berbew | bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
Size

128KB
MD5

848cafa9a65f0fb5861d8152485aeab6
SHA1

1e34216a0e99c741aee51f1a1915dc5f6335cebb
SHA256

bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9
SHA512

be31cd6d0b8f1aea12be4fe83390f2744e72f73db9b7ca79f8905e07c70d7c6f3fe5a7e4e431de095f8fd353d15cce8b9a2b7148bdaf5a4671cd8462f4569724
SSDEEP

3072:GaQ50PxGRWJixKcmL/rNV/XKm08uFafmHURHAVgnvedh6:60PxGRmixKHrT/6m08uF8YU8gnve7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1256	Pdjjag32.exe
2160	Pkcbnanl.exe
2132	Pifbjn32.exe
2804	Pnbojmmp.exe
2540	Pleofj32.exe
2672	Qgmpibam.exe
2564	Qjklenpa.exe
2996	Qnghel32.exe
1984	Accqnc32.exe
1680	Aebmjo32.exe
1036	Aojabdlf.exe
1996	Aaimopli.exe
1152	Afdiondb.exe
1104	Ahbekjcf.exe
2120	Aomnhd32.exe
1128	Aakjdo32.exe
948	Afffenbp.exe
1048	Ahebaiac.exe
1572	Alqnah32.exe
596	Aficjnpm.exe
1324	Adlcfjgh.exe
1724	Agjobffl.exe
872	Akfkbd32.exe
1728	Aoagccfn.exe
3024	Abpcooea.exe
2152	Bjkhdacm.exe
2824	Bbbpenco.exe
2588	Bdqlajbb.exe
2560	Bccmmf32.exe
796	Bmlael32.exe
756	Bqgmfkhg.exe
2584	Bnknoogp.exe
484	Bmnnkl32.exe
1272	Boljgg32.exe
2740	Bffbdadk.exe
2960	Bieopm32.exe
1656	Bcjcme32.exe
880	Bfioia32.exe
2144	Bmbgfkje.exe
1740	Ccmpce32.exe
236	Cbppnbhm.exe
1328	Cenljmgq.exe
2720	Cmedlk32.exe
2320	Cocphf32.exe
2968	Cbblda32.exe
3064	Cepipm32.exe
2556	Cileqlmg.exe
1968	Cgoelh32.exe
2484	Cpfmmf32.exe
2704	Cnimiblo.exe
1664	Cagienkb.exe
2392	Cebeem32.exe
1440	Cgaaah32.exe
2928	Ckmnbg32.exe
1908	Cnkjnb32.exe
1796	Cbffoabe.exe
2124	Caifjn32.exe
2052	Cchbgi32.exe
2180	Cgcnghpl.exe
2000	Clojhf32.exe
1368	Cnmfdb32.exe
2544	Cmpgpond.exe
2456	Calcpm32.exe
2352	Ccjoli32.exe

Loads dropped DLL 64 IoCs

pid	Process
2952	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
2952	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
1256	Pdjjag32.exe
1256	Pdjjag32.exe
2160	Pkcbnanl.exe
2160	Pkcbnanl.exe
2132	Pifbjn32.exe
2132	Pifbjn32.exe
2804	Pnbojmmp.exe
2804	Pnbojmmp.exe
2540	Pleofj32.exe
2540	Pleofj32.exe
2672	Qgmpibam.exe
2672	Qgmpibam.exe
2564	Qjklenpa.exe
2564	Qjklenpa.exe
2996	Qnghel32.exe
2996	Qnghel32.exe
1984	Accqnc32.exe
1984	Accqnc32.exe
1680	Aebmjo32.exe
1680	Aebmjo32.exe
1036	Aojabdlf.exe
1036	Aojabdlf.exe
1996	Aaimopli.exe
1996	Aaimopli.exe
1152	Afdiondb.exe
1152	Afdiondb.exe
1104	Ahbekjcf.exe
1104	Ahbekjcf.exe
2120	Aomnhd32.exe
2120	Aomnhd32.exe
1128	Aakjdo32.exe
1128	Aakjdo32.exe
948	Afffenbp.exe
948	Afffenbp.exe
1048	Ahebaiac.exe
1048	Ahebaiac.exe
1572	Alqnah32.exe
1572	Alqnah32.exe
596	Aficjnpm.exe
596	Aficjnpm.exe
1324	Adlcfjgh.exe
1324	Adlcfjgh.exe
1724	Agjobffl.exe
1724	Agjobffl.exe
872	Akfkbd32.exe
872	Akfkbd32.exe
1728	Aoagccfn.exe
1728	Aoagccfn.exe
3024	Abpcooea.exe
3024	Abpcooea.exe
2152	Bjkhdacm.exe
2152	Bjkhdacm.exe
2824	Bbbpenco.exe
2824	Bbbpenco.exe
2588	Bdqlajbb.exe
2588	Bdqlajbb.exe
2560	Bccmmf32.exe
2560	Bccmmf32.exe
796	Bmlael32.exe
796	Bmlael32.exe
756	Bqgmfkhg.exe
756	Bqgmfkhg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pifbjn32.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Eibkmp32.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe

Program crash 1 IoCs

pid	pid_target	Process
1672	2300	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll"	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll"	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1256	2952	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe	31
PID 2952 wrote to memory of 1256	2952	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe	31
PID 2952 wrote to memory of 1256	2952	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe	31
PID 2952 wrote to memory of 1256	2952	bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe	31
PID 1256 wrote to memory of 2160	1256	Pdjjag32.exe	32
PID 1256 wrote to memory of 2160	1256	Pdjjag32.exe	32
PID 1256 wrote to memory of 2160	1256	Pdjjag32.exe	32
PID 1256 wrote to memory of 2160	1256	Pdjjag32.exe	32
PID 2160 wrote to memory of 2132	2160	Pkcbnanl.exe	33
PID 2160 wrote to memory of 2132	2160	Pkcbnanl.exe	33
PID 2160 wrote to memory of 2132	2160	Pkcbnanl.exe	33
PID 2160 wrote to memory of 2132	2160	Pkcbnanl.exe	33
PID 2132 wrote to memory of 2804	2132	Pifbjn32.exe	34
PID 2132 wrote to memory of 2804	2132	Pifbjn32.exe	34
PID 2132 wrote to memory of 2804	2132	Pifbjn32.exe	34
PID 2132 wrote to memory of 2804	2132	Pifbjn32.exe	34
PID 2804 wrote to memory of 2540	2804	Pnbojmmp.exe	35
PID 2804 wrote to memory of 2540	2804	Pnbojmmp.exe	35
PID 2804 wrote to memory of 2540	2804	Pnbojmmp.exe	35
PID 2804 wrote to memory of 2540	2804	Pnbojmmp.exe	35
PID 2540 wrote to memory of 2672	2540	Pleofj32.exe	36
PID 2540 wrote to memory of 2672	2540	Pleofj32.exe	36
PID 2540 wrote to memory of 2672	2540	Pleofj32.exe	36
PID 2540 wrote to memory of 2672	2540	Pleofj32.exe	36
PID 2672 wrote to memory of 2564	2672	Qgmpibam.exe	37
PID 2672 wrote to memory of 2564	2672	Qgmpibam.exe	37
PID 2672 wrote to memory of 2564	2672	Qgmpibam.exe	37
PID 2672 wrote to memory of 2564	2672	Qgmpibam.exe	37
PID 2564 wrote to memory of 2996	2564	Qjklenpa.exe	38
PID 2564 wrote to memory of 2996	2564	Qjklenpa.exe	38
PID 2564 wrote to memory of 2996	2564	Qjklenpa.exe	38
PID 2564 wrote to memory of 2996	2564	Qjklenpa.exe	38
PID 2996 wrote to memory of 1984	2996	Qnghel32.exe	39
PID 2996 wrote to memory of 1984	2996	Qnghel32.exe	39
PID 2996 wrote to memory of 1984	2996	Qnghel32.exe	39
PID 2996 wrote to memory of 1984	2996	Qnghel32.exe	39
PID 1984 wrote to memory of 1680	1984	Accqnc32.exe	40
PID 1984 wrote to memory of 1680	1984	Accqnc32.exe	40
PID 1984 wrote to memory of 1680	1984	Accqnc32.exe	40
PID 1984 wrote to memory of 1680	1984	Accqnc32.exe	40
PID 1680 wrote to memory of 1036	1680	Aebmjo32.exe	41
PID 1680 wrote to memory of 1036	1680	Aebmjo32.exe	41
PID 1680 wrote to memory of 1036	1680	Aebmjo32.exe	41
PID 1680 wrote to memory of 1036	1680	Aebmjo32.exe	41
PID 1036 wrote to memory of 1996	1036	Aojabdlf.exe	42
PID 1036 wrote to memory of 1996	1036	Aojabdlf.exe	42
PID 1036 wrote to memory of 1996	1036	Aojabdlf.exe	42
PID 1036 wrote to memory of 1996	1036	Aojabdlf.exe	42
PID 1996 wrote to memory of 1152	1996	Aaimopli.exe	43
PID 1996 wrote to memory of 1152	1996	Aaimopli.exe	43
PID 1996 wrote to memory of 1152	1996	Aaimopli.exe	43
PID 1996 wrote to memory of 1152	1996	Aaimopli.exe	43
PID 1152 wrote to memory of 1104	1152	Afdiondb.exe	44
PID 1152 wrote to memory of 1104	1152	Afdiondb.exe	44
PID 1152 wrote to memory of 1104	1152	Afdiondb.exe	44
PID 1152 wrote to memory of 1104	1152	Afdiondb.exe	44
PID 1104 wrote to memory of 2120	1104	Ahbekjcf.exe	45
PID 1104 wrote to memory of 2120	1104	Ahbekjcf.exe	45
PID 1104 wrote to memory of 2120	1104	Ahbekjcf.exe	45
PID 1104 wrote to memory of 2120	1104	Ahbekjcf.exe	45
PID 2120 wrote to memory of 1128	2120	Aomnhd32.exe	46
PID 2120 wrote to memory of 1128	2120	Aomnhd32.exe	46
PID 2120 wrote to memory of 1128	2120	Aomnhd32.exe	46
PID 2120 wrote to memory of 1128	2120	Aomnhd32.exe	46

C:\Users\Admin\AppData\Local\Temp\bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe
"C:\Users\Admin\AppData\Local\Temp\bfd8e9114c0cbfb305be11d3485b3cfb9bba440441b28fcb76d368bf45da79e9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\Pdjjag32.exe
  C:\Windows\system32\Pdjjag32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\Pkcbnanl.exe
    C:\Windows\system32\Pkcbnanl.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\Pifbjn32.exe
      C:\Windows\system32\Pifbjn32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 144
        71⤵
        Program crash
        
        PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
128KB

MD5
12e7161d2b60668912bb8d7e8ae2e6cc

SHA1
5d15ec8ae9f159b92b9e82502391556ea6d0af04

SHA256
a29e63f09b85ce5870558b33939afe575333bbbe1187b7b31a1077733ba0ae30

SHA512
05d6cb8faf95cbef4b19df5d751fdf5f73242bf038a33a3905c743a0697c9a082c30a41b13fa5bcf7c83404fbb74bc2d8eb4289a043b4243b9e1d51593f9359b

Download Submit
C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
128KB

MD5
5d91f91ca7d9bc1f74e0726353d8728d

SHA1
c67dca9f7bfcb8382686720c50e468aa6bab6217

SHA256
04b015dcdd5ce072f6dec5caefbed3537a85a98dfdbe7627dc95925028f36097

SHA512
dce02b01a38d0a3a35470f1476db4e2d53fb7490ea5616724e08364a6e820c6ca53f3c49a49a3b499c765dfb8fb2832f262447c97d162dfc9422712d9c784937

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
128KB

MD5
20acbfba1df97a42cee56025d8cded9e

SHA1
b4da646bfbe36431b22593c9406fabf89a8bea62

SHA256
f8f028b37ba3b5bb048330fccca0d66df1cf840a901db5c890e93426c68dba4e

SHA512
dc1f817a06faa3b41a4e09149ea73b5e6119f83f1d84d35e679c1daf01c059e9d3a3add4fafaa8127b5e8f1efc0ab30f7f1700d4b9a8356e011aa2809bf7149b

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
128KB

MD5
e026294e1f43737862de1da789364941

SHA1
a6afde2bab5b216f952e9e1edf7fe5adf23934ed

SHA256
76fc3da29dddc0bce1180e8e0be17d3818b678d426ddfb2a71bf2a3614b5320f

SHA512
f8a6e2f3da8297ce2ab634f6243af9ce10c9c6aa4c7754a005ce67e484e3fd86fbeb5809ca1b4c4285cf86f83e65f027c6bcccccc0c55898a68b054b2afaa7ed

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
128KB

MD5
91814429e5ae0ab5b01ae55f25375d15

SHA1
f688f7c49b51bf8b0fc04e68fdb5a8da6d639c14

SHA256
e4a223751e8b72bcf462e8e125b76f728a80b2f3ded7209ba3e59a9cc21a37f3

SHA512
5b54de414c095cec18dcf1c97c772cd251e8f7f0d929d8ad32c2488f37e9bd79947e8705b8004b02ad5dbefdbae421bdfd7d2c9940f41394e6c7d91ff45bfca3

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
128KB

MD5
970e6498e362a290420c8306be97ddeb

SHA1
03cce26f12a1e0507937f070f4399e6632613677

SHA256
52c3b86415954cf9e0446050eddbf0dd20821037d712c6e912b8085f182c90b8

SHA512
162764d173e1afc71d8e1767cbad8a97cb563b2f3cfffc35dacf3eb521a719f07e1385250ffae35dc1e57276c2b1fd04f00b203307a27cece60f91255a10b6db

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
128KB

MD5
c2cccd42993f00f35a7da020ae6b06c8

SHA1
4f89df87c8c837928b590da03b8cdc4acc71c3ee

SHA256
275376022a21927197c99a9809f833599244ee3ff4d384c6b95c28c9379d0ea9

SHA512
b96759d633e37db613b8bebeb70f46dbe27df89ea137433bf00452c87b7ff6b8f065be65aac016a5d74d280ef42ec1c4abb086a095dba8db3c2f81d28de23431

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
128KB

MD5
f1350f935c985899bde9f2b26d8b4794

SHA1
0ccf883558a8462d772e96f30f586c7767496b6b

SHA256
e9b125b4890f79a39c998daac0be874dd9a050ef26ddf083ff9d1e25d1578f1d

SHA512
8fcbf7f2a2ea203cdf758b79e1bd60c88b857786e4f0547954ee5491e63936be7beb947f27837272b690a44d9a9f9f7a594acc37ed36ceaa1e365d4cb6b7ee64

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
128KB

MD5
cb47d9b52d24357e13cbb40ba1ce17fc

SHA1
83647f8216bec155eae5d462dbaf88be98f60011

SHA256
097034cb1e48fc9a5cb80847da60b768f1c0dc6cf0044da802556b7536854cad

SHA512
6ad02c096dfe3fa572b533393aee1a3e41e00bf38b1d16b479858a07a338b7da438a64d81f32cb45e4b2d6325e3b04d533f64525e51990538122bddf90c2ac8b

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
128KB

MD5
64331d456897274a1e498ccb327b35f6

SHA1
da6b4d0150110ecdc9762a9baf9148f300a19330

SHA256
2432d00e191dcf6c384a5893001e3edc99d2229163709e806ba984f63659a87a

SHA512
fd89a1bbcc74e36127f049f49a46191d0de1f07b4cb2a2b72d66cc981cddc6580b96347285f6003d548a33edba2d0442ede284f2cdf0a8c7d2ee8d463470d402

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
128KB

MD5
5ca011f98d6056894d9edaa8e43db8c2

SHA1
105584cda8424e2edd909556f8a8528249241ed0

SHA256
4074ecf42f128405c674032ad27873d6e4f02444eb82b7f25edd9ab6e33b2485

SHA512
b226f5d60b35fce3aaf7b099b0204d53ecd517a16c7e7e2bb0fd5c26af4a25443aeb15793de48bfa0750bf96c09f2a0d7b3bd22910f1c91c718e12000314b288

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
128KB

MD5
fd8b70640b5af546286d8b423e59954f

SHA1
3229fda768ccabfc1cf2f87636d4856349e7ada5

SHA256
d1752592118344bf07ccbbd1a641d0841c319008749a3fabe8309c6e149e7ee4

SHA512
ae494bb87ea8545ef4ca7a33ea59fb1622f3c1589605e3f32e6a528df5b533ccb43085c94afe77f461fc8e5027197eb7636037881fd63e1dffcb49c52da3d3af

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
128KB

MD5
cb467a659cee5ecfe20d049b1f0bfd0c

SHA1
7db24c4781e8460f7e251ee10ec4a5262d5b6c70

SHA256
58c47db50a37950fe0d8b0a39fd4ddd54dc8eef27906ba12bc036eb86d32f1cd

SHA512
2f0677351d2678559c08c8e9e64f8c50d4ee3ce2badce06202fe153cabde6eb199133e76df9f1d5af94be6ecff4855dec87ed401b78402041dbf59b6e14ecce3

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
128KB

MD5
10c602496d6dde5f2cc0b1c0455a9c6a

SHA1
aa0981206463c27edf664e4d9dbf92cd91e1b14c

SHA256
a44ec984c106c94414241d1bd16cd6fa966cad9ef4587e570931f56b8798ab06

SHA512
a296a262635b36df6736ea74992b74e843925dd4a26c54da9382b6b83c0c649aee1247411a96727ca070eabf45715c58bb422081c5f85f047bd6ee4a18b71995

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
128KB

MD5
cfedfe06201b58b4abea5b03698f9d7e

SHA1
e9afc12018d3a37818f4a91f9bd60ff783eac106

SHA256
b6705c761e75c2d936b820c659442282d48265245c624eefc8e19d0ed8e3803a

SHA512
5225e9d620ab5a60a124a6598a4c0e461f0e17287d074f39ac666b05d80965b521a9271ec40d7b3aafd4c250a251fac479b977fcd5441a5339295096f7abff74

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
128KB

MD5
b776d5044876a3a8d13e55dc064d06ac

SHA1
fcf547b2fb27f9308758807cd2de00589a841276

SHA256
bfbff58d588f4f18f3f3ba0fd68ef17b556bdab682771035b19f8c25f7e5864c

SHA512
46fe83f7bc956aef49e646f7eb6caa17d7ee74189660d662d1cc785e56c7bafa336b38eb54b5956a5dac693ee4b9c30bee04a8ec5ec7566e016210295e7fc3b0

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
128KB

MD5
1f5f86e1625293da9332c0d3739680da

SHA1
bb5f6b86ee7d26eb1e72951c7e42d72bd888d3a0

SHA256
c07373f3c6430982b605346367ffc4b8880bcec5337303452ee695090039c69b

SHA512
b47d7e3e84dbaa4c115162ccc609dfed114a6374f6173f5ceee9d00e870bbd2804f8c022bb643a7cedb74727d61ed0c91926b43c1fe4291ff012d67117aa3677

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
128KB

MD5
aaec9c3db7c854d8a58450dbc4b99249

SHA1
db5d31d5d0b6a45ccd81a2caa2badfc5460d01e1

SHA256
82cf3d6e00ec77c58c68bd129451dc99f7d614f65e56818c99f55c207d9ac3ec

SHA512
68e7264fb6b9de627f37d3e6401ff76963e385781b49b032b7eb31ef5b4b56fd73c29cf6f5e9fec79015e75514410d60d0847d3689a545adc49d2428f3b5c35f

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
128KB

MD5
ef385d4077f31588b81d6412d362e29a

SHA1
52dcedb078c6472932f2a7b5059a6abf4c271074

SHA256
e4cea7367b7a7dd954526521960691229f10d0f26f80b3216134cc3b30786dfa

SHA512
817c06073f056c704299edd10e5d4599cdb0a8c715cecfcf6225f99e77075526fb2cc89d5771881b1739ee0760f50e3496c1b30dedc0c10b9cfc39ef73c0c513

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
128KB

MD5
469359bc930e2d3f508e8d979bcce08d

SHA1
e04fd5fe7c99ea6853f7648a82fd0eb64aecab3c

SHA256
4033b84ea607d3d8491f423e32f9b8253e837acaf9c97050086123d142809e66

SHA512
8d085565371b4f29dc082bf0e5a430d4db1196b94f1c962f9c88889f8aefcfd9e299b25f46aad39a05b04e5572b23e7edf69ee799a9e6a3d536bb4727113002e

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
128KB

MD5
707c6c5a7df2a4810137cbfafbe95fb1

SHA1
723e72f7b374de359dc89fa1d07f70fc22379136

SHA256
0c0508602825dcaddf31cb56b34c643346c0b79a422c3dd19be2ba75368240a6

SHA512
eef2b41d1e1ba16e0c7359f7204d6d1a4606e3e87bf8807b8feab6b80003744eebf78d1e414a17378ec842f1948b44e9114711237f5152b5a44d5f221d5acc7f

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
128KB

MD5
0e381dfa58c9b94650a48596c7fe6309

SHA1
944040369c9c215e0a362d5dbbe99cf40564e2e6

SHA256
1e1a64d405e78e794dc503cf38683caba6dc7f3ac29237a464ff329f2c715320

SHA512
8264f708a9d597bf9ec51faba58e32b0e02829eb972c92dd48f7a9598b8da28141bd2ec52344e5fefb2a9c8f04d8dee451ecfd07459ed9d0e553b62cddc71193

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
128KB

MD5
0c77ebade24dafb8c2269ca828bce1bd

SHA1
1dfb8251b67bf7fe66b01dbcc79fac20798def87

SHA256
b66e4324b4baed9cc7ad2da63c82785324acd91e7669fab0cc2df852fae9395c

SHA512
9fd4692aabf5641265fe6f4735088c8ca3f65ada1b565613bb6c88973b35b7221e80491c49a4308e4a50ffde5747d6576ac2883ced6c1be891caa1cfef9dc599

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
128KB

MD5
bc2150386071ac816023b06094e23d60

SHA1
213ea944d2a5f3761f998eb22556b9b251882755

SHA256
b18e6dd7f06389369c2730c5b0b63a4123df7b46c55c902d7b35df9be401dcd3

SHA512
10e25dd42e286850c125cf91f4316cb65d15750014b18a45214189204fead6e6218ddabfae47b70d2b710a1aa63de4f24db1331757accd49839fe1fcb3dfab38

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
128KB

MD5
5dab58444a39f7ec53e51860b6935982

SHA1
1ded8ecb7792e83b7d55509677c3837967d72945

SHA256
8d5d8ad814c1abab8aafdaee04cf64cca6bbe2f817db877e4d708606ad0b2c98

SHA512
dc25772c4cadb0d754a36d6b8ab8304a470de29da96e8ecd7253c43ee26ba1d1e4181419a7f5925ed262ab3017805069fc8237911106ff1dc89cc4800e02f536

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
128KB

MD5
84250ff6237f726fbd9c2c2658e5edb3

SHA1
4ca6d8fa2313ef00ebfc6e8995bf683e7b7e2eb4

SHA256
8ae65a52d4d2f65574fba02432ec710e8d657a153f0db9978377d09cc81f3e43

SHA512
1c13ae4d5312462f1b3b27161839c88777d3b7925ad2cca80a80c2eb8d715e9154cdd43444cbbd949d84dd13371036cef500c2265dd1263b800b3f9c7a292cc6

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
128KB

MD5
e6081b54abebd344a477a27f862b8c4a

SHA1
4993436031e2ef8688eeeb78bd58cc98b1a7c5a5

SHA256
3ba659466f98d8bac1ca6811f60742fb0d299ea11f8babe35ae670a2c55df74c

SHA512
942ad59ea377d514de6702123966cfa6cbbde2ff87c8240273c752782a2c26a9ed6a6233d65bdfcc2ee1e5b0a463c27b6c1916cf08662d94187f2c8fbdd9f8af

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
128KB

MD5
66015c21e6a8f6327ec7e01c3e8359eb

SHA1
f82fe52be8d447cb6bde3ec3b987702462398f4e

SHA256
2ceee5bc897f0f5e117f50da66fde41b0229449fd6926e045e4c54421e275e24

SHA512
dd913c67b370288041be8afde316232327e891dde1b88c514cf60cf99a55220b63db956b8843c4ec79b450440316e93e370e2a8f02807234a871ba83f19de18d

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
128KB

MD5
4b1fd3712eb99d7200943d9eb3ee9c44

SHA1
4bc08f478525280a60843537343a0819376b2b82

SHA256
658185733c69dd50c17ba62999814aa942cccda0048f12b2e99e5a7405e6577e

SHA512
caf5cf1915d0d5af5d64182ea50afe625081d2b5d8d7adff5fc7df03ed9bfdf3c905f1e86f9ee4a0ff13d3a19d2ea9787668e3f36a10b195d4f400add0cd9156

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
128KB

MD5
e04f4da6b07a582af31014d575a254cc

SHA1
06fb1d3013bc37ec31556af3e0f15bb90041cdd5

SHA256
9a9124304dee7731d6294a0d390f143f132534f000e6414232d0ab223651ff29

SHA512
e678dfd84fd4fcfbffdbb0f4783609843799ddfef0d4ea034a63a51c6377a443825d52f5852775d439cae2d2cce297d3520a20cd53472d58934bac338bd6e947

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
128KB

MD5
cee5c5e6e4eb058115a45bf8788e0ec9

SHA1
906c3995986af437d58b15b28d5e8d2439df2c82

SHA256
a1c30d376f14e4a753f42803b04495e4d727bbfbf0372116164b1755eae8159e

SHA512
8e5b67af87fa02e0ede05d4edee3c6beaec4e2d3d20ac5cc8f227d497cf88b952c9d51bc1c772298292f43077c13eb2af01dbed7740b2bd7ec83ea08ae235915

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
128KB

MD5
fe57dcf03fc544b5bab7294a0167fe97

SHA1
ae4f66dcc2485032a4fc5cf8706d30a3d162118b

SHA256
356d5ac3a381480a22af5021d8cdfb6d5cf80500305fd060f28eaac4f78f9a30

SHA512
bcf9111647b1c58b262879a3e1a5a25128e738c5b9246a9f3b9d5eb129537a930ccbce00c1c80ac6ef96606da22953820ee50f23d0d2ef0fdc52e237f9d8ab95

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
128KB

MD5
dd6a7461a8c1614d93b30aec223cff17

SHA1
748b86e29b9c88068020424430210641d86bbc86

SHA256
8d174a117edba36753608b9bfd63958bdfefd8c49be4efcc398816bd9694adbb

SHA512
1aeabaf4aef3c8c11522b9461b04d3bca52a1c835877d991ecfec559794971bfaa326a83756bb5df3f635f8121231399f22b8212776562c947f4cca663b6c7e0

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
128KB

MD5
7df919bd565b3167eac6265e09f8701b

SHA1
a671536adb27a6772869cc8f7ff7d47f28ed2d4a

SHA256
335ff0ed28e73cb8d3fd8fe5cd9655923edf9214d533ac184e47ad238990cc5c

SHA512
2cf87a31ea0b1467e775ab80233ea32b4fd38f0de8662666e32d6d2f884df72ee3a94416a3156a6a50df9a06a2b377a942192f0ca256536c669809f249d636b3

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
128KB

MD5
6f1e4e5c79eabbf5464c3d5240923f6e

SHA1
f12578b7f754b36b05bafbf0cd5372b5a97c107f

SHA256
ce24af5a2e2dfb0626c04a497d9471df7fbaa8deef588310080ad99b675c2913

SHA512
5182a27763b6ae3be93ab3e4ca55c8a21b77febe31453c444474d318f489a99650fc78fa033c77f7b2fabf18e87f9e4bd91901fdbaa09daacd24fd6ebc7049d5

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
128KB

MD5
144e9d695518fd59804aaf877cd478d1

SHA1
f64c5abb181902ef87e1e980c0392108bc95f532

SHA256
08290d475411290f1a227460477fcc8ad40b0e18ea64a595868e4b0780717f5f

SHA512
ec38a553f6b7700a269194622cfca13c4cf2393277694e202d9d740e52c1873c52630c71a60deeb36cf933bf57e67bb9f47f9b6a4cc6800870089e75ab0af479

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
128KB

MD5
7c8ee0d467f9b3c0a4654e15b27d8c42

SHA1
5e7902ad5f06c74816cda55f1b4e25700c64fb6a

SHA256
df326ae09b64e91516d06ca7686b7683c5ca751b07bf8a10bcda8a2a91dca78e

SHA512
a72729d44e2bda5a919ba093f9ab385e71f70f5ec9057bcf05e87407c85bdd6c81d84397c911dadd94bd9635e86f3b0db7d38449047b97609ac80d91e6cf80f0

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
128KB

MD5
d7cb1fa7a5221453702a33184b3aca16

SHA1
9725d7a3937b9a3f991cd58fc375cd5cad39a34f

SHA256
0399abdb00a21c15a3d0735d2b268ac3071e643854bb348e9a7d0a7b8ead1ebd

SHA512
c5efeef80c9e7aa80977a49fda8601c539e275b7fc6ec7c112ca0c1a35251b0c51c8f40a85a847eb99e17a3fdca84170b0278d5f04eee27535809fd2283b3a01

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
128KB

MD5
9bf12cb894338a2dc5b9e0bec2ceec41

SHA1
580a7c52a600158f33169115e32de1a2d6e2e689

SHA256
6864d1ed7c43a9b244d9649eec68f9cb5ad5411bdec11782800769bd1a09ded9

SHA512
c1c8366d996088ddfa6e6c962480d2d1a41ba61c8e27d71d73f858e4f61cd13f366ac3089ea1d58085397236dad80b6c6b454ee64fe74eefe117720955229c57

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
128KB

MD5
afe07151e0b02a9d731b829e45828353

SHA1
493e11a2d6e05bdf7dfa19ed2e51d51ca8a3beef

SHA256
6387e47f9b536330df4fb9e4f25fc825a2e45a354ad9027e163b8630922962ff

SHA512
59e7972e738bf84569127667eb8011ce08a654348dd9c155e1638b88109e7b80d8e8cc8f8e7aafc6a332d8b65ae8cd30f2ddeb89abec282c4b4b8b14f006b4e7

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
128KB

MD5
b9c0dfa61fa131752aacf4a9db86298b

SHA1
17d697671a16314df737812370894ed408f869f4

SHA256
2b9f49d67351c2614b4f89eba42c19af75f85d0803b7287409456b8c727c3a59

SHA512
4714a1905f859088bcecdb3df22adcfabc76b7280deb40c41123e6356018d181a98a87444bc8746c1d23731f7f4866d3630eb2ac02e4003bac4d362e09e9d6d9

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
128KB

MD5
2f3d411f454c9056683744ad9ff5de67

SHA1
86588f262aa787ccabecc9e07ebe1f52f0d134e3

SHA256
2b4855390bddefdc598110502c96ab430738e4727db6d7f96c70fb5bcae06c4c

SHA512
a018386631646158744e4baeb21bc5303ced392d1271cba5664ce5dd2ccc409bb0dce6da0a1dcaf9894e8b2d7aaad70302aa52d3707f86febfad507bb620d300

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
128KB

MD5
b976e89589adc823c8077b45a794ae0c

SHA1
c146c12ceffc25613c72fc5c361c43795571059f

SHA256
ec32a7524d02c59df2e2fd5fed4a00581b285eeb36a454b0f2c4293c1f2a7895

SHA512
f4b5c60bf0e2bb9f1b753707c7b733bedf15bb7acf93d371883df4adabe18e8fb3dd77c007ba20a518b68eb53b571cef4197a1961e9c9b7030fb5ca65d0db261

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
128KB

MD5
b5a779e12dfd5363ffee20595ba47cf8

SHA1
76e3d813227da989bcc67f587ac537b08c525222

SHA256
b4f4ece8bd860e40f58c0e8c3668e418222c377ed79a641af968efe15e4f9fe8

SHA512
2379abf42579d300d397038d71d4f61ae8cab01d11128a0456cd532936bd9e26d2ff3291ea730ec186f73d6bb15c5257c5e6db4f83402a0ebf3deb56fd85c112

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
128KB

MD5
361f3073c18308e0c945be8888a3836e

SHA1
ec24d644d9a436163bd46108428f98b706590d7b

SHA256
f651678251aab9213bd894bcfae3ac10953fd94bad9accf84c53e8655e5b74d2

SHA512
ad5279869bc162fdbb578870fa50006910bc85bbc28b95f799a96b29c28e5cf7c602adb246428a7c685ce793c36f24a7516fa99489fbef87a1568e92c189e2da

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
128KB

MD5
b64fcaa0b64832d29fee3d5c40f276f9

SHA1
34e160c364a56774aea494943df01c06300da3f4

SHA256
2a613570fff5fbc332bedce6d3166d1c024b132cde19a866889e9fddb5a3be47

SHA512
c41a67450e06be5d17315d72ade22adbd81de7da5905296ef7dae027f7c53eace440f1dd5f30851c13a4ea2e4f0b10b6134f6230655eca9b35452f2bd2d86fc8

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
128KB

MD5
8cf81b40bcd0b4d4c4006467edfc7130

SHA1
73b3642808bd82f11073a0246142d83d9e032e8c

SHA256
76bc243be28bf954e05cf5a8513d1685c073d16024774f6213fc98ece6e06f99

SHA512
fc83b9cb497672e8f8ae8832917fc741e3cfca42c5aa7556f2df027e0e099a86256a09f721957fc619d328abf6faa1163de04b841d75e95bd48b959b24b60b27

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
128KB

MD5
cd89e9c3365c5201780edd61191d94f4

SHA1
d7ddc0166a5e288d5b4b42b358819b8c2f4de767

SHA256
80f3add0c745bce832bdbb6eacaa04e25271e9c9f9a7958bdd0c30ccfe246bc4

SHA512
f58201b9ee59cf519ac2090e2d4bd3fbc3a522543e4319f90d57dd656676e197f2001e0e41443b4c288d14af3fe4077f0cb1c665703f373102beaff2935a88d3

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
128KB

MD5
0969220ffc142f6ce8c36c17c6450223

SHA1
655bbef8a76786a0f60f5bcd6a62b26630b1f078

SHA256
200ce5660d5e01db80c3f5b85b88c0a56ee12fa7846ac04a2186d6a9982f1f18

SHA512
1da187f93abb2d04f00a21dc14c32fdd65b5190d49033e682b51e5af43e3f1ba56de84863aa1bed00f55f6f7027fa76eefddba9818289aefee804a526d39cb78

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
128KB

MD5
07f6c6bd5cc4b1e24e4eb0ff88d60e4d

SHA1
59b5b88e501979fb9d2e63a6d92d5249cd44f3a3

SHA256
3f5dc262de6ff358fe7c71c3efba131093cf53d2373f551a6f31051062e5bb0f

SHA512
c88e2017f73c372bb1fb9e9da3798114f4ed2046d2a3136e13e587d192d5bfedabd8f84e7c766303280bec876752f08c4958f3d5446c6a7f7b07c47d7d005845

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
128KB

MD5
479a72a21a08d2403ab75ebaa6a7999b

SHA1
9d10d8def8ee0e1cdde71239dbeff291329d0a75

SHA256
715d95f65d65f05a38208fbdcd364c9a09bfc0945b5961ddee49d572f824248e

SHA512
fed9835778e7c51bfaf3bb6607a83bb8089c2594e376d43339d5aef4d4d383bca50a98726f638c4621addda6295c64510177d83dd8450c907dbe2a4a1d864642

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
128KB

MD5
c79fc8df164426c112f8e1143f72d071

SHA1
d763fd99e142c5d60dd43317f8b5f8b752487967

SHA256
52cf526cf82b4231ae794f2d7c644ab00bdba2d9a5680738c37b7c533f2ae082

SHA512
0b56f04998cc4956cc082ca520f0fbec78c40e35acd69d0f6ada3e87019c56bbc8d10b358e1f6bbc055dd1bacd91113e9d020c653efdb09583cb8c19758109ce

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
128KB

MD5
69cc236bb24ec3b566f562fdcba92d6f

SHA1
48fdd19659da190a33c6f0eebf0d1b1a952b9675

SHA256
5e68c929e63fd72106e1f25e475761e7315a80bfb1b1deec3ef1dd5b4bc5fd6d

SHA512
10ab124ff41c4d536419f7ed8e91f8a4c6cce96f9d660d0987ae077e270359ea0b872644384039dcad709cc8151310d6746b4321cf47a448935c764cc25cb4f0

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
128KB

MD5
4abb73c4b5d49326ae91696647e302c0

SHA1
cb92d54a68378cc35b12bf1f3cac0b18e59b3228

SHA256
8aa2748116d8b330c4c9069c8f43504e5e31dbfcdcbf3a0d65694258f1ba76bf

SHA512
2179aaf1dbc7cacb5c812fe25e18230dbac1c5dddbc522effae414269f89997d58fcae9366c6559250cf6073e68e2f2ce7ed435b726efdb6f37dede1f4e41875

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
128KB

MD5
bd720b6647649ce5155bd5ac06e5728e

SHA1
7393e60b14ac956f0ec54ac2d879186079e9978d

SHA256
0f9eb73f84740a1e20c218903aa70673938fa442b3b32401248c896dfa0392f1

SHA512
be270f376d153f7eec4ba5559b16cbe7130bb98d4f131badea0bb16acd26e60aa782435734ead321885112aed8ed857f88a44bb3485d6e56b6f6cf483479e522

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
128KB

MD5
19860f715ac4a59223f85071e8a2b641

SHA1
ae5dc358afb0fd16554f34919914f7c359e3d253

SHA256
ab2c10eacdb01ccea74c3804018eef6b06508b416c43721e1cd607b778de4b81

SHA512
30a8e7b093b450679c299e66c11b52b581a3335a848b62c7563644670979d1df93293f63b6d224168124590e26dccc7672a9a9ce903cbce1f307730af32d8198

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
128KB

MD5
6a47566aae1b7c0929fe6bcc6a68d953

SHA1
e263b65b027f57abda43c2af972112eadab8dc4b

SHA256
631e2541dec6ac23efcf2f1838f4e5a07fd3488620380bc9384a89fe215461fc

SHA512
300902a785ef34677d1c7d4e62e647e5b461e3721237004af3114ea3b1b2319af3ed3a7c7dd462353d8b4e237aae99161e22b0a365b4cce1ca7acbd8768cba39

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
128KB

MD5
fac61c1877292826d57954f9acd552a0

SHA1
79bb7cbb0c843773573a800252c99ec389170ac6

SHA256
55faa8345492c34d03902f706512c1ee6f2cee592fbd2d210b08ca8a21b8cbba

SHA512
2105d307494da2ab48204eb5235ae60ad9ec1e7e32ed1e5042b747493fee19e25b33cbbb546e0d83157e34abbe125f391673360733eddca1e34b243d3618bdb1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
acb1374f54494f06d20037701b13fcfb

SHA1
7a53c973ae0c15d584a4aeb310d122163a93620a

SHA256
2d756fa9933a28c3a0811e76bd563ac7752e1e5aa7aa6413dfd4300a59e9a7f1

SHA512
4c9cc5c2ba16136a050479c0f75f1408690e44b643a8a16d68fa2dfccccfc885361604c4a18f04a0c5d5925830b1bd890f85bb2b0bf961378892af86fb11e55a

Download Submit
C:\Windows\SysWOW64\Nlbjim32.dll

Filesize
7KB

MD5
14545ec1d6931b4b87fb1469ea7beb9c

SHA1
b7898e74d7de7ae5335ca81d49011ee53dba11e5

SHA256
e8042f80d9344fff88edabfe96ab5652dbcb6ce711deb1c0d724275658fdef50

SHA512
0dc5fd6ceca5d9712e3deec4db509e47886db664acef144831be10138bf05696ced54366345db78426832b4fb187afd7bb89629e5e476fd7be8a0e3829b8d1eb

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
128KB

MD5
16433819497bfb6392afb602d7a1a212

SHA1
4776cfd321d78be037cca81d7686607c7c06c445

SHA256
b7ad0b073377413c6302822471fb806f9db5e8ae47e9035968d722519f9f83fd

SHA512
2d650961c1a60362df0ff60ae9313a9fbbbaa73aae494bd2757d72c22fb69c15d9e9fc54e3e5377b28a4823ab6eb73b5c60cdc7202f11993afcbf1dd782cc444

Download Submit
C:\Windows\SysWOW64\Pifbjn32.exe

Filesize
128KB

MD5
d5135db36265205f30ffc1731be6213c

SHA1
bb76057c4dc94d4efc18c4ee5a269b79b665f331

SHA256
63b4b10e4f1ad991636ec47d8d2bf309e66b06e92d9deb64acff6e3b12cf66e2

SHA512
a05bae07c915966dc8cba213e14cdd9c834f66525bc3b3416194c5cb0d764183c8e8d7b1c3f1a52a2d57a58ced90ccf2c00357502efc41c372ca11c35fb029b8

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
128KB

MD5
042d70d816f3f4c14f98cb110ec2bda9

SHA1
a8481261701d6497679e148c8eae72e026b37d07

SHA256
f940d09d0af5ae68de348fd9920b16053d61a7d2df1c1520ef5ef0a0628e8070

SHA512
b3e68952e062e7d12fed9f115acf0eb6b6bb357865610fb1ded2ce7d2f6721817eb8702de8b11c49a514e721815756ab348cb239455ede2b1d46392b40e92b69

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
128KB

MD5
12ca215c1ee9c99f09c134c57210de22

SHA1
150c2bedd342fbc72e2847cd78eb204f97fabd16

SHA256
b08da5913d26280a14fc3acebd6d646ebbe4f9a094995dde119bedee98f7051f

SHA512
47c21fdb7fc7d02eaa1c0dd6eec5d8209aff668e6e7e07dbd41b416281f21e021c117bc65e73157417930ea476e67569089ba7eab6900a93109a80d23a9a6989

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
128KB

MD5
c30419bca93c77fae6121688743fa73b

SHA1
8f7458975b48e8d657f4ad6eac351559ffaee0c0

SHA256
54e42bd18e6222ddf8dc605c21af174efcef00d01a53c2873d44eb77d2a6fea2

SHA512
0610cd1fee2d32a2607da088584f304a1a9be5f6e602c02c5fe5c9a2f6b9debeb3bc51d02ecf1d680f933fdc2c9c024cd6522d0d725395570a2afc8b0483383f

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
128KB

MD5
78028aaba1358281e43e494f6aa84190

SHA1
388f0c1dfc872ad8468021b510f730e2f7ee3a68

SHA256
cc2764eb21c954874512a77b8f6ed84ed9d8304630460718d7b884841cd069aa

SHA512
e019ebe3618ac578ee6d6a61432450a01a62c0a37b3db3dc3e899fe3e9036f83a9cd24bcb7a5e8c7091e13cddeba4ab08e6885b9d52dd18bfb28e1cfef519cc1

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
128KB

MD5
01b769278101632a32783d6116470161

SHA1
5e317cfb5ea4d0f5a59d4e69a6f933b7305e0d2a

SHA256
993e8dc33b509bd2022ad76edb8cee9744bbb19a14282d31edd6d1cd2ceb94e6

SHA512
f9dc6515dd11f45fdf1a06fb52d121c288eb411ef218fbcbf98b7e32de728e9886017caf7cbd5b79801c76799739b18bc6d31e77f53b1da6a90b6fd89ceddf35

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
128KB

MD5
a0860ea7d3ffec922c9bc7832e248f61

SHA1
91f7b64d32e4b59a992891c2975f614da2a275f1

SHA256
75a221f8bc6453ce12c6666fa1969e0aa94a65632299c2bee9b46e230e11d0ba

SHA512
cb2af87b3052b010b53fa3fe08730180d71b2eccf1bb86347fcdc7f385eef08b1d9ca268293cf68c57a3a468b628db20c1fc1594eff3040f95d7ded2d4c78b56

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
128KB

MD5
79107430f03573f58b1b1772c74e6a55

SHA1
db61c63183262d2e564234e13a5d3257dd50c11f

SHA256
633b2d68d24a102033c2450cb607351bf69647ddb9f6a8b93df8b8dabc5d7bb2

SHA512
620c544156908ba4ab3fab94c923ea8900b20974f1f1d4808df7eaf818c661ec4f52c165c8f2c5af0d5b49b266b2bc61da1ac559b0461100b2993bd869ea7fcd

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
128KB

MD5
f9fbd18bbfe2e5d5358fc7b816ffedd2

SHA1
128a528c3fc21ea8a46f3d7629d090f79efec800

SHA256
2dfb2ff68a9b50e262634a3fc1e836a887fb8cbc9bb57c47c97942855c3bf287

SHA512
dbc631cd12fb55391548031fef9d46ab5ee7d18e5afccececa2f790a8cfdb84b9bc2365403923a607ebe1d244d965eb7a6b2636a7d193fef3f31f28470174ea2

Download Submit
memory/236-486-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/484-406-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/596-267-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/596-271-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/756-391-0x0000000001F90000-0x0000000001FD5000-memory.dmp

Filesize
276KB

Download
memory/756-389-0x0000000001F90000-0x0000000001FD5000-memory.dmp

Filesize
276KB

Download
memory/796-380-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/796-376-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/796-370-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/872-293-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/872-303-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/872-302-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/880-456-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/948-235-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/948-239-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1036-466-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1048-250-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/1048-240-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1048-246-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/1104-190-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1104-198-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/1128-229-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/1128-218-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1128-225-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/1152-177-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1152-492-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1256-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1256-58-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download
memory/1272-411-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1272-421-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/1324-279-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download
memory/1324-275-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1572-251-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1572-261-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/1572-257-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/1656-454-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/1656-445-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1680-144-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/1680-462-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1724-292-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/1724-288-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/1724-282-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1728-314-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1728-313-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1728-304-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1740-476-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1984-455-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/1984-444-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1984-128-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1984-131-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/1996-170-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1996-162-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1996-175-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1996-482-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2120-204-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2120-217-0x0000000000310000-0x0000000000355000-memory.dmp

Filesize
276KB

Download
memory/2132-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2144-467-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2152-336-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2152-326-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2152-335-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2160-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2540-80-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2540-401-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2540-67-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2540-74-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2560-368-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2560-359-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2560-369-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2564-107-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/2564-427-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2564-95-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2584-396-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2588-348-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2588-358-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2588-357-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2672-417-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2672-89-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2740-426-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2740-433-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2740-429-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2804-65-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2824-337-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2824-347-0x00000000002E0000-0x0000000000325000-memory.dmp

Filesize
276KB

Download
memory/2824-346-0x00000000002E0000-0x0000000000325000-memory.dmp

Filesize
276KB

Download
memory/2952-13-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2952-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2952-390-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2952-18-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2960-443-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2996-439-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2996-117-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2996-109-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3024-324-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/3024-325-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/3024-319-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads