berbew | e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe
Size

64KB
MD5

9ece1fe331306a236da94bcad9081c4c
SHA1

0c0e502622c8789b7de31b59c7cdc5b09e11e0ba
SHA256

e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc
SHA512

6b1cd763a6b8240938dbe00632c28c2c8b3e2650c59a7773d4fcdf02bc0b66f62d7092dd0cd482509d8ab39f0b49b7612bd4c3c87358afd6bf25182d6caa0fb4
SSDEEP

1536:TsXtFQBqBMYbjvrfWkM7zELLcVQBUrTrXt8WgldRtTcYSoV1iL+iALMH6:TGnQqBMYfzGzELHUKtTcYSoV1iL+9Ma

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 47 IoCs

pid	Process
4024	Agglboim.exe
2400	Ajfhnjhq.exe
2476	Amddjegd.exe
3044	Aeklkchg.exe
3560	Agjhgngj.exe
3532	Ajhddjfn.exe
3704	Amgapeea.exe
3680	Acqimo32.exe
4888	Ajkaii32.exe
4656	Aadifclh.exe
3688	Agoabn32.exe
1292	Bnhjohkb.exe
2616	Bagflcje.exe
2556	Bganhm32.exe
1748	Bjokdipf.exe
4828	Bmngqdpj.exe
2764	Bchomn32.exe
3884	Bffkij32.exe
736	Bmpcfdmg.exe
2820	Bcjlcn32.exe
5068	Bfhhoi32.exe
1856	Bmbplc32.exe
3096	Beihma32.exe
3484	Bfkedibe.exe
3264	Bjfaeh32.exe
2272	Belebq32.exe
3904	Chjaol32.exe
4936	Cjinkg32.exe
3140	Cmgjgcgo.exe
4988	Cdabcm32.exe
4228	Chmndlge.exe
2908	Cmiflbel.exe
5040	Ceqnmpfo.exe
4876	Cjmgfgdf.exe
712	Cjpckf32.exe
3528	Cdhhdlid.exe
1184	Calhnpgn.exe
1048	Dfiafg32.exe
1000	Danecp32.exe
4364	Dfknkg32.exe
1452	Daqbip32.exe
5004	Dhkjej32.exe
404	Dodbbdbb.exe
1836	Ddakjkqi.exe
3048	Dmjocp32.exe
2176	Dgbdlf32.exe
2956	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5028	2956	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4024	5036	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe	81
PID 5036 wrote to memory of 4024	5036	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe	81
PID 5036 wrote to memory of 4024	5036	e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe	81
PID 4024 wrote to memory of 2400	4024	Agglboim.exe	82
PID 4024 wrote to memory of 2400	4024	Agglboim.exe	82
PID 4024 wrote to memory of 2400	4024	Agglboim.exe	82
PID 2400 wrote to memory of 2476	2400	Ajfhnjhq.exe	83
PID 2400 wrote to memory of 2476	2400	Ajfhnjhq.exe	83
PID 2400 wrote to memory of 2476	2400	Ajfhnjhq.exe	83
PID 2476 wrote to memory of 3044	2476	Amddjegd.exe	84
PID 2476 wrote to memory of 3044	2476	Amddjegd.exe	84
PID 2476 wrote to memory of 3044	2476	Amddjegd.exe	84
PID 3044 wrote to memory of 3560	3044	Aeklkchg.exe	85
PID 3044 wrote to memory of 3560	3044	Aeklkchg.exe	85
PID 3044 wrote to memory of 3560	3044	Aeklkchg.exe	85
PID 3560 wrote to memory of 3532	3560	Agjhgngj.exe	86
PID 3560 wrote to memory of 3532	3560	Agjhgngj.exe	86
PID 3560 wrote to memory of 3532	3560	Agjhgngj.exe	86
PID 3532 wrote to memory of 3704	3532	Ajhddjfn.exe	87
PID 3532 wrote to memory of 3704	3532	Ajhddjfn.exe	87
PID 3532 wrote to memory of 3704	3532	Ajhddjfn.exe	87
PID 3704 wrote to memory of 3680	3704	Amgapeea.exe	88
PID 3704 wrote to memory of 3680	3704	Amgapeea.exe	88
PID 3704 wrote to memory of 3680	3704	Amgapeea.exe	88
PID 3680 wrote to memory of 4888	3680	Acqimo32.exe	89
PID 3680 wrote to memory of 4888	3680	Acqimo32.exe	89
PID 3680 wrote to memory of 4888	3680	Acqimo32.exe	89
PID 4888 wrote to memory of 4656	4888	Ajkaii32.exe	90
PID 4888 wrote to memory of 4656	4888	Ajkaii32.exe	90
PID 4888 wrote to memory of 4656	4888	Ajkaii32.exe	90
PID 4656 wrote to memory of 3688	4656	Aadifclh.exe	91
PID 4656 wrote to memory of 3688	4656	Aadifclh.exe	91
PID 4656 wrote to memory of 3688	4656	Aadifclh.exe	91
PID 3688 wrote to memory of 1292	3688	Agoabn32.exe	92
PID 3688 wrote to memory of 1292	3688	Agoabn32.exe	92
PID 3688 wrote to memory of 1292	3688	Agoabn32.exe	92
PID 1292 wrote to memory of 2616	1292	Bnhjohkb.exe	93
PID 1292 wrote to memory of 2616	1292	Bnhjohkb.exe	93
PID 1292 wrote to memory of 2616	1292	Bnhjohkb.exe	93
PID 2616 wrote to memory of 2556	2616	Bagflcje.exe	94
PID 2616 wrote to memory of 2556	2616	Bagflcje.exe	94
PID 2616 wrote to memory of 2556	2616	Bagflcje.exe	94
PID 2556 wrote to memory of 1748	2556	Bganhm32.exe	95
PID 2556 wrote to memory of 1748	2556	Bganhm32.exe	95
PID 2556 wrote to memory of 1748	2556	Bganhm32.exe	95
PID 1748 wrote to memory of 4828	1748	Bjokdipf.exe	96
PID 1748 wrote to memory of 4828	1748	Bjokdipf.exe	96
PID 1748 wrote to memory of 4828	1748	Bjokdipf.exe	96
PID 4828 wrote to memory of 2764	4828	Bmngqdpj.exe	97
PID 4828 wrote to memory of 2764	4828	Bmngqdpj.exe	97
PID 4828 wrote to memory of 2764	4828	Bmngqdpj.exe	97
PID 2764 wrote to memory of 3884	2764	Bchomn32.exe	98
PID 2764 wrote to memory of 3884	2764	Bchomn32.exe	98
PID 2764 wrote to memory of 3884	2764	Bchomn32.exe	98
PID 3884 wrote to memory of 736	3884	Bffkij32.exe	99
PID 3884 wrote to memory of 736	3884	Bffkij32.exe	99
PID 3884 wrote to memory of 736	3884	Bffkij32.exe	99
PID 736 wrote to memory of 2820	736	Bmpcfdmg.exe	100
PID 736 wrote to memory of 2820	736	Bmpcfdmg.exe	100
PID 736 wrote to memory of 2820	736	Bmpcfdmg.exe	100
PID 2820 wrote to memory of 5068	2820	Bcjlcn32.exe	101
PID 2820 wrote to memory of 5068	2820	Bcjlcn32.exe	101
PID 2820 wrote to memory of 5068	2820	Bcjlcn32.exe	101
PID 5068 wrote to memory of 1856	5068	Bfhhoi32.exe	102

C:\Users\Admin\AppData\Local\Temp\e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe
"C:\Users\Admin\AppData\Local\Temp\e689fc0ca79fb84ea946106ff67e6208eba5ee4cf96308760a63dc0bde61b4fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\Agglboim.exe
  C:\Windows\system32\Agglboim.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\Ajfhnjhq.exe
    C:\Windows\system32\Ajfhnjhq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\Amddjegd.exe
      C:\Windows\system32\Amddjegd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 184
        50⤵
        Program crash
        
        PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2956 -ip 2956
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
64KB

MD5
5f05f09ce3fceba57e5327ad78d76c8f

SHA1
dc208ec2b9b1c2f144f3a066df89ac1306daf841

SHA256
5f5c5fe06b73017d98dd9ecc98c351dfab1e5eccb0a55ba352ea861b9bbbbc1c

SHA512
df8271352f7f5838925f811ff9b1b0a8854441ae2b476ae49100539d986dac8a79078815d74690186b83e60b4ad51b51061097791517f8fa18d91f4a9383d4f2

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
bdc6a06ce48c83fb4c9dad2481d3e85c

SHA1
3a7887406add9f381312c96eae318de9f291c7a9

SHA256
69c2fb177695ca8ac34490b642e06d06e8dc475046f9b5fede6372f9c85fbb26

SHA512
f5a6a1117d0a32eb984ab8bbb52a9a112d837f42e12bbaf4f4e7cf3a7552d0ea975f7e732f13512494013b868f5a966d9580353fb71ad8f66c7a46c4bcfd58bc

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
64KB

MD5
2a7c4ccba56564d6ff7921337cb1769d

SHA1
1d1ba542e04febb0d670ca7f7a559d31cffe925a

SHA256
08b6d54bac93ac1a87175d05d45658ca8c6b02da964bdd9e0c8df2e45a36c85e

SHA512
8d151863816d43bb364465fddf0fb8140f3b38a6519a12ac74366507c7e1927d021331602a8b860d4c46b5c860d6b25f9242bce1b3bbce0919145d9e0d361b4a

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
64KB

MD5
4f75155a87743158ae1590d97acf54af

SHA1
d9383020bd2b4305583dea1f77e04b559f9f7ad2

SHA256
136f32d48806434c0e18de6c7482e2c8b1164c1da083f37af04b104f4490f215

SHA512
ae90d9a523be9275e27d1fa775f91012a9d0332a0e3d2c314336b6e7d91332d73e895b182c025fbf957a45aa033046f703791c2a07fc7fbc3e4b5460de511984

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
64KB

MD5
e3a3a5426084ba83d48b56ca4a99690e

SHA1
e044b8fd8058615c43434e03df5e27bea63bb729

SHA256
42b830207a36f8a1ef00d4d1ee7233e49903a98cb0330a04140c68b2dc1923ff

SHA512
e166046f4e7b75919e14fd362a4dc08a8230c90a0d0e366f18872ad4b0cf18c42e330aa098c1cc8e7e1dee8931ca18292b134c0c065a9b5ec7467e46c79a4b4a

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
64KB

MD5
f78594b4ac82dc5cf1dc679bee83e60e

SHA1
775491d04f0d4be072cbb7e1e88c108e70512f6f

SHA256
994ee7c62b11cc41c0ba8d75e2611780d71b0d24b5efaae8c8d960f8b5e29c7c

SHA512
65481403abc855d850d7e8893cb5bf34372e7eb4f45dd5c1632682bc472ad9def3e96444466b378aff9fa9b5c304f4083f982b19f8060baa0727428b6d220c8a

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
64KB

MD5
89d868d4ebfbc7d5a3d01d7ac83dd7ce

SHA1
7a714805bdfe5e3010292d56c9ba3c6ea3ccdfa5

SHA256
8f7ff571a457e2c339d91811b9e275cf70c5ffa4124fc7f75d2f124e198591af

SHA512
8923f858651d66d71915af37f226f54ab8a81f1f74ca270bca3acdc27378158e673b47941af835849f730e13611cb82d828d086ee66c85c1321c5978bb9e6894

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
64KB

MD5
0c8a34b5a937ad4787ccfa99903ffaa9

SHA1
dd3c97c70fad24eb5a069cc0b3fec832f41b48f7

SHA256
4a1fb5c20d533f6c8ad313afd4640578757144f643ee6065fb983153031d0582

SHA512
5b08f13d04220fc4f112641b2fcaec6c3e294b00b421a93a4b1b0cb05f6a387d6b1341902f51f7059a6d9ab1e0c9a08a02f24147384a832ce5cc2530b136d126

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
64KB

MD5
115a857daabe30f8f1a2a226a42a005b

SHA1
defcb037aad7cede5c8c12a91051a562f385dd21

SHA256
4706b49c82f064daa7c0012e9b36e3fecd30569f980b1bb2be9b28c42a551127

SHA512
4fada699645afd37690834d67c3eedcef1d5e22dbecfba669534725c9fe4111a38d947639a00bb2ff0601985104b130d7207db5f5114d817dca7b458280d412d

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
64KB

MD5
089c215c908586764a72d993447961ec

SHA1
12dbd5a301cde173fe946bf5a04afa5252c76426

SHA256
8f93003fe5d50ca1aad29ea563ddd90df2edd343a0f5b508d777a8fb34e8a597

SHA512
b019a90403ee5a6f37bb32520703e1f75185e768220d98fc3a05944ef99afd6c78eef6158cdfb97ce3e96c8117a9c003aab3766c3f1bd974918d9ab0ad141fba

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
64KB

MD5
4bc9ddd9b46af371d22ee67bf3ccca41

SHA1
4fb2eedceffcbf6bc3abc9c51340f081949d9b77

SHA256
0fcc1d042cc93107f0920bb322fd04de0f127a7a5fe9a9a9082eed43244db9b7

SHA512
ea82f897b82bd550bb16b0ce1be72e63d710f2e0492a35c7353a3fb283281dcec6baca94cdbcee8804759740e0294f1a30b120a5b209eca7d43578cc9835f75a

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
64KB

MD5
2447b43d27d8ea17198cc2be76c49643

SHA1
8926bb1ce87b6d7e892b3cedcb71e306b1d5fced

SHA256
ad8dbaff5e39271c86987040a0af7956fc0a66796c3d3967f34eb8563149e582

SHA512
aa76519513638db8ead99d616b4a5590885ec6003523f3cc406735c8f3dc409cf750c472712c61271e6ee16ba11289533da8be7448675d015389a8a0c4204e0a

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
64KB

MD5
6b722e3652bd9bf36d2376517869300e

SHA1
34b0b100bf51f6d2f57da237ebfcf51341667297

SHA256
bc8cc5b1442fdab4262d8e80ab651e7870de4e0274d2d682f2ed3cb919023ee8

SHA512
89f2ae532c97e6e09c6ee2074064885bfe5e0dd12925ad72159abca74918947ff13503fc619575d45b9dc581149dc260bc52685caefa5bd545c7b9bb633ac1ae

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
64KB

MD5
686a06795f692c8056ff4e990b7b744c

SHA1
fe30ef7e19e61dea48ccd7110f2aaae5bba754a7

SHA256
b99e4ae7a2fd4c6cdda4c8c9c041b548d34fa84ddadc115f6a77326de23e157f

SHA512
1bf791929f18eea70e1d8ce79a092501c711b7c281d41fa545845eff9d82cd80a1c32cb0f55bfd1e4e24a009e7661ce6eddf0a2cfcfd988fb3bfa24657d5dac5

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
64KB

MD5
4eb5328ac4f41f8c20bee088155df038

SHA1
5e134e2ead4cb0c75b0e12aadce6690de28bfb1f

SHA256
9b746fa22715160c93f01d89dc2ac390108effb05e9e27a5682d2b4f1a37a0c9

SHA512
4ee24b4ec58bcc1ca17ee6cdd3ccb8ba2316efcac6d276dfb1ab851d750143650ba61cdf915c7b42d81e042822c2cf629b3c46a1a87545f7e19c5afebbb49380

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
64KB

MD5
404f0e32be516f7f9169c50c9a8299fa

SHA1
f09482ab9e0f1ebe817ca914994ce90110dea6b8

SHA256
1bc17973b89f0bc9524453ed3f8444b2c02112a666c1ddaddec358a2d7e9e003

SHA512
a128aaa760cb386e43a3b64144ff765165e1e67c10bf6c8770da81758de6c2649b5af8c5d3fe749e4d401aecb474ac4583b4403483325eba0c6ecd4d55f5ee5f

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
64KB

MD5
4a15290c799db58bcd5eb0a253d971b8

SHA1
6ecc31a2d8b74d67849c48ed8c21df21c15dea8a

SHA256
896065ccbec4bd811d99a2965983633cafd4e6bdc21ed3b8596be40a76156f50

SHA512
be469a4afef3d257b76d04744c8afa5a3227dada9c6081df4c864aed6ea2c699b2c3e7a5643cda4e3ab3b1b083806f57977bca5ed9269a70ecd50ef700e60303

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
97374bc7467c82db28911bc89b920d1d

SHA1
4a5dc132bfa7fb6ad9523cdf475f7662b245d297

SHA256
f86a71c0f3def635d1b49a5b4051a1aa1aadf77664339894058402dd351e4e42

SHA512
055e49dcbd45a28125974045659e15d8cc549b76a24340d5cd5344d5e7c83749a0195950bc161c61751c1cae550d7fd801970c1e6a250bd0b6015d342a6676cd

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
64KB

MD5
07945c69ad2ca2b490d65c601ea05626

SHA1
bae6a76821938827f04af97108cb7c1540871a61

SHA256
168401a35f6acb8f694f10d597f300c17c56d159382f7d7d185bd36af06fcee9

SHA512
e8f09dc6dd1b06f743cc08f214a65827d9244ca911c33c53ab6cba7cdfe9b931aaa85bb6d5f9817da5384ff4c9cae6bbad2f9fa42c991de1f71d8d8807f3d1c0

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
64KB

MD5
37dea13987f26aff5ef4093bf205e292

SHA1
fce76c5e076769d802329d1b230f2640d35d9a1b

SHA256
e113f5d5f6d43a8540d27b7d8e701f2a911e5c16e8310ac1702dacf7ecec838f

SHA512
9a5b3a20cabdb7eff06bacb945cf88dc9f2e6f9f24631dde607920be60b6729428d487c21ca8cf9340a9c9ff368d8152a06452ec204e4f47fd03aaf821f6e93d

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
0cde38d75e6b3a5c6f52fb46ca44c453

SHA1
c03e67cf17967139ee7d6d7297fe06e087af603e

SHA256
ef2b8152f46510694147d83c7872bfe1419d3882b809abb9154125ca68a1de7b

SHA512
81ab0eea347b3074c20237cbbdb744b3a738805e173b2d9f85fc119b0ca60c8a02729df77ea2adc13fccd91b9451572fac60b133d92f6c2d063fe0bebe12b4a3

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
45059ffa61dbe5fa542e67df681a2ea8

SHA1
90e161005866c89997eb28655a9f2b52929e1269

SHA256
9014f631577322c948a96b2365a8079f382f8f66ac4a44f59536f1af11653212

SHA512
818814bd64f863669f29dc89c47ad4a00c1314f41ca794d80f830d7c70dcd5c9fc40d7243538e8596edf433aceed4501c36ae9e5f4fd86ece8f1f3d28590dad9

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
64KB

MD5
33609e703a32cd1fcae8eda8e571a288

SHA1
a102e031572c249424425c9288b5ae4a5ac60a98

SHA256
4c89d4537fccf3cb3ef9efcab02cfede5435f2ed2716f100aaeacd48c4c70839

SHA512
d80f2336b417c832a1ff5e21cc267af4de832bab5d9bf3693fd3c9afd4cc1cb28cb6bff7e254778df6a8c4d4de0d2cada0c975b68690e987c045e24e9bc851fe

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
9673e325dd8e2055157ac0aafec0360c

SHA1
cb910124fb2537b11b7cdc31efb3162be5fd483c

SHA256
d14444a9ee7c4c036c5196606a4b13c64acf55f5c88c414b868f06e91333a1ad

SHA512
b8542d76fe44b91d442770ae19fbde239121b954f1db4e1ed0e6b4dc01fc9682d16229b038b4964197f6706a3593408f52a46308e7cdb5cce885e121dbc15a7c

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
e29142939e6b00ca7da8338ea6b84fc2

SHA1
a799c266caa25cdc22b6b9781fddffc74ec7d3dc

SHA256
7c2e330995aa4c001a1902885b9a5701924737f65f0fa50b94dd9bb5fccacdd2

SHA512
d10e33ae82fca60a51890ee58a49d8682c64694d670c9f346f7a54c6591e606e063b5c00539e91dd233699213eb54762c6b29de15aa7e6713c61fe8c241e2b8e

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
64KB

MD5
52cf4a70ecee922bbfe00547015edeb0

SHA1
e3c2a08c4a40d294efa2d67db7dcbaafdf03a225

SHA256
df6a0d53e8a3d8b46d045791a7c5a8af5801d4a888224ce506e529e3acfa8e6a

SHA512
5615979e9b63cba5a1112c9472cdd894b1481a7077d42347a590ac8de4f65e33be05bc993979bc2ba52f3dd300c73aa7d6fd1465908a8492fa0053cfac4d43b1

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
c60226eeaaec435c63837cc8806d45d6

SHA1
eb5b453411fab40bd603a8ade9ec48db9968fc84

SHA256
e7d435cd79a1f736440cdf577d2eaeae787626215482378fdadf37d50b78ef20

SHA512
f06a95c455a9d7401d928c22328f9f0d819ff1c99d2d19006365f6ab2c35156b1c764a8b2469919097d41f5f7472844a70450fdd3b703064e09a1b596398dba0

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
64KB

MD5
bbc7627e9a183504384e9e0298ce4b13

SHA1
619035c2479fabbf5f2cb5c8d4ab16195139fd4e

SHA256
943771676428c393472cf1ba964c6afbcae721a0e733f1d603647450faf439df

SHA512
cfb76e1b351c5592a452713be6e8ffb60cf5c9fecdda53af32b822430bfcee59b634bd2109626d6cea74ca6762172284f2c2bc25d0eba12ce195d5155238419d

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
9010ba184f88f8b3c3f49cf9954e3ca6

SHA1
d819a4f7592d39d383d6208a558e7c2079ba8298

SHA256
96e7bd303cd20d142e5fa6c9343b26447fdc8407cdbbe6194954f1995dcd1214

SHA512
69c22e0e0448bc42b62b2bedf029ff7ede644eca919df180f5c08a5b8734678002273f03ad770c9a74c026b68388d64809da90284b87300caffca7261301d199

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
c247988cbce074a2886309e3a349e911

SHA1
045c40d71d047dd6387338c1996268be5113cf9c

SHA256
da29469306601ddaa4f65c1434e941bb1f02d04a5203daadf71ed85a85c2072f

SHA512
48d8555d0d4a5826c8e698e77676d48134e4a138af185cb09921cb4d776cc8aedd2cea5630c08a62ae4e6fefbfdb001065527e57ae0aeb6a4e59ab58064b1aaf

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
64KB

MD5
f03142243fa8326f05557089287b9880

SHA1
c512b1f9ed6ff148d4ffc80b4d412955e8dc0b37

SHA256
75cb6d141d0107f379cafcf86b5b3452e2ca5e929460291a08ae2121ce2ae7c9

SHA512
b23ab15cd18b0193dfbea8857b07d6be272ec80dc969fb9cde7e50aea914ff2992be2061e3bce391a727b9cf60a5b10665d798f1beff592116fad51bdc21d52f

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
b48a2466220d7b6a409441caafcc6e3f

SHA1
d136025a41f779c71a42ab9e555da0b4cf820b2a

SHA256
d8509e319980692d74c57e30db39b7182fc437d3bf337290d6d96c355954721f

SHA512
aaf73853849bc7b370493e78194f456858a7e00d9adce817746f79ecbf0e17a96926c1d73235117978e3675b3094f9ab8aace6ff1adbdad0358597f872198e14

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
997e79390757285aee24a6b069820bd7

SHA1
df24c6a30d4911b4d158e755dc2b8c39baad2132

SHA256
d3ed31707b2f86a1000190eb7a605404ccec4449db3c9be0d4a39769d08aff6e

SHA512
3168cd46b197dbf5006d3981c23103a9cb3fb55ad7f4ce3d5ec120b44896b0f5899683717e67683f0e9ab75642b0d9adadc1e1a71af779eec6e23b7ebdc1c6fa

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
eed96963846280dcaf28a6a3cbe4098f

SHA1
81d1c74d8be239bc210a89c8e70669fd4ea7ba42

SHA256
23ee690c34fa32fe01ff3be8188abe6ab850ce8a27896c9ad3913e86eb869af6

SHA512
12f81920110615aaba4e9f5a1aaa95ded82ce5574e0d564edd91211bdddaaeb126f231f4897d7847b66c69b578e23c01443f03cc7b7ca5aa638ccc99a7ab5775

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
64KB

MD5
4ba8ad2ad4b9ca7ff2a8df0338c0e75f

SHA1
47738957f11e4249fb80fe5f42a33edbdac3462c

SHA256
c66a0fc021047c7b76bc1509801e562c7f5b3f5d423385331cedf0190198b082

SHA512
80f390f2c482d34b96736268d6ae4d1a316c33b9335bf899c460079a49b4e064892bcfd49109086ff42e882e77c7b6444168c7e82ea60b38d84755d108531eff

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
1c0c926382130a95b8c20f46a9dfc7c1

SHA1
4d905916e35eb58b6efcf5d18e9f546e9ae49269

SHA256
a08f0412163d5370b0a9f4df628a0d7dce3b0db248a883c21cf363e36b13e6e6

SHA512
e8cf6a7cca06adfe8fadcd5dbed279f128a9d7e11557595d9760891769325ea3414f62a0065a54985a50c566cac968efead34f1cb7e5c84b9ec35f8e83a522ba

Download Submit
memory/404-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/404-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/712-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/712-361-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1000-300-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1000-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1048-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1048-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1184-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1184-288-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1292-384-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1292-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1452-312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1836-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1836-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1856-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1856-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2272-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2272-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2400-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2400-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2476-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2476-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2764-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2764-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2956-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2956-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3096-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3096-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3140-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3140-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3264-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3484-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3484-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3528-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3528-282-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3532-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3532-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3680-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3680-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3688-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3688-385-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3704-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3704-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3884-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3884-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3904-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3904-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4024-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4024-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4228-366-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4228-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4364-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4364-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4828-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4828-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4876-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4876-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-354-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5036-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5036-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5040-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5068-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5068-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads