berbew | f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992af

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Size

74KB
MD5

68eb4977d1c513a99808770db82badd0
SHA1

f2260b2c3511de1bd41aa09327c8501e52fe2c2f
SHA256

f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992af
SHA512

d53a7e3831549b40a40a66e691f65df3630942d67c6db7180724c0fedaf75d9091172fd9fa8d4eba37657fab11e1df7db7bc2f3d193433c9f78dc63df07eb9da
SSDEEP

1536:gb63vMrFYTpKNum4rB718sykrajMrBXXM9b5/sgi:gb63vwFY1Sum4rR18vFM58hi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1712	Ndhmhh32.exe
2584	Nggjdc32.exe
5036	Nfjjppmm.exe
2336	Odkjng32.exe
4248	Ogifjcdp.exe
932	Oflgep32.exe
3964	Olfobjbg.exe
3532	Ocpgod32.exe
2488	Ofnckp32.exe
3304	Oneklm32.exe
5100	Odocigqg.exe
2432	Ognpebpj.exe
636	Ojllan32.exe
4596	Olkhmi32.exe
968	Ocdqjceo.exe
2524	Oddmdf32.exe
3568	Ojaelm32.exe
4136	Pqknig32.exe
4128	Pgefeajb.exe
4468	Pnonbk32.exe
1772	Pqmjog32.exe
4284	Pclgkb32.exe
544	Pnakhkol.exe
1824	Pqpgdfnp.exe
4908	Pdkcde32.exe
5056	Pflplnlg.exe
4996	Pqbdjfln.exe
2592	Pgllfp32.exe
4824	Pjjhbl32.exe
1268	Pcbmka32.exe
3752	Pfaigm32.exe
2936	Qmkadgpo.exe
2476	Qdbiedpa.exe
1056	Qfcfml32.exe
1868	Qqijje32.exe
3092	Qgcbgo32.exe
952	Ajanck32.exe
3288	Ampkof32.exe
4200	Adgbpc32.exe
3056	Afhohlbj.exe
4340	Anogiicl.exe
2092	Aqncedbp.exe
3088	Aclpap32.exe
4924	Ajfhnjhq.exe
1224	Amddjegd.exe
2024	Aqppkd32.exe
5076	Acnlgp32.exe
1344	Ajhddjfn.exe
1668	Amgapeea.exe
4916	Aeniabfd.exe
832	Afoeiklb.exe
4220	Anfmjhmd.exe
1900	Aepefb32.exe
2880	Accfbokl.exe
1672	Bjmnoi32.exe
3008	Bnhjohkb.exe
2500	Bebblb32.exe
2884	Bganhm32.exe
2372	Bjokdipf.exe
2468	Bmngqdpj.exe
2136	Bjagjhnc.exe
3036	Bmpcfdmg.exe
4904	Bgehcmmm.exe
980	Bjddphlq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	224	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1712	1448	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe	82
PID 1448 wrote to memory of 1712	1448	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe	82
PID 1448 wrote to memory of 1712	1448	f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe	82
PID 1712 wrote to memory of 2584	1712	Ndhmhh32.exe	83
PID 1712 wrote to memory of 2584	1712	Ndhmhh32.exe	83
PID 1712 wrote to memory of 2584	1712	Ndhmhh32.exe	83
PID 2584 wrote to memory of 5036	2584	Nggjdc32.exe	84
PID 2584 wrote to memory of 5036	2584	Nggjdc32.exe	84
PID 2584 wrote to memory of 5036	2584	Nggjdc32.exe	84
PID 5036 wrote to memory of 2336	5036	Nfjjppmm.exe	85
PID 5036 wrote to memory of 2336	5036	Nfjjppmm.exe	85
PID 5036 wrote to memory of 2336	5036	Nfjjppmm.exe	85
PID 2336 wrote to memory of 4248	2336	Odkjng32.exe	86
PID 2336 wrote to memory of 4248	2336	Odkjng32.exe	86
PID 2336 wrote to memory of 4248	2336	Odkjng32.exe	86
PID 4248 wrote to memory of 932	4248	Ogifjcdp.exe	87
PID 4248 wrote to memory of 932	4248	Ogifjcdp.exe	87
PID 4248 wrote to memory of 932	4248	Ogifjcdp.exe	87
PID 932 wrote to memory of 3964	932	Oflgep32.exe	88
PID 932 wrote to memory of 3964	932	Oflgep32.exe	88
PID 932 wrote to memory of 3964	932	Oflgep32.exe	88
PID 3964 wrote to memory of 3532	3964	Olfobjbg.exe	89
PID 3964 wrote to memory of 3532	3964	Olfobjbg.exe	89
PID 3964 wrote to memory of 3532	3964	Olfobjbg.exe	89
PID 3532 wrote to memory of 2488	3532	Ocpgod32.exe	90
PID 3532 wrote to memory of 2488	3532	Ocpgod32.exe	90
PID 3532 wrote to memory of 2488	3532	Ocpgod32.exe	90
PID 2488 wrote to memory of 3304	2488	Ofnckp32.exe	91
PID 2488 wrote to memory of 3304	2488	Ofnckp32.exe	91
PID 2488 wrote to memory of 3304	2488	Ofnckp32.exe	91
PID 3304 wrote to memory of 5100	3304	Oneklm32.exe	92
PID 3304 wrote to memory of 5100	3304	Oneklm32.exe	92
PID 3304 wrote to memory of 5100	3304	Oneklm32.exe	92
PID 5100 wrote to memory of 2432	5100	Odocigqg.exe	93
PID 5100 wrote to memory of 2432	5100	Odocigqg.exe	93
PID 5100 wrote to memory of 2432	5100	Odocigqg.exe	93
PID 2432 wrote to memory of 636	2432	Ognpebpj.exe	94
PID 2432 wrote to memory of 636	2432	Ognpebpj.exe	94
PID 2432 wrote to memory of 636	2432	Ognpebpj.exe	94
PID 636 wrote to memory of 4596	636	Ojllan32.exe	95
PID 636 wrote to memory of 4596	636	Ojllan32.exe	95
PID 636 wrote to memory of 4596	636	Ojllan32.exe	95
PID 4596 wrote to memory of 968	4596	Olkhmi32.exe	96
PID 4596 wrote to memory of 968	4596	Olkhmi32.exe	96
PID 4596 wrote to memory of 968	4596	Olkhmi32.exe	96
PID 968 wrote to memory of 2524	968	Ocdqjceo.exe	97
PID 968 wrote to memory of 2524	968	Ocdqjceo.exe	97
PID 968 wrote to memory of 2524	968	Ocdqjceo.exe	97
PID 2524 wrote to memory of 3568	2524	Oddmdf32.exe	98
PID 2524 wrote to memory of 3568	2524	Oddmdf32.exe	98
PID 2524 wrote to memory of 3568	2524	Oddmdf32.exe	98
PID 3568 wrote to memory of 4136	3568	Ojaelm32.exe	99
PID 3568 wrote to memory of 4136	3568	Ojaelm32.exe	99
PID 3568 wrote to memory of 4136	3568	Ojaelm32.exe	99
PID 4136 wrote to memory of 4128	4136	Pqknig32.exe	100
PID 4136 wrote to memory of 4128	4136	Pqknig32.exe	100
PID 4136 wrote to memory of 4128	4136	Pqknig32.exe	100
PID 4128 wrote to memory of 4468	4128	Pgefeajb.exe	101
PID 4128 wrote to memory of 4468	4128	Pgefeajb.exe	101
PID 4128 wrote to memory of 4468	4128	Pgefeajb.exe	101
PID 4468 wrote to memory of 1772	4468	Pnonbk32.exe	102
PID 4468 wrote to memory of 1772	4468	Pnonbk32.exe	102
PID 4468 wrote to memory of 1772	4468	Pnonbk32.exe	102
PID 1772 wrote to memory of 4284	1772	Pqmjog32.exe	103

C:\Users\Admin\AppData\Local\Temp\f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe
"C:\Users\Admin\AppData\Local\Temp\f61cfb4b216066ced28b2b37d5315346be117a3728f7f32415ff2743bd3992afN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\Ndhmhh32.exe
  C:\Windows\system32\Ndhmhh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\Nggjdc32.exe
    C:\Windows\system32\Nggjdc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\Nfjjppmm.exe
      C:\Windows\system32\Nfjjppmm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        73⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1580
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        83⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        84⤵
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        85⤵
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        91⤵
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 420
        103⤵
        Program crash
        
        PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 224 -ip 224
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
74KB

MD5
4935d5895fb9531f2e48acc4ed444c91

SHA1
ec394001c86479e305f5f5ac28fc0120806567e3

SHA256
25d3ac43426dcffb6cf3c972b6f91afb3495dd119225a078063bf68542cc2fe2

SHA512
47fd9eb172f755f0ef7bbe63e480f52bf7217fa78a4879ceea3ab28ebf2caa3cee88c38063759f4da5d3ef4cca4db5515220252915dcdc974dad71e3caf417a3

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
74KB

MD5
9dbce5234ec9f6af22c37839deda6c5f

SHA1
6471d1f308a79fb932e1530974c1c350777e09f4

SHA256
2e74e35d738d3ea5ad6de9feab1db6bc97c859b36a1eaefa02a646934f290a60

SHA512
7101fcb8ebe0f1ed48336d6fbb3e9a693112e4e033f8aee1f67b406934f5737f0f907120c93746dca3a1c41fc81b88a9d5f8985bda3435e2513d643c1f214580

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
74KB

MD5
57ac3ef336e1ea099f8436528d9e4180

SHA1
75afb688ae450ac79851dbd618ec8f0f35108bad

SHA256
03bd460d48ba326a40d57eb1ec84ece491ab7bd1f5538ddd2e63d19f435a11af

SHA512
7b3ff259c354e2d82962a2200c1cdf1376bdb3f8cdf06b71ee0fe7482cf7c6dceaf947d6a429c27751f067f3da8d74bae1e442ee79e72ebb8239a46a87ba91d1

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
74KB

MD5
99a28cde4701783759299327a00a622a

SHA1
d05a14c60dc0f0b5ad0ddc91fdf051b7e7681f45

SHA256
884d8fb4f5b62c3432a0e5787810f4f487d21252fb98a3a41314350dc66ad139

SHA512
f607301a3fe4685997728dd6e29165553dc0350ad5e01702588d3a3140688c745cec218a9f110d61489a7101ca42569f2282792d835cb3be7cc1b5d748d386c3

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
74KB

MD5
756e8ef7c96500e192f5a7b980441e04

SHA1
627b3d3a6a3f29ec8ac75254b197dcfc1ede62db

SHA256
74bcc7a63f13294630f096ec5b3f268a91ff9c55e023c4ba58b4bcba4cf84d5e

SHA512
28b19ed934a0f4e9495aa76556a689266e643c9830c0551595cd14f1db3f9495dd6f223b032c64f29778faf57029066bda65ab874f75bfd08a80696c2b16aa2d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
74KB

MD5
50f0af504f45e399e8ab05e974025920

SHA1
7da32204ea7befb64a34cd315f053ab1c9b115c0

SHA256
938b750342c4d20452cb30d22f1876b81e5c891d8a72ef40e0df82b4032433ff

SHA512
145acfb7916968fca9bf1d18d094296096964c3185c87aa6c157e1ade464739d8fc7d99cc623e962235b3872b0a9fbdcdc4e7b48f2d996fbd2ac59c46de61dd2

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
74KB

MD5
fef8691455000b8b9c8fa51f3fa2a6e6

SHA1
0bf15fc3cfee3580c3a9d23b5436e0f19b6f1f70

SHA256
26be16327eaa9eb59deeafd922b4f07f269478af9dae60c5d8a31d0de276b252

SHA512
821821c2315b5c892ecd3751d33c766cb0b0c71545fe830124b56638dcd0a00b2fac63df7fbbd4d5888332b05db5f4fd2b98c4e8d1df65b5ed48d49e4b7e412c

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
74KB

MD5
02bc62d5b14b87645f5dc5412a42c8f0

SHA1
a6f49523bd0a98951151cc8c514cffa5ad48a5cb

SHA256
6e07491b0de860bc27ae1027390821b79d7777aa32fedf0903b99fce19bb3b45

SHA512
7c5db5f273f299c292294dbcf42e05720c841cfd7e28e2e6c9ba35bc762326c04d8a91b295755ac716d08b4deafabeac00e614987fc17ed17636040240679352

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
74KB

MD5
964ba00832cb4fab400b898e79a1a82d

SHA1
9e90c0fa96c43cf1add697a54822fb1e618bf921

SHA256
7fce0a06934788a8291146b1f1dbed320644f4d379edf6296262f7cbf3539345

SHA512
d9730412cbe9ce1f6ce127dafc2a786a1cace3c3a15a04e67e4005a2885f88e87cf83152a58452d66dcfc4df0c1510b523d4973bd73946b3e18febc7a659be1a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
74KB

MD5
f4a11cff525ec6292f1e357d033ceae3

SHA1
123df3ac124ba3bb0f76b8003441ca1da6fdc87a

SHA256
e8f70b89ab1c3bdb84fcdfca288991ceda95d9d42ba8d04e034643649cde56b4

SHA512
8fc6e659256c566a595d07a25c639990fc75426e07a2dbc9b738017f62e2297a892cc78ae30007a3206129d00723e0f445116484824afa3c39b7abc67a601211

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
74KB

MD5
2e006b6b9c8fb6d977949c335436184c

SHA1
d61472ce6a3150a8124dde0088b8e795b8f418f4

SHA256
1bc7cbec590bb628de898bb350b7bae65a21e26ce100b390f31990583f5e1758

SHA512
3540a5b917b16029a63c54870c17552b799134fc1c66de2885642c52da867712af557bf3846be68d40d4993773bb0f0d030e17f206c0a33f73a3b89fa9bbc699

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
74KB

MD5
bff1a832b00da4c066f3981dcf096022

SHA1
556da0eb0d0a5d819d72b395907bdf4fa02cea41

SHA256
bc0685b26a47c8bfbfe1fba3daeefcbeeb7f03ed3f657d50b2141d21f41b5111

SHA512
4e15c3cfb51418003fa2ec72e52be850520020dce9162a2160424bc81df748bbf170f8ece0bea9d8204b2ea7d07bf9a21d79a071fe028861c4307b9f029ca382

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
74KB

MD5
1f368053d6aa32079d78998bde57f1bc

SHA1
0aca535e0046e2f4682a562a2d0815c35c03c3c8

SHA256
6758f3262e0da33d9ec80e29adc271de6b5ea975c62a9cf6b35a0719b604db5f

SHA512
c1bc8ce7b83de4bd4c580008a8bdf82f10c3fc2484dca3649c4bc369bef728d72ab91d11eff1b22b09f9af4db31dbc308069d967d4309403522129506e2919f8

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
74KB

MD5
8ab01c05456a5ec36cdb363b03f3ecbd

SHA1
07974d17e02357ab4506a229fffbac9a735783a8

SHA256
6038788445a750c62c042b1788dc03308f7ce7da1ceccf07af85b8ec3a0f75a5

SHA512
730f5bf926137b11bb43f1f410ca7f346ebb718cd1bebeab5898f9524574e0f36bd5a8db17651c6137843b2da769782d0694f8e55480cbdd09e1342c5400e4fe

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
74KB

MD5
92391992382640162708ec34cdb7a52b

SHA1
f2555019f320642a205e2d37dd68d022f730be3f

SHA256
8368018ed5aeaf7c130b42ea844b5a53f290e69a68ffc15fe2b86de89f148410

SHA512
9e8e253ea4b9bc80c236e934bb0c23ca3c2894e877ff324e87d9a7b2720b1b6b31244d12e46169c65463c96f3a7716126667e02d0bffc9aabc30b4109e055dc6

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
74KB

MD5
99728141689e8a48c09b36813405a933

SHA1
c5388258c721a7f0b087a5b1620881e08798ffed

SHA256
98fe1830a918524fd4c34e5f1c99c717dcda732c8d3a6c4342b4eb4836485402

SHA512
e7b69adff5a04e2e2337a3e3337b958ea4dbfa7e2a59c72b21c0767ef5ce6c69ee3550d4024e302f098d4046e56c77928fee92a826b00b741d6ea566025c7839

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
74KB

MD5
b51c8d186cc5be333dfa57679ab3f28d

SHA1
4cffd63c73969cf5e832c550f7af14e0ec122ad7

SHA256
fe9984bb03fde389694264200cccd6dfc180fcdcb3b9b91f64b9d270defe92e7

SHA512
75f5bf318c3d3c144ad45ce40ff75d0bb044700ae30850efda348822197542d8d8d50e48508cb91a71abe9f4573b04ad4ef7568fd062fc21aa49476db2f623aa

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
74KB

MD5
cb909d8a70e210d4a7e5939f1bb54f8d

SHA1
f71455faa3eeea0827c3ebccb86e121ff157f8eb

SHA256
e0927a98fc1ec55d2aa7a72440ffa5a718ca2d2c8c1ac5dd30a5d59c13c1266a

SHA512
6a9a0a39e884e0399d267ac64f71152dde66d680d6ef6ec141171962c5fa0a1984ce0e1d3a072c8089e69461c2fa17d695a0a31c6dbf08ede3cc6a114da3bbf7

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
74KB

MD5
5a4dc83c9b9b6a28d0f9838cf8cfa6c9

SHA1
55cf440492c6b068e60ef2309ef682db16decff6

SHA256
d26db82922ee8c6b815b29d6e6a4879801f6fd48e0fb48d8513e8c74608cb888

SHA512
f0c168ec63a8289b705532e8abedae786b879f0566d4fe28afd54b05409b0e229c0de5d3c6df7e20ff47254bab3f5b282eb61104b61cd9203eec9464f4ee326a

Download Submit
C:\Windows\SysWOW64\Djoeni32.dll

Filesize
7KB

MD5
24df8cee7f86e9c1f8e4c2202981470c

SHA1
b398318b1c75dd3ed40f187325b088c3c6160c4c

SHA256
25513daa187e6b29e123e7288640d45ba4c687e858a952d225d0f1a02e640c2b

SHA512
d49885c74ff68e2146fa168734e5d3d574deaed82fa3bb43ec90b50e0b43d3ace9aa39931c482f344ac8746916f805ae00d636930a140feba96a76972f62db75

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
74KB

MD5
ded10f57be7c4ee06d42c34b5d2b2668

SHA1
9c613e0d142dc257e881673da207e432b90b0448

SHA256
41f34dd2d9b7bde2649cfd2741b174e0d3b5f4b2a9012e43fb0ac4b1b7436a3f

SHA512
ce59156313747d8eae53ef2d67b904ca3c15b159a09fab701bf0ef5753a22e4b2c5f6a2f58ba1872ff2739f49a71db681695621bb4024eb3f5c6bf04a1547cf4

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
74KB

MD5
0a3e3f66c9cfd8f2ce121e46967a1400

SHA1
a6001473960d8480f3e8df2e9bf65442fee08ddb

SHA256
67e92968f1eb229f9ff4b7d9f07b62114dd586603f333e28795ab2710486219b

SHA512
7ff832b77634dce71352c8a6328e2c035893d1555be499ebb2c71c63867c1a7dc723df0590030318757b447f7592d2e3b106bd4c94d009a1fd05cff5eba3c4fa

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
74KB

MD5
195e64c1e3354dfe407cb15f10060641

SHA1
2bcc6790e08f4514b12d567c02a79127e5a4b171

SHA256
ae77bf34e240b845421cefdbfd3b4999e9f606d68485bf7025992aa4b29e625c

SHA512
b7dc20cf4994e3c6e4b4e33e22d9b27c1c65e561d0d72bf683fe4ac5dc26366f3cf423fb05451b69c2a80545a0979b8b1267dcaf2f2406ee749a10f2ef26bfa4

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
74KB

MD5
59235a8f7f064d9fe209308d91333163

SHA1
f44a460860486d74faac80b794a59ba0e5cbd205

SHA256
635a68101add62b097444dd6e4ea56b903f5589b7ea771a2ed9127bc60bc0ff3

SHA512
6facd4c16d526bd318263e22e55812dd56b8d7508126877ea01888768faec5ab9bc3038606b087d3cc2dbdfbc1d3a5603322fadd13cf8ded6d054e6186602e4b

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
74KB

MD5
90ae67f414c8986a0bf1dd71ceb40ea5

SHA1
35fde75718d01975b2a92191be8fe4212ea86620

SHA256
26236a5e6510d12e2a5147338f10ab77c8979752e6e40bb3e8516185fd60ef8a

SHA512
6e8ffb3d47b2fd314a9e74237a27118e7d8739861bf032094612b71d44b0030c80c0e047d826f531b076877b2c35b5bdcaf46e4a94b13950ee308ad1cd642218

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
74KB

MD5
5b4e619cf77ecbd66410e815acd5a30b

SHA1
33529f496b4f645a3000a844ad39681b9870c81b

SHA256
a6350dcf9462a5e1ba27003a17b2dbbbfa9cf268357e05009c24f814fc206766

SHA512
2c0f9a204a55d1a5a7023422098edc1e75464d78dd24ac8780bd4b022a677682170119585c84289f87487b76ba82ab2d58e558a72d898d7e5e10434d3e0ce9d2

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
74KB

MD5
25551ae3c483cecccac3591da0214ae4

SHA1
1cc06196ea1bd0a1f935929a7ac06949dfcbccb4

SHA256
0acf061b2c544721abddfb597496df14324d5721ceab27925111b8b8575bde42

SHA512
e34d4310481159c521a161133208d180f26f90b168150c128b6f86d6c0cec5c14f3fcffbd8f06323367c2683ea660303e49e2ae309b2049c3b6b4274f3b2e476

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
74KB

MD5
e5f0857bc681db032025c6f47f16e3ed

SHA1
8f73ad6eca0d04a9661df1c322e5dac66e2e73fb

SHA256
7b0e9ce7ed0bec111c356f42addb114f4b5fe7aaeb82d95971bd1c95708e8daf

SHA512
54f0b7b1fa2007598a2355554a10c93c099d6103ef64db9a2667124c425591dfb4364b4f45e98a7c2e1a2f81c7157ae36a5f30491592e481e7c5a0d21df8f206

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
74KB

MD5
aa5e545942606b4b099586e6255a46b3

SHA1
da328c2376e67a9ef05f527bb94179659c5677f8

SHA256
5e2dd47218729cc6ed9505ac01662731eb8086d72386f66ad4ca75d090b9069d

SHA512
57f6c8c40fd320220372a3de137332d2dd439a144652bda1a1d69de071bb7bd54ea63043b54bd3687d3f23d7e6f95e80dc4644477f8b4eeb27bfedebe6c07552

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
74KB

MD5
b79f24871cd3c50a80c53584f3f1492b

SHA1
fe418844c634e5fe0d268835ab7bc9a143183ed7

SHA256
f9819f7232a3405108413f5d3619de6e8ba073d58cd0e36785cde4043b4198cc

SHA512
7b0ca80af05fa26888f7537f2b3c2e29525f5afc3e7b091f3996b04efd855edcd03b3d19b7f494bdacdd68951382a6aa1d414ea7aae03cdf3338478cf8e04e1b

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
74KB

MD5
97f7f09f1b2be8f8b26ea784d8cd6b35

SHA1
fe3470d93699ba62b097bed91cefae9fdc2f8e88

SHA256
d352993115e3be750bf71ae363c1ea245b4f0d2334768486578b7635f1922733

SHA512
f94e90ad56c4c6662a37b01a3dcdd66fd75c339adc1b4ef32d5ed51af993fe3322231bf7a1dcd464824d7ff3e8465c18963c62743fd92242b701605e37ffc6a1

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
74KB

MD5
b41eb29b2b2d0dea05e46f152f805297

SHA1
de5c3bf34a4b292c0130f0b1be3b7cdb31944213

SHA256
a524cbacb31edd5dfd2fe8da5558eca68eea7db6ea4f92f322eb3fe77508738d

SHA512
3bba905b06ba8e4cc5d28e57d832657f35d40e11b621d8e08f5150a403967d3d65ba389099ad50c7cf163ac399aa9b6a91bf0926e3c404662e7921c1d94cdfcb

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
74KB

MD5
6b421e7fdfad5305c74cc2ed89d1691f

SHA1
b4e92b14246a853caa21e4ccb82aab35383be74f

SHA256
25c1b410829879afb41ca40c20298ea57730113b15c394cd91fb807e8674c70f

SHA512
7788776cd6e63c3152282d042340620e67c43b8fea70898ce824dec6fd7f70aab436fed8dfe445abea10c8ba28a22cefed061acb2dafe40e3e1a829f4daa0c9f

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
74KB

MD5
f8f3b75c853e58b20713c0466ab9ad9b

SHA1
59a5204d8b20bf499d3ff119c50ab8c694f01acd

SHA256
2b03dd78c47058408fcc72eb881ccf6da54a843332b87fca9734207762d44271

SHA512
afce5d525721c699108905ff215e44010a05e18df01eff8a4a6ac7d6743e8c9a4fc62ad638e78a79335311d90a096e8ce99e10b5c40de32a18ec46c74f4d7970

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
74KB

MD5
732baa6acd2397dc5ae0c74a077d1707

SHA1
25f837f283292611ec75e9b4f2a339c9ef70b13f

SHA256
5745a910d7cfdf22e4b0fa470a46b9639575c6dd60d3feb9091b7a193ecde7b4

SHA512
a121b4ea91cd29015881b38ac50375e197b9ef8abf5789c2a13dcf2b554dd7c0b8cada768d154d8f7c5cc1c659aff3d90e2771900f4fe16dd2d26e09c39f1ff3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
2dd502519f2f96babee7f99273f6a259

SHA1
ae94c2d55f4b178d6f757f48b0a98346fee73e18

SHA256
00975cddad72acdd18d239020569b383833884dd585717b00c09eaa6124290f5

SHA512
1bee923bd6a14282157b94ca750f817573c82384dc360de0ac2755bae15f6bd6404fca44f1c970fe5cb10a524d666565d5f0709660f8e6362d588fb4f0636edf

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
74KB

MD5
48622f243c290f3be6b9f664471f2b55

SHA1
f5937bd141c75c194113828d8f656d55789eed6b

SHA256
525231916a4c4b6c4fa09bd2c60db3a4208d23ed1f139379130e04bc05fc6d86

SHA512
efdf87b3829c79ea2fb99093be1383c10a252f8d6870990754a6d4f22d76dfa4709907ce6846a202c98936a10d7b3abcfdf30faea2a408a4c35696e22d044ec5

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
74KB

MD5
c080bbe84ca3783a4d1ef903989063bc

SHA1
f9a4992ab21e32c11e9d61cc068fe6b3201b7a42

SHA256
c2f35d854b7b5f7c9d16d29dc3884f38ce3100cffd6cf51c867c007e5400c053

SHA512
4c1993b69657574fc35210b033f2415b5c10a3b3667556e048286f939f1e356a6e38a1d3c878af5c04f19acc4d0fbfe415b6d449b5551870c481e3fc307f9b08

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
74KB

MD5
d031dcb17b96751c8fe14b6c9a192612

SHA1
883bda70f94d65b44fc96a1a3995d292a3dfad77

SHA256
84946cddc72f997e017f5abf5512abe118d9fdaf424ebbe6e4923feb49025d88

SHA512
01848b29f14694c49bdabeb0183d2fc3e12e8e242fc42e33a4880c015ebf24e2f36df964e9df4b680615f9501419a9edb8e4ed520c6236f46a35ce853cc0deba

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
74KB

MD5
96e3bfc47674e8d6b4ccb5aaae601255

SHA1
f0ce5219b9699a19d1c667bd6cba4fd6d906bc9c

SHA256
053640b4a7c9a599e95585093afd5836f7b1144b6dd0537df99ba7258310a935

SHA512
365ee7f824049b33698b726c33f7b2c12383ae0e5a0ed86c63df91263a4ad7c99a3659d418f058cbf774b93ac309ec91a0f82239bc7c2c456908ab0327fd3edd

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
dc3ec859d69fed2b06115975da62d903

SHA1
4fd573fffd395c7a8b857e8b5bab8efea9e52218

SHA256
0da18552cdf668cf3a8031e121c43802c79a4c99d480c207da95fc1248794d5c

SHA512
01ee8bfd6f762cb2a951a0d3552a81b64de78119fcec56ed7952a212185642dcf9a5f622e924f9082a3ac832b72a3df8eba3fa5cfd2c6b38e4bf886262b22398

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
74KB

MD5
db48e5c111ffef24f8a22456f96094ef

SHA1
73ac786907f79851b8cc1d6e2d7fbd7e9b8700e5

SHA256
8d68e40fc69fbb48bb98cf48bfd701cec93bc5e38217d75b2f2fbf6ec81f472c

SHA512
ea05b1a5a0542ed07c6772ffb25f6bb1b3e00334def1dad8033376d804561be932dd868adfc334d8f7adb87d7f42cc097fd03bf363547652ad904a707a47d22a

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
74KB

MD5
8c61173d1feadf336cbe3cbefbf60db1

SHA1
ce7aa336143f2edac5837a6f0c4d294db9dd25dc

SHA256
98ade5103453d762329d6bf9501550434fa6abce7433de0e60c6596ee932bb0a

SHA512
6545ffdd84da8e420e1bfe5a48afa794542c53b0cc76e55bc0957d2fc9498e3d28d25ded7e2e4c2fd2ef0dd7adcfa94b8556e1545b0f7cf6f9b59168afd83925

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
74KB

MD5
7d67177f27e5941afb6d6e25b58d4434

SHA1
74251188ca8d76017fa01a7c8947904248b781b2

SHA256
44239f03195a2ea87b80cdc7a26edff5b091d861e8b6c7c83194c88a06b502a3

SHA512
3246007bf3b131b42b25908daad786a6d2655b153aed55f795476e0cfc339b1f32ec1f58f74650676e6c1d0e385d9d200dae491247046a65ed3b7f685c380fd3

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
74KB

MD5
4937bc118ac5146304b6bf98e8070730

SHA1
62f8993d78f768090ae4320ce83fef0407b13cd1

SHA256
7ae39919216bea5048c9acd462d624b4ac5457620159b547b081a4967147000b

SHA512
a6b77bacf25a616c76dfd6daf37e96360ce79ab7d684eaddf0f54e7a48d21a72105634834eafc07e070aacec16dd0ea59a6de02b64bd30d7fac8864535aef588

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
74KB

MD5
104b4a9dc37878b0cf208958d05f062c

SHA1
22d7dd66f85e37842e385aabc2a9b7b2f5eb1d19

SHA256
1a8495c1a1b3f7d767e71399f9c082cac39c4b7d1740f84cf09ec75976d92064

SHA512
0c65f405ccadc005ed393efd6bef2b483826052c8fc3ee581dd5a9528ecaeffeb8b4976c54bd6367a92029bf60bf2382217ccd316aa280b4912a50a8cb75d6fb

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
74KB

MD5
5b1505057fc72190f4f143cc3c6c0546

SHA1
a6016093aecf7d27dc50e9fbf9b7fa66800dc0e8

SHA256
b08fd902bbf790a3186ad527138cb0f52f1d1d9e64640a4016897e936fe4fba7

SHA512
2538054749586e14945bf278892f32144b3df5de488c047211df9431e5464bf2f63813d78f26efb18f35487e3ba8f8cb6472871f45786390bfa4cd8f1a552a64

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
74KB

MD5
acf3eeefc3343fb6e659e50c1cb760ca

SHA1
0afbf91a66f5976b0431833c05b1fae0d4586c6f

SHA256
f445e25e4e617de2bd1a4da2cd7615ab4287ff0d95735f6fe5853d240f88d065

SHA512
a43f227cd6a1a0ccbae75fc25a64ed02789a63aceb10e7147896956d989aa08ba97487c22b330830a1e7ccf9ee394e53af117de04cdd717e865b4ff849bec30f

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
74KB

MD5
c5f5e60957db203157a6b8d19b0d9392

SHA1
7812c9aa0c734f2eab9f6f3c36a58306c435a15f

SHA256
7ee49b270b4955214b00884ef85ec7a0e84dd37f4c100c119abc0db6f0bbff7f

SHA512
0a5e855a48ce1d8bcaf050de710a93aa1337aef04f350b49455e5b79de5a8059f54d7e2207007ef998b18872d611002d5be108e52ed76ddfd611054f2d57da4c

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
74KB

MD5
951cd17a46ca713812513f78c374877e

SHA1
530e7f01100be8f94076a81de9aed5ed71f30080

SHA256
c3102ad35b639c8bdf15637005744a8e71dba9799dedcb35028e0791b74104b7

SHA512
54d5f1ef012bcfbac915955c3669fcc2c9e04c9ee4c22f18a9de404fdd3529bd321ebf88ea717c61259139729d916040a4900bed2869b5c720553106b56f5e0b

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
74KB

MD5
f02f7fceabc94f523481ce56df6ee9bf

SHA1
6c47e0a13369b33cce51e6f70b92724788dd1e30

SHA256
10751f4d8024e0cb00a2ff64519c6c50d3916f74cf3d4ab8a64fbd8372baa8c7

SHA512
e304eb20c933b6b87500c9e2d9951724d1ad230d17fec1c24b06a1a26235d54f4a6e73b5640e0479289a81d1fbb85bab47ad0e4e5c29dc1d8bf1b1aeb7b3e41b

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
74KB

MD5
7b75d7496d727ed7c18d61afda49a153

SHA1
79377da63990a0d144fb9f1edb6f222bdb98be0b

SHA256
8509e160ebdf5a1fa25cd9215b1f8e2717240c4e98e58777b87712edbdc32e1b

SHA512
e8ef0340b2d2d92712d5dffa780c9c5ef84a6bd725fa57a01a59f423ecc0a3e388f6bb0808677230804add149ec7a5a2e84d609cf903d831f2deeb3caaf134fd

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
74KB

MD5
6766de30607fd3551317e6dee322fb05

SHA1
220bfd590f926956ae28ba38ae5c701be1c1fd01

SHA256
bc0be5d35bcfeed02eef4bce7e50f5883cde010de10191a556a41f73e27420f8

SHA512
05de4a0c5a0d1783073815b7545bf35a447326435d74d045e41a5d955c1b40bcbd70074dd605b95cb589c2d8e1ac34bb6b18318231a54b3ac3f52b42492c515b

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
11007bcebd2184c898d8c446c8bbc34d

SHA1
e776e7e95c7d6f005fe711e9428f2ff7f41a920f

SHA256
4e737aa95ff15afb159e552907ab485751506f6cbadaf46fb05e7b4c80dba0db

SHA512
0d9a770e29fdb736e7d652861d9805190ae07e6603b39654a81ba53c72bef1d4002c9174cdd9978a733b3eca191289640c717c1134ccfc0f7b6142a3359f460f

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
74KB

MD5
04422c0a1bba1bf918acff43ef1db9d4

SHA1
8743149478dad6f408e177a5b67b2b6d87a5fcb7

SHA256
9e4eb3757c1296e2bb0312edb6950f2618db7611dfe4d1ade10746af3b3f120e

SHA512
b1fe64918d65e29fcba23c8572b090dd7895a09b3fec2146cada418cce28d5e5e13baa473d14cbddb53f87ccbe6aec22040d21660f70247a772802877e416967

Download Submit
memory/448-491-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/544-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/636-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/720-479-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/832-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/932-581-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/932-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/952-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/968-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/980-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1056-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1064-497-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1224-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1268-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1284-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1332-485-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1344-353-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1440-561-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1448-539-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1448-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1580-519-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1600-568-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1648-509-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1668-359-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-395-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-546-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1712-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1772-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1824-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1868-275-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1900-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-467-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2024-341-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2092-317-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2136-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2264-575-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2316-554-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2324-455-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2336-567-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2336-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2372-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2432-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2468-425-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2476-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2500-407-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2524-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2584-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2584-553-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2592-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2596-473-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-413-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3008-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3032-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3036-437-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3056-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3088-323-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3092-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3288-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3304-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3532-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3568-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3576-503-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3752-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3808-533-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3964-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3964-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4048-461-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4116-540-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4128-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4136-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4200-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4220-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4248-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4248-574-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4284-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4340-311-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4468-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4484-269-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4588-521-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4596-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-582-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4824-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-547-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4904-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4908-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-365-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4924-329-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4996-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5036-560-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5036-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5056-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-347-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5100-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads