berbew | 2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Size

96KB
MD5

caa46f119e494108179c50b07e6c66d2
SHA1

e04e36b5f0d26e7ae4e7e23f9d8f2b7c750d9758
SHA256

2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700
SHA512

d3980aab18679683c98264f3e90a953dd15a0168aab0d635f0d6b081cb29eaaebb116bd9310335255fdb74de595543225f621104e7ac934d2d3c6314c565daa6
SSDEEP

1536:O4pTaa8FVPTYwdugrLZMzNnPpZL8ppCwAmKXIQLEduV9jojTIvjrH:O4pTaaMVRugrLZMz5pZwSCKLEd69jc0X

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkkfmml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neplhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bonoflae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 37 IoCs

pid	Process
2832	Ngibaj32.exe
2864	Nenobfak.exe
2844	Neplhf32.exe
2708	Ocdmaj32.exe
2568	Ocfigjlp.exe
1484	Olonpp32.exe
2052	Oegbheiq.exe
1988	Onbgmg32.exe
2504	Ogkkfmml.exe
2300	Ocalkn32.exe
2116	Pqemdbaj.exe
3004	Pgpeal32.exe
1308	Pcfefmnk.exe
2240	Pmojocel.exe
2308	Pbkbgjcc.exe
1096	Pmagdbci.exe
1656	Pbnoliap.exe
1532	Pkfceo32.exe
796	Qijdocfj.exe
2164	Qeaedd32.exe
788	Aaheie32.exe
1520	Aganeoip.exe
1776	Anlfbi32.exe
2652	Ajbggjfq.exe
2916	Afiglkle.exe
2952	Apalea32.exe
1644	Amelne32.exe
2676	Acpdko32.exe
2628	Bbdallnd.exe
904	Bhajdblk.exe
2536	Bnkbam32.exe
2580	Bonoflae.exe
2072	Behgcf32.exe
2776	Bhfcpb32.exe
3060	Cilibi32.exe
2404	Cinfhigl.exe
2144	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2876	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
2876	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
2832	Ngibaj32.exe
2832	Ngibaj32.exe
2864	Nenobfak.exe
2864	Nenobfak.exe
2844	Neplhf32.exe
2844	Neplhf32.exe
2708	Ocdmaj32.exe
2708	Ocdmaj32.exe
2568	Ocfigjlp.exe
2568	Ocfigjlp.exe
1484	Olonpp32.exe
1484	Olonpp32.exe
2052	Oegbheiq.exe
2052	Oegbheiq.exe
1988	Onbgmg32.exe
1988	Onbgmg32.exe
2504	Ogkkfmml.exe
2504	Ogkkfmml.exe
2300	Ocalkn32.exe
2300	Ocalkn32.exe
2116	Pqemdbaj.exe
2116	Pqemdbaj.exe
3004	Pgpeal32.exe
3004	Pgpeal32.exe
1308	Pcfefmnk.exe
1308	Pcfefmnk.exe
2240	Pmojocel.exe
2240	Pmojocel.exe
2308	Pbkbgjcc.exe
2308	Pbkbgjcc.exe
1096	Pmagdbci.exe
1096	Pmagdbci.exe
1656	Pbnoliap.exe
1656	Pbnoliap.exe
1532	Pkfceo32.exe
1532	Pkfceo32.exe
796	Qijdocfj.exe
796	Qijdocfj.exe
2164	Qeaedd32.exe
2164	Qeaedd32.exe
788	Aaheie32.exe
788	Aaheie32.exe
1520	Aganeoip.exe
1520	Aganeoip.exe
1776	Anlfbi32.exe
1776	Anlfbi32.exe
2652	Ajbggjfq.exe
2652	Ajbggjfq.exe
2916	Afiglkle.exe
2916	Afiglkle.exe
2952	Apalea32.exe
2952	Apalea32.exe
1644	Amelne32.exe
1644	Amelne32.exe
2676	Acpdko32.exe
2676	Acpdko32.exe
2628	Bbdallnd.exe
2628	Bbdallnd.exe
904	Bhajdblk.exe
904	Bhajdblk.exe
2536	Bnkbam32.exe
2536	Bnkbam32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pqemdbaj.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Qeaedd32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
File created	C:\Windows\SysWOW64\Hhppho32.dll	Nenobfak.exe
File created	C:\Windows\SysWOW64\Pgpeal32.exe	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Afiglkle.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Ogkkfmml.exe	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdmaj32.exe	Neplhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocfigjlp.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Lcnaga32.dll	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Kedakjgc.dll	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Aceobl32.dll	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Aganeoip.exe
File created	C:\Windows\SysWOW64\Ocfigjlp.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Oegbheiq.exe	Olonpp32.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Ocdmaj32.exe	Neplhf32.exe
File created	C:\Windows\SysWOW64\Ipfhpoda.dll	Ocfigjlp.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pcfefmnk.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Neplhf32.exe	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Neplhf32.exe	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pmagdbci.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pmagdbci.exe
File opened for modification	C:\Windows\SysWOW64\Oegbheiq.exe	Olonpp32.exe
File created	C:\Windows\SysWOW64\Pcfefmnk.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Bhajdblk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1192	2144	WerFault.exe	66

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neplhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olonpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfhpoda.dll"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgljgoi.dll"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkepk32.dll"	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceobl32.dll"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhppho32.dll"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olonpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll"	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Neplhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2832	2876	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe	30
PID 2876 wrote to memory of 2832	2876	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe	30
PID 2876 wrote to memory of 2832	2876	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe	30
PID 2876 wrote to memory of 2832	2876	2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe	30
PID 2832 wrote to memory of 2864	2832	Ngibaj32.exe	31
PID 2832 wrote to memory of 2864	2832	Ngibaj32.exe	31
PID 2832 wrote to memory of 2864	2832	Ngibaj32.exe	31
PID 2832 wrote to memory of 2864	2832	Ngibaj32.exe	31
PID 2864 wrote to memory of 2844	2864	Nenobfak.exe	32
PID 2864 wrote to memory of 2844	2864	Nenobfak.exe	32
PID 2864 wrote to memory of 2844	2864	Nenobfak.exe	32
PID 2864 wrote to memory of 2844	2864	Nenobfak.exe	32
PID 2844 wrote to memory of 2708	2844	Neplhf32.exe	33
PID 2844 wrote to memory of 2708	2844	Neplhf32.exe	33
PID 2844 wrote to memory of 2708	2844	Neplhf32.exe	33
PID 2844 wrote to memory of 2708	2844	Neplhf32.exe	33
PID 2708 wrote to memory of 2568	2708	Ocdmaj32.exe	34
PID 2708 wrote to memory of 2568	2708	Ocdmaj32.exe	34
PID 2708 wrote to memory of 2568	2708	Ocdmaj32.exe	34
PID 2708 wrote to memory of 2568	2708	Ocdmaj32.exe	34
PID 2568 wrote to memory of 1484	2568	Ocfigjlp.exe	35
PID 2568 wrote to memory of 1484	2568	Ocfigjlp.exe	35
PID 2568 wrote to memory of 1484	2568	Ocfigjlp.exe	35
PID 2568 wrote to memory of 1484	2568	Ocfigjlp.exe	35
PID 1484 wrote to memory of 2052	1484	Olonpp32.exe	36
PID 1484 wrote to memory of 2052	1484	Olonpp32.exe	36
PID 1484 wrote to memory of 2052	1484	Olonpp32.exe	36
PID 1484 wrote to memory of 2052	1484	Olonpp32.exe	36
PID 2052 wrote to memory of 1988	2052	Oegbheiq.exe	37
PID 2052 wrote to memory of 1988	2052	Oegbheiq.exe	37
PID 2052 wrote to memory of 1988	2052	Oegbheiq.exe	37
PID 2052 wrote to memory of 1988	2052	Oegbheiq.exe	37
PID 1988 wrote to memory of 2504	1988	Onbgmg32.exe	38
PID 1988 wrote to memory of 2504	1988	Onbgmg32.exe	38
PID 1988 wrote to memory of 2504	1988	Onbgmg32.exe	38
PID 1988 wrote to memory of 2504	1988	Onbgmg32.exe	38
PID 2504 wrote to memory of 2300	2504	Ogkkfmml.exe	39
PID 2504 wrote to memory of 2300	2504	Ogkkfmml.exe	39
PID 2504 wrote to memory of 2300	2504	Ogkkfmml.exe	39
PID 2504 wrote to memory of 2300	2504	Ogkkfmml.exe	39
PID 2300 wrote to memory of 2116	2300	Ocalkn32.exe	40
PID 2300 wrote to memory of 2116	2300	Ocalkn32.exe	40
PID 2300 wrote to memory of 2116	2300	Ocalkn32.exe	40
PID 2300 wrote to memory of 2116	2300	Ocalkn32.exe	40
PID 2116 wrote to memory of 3004	2116	Pqemdbaj.exe	41
PID 2116 wrote to memory of 3004	2116	Pqemdbaj.exe	41
PID 2116 wrote to memory of 3004	2116	Pqemdbaj.exe	41
PID 2116 wrote to memory of 3004	2116	Pqemdbaj.exe	41
PID 3004 wrote to memory of 1308	3004	Pgpeal32.exe	42
PID 3004 wrote to memory of 1308	3004	Pgpeal32.exe	42
PID 3004 wrote to memory of 1308	3004	Pgpeal32.exe	42
PID 3004 wrote to memory of 1308	3004	Pgpeal32.exe	42
PID 1308 wrote to memory of 2240	1308	Pcfefmnk.exe	43
PID 1308 wrote to memory of 2240	1308	Pcfefmnk.exe	43
PID 1308 wrote to memory of 2240	1308	Pcfefmnk.exe	43
PID 1308 wrote to memory of 2240	1308	Pcfefmnk.exe	43
PID 2240 wrote to memory of 2308	2240	Pmojocel.exe	44
PID 2240 wrote to memory of 2308	2240	Pmojocel.exe	44
PID 2240 wrote to memory of 2308	2240	Pmojocel.exe	44
PID 2240 wrote to memory of 2308	2240	Pmojocel.exe	44
PID 2308 wrote to memory of 1096	2308	Pbkbgjcc.exe	45
PID 2308 wrote to memory of 1096	2308	Pbkbgjcc.exe	45
PID 2308 wrote to memory of 1096	2308	Pbkbgjcc.exe	45
PID 2308 wrote to memory of 1096	2308	Pbkbgjcc.exe	45

C:\Users\Admin\AppData\Local\Temp\2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe
"C:\Users\Admin\AppData\Local\Temp\2379463a6ac4ca4000dcfb97a52899c107def7c70323439c86ea13517bf40700.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\Ngibaj32.exe
  C:\Windows\system32\Ngibaj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Nenobfak.exe
    C:\Windows\system32\Nenobfak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Neplhf32.exe
      C:\Windows\system32\Neplhf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Olonpp32.exe
        
        C:\Windows\system32\Olonpp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 140
        39⤵
        Program crash
        
        PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
96KB

MD5
0885df29404ad55cd697e62946794d1d

SHA1
3a9f1f109c5735ca170c460d5b564926999d31fa

SHA256
8073d7aa4046848c031e9ee23aadb723f5baf07743a9db4ece22b71ede5d3006

SHA512
fb2126536adc9c239cf254d8773b80c2cab1620326ce172d3842d213ca74560fea67a33762dae4b5c100462e647492ce97b03a26dacc46079149c88141fd84e0

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
96KB

MD5
89afbffd10d42a3a251adabc2134c1f9

SHA1
eddeec55b5fd1eb815b8025e93873ff96017cdb9

SHA256
029fd8084e4b92e2d1b1f505a9e8340f6ccb7de7f3d2a3a12ef765905dfc22d9

SHA512
307695a8af8c911eab8544de430114349dc87377a66010d8ee32551c2b9e9ca2129075327a64f55263cad53716ffb1eba63cc8c6419a622ffd4e5a5c2fdf37eb

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
96KB

MD5
ad27abe384e8a053f24c31084aaba794

SHA1
25ae12b083b705060debfef072c61ad14291fe72

SHA256
3e8942dc0af375df953e64e3c62f9d41a6eac5a45e392a997247db09826632d5

SHA512
017a7b3e79bf2f638f31eb9f3c8e7f5ff18bc27d1e5686921673ba6822ab11dfad6e237e0a3f43855c60b1bd9dddae748e3494d1660167e68a2259a4723fb0c1

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
96KB

MD5
ee0b68fb4212e3db34d56e22a1f9767a

SHA1
6f02089426fef6b8b37a70501935162d29749f35

SHA256
489dea7ccbb7b99925c989a30e7c91944070d76ddf918e9da0ab563501694c14

SHA512
0e249fabddf20f287fa5745606ebebcfe4305ba8531fd012be0a08f59c3c8b011611db0f9481f53947c79e1877d0f880b9f1ca2b6304469232fd9322083dd178

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
96KB

MD5
7c52570511d534aa6c3954f4c58e78bc

SHA1
14d985b73c8262404c30824edaf5397acb6efa63

SHA256
6ef94cf342631b523c2a150fd92101ea75bf5b2cab3ecbe98932ebe82014f95d

SHA512
4454947bb1b0cc9cfa9d252269d3426b92987c1a0db927b875283a880dd12750b715be1e967eeeed9530337aa161feb9cdf9a289efe8f762754e747a489484a7

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
96KB

MD5
1e97ef8a8c573e0bcea9c09e3c90a978

SHA1
0bf04f487339b1d8f29df3e1aa9cd7375d1065a2

SHA256
e8b4f392f066dfaae330d056f1e5ce9b90290f30265d16f14cc310f6e390bfca

SHA512
d37b6e7a3c09fdedcc8f3436daa9e4532280d94829532d3a274b8db49e07ec915f14c08d28d32ee348a6993b651694357c82b2bf26f21aa36dd7967d947b38b5

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
96KB

MD5
3ce3f9e4a7bcbd6b0303233862cbf5ec

SHA1
86b5f988ea86b0c4554ecfd8abaeb5f93cb30c26

SHA256
b58fae475dfd155bf649fd8ebbd4fcb4d4e53e651b1161666815cdbe3a52862a

SHA512
f38ab77357ec6203212b02a0eb10fb3c32860b1d1a73c557229bf76796d33d3e42e71b725034e102ea9ba604701edf6e26488aa3894e0a1d46e7cd2a13841206

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
96KB

MD5
dfa2f2da60c1669d3900fdd323738af8

SHA1
37b3251e291ef4270ac4c94665fdb9f4574a5f87

SHA256
7a72c9cb719d1eec98f30cc24836f5ad8b5bec1aaf0b2643e4c8fd871ebe34c7

SHA512
64b37f3b31f26fe01070d42f275059bcb71f90e086beb9cf38828d21cd6f34451f67a5a91821e86636ea82d80bf94e854564e037b9f8fcbd9813fe3e067e00ed

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
96KB

MD5
3094a280f15dde4e164a5a12525a3083

SHA1
23440be7420b4a49216a7f6a4b206c260fc945bf

SHA256
dda6f57f8380eee37b3905eb093dae95c64f2c6bd2f4d4c21b9bb5d2a38bcb5f

SHA512
0485737a1522d868ae6321efc4971b5f76dd40cf779168f484833fa5968ba246ca79dd68d32f94bd81fdac0e6604083e55d44849bb3de4d0536ec63593159ebf

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
96KB

MD5
5e0fc3216bd87abbc4985eeea63c916d

SHA1
57aa059525b9ce8000dfed11488b6dfc054a3e60

SHA256
5d2b2aec04a694a0ba0e6addc8022cb7edad42662128686d8de828fefd0c8975

SHA512
ac12e982796f34dcb5183a898bc7261d11a6b2bbf82ea94f99b76d24c87d8103e6f2bde768b875519e17c67083bab108c730361bb4594da0ed042d247c205902

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
96KB

MD5
4c0b21b2961c55189c5f914f9d3413c7

SHA1
359e5dd92e3955a83b58fecd1e49e36839dc5bd7

SHA256
cada22ef8e9908e308e6e839f9d427ff0a5f416d94cfc93c9da75d8f91ce3245

SHA512
71e1a113baf680354adc8ae57a266143a6c9e2e1edf1f67151e320234af3a64490b221f0a48cdbdaa3ffdd8ae2d8c333deaf8777e5da9acffbf3d95effc88fb8

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
96KB

MD5
cccabd0a1800c17e97efc5000dbcad11

SHA1
eff0390f2b784b762134d3b427eefa964b5e4230

SHA256
8b6ebe845fb3833a9454e3decfd6112fb605f0e3b8b06a4a856a299839409e78

SHA512
5c385cad0e664311cc4d572dd539a9a5023baec598b87c73d786e67a695be71837592f35007702c6a36e051ae4dce205eef1aac54fb80656dd2944296d2af674

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
96KB

MD5
4584f6a528028515f62b7234ae92079d

SHA1
d6393bfa2290c476492cd1bca5a168e7ffb98040

SHA256
36a33bd906a12739131bb8e15d0f7e2420e605e4eacdaa3ff96255c2ff6ad4b2

SHA512
3b69e998373a85ee22c27a46e43faa1dc12220ac83cc64b344030c893486073534f4aca014e73e70702401324b768623b3030b7ac44422a0aaffe421702baf07

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
96KB

MD5
7c9522ad561486d422012f933f496bc4

SHA1
4ec7564d2d72a388dfb0ae3b64e9c8a14a7047ce

SHA256
b06d5c9a7809a754f714a8abd4b309d32b439aa6104bbf749eb1b6330e44e8c9

SHA512
5a9e5dd77ff14a188bf50906f8305d13383f55ce0a2472a27bbeaddd5ec781c92661c0e9b546b17f2deb87be4711e05628071deb72bc99d3f0510621973b28bc

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
96KB

MD5
f34464ebc378d54be34af736530424e9

SHA1
0bfe61b26b691918710d8b8578e089c12d93e011

SHA256
05c735b37d5d096154ea439c78a837e1a93264c9d4d6e379a482490242570ec5

SHA512
eac067591c54fca3024fe643f676bdd327434b8c07293514ea79c123eb13ed607b031c397dec2bd22628c572b44dfe9fd61a61fda505abba07c9b505c13d4ae5

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
96KB

MD5
90ad219cac85cd099c6f96356e336d7f

SHA1
df5718ecc1e882ed27a7880a03f91cee27432b00

SHA256
af45e073e2fca960b382e18f1d61d9d086bc910a86a75e9069a060456b3cc74b

SHA512
08d40dafc7b59984aa3df3a7d7160fdd4dca1bfe224f9e8eacaa12b80858401efe3836b488c0ea8018b92cd8e46842433c8e90200728549f4b058d7b590d905b

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
96KB

MD5
d31032fde3c276ccc6c33b75f2b5f39b

SHA1
04790c82039b5341be4aab202c37ce57a1cd09f2

SHA256
24ff4d3158f3deda7410c752118ceda5a9f8004b8ab6a0475d3e59ebfcb779bb

SHA512
25461979aeeb1ca64de2121a15169397e12190431913e58c1fa4d851b7baf96166a90c1eaa0a26bfe686292827b2ef0768fd6f6d59143d9505b89965f3ac1efb

Download Submit
C:\Windows\SysWOW64\Lcnaga32.dll

Filesize
7KB

MD5
b8db4e7201ada544b5d8c3de225a3eba

SHA1
0f961bb94cea4836fedb331b26a98a4665a4da3f

SHA256
bcb91849a17b8949a6b5a75f727714f7e88e2e5687bc45b3be42081b09d6ded1

SHA512
88411364afc6c6654b8e1ec21f5acfcee893eae08193305955c9adaa9d7139fe17948523a6cb3073112706e7b549520fb0102a65930c64e916dcd24457b4d438

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
96KB

MD5
d52edc1798221e386eb1ea9ee5440382

SHA1
ad2ae0def43b7986787c7524ff8b670603372fbb

SHA256
fbfb51aa813f0ab14dc291bc1e296292c43ba6718fb6395a40be27403cbc92f0

SHA512
4cfd1417763667c2fe8da360eb4a9e30ea3b046d9b05d9fc039a0fe53c5da147acfdc7dd196224da37f6072538ded99fa02439f7c35203c58724376cd40bf01b

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
96KB

MD5
8d44953e4247185bb30c57bf7f18ec75

SHA1
6bfdb100ef4b37a51cee92e37ab7aa314248ae4d

SHA256
a5d5f30dc48b418fdb6abcc6a5c57e00c78a8c77264bdbfc36e0449b68d3de69

SHA512
02cee668f3c98387909b5fe1cef1cd3903c52cdb6d6ed8fb2fadd9095d669bdb984cf061c85900cc531f7fcc0425a5b368d241259f5490a57beb350721a32756

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
96KB

MD5
e1d5b00ad98755d026d8153ae6f98f18

SHA1
ab26d62d9e4e56171c8b577cf04cae916191df53

SHA256
292fbf4512b6581cf5cd29388012241bcade4a04d255dfa4ead2e8d7a0d91e62

SHA512
4a13278b2e72d22b3129ebde7473f942ae3c80c6b71a9b3b86f9c1d75012a54b91d8a92152a1b7a8f071b0506ad5835324e6474aeb48163ae3b125551c0e4a42

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
96KB

MD5
c553bbe0eb38a9b65853f2bf1ee137e8

SHA1
e946679a4c6da594994cc3e63de14de4c35feb58

SHA256
d2360641eb1bf349fc2fb2c3c5802cadf8e21d7ace63dc39d47df3ff37d48190

SHA512
937f612d1431cec32632ef10c1269163cf280943f3d6c61994f466302d98325e3ecb75c814795f96c1662634ee405e9bc381fbdfee55d8cf24aaa8cf5992926f

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
96KB

MD5
6dff5eddd94a329f95fd2b514d789c5b

SHA1
bc47ac07fc0f76e098d2d5e50908b736577c2723

SHA256
dc8a9f9ce2a7eb11f4784cf383aed73c88e4c69dae6c38b4bf361af45193d91e

SHA512
b12cc77b96e945e1329724e2978797cf8fcdcfc0c4e7b7d88c5b310fc78c95be5f4299f96924bb824017384a36d2473607562b823d8e17b6005f4323b2033dc1

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
96KB

MD5
43984a703aaa96be657c7c8ec8f152ac

SHA1
771f9e53286681c9950b1ee3a16ce5c21caf70a6

SHA256
0521f65ef95ffae5a5b50762eb59dc43c8255cac94f1579823d554a80545aff3

SHA512
1b95ab1b58a37ffa5b32f81274f30f74eec6e1c51acff516645cf61851b3fd4144daa61ec84f20c807ff9897bf431be7483801af4677768e94a8c4f93a398fab

Download Submit
\Windows\SysWOW64\Neplhf32.exe

Filesize
96KB

MD5
bf562b05cb88555d9b1222ef2e4c4ade

SHA1
69ec540836bd8a67f24bb287d0a544fb36c8a03c

SHA256
122cb030542d0504308bb0907cbd08c5b7cce347c12cb739a25d29f6e0173afd

SHA512
4ca5ed610cccd57a5d2228ab0f8f6843caf7ebc31624fe566042b3e1d17c735d67a24043d8337e1103333e55e2341fc2956b608b239db9ec22d2d677a0423332

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
96KB

MD5
4ba4df5afe23ee7c848768b1fd55f02e

SHA1
0f8edc555b9e1fd26bfcc457ce123570dd1b97d8

SHA256
52c914632632d675e9298cda2ae3723600f311b5b8c784900d47d49ab3d2d6b1

SHA512
fd2f6e7fe0c6e0b74acaddd510c18e85632634e66969cf165615818033306e77d95817b03b934645e2d012733fca6de9e12eadc5ebb514275574f9e9704df947

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
96KB

MD5
9552acc963596393bcdbd42cabd066f4

SHA1
4a398d45faea342aa117a0a01d4c09119af04887

SHA256
dd48be2fe16607314c4cf69b0b5d0da4e233c6b5611dbd0c5e18887edf3a145b

SHA512
b1a597aa021fb2b96a227fcf8fa9b7687e071e40cb7c0d6c3a9a13644037d9206c80df3ddb085a6d8bc31d8cdf0539230dc539e70af444181baf907d967b45f3

Download Submit
\Windows\SysWOW64\Ocdmaj32.exe

Filesize
96KB

MD5
14f510768f507e15180647b0ee39bde3

SHA1
b119caccf37f0eb44d910c52f8114944fce7190b

SHA256
6a7fe2d1533706d0d9b0c45bff15c6ed58fd44eed34dc51e08607eda093823b2

SHA512
f4c4a5cd0031d0dba4c7e4b81ea7643f33068ea2ddb83528af8bc92f6658f0b5383adff97d593c3626a75f1bd65e199e471b98a3bf66af7474a047d5e4c84e1d

Download Submit
\Windows\SysWOW64\Ocfigjlp.exe

Filesize
96KB

MD5
f9e40ff7a9e732a89c736a3f1a7d51d5

SHA1
1f4bed43439d300c8fbae7fcc328f3d11e9f62a3

SHA256
875591c68258f60d5d5626ae74f9761daeaac4b63f0972322f6ba743922de680

SHA512
6c7b899b4ac8847d9033bac6ff68388375122e22c8f96a94e5ad368868f4b074f2071e1418abbb45df10d08ee759551661a81ec5674e83a26aab8ae0902998b5

Download Submit
\Windows\SysWOW64\Oegbheiq.exe

Filesize
96KB

MD5
dcd67828842caeadb3efeaa95dabb084

SHA1
ff3b32bdd2259484b9cc2cc37e6aca08c7144f9d

SHA256
5729fa0f768483317f692934b52c963ffbc7e383b6d529a76531ed2a6b4fd8be

SHA512
8ff7337bbd9dd89035115c64ef9b404a10d2570ac319da93c54b11caba05c021281b831e135d62a0f4060d00dc5691d9db7c181771412f3d902a817710b610eb

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
96KB

MD5
51b6040c134328ba40e55e85139c09c0

SHA1
6ba7324dc7ee11054162855611ea7563333dbec2

SHA256
903c705c6608982cd2e1c9ab8d7018fe9c70a5ce1e39a108e6a23b98862176af

SHA512
d30114c76ae34151b2f08b4e9d3705b61a7551555ef02b44ec0ed57d1c06c324eeb5f4083a0da460ead6caeabcf13acf4bbfd61e26ee163297b06e378a3794ca

Download Submit
\Windows\SysWOW64\Olonpp32.exe

Filesize
96KB

MD5
f036c421f4881c15d7816cbe93425a7e

SHA1
3b88b7fded0a63e221365360591cd35b9a37027c

SHA256
0839a3213d98b6c10a87a40a34790b1792693f55ef01c35edd5435d4a69438d1

SHA512
d0b10e6b0983e61c2d37735376f6574e53eed4a43055f5e89962b663ca641701a9f4671dd0b742cb6c21ad5cd22f32f3cce5a4e7866d3e854d51ca75f8645824

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
96KB

MD5
789fd684ecb735c5c205cde56f1e7697

SHA1
1a56a9ee90551b273b0d9490187dd0e8f8c82f25

SHA256
08edc13cbc107b914f1ba9bd2e6ca22bf98547788124971e9e3eb0e12bb471ed

SHA512
78999142d12f4228c3baffb9505fc5ab30626091612de9187ebcc2d669d8f6e288df3272c5823baaea734035456e876f0b60fc26bb7db796373bc69959febc90

Download Submit
\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
96KB

MD5
c35b7f864dcb3ed99789f7ee32074ae3

SHA1
4a8ca8ce03f8c286a118e33fe34ae57c45349040

SHA256
06f01cacce980c4934e1eff56016bad304423d9302ae26b324fcb665c77bf4a9

SHA512
bf9236dd4fd8140ba4b4b14388a494445a4cee5db7448b083ac29c0b2ec05ffc3e25985adae5a310e154f47e3ee8ca7265987f36a88c69c496b2c2695aca215c

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
96KB

MD5
0258eab133eef63e6345fd460713894c

SHA1
be19e5d7f61d9d11291e44f10ff37d9f7d3a45d6

SHA256
af9c1ae711d8197e8a7c5b2f14f359bc3fe051b900876668085bbd38a8d4c079

SHA512
cf2b6376620ff36a134901809d81731e1a8e8c7c1d2d1b69ec91151205910d9160e907ab740c6e85667764528c630c3cbae24f0e9a4b30e73a67f31a9350a320

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
96KB

MD5
3833724500f3905c52fbcb81ebd622af

SHA1
6748e2c934623876cbc39c2c920517d235fed15e

SHA256
69e102f6d19e800977a08fe42ae7f649b8b5fcea9a49f61101125cca81238e37

SHA512
be32d5e36667d2f383fcf98f8dd63ae0334ffe98ede77ee6048539873ba51a95b6c5471e587a8f0b21535e93ea5159d40a6f8bd1dbbd81485e56d9e7a95c7bad

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
96KB

MD5
39f18dc1d0ca7349333fe7996412ec3d

SHA1
563f1a5f04261592d9703f263eb553f37cc7aa9b

SHA256
19ec09c829a1f139c471de5e88dc312caa0cc07328b76f7fbf2f63a555e3f28c

SHA512
d2e9cd32730c4d216ae5177e11a8951d80e505924a5fbc1e30399df76d7863ebe6701b55f638e69ef66cc51d4bce9b65c60b450e593427d2e236b9d223cb2ee5

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
96KB

MD5
ca67ae030a2de309b4e4a485783ca6e7

SHA1
f22641f3dac51a2969ffd09f08a09d307d821e0e

SHA256
518464eb0ba77d5df74818d7fcb6eee76c8c0f3710cb1868d7d3d7eb7f36b3b2

SHA512
dc5b778d67ff9cae6ec460ab701cce4d536df1c926a17752da6c855f8e7e79c94dd277bd041ddb2e9d0360391cd7540375af0312953b32099f889fcf2e19e0fe

Download Submit
memory/788-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-275-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/788-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/788-276-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/796-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/796-254-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/796-253-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/904-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/904-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1096-222-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1096-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1484-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1484-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1484-88-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1520-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-286-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1520-287-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1532-239-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/1532-234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-342-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1644-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-341-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1656-233-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/1656-232-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/1656-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-297-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1776-298-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1776-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-115-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1988-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2052-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-408-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/2072-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2144-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2164-264-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2164-265-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2164-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2308-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-391-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2536-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-445-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-396-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2628-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2628-365-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2628-364-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2628-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-309-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2652-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-308-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2676-354-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2676-353-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2676-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-62-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2708-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-415-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2708-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-420-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2832-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-20-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2844-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-51-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2844-52-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2864-34-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2864-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-6-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2876-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-320-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/2916-319-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/2916-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-331-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2952-330-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2952-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-172-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/3004-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-431-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads