc9f219c7974651d05

SHA512
49a94a8c93e543395f09ce5e4bfe99d1d8901748b61e7a36672c422a9b28afee676c7d7d5551a54ee1067ef1542fc1022b398c8ce79d44e0a3b21c447d869cd9

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
113KB

MD5
ed04b545b9cf08e1ed909eb16fbcf1cb

SHA1
75e44f7b62f48cf8933ba02d211fdfd84de45e95

SHA256
588f5442d17ed6316f5afaecced09535aa77856c220ffdc5ab2d251255f43c26

SHA512
3d5bc41d939d029e43b0cca6dcd3af42bf3f13dbc2f0bda8848fa809a056db0a9c209ba96201383357ec286876ae8d06767c97e843c5462c453196d511f929e4

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
113KB

MD5
703a150f01e8612e8e294de7acb94948

SHA1
1140ff2d610f19571204a9a77a0175a702d76486

SHA256
6a9750d5fdfdbf4d4f39e91d6eb4577f928122a5e4b00ffcb662a3bff90bdd8f

SHA512
4349a1e2104ab0300b872e68090dcb132638a897eb8b0c190817695e1380bdd873058a70d0b69f4935e15f5e22c6e2c29920df6f6cea6c25f4a2c6db0ee47dba

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
113KB

MD5
be62da1539b9ce51195de56b2a0f7d92

SHA1
2424288357b6382567ca57c8c9df119232caf8fc

SHA256
92280db7e1d995bbcef7c96968ae1046af438aac265155291536d77352fee97c

SHA512
89b725b21b37d9c0eecc63086d3d256f8b5429b88e317595c8d7096e4621db02689e804154a9402cdb848bee05b39701053fb63fe1ae17e34d99ee9bb0c344eb

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
113KB

MD5
e940ccdc2bc40104a491a51792c11510

SHA1
0d2fe49a4680752e5af9913e07b61862d19c7b25

SHA256
1f2775a40dcd1bb8c7d97c86ff9ffd67b6ae09f73e0dcffe7d8da84c75e211c8

SHA512
8f63a879f997598a7d06d2d2c92ed59800dcb6904715a22f513c71a60887c4f65a6b859b184231eda0bbc3fc41210675032a50df7b6b6612d6f68be7f9747e16

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
113KB

MD5
bfad26d1762cf0382a3bd27d11577a12

SHA1
d6552634d4a125cad8e8616c883f4393173bebac

SHA256
bdd08616d691a67a9ab69489336d192774c92a09de0e86485806a11c3ba6418e

SHA512
41e1599c09e7ce28e373fa66846276a6386736ba6cf61a9a28df77e2d972ee99416daf52f24c0c1077fd063e3b45b3f94270d32b46e272ed38072bf9b6eaaffb

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
113KB

MD5
3d9c0c9618c221525a200879be167b21

SHA1
fe59644ff8ab024fe5a3ec0dd5b3cbb82a8a4965

SHA256
dbb7fc838b48f24d19e084d18c90f0c2d839b2f6b6517c878620e58337893ded

SHA512
70264c842a4cfc8b6a4f693d3dd0a78aabebebdaafc37e2e9f1440086d0583b88da151e4c75dcf6029e3ed2e06567031aebbb1548b5eaf71cb774e34751a7023

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
113KB

MD5
bf1f841eb7047351e972d998caccd31e

SHA1
e00ad753bea84ff0d93e42be88845ec8e41422b8

SHA256
841737dd99e00738dfb452eab1b1dabedb4a53466900d8ddea670f84fa25c5b0

SHA512
ffc572ccb2c237ba5f6921cd647924f058b6c50fb544ee742b8b9809a9c733256266da9a17004017890b862b44677a2ba6fdc48277a28632a5be5fa84c70ac6c

Download Submit
C:\Windows\SysWOW64\Pafdjmkq.exe

Filesize
113KB

MD5
aff551a125ee8c4c90f5a0cc5ab98f51

SHA1
934acfa109068e3391b46cd6ae911b8be3d15870

SHA256
13eb069b17270ec5676c69e297d83f218a0654eeffdffec4d11c4a90319e4a31

SHA512
029729bb7c23860beeb7f3f3b1d8befd57cbd7cdf713ba3296266451751e76e214a2e775d41d08350144f5e00e390c918f65074441c1752ddda44a76e2353199

Download Submit
C:\Windows\SysWOW64\Phcilf32.exe

Filesize
113KB

MD5
b3c2e671330e1556c8b5a39e7e73747b

SHA1
53970960e3850d69240fde59e24402d9f4dfd368

SHA256
af502bd1fdc084be3ca8b20e584e22b1763cb423939b5c3c84fb67d98656fcc0

SHA512
59d12c0b29b2a5e95c735f1a3eecd1345eb3472a3e75563da3e3274551ea25de07e9b2ce89f1c5ba4dcaf3fe6f5069722a0cdb5e0e719e101d077bebf7a8349d

Download Submit
C:\Windows\SysWOW64\Plgolf32.exe

Filesize
113KB

MD5
a7a89e719ff93cd2460798aa8660569e

SHA1
d4a0e71be41bfacf112165f0419990797988c03d

SHA256
5cf684c6a0fc5beb689e53e04bef312180ad6e51cfddaae5847f811950a2d837

SHA512
bede564b9f5cdeeaf8045b97642abdc790f5d97512b0f3c6e174eff0598eb235c7e6a3e8904f2d6ab1a916cbef1c91fc7e7e25d1ec29edd47b3095067f5115b5

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
113KB

MD5
e68df4033dada525b4326ef985b6d79e

SHA1
b3e9842e100948473c13cf0d77815abf4ff8750f

SHA256
a3376a6ec186d1986c7df219ea1f032030fcd8a609521e3f3bd71b68cbc70ab9

SHA512
5c7f30572c3d2da8ded98dc2588ecce64406be0f2fc7aaae9bc94ef90ab95f09d21800cfab050f15b9fd19151ff601914c1e2da3956f6ab3ee641611d50f0ba2

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
113KB

MD5
6a0f5590ef847f9ca7a284e0da9bb914

SHA1
39fe20a5a8699a0adfdbe2ecdae06c28d470b631

SHA256
0e10a73cdd42581ffa40fdebdd74f31063f4a3ea0ad9315b16ca0cd81daed1b4

SHA512
f7724ae18a43296501dd9c40442cb7eb26c27e6aa6429dc831025edf5c07674767d34f8bd5980b4923dd958b8cdbade3f2e1452d06cda9b30b2c34f0b9f818c3

Download Submit
\Windows\SysWOW64\Oemgplgo.exe

Filesize
113KB

MD5
7e3cf59ee6128214df0dd355c6ecd725

SHA1
1f6fca7ef409200d7f0c2875e1b98445674b9acf

SHA256
f28c361fcca0db871c625ced586e9b7c0f74c990e7243102265669fef98c8f1b

SHA512
06e74c663490d368f81e9357a7a7a3eb739440fb988504057ac573041cee1830fba6f7d25853f429f092d857bfa6560313aaa487a7f4d668b9f0f6dfe6e30099

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
113KB

MD5
b70940a543af3cb3d00455c02a2789df

SHA1
df4f99cbd45ddf72d409de4066f98b14a2388d96

SHA256
26cde2efc15f081164fa93865594614f300bb96d8bd097793927caca49e173df

SHA512
b46a2992810e00b3928ac8a9ad5e0039527695c2ab772c3959986cc2605b848a527a76829e6621e6763b8ac45709c24522051d1a7fae6e2ea871562f480e1878

Download Submit
\Windows\SysWOW64\Pdbdqh32.exe

Filesize
113KB

MD5
e793080de1e8a6c4488d0b1366859dcd

SHA1
48d4ed39165d58c39584468e430eafc6acd68c1b

SHA256
193793176199ccfcfb1e656f9b00e837e23695230f6bdf263d448453b423f62c

SHA512
d29016c3e1f80c2a05928a47152b98fee559fd4879afed65610eb272d670281e8dcc0aec030dd672bcd656173cc068feb5b1c4d5e01967325c54c17da0c66a21

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
113KB

MD5
aad97b2dd1ecbd640262b4ebcae0543c

SHA1
3b0b6c128653ce0b5dc91f118d604e41122efad6

SHA256
eac04adc106a3b7299f2b6a008f7d666315ae820b6a045f094ba6b34ce4a1be9

SHA512
a379165e0a8817809d1b7c0e0c2b4eeea449130c2e81dcee8a7a99f02b72bd50010765f55ee118633ee1669c56495d2e63e823c570c61057a4852cb661b1ab1e

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
113KB

MD5
95c105323965a3df7c3caac699caaaf2

SHA1
60e492eee302ba02f79dea83c5abaddc30beebf2

SHA256
e2fa74b986391f82ee4e97d69f8987aa0cea7106d5f664c04d1b01cfa5c32399

SHA512
676965c262e597d8ac9a9cdf8dfbb8bc5d7a17acc0fea86723be6136c46597e958f8c297962146e516eeb633decaf3ab2e799332856f49c59f43eef1e43cba4e

Download Submit
\Windows\SysWOW64\Pifbjn32.exe

Filesize
113KB

MD5
9bba316651318e605cffc57012530259

SHA1
185fa87caf794015d8c6ed3791aac37e61f9062b

SHA256
4d6250f57a27c8c48c66c2fbde4af4726654d60dcb796ee3a01cb43484897814

SHA512
52ac3e731a629314b48dedfdd7c88cfbf2b961a865b16d8d26d2cb4add39e3983ee569419c81972abaf760371ab3b2573fcefd23664398201031b7a89be9e79e

Download Submit
\Windows\SysWOW64\Pmpbdm32.exe

Filesize
113KB

MD5
43b7836d8526dfbf8ff507d07fe4d8cf

SHA1
1a8fc74fc58e48e3b71d979e71c7e5dc1dafbfad

SHA256
9686c396f9f4337aba4733ef3e9a6c598711fb75b9a8c56ad9b309529b329c1c

SHA512
5a5da3ee8d56f664b3d7d8ede303935d03fda19a0d8203067a75fec0c62e3825a10150c9b2abf67bcf1c7f6a452a98533252cb2b9f3ee44b594e1bfa5b4aa621

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
113KB

MD5
bfc50db5e36373be5ff7c7b5b001d538

SHA1
f31b16007947eb43215916a2af87e24e47e0b0d4

SHA256
1549f2456d7bcf1afafb3384908812d049fd7ff4976ac75e090bb182af99a94f

SHA512
0a7d51f474fe4a67942ad7e5399613c232bb4498f3ddbabad8239d6b5ba48ebed18c113d546cfe8fa9eda17b931dc008a803db025446d20027bb05de61c6774b

Download Submit
\Windows\SysWOW64\Qgjccb32.exe

Filesize
113KB

MD5
8eb79cf7262c58562d4819c139c71350

SHA1
1f1fbe3ffcd2223b0388f87db09724fce64549b9

SHA256
305bcb8359c3ba8a25fe653290484f39d640379f82eccc270ae40666da481471

SHA512
dd66869a4e482b106c474c1a5a0622439b944438bb1c5fdfd5a4628c785fe55de91842f9777c67bc107fc15c9f57655699ea7f237723a22e921fd67e70e24624

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
113KB

MD5
77ae4bf443800cf08ed5313585d71c40

SHA1
d8e713fdf80ad99a008649647e4caba3b8061890

SHA256
15dc8a75d563947b348724cbb405623da7b5771ac4b74d2113b99609b127e636

SHA512
ceb5165902dabacb3043e1af0516d977c58c6684b175b762edc23a7ac57b74d674d66add1960fd3b20f77d8120e4c5a2c70c2158d89c6c8cc35898efa77198cf

Download Submit
\Windows\SysWOW64\Qppkfhlc.exe

Filesize
113KB

MD5
5f62507f676975f158cbdf6e378ef567

SHA1
fcbe1c0f3ede88e3c21343084e7b8e554c67f443

SHA256
0501b779cbbd98f0f6c612bd7b0891dfea119915de2b7b1095e25e1e0169f0d9

SHA512
1cef80e869ed3d09e0f54ff8af339009558de27cf54c390213d8cf3bfa4e52c0328cebd9d5aad2f1aee51faa04228977357b989ea6eef01305aeac1ac5014631

Download Submit
memory/492-405-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/492-414-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/672-463-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/672-468-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/708-227-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/872-455-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/872-114-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/872-107-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1052-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1164-439-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1220-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-280-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1284-284-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1284-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1308-251-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1308-252-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1308-246-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1548-359-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1548-12-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1548-361-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1548-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1548-11-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1632-425-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1636-253-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1636-259-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1636-263-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1640-213-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1700-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1768-186-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/1768-174-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1768-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1852-272-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1852-273-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1864-311-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1864-317-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1864-316-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1912-497-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-171-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1920-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1920-140-0x0000000001F30000-0x0000000001F6D000-memory.dmp

Filesize
244KB

Download
memory/1920-480-0x0000000001F30000-0x0000000001F6D000-memory.dmp

Filesize
244KB

Download
memory/1920-474-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1944-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1944-34-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1944-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2008-238-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2008-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2020-421-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2028-187-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2116-205-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-476-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2212-469-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-306-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2232-305-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2232-296-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2404-339-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2404-349-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2404-348-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2512-501-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2512-491-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2560-415-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2588-435-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2588-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2588-88-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2588-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-481-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-54-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-404-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-62-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2692-360-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2692-354-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2700-362-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2748-393-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2748-52-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2756-338-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/2756-337-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/2760-462-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2848-403-0x0000000001F50000-0x0000000001F8D000-memory.dmp

Filesize
244KB

Download
memory/2848-398-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2968-456-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2968-457-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2968-446-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2980-94-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2980-445-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2984-382-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2984-381-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2984-371-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-318-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-324-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/2992-328-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/3000-383-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3000-392-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3016-294-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3016-295-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3016-285-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads