berbew | fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d

Analysis

max time kernel
96s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
Size

104KB
MD5

d5057a6cf81a2c8714fa8f284d4862a8
SHA1

42989c3ca5a05bf289bdd6ee5f1a6168a6e24428
SHA256

fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d
SHA512

886d8b305755228c4489a7430270d319980a329e0ed4bd446f0d02224b98fafaa57fea2549b019a5ed8e8b559a0d2a4a49d15cf75bba2d1399d0401d9b1959b5
SSDEEP

3072:PBMfAd1Zz5q3i569e+30366e5Hx7cEGrhkngpDvchkqbAIQ:PBvV5Ki569N46R5Hx4brq2Ah

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 46 IoCs

pid	Process
5000	Ageolo32.exe
2212	Ajckij32.exe
744	Aeiofcji.exe
3916	Afjlnk32.exe
2844	Anadoi32.exe
4712	Aeklkchg.exe
4576	Afmhck32.exe
4516	Aabmqd32.exe
2900	Aglemn32.exe
2864	Ajkaii32.exe
1640	Accfbokl.exe
1928	Bjmnoi32.exe
2804	Bmkjkd32.exe
3292	Bfdodjhm.exe
2148	Baicac32.exe
1324	Beeoaapl.exe
664	Bffkij32.exe
3992	Bmpcfdmg.exe
2164	Bcjlcn32.exe
4868	Bfhhoi32.exe
4404	Bnpppgdj.exe
1228	Beihma32.exe
3024	Bfkedibe.exe
3480	Bapiabak.exe
3988	Cmgjgcgo.exe
740	Chmndlge.exe
4456	Cmiflbel.exe
3232	Cfbkeh32.exe
4948	Cmlcbbcj.exe
2692	Cjpckf32.exe
2992	Ceehho32.exe
4336	Cjbpaf32.exe
512	Calhnpgn.exe
4436	Dhfajjoj.exe
404	Dmcibama.exe
2836	Dhhnpjmh.exe
2220	Dobfld32.exe
2100	Dmefhako.exe
2244	Dfnjafap.exe
1696	Dodbbdbb.exe
880	Ddakjkqi.exe
4476	Dkkcge32.exe
1484	Dmjocp32.exe
2328	Dhocqigp.exe
4072	Dknpmdfc.exe
4204	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4916	4204	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 5000	3876	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe	82
PID 3876 wrote to memory of 5000	3876	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe	82
PID 3876 wrote to memory of 5000	3876	fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe	82
PID 5000 wrote to memory of 2212	5000	Ageolo32.exe	83
PID 5000 wrote to memory of 2212	5000	Ageolo32.exe	83
PID 5000 wrote to memory of 2212	5000	Ageolo32.exe	83
PID 2212 wrote to memory of 744	2212	Ajckij32.exe	84
PID 2212 wrote to memory of 744	2212	Ajckij32.exe	84
PID 2212 wrote to memory of 744	2212	Ajckij32.exe	84
PID 744 wrote to memory of 3916	744	Aeiofcji.exe	85
PID 744 wrote to memory of 3916	744	Aeiofcji.exe	85
PID 744 wrote to memory of 3916	744	Aeiofcji.exe	85
PID 3916 wrote to memory of 2844	3916	Afjlnk32.exe	86
PID 3916 wrote to memory of 2844	3916	Afjlnk32.exe	86
PID 3916 wrote to memory of 2844	3916	Afjlnk32.exe	86
PID 2844 wrote to memory of 4712	2844	Anadoi32.exe	87
PID 2844 wrote to memory of 4712	2844	Anadoi32.exe	87
PID 2844 wrote to memory of 4712	2844	Anadoi32.exe	87
PID 4712 wrote to memory of 4576	4712	Aeklkchg.exe	88
PID 4712 wrote to memory of 4576	4712	Aeklkchg.exe	88
PID 4712 wrote to memory of 4576	4712	Aeklkchg.exe	88
PID 4576 wrote to memory of 4516	4576	Afmhck32.exe	89
PID 4576 wrote to memory of 4516	4576	Afmhck32.exe	89
PID 4576 wrote to memory of 4516	4576	Afmhck32.exe	89
PID 4516 wrote to memory of 2900	4516	Aabmqd32.exe	90
PID 4516 wrote to memory of 2900	4516	Aabmqd32.exe	90
PID 4516 wrote to memory of 2900	4516	Aabmqd32.exe	90
PID 2900 wrote to memory of 2864	2900	Aglemn32.exe	91
PID 2900 wrote to memory of 2864	2900	Aglemn32.exe	91
PID 2900 wrote to memory of 2864	2900	Aglemn32.exe	91
PID 2864 wrote to memory of 1640	2864	Ajkaii32.exe	92
PID 2864 wrote to memory of 1640	2864	Ajkaii32.exe	92
PID 2864 wrote to memory of 1640	2864	Ajkaii32.exe	92
PID 1640 wrote to memory of 1928	1640	Accfbokl.exe	93
PID 1640 wrote to memory of 1928	1640	Accfbokl.exe	93
PID 1640 wrote to memory of 1928	1640	Accfbokl.exe	93
PID 1928 wrote to memory of 2804	1928	Bjmnoi32.exe	94
PID 1928 wrote to memory of 2804	1928	Bjmnoi32.exe	94
PID 1928 wrote to memory of 2804	1928	Bjmnoi32.exe	94
PID 2804 wrote to memory of 3292	2804	Bmkjkd32.exe	95
PID 2804 wrote to memory of 3292	2804	Bmkjkd32.exe	95
PID 2804 wrote to memory of 3292	2804	Bmkjkd32.exe	95
PID 3292 wrote to memory of 2148	3292	Bfdodjhm.exe	96
PID 3292 wrote to memory of 2148	3292	Bfdodjhm.exe	96
PID 3292 wrote to memory of 2148	3292	Bfdodjhm.exe	96
PID 2148 wrote to memory of 1324	2148	Baicac32.exe	97
PID 2148 wrote to memory of 1324	2148	Baicac32.exe	97
PID 2148 wrote to memory of 1324	2148	Baicac32.exe	97
PID 1324 wrote to memory of 664	1324	Beeoaapl.exe	98
PID 1324 wrote to memory of 664	1324	Beeoaapl.exe	98
PID 1324 wrote to memory of 664	1324	Beeoaapl.exe	98
PID 664 wrote to memory of 3992	664	Bffkij32.exe	99
PID 664 wrote to memory of 3992	664	Bffkij32.exe	99
PID 664 wrote to memory of 3992	664	Bffkij32.exe	99
PID 3992 wrote to memory of 2164	3992	Bmpcfdmg.exe	100
PID 3992 wrote to memory of 2164	3992	Bmpcfdmg.exe	100
PID 3992 wrote to memory of 2164	3992	Bmpcfdmg.exe	100
PID 2164 wrote to memory of 4868	2164	Bcjlcn32.exe	101
PID 2164 wrote to memory of 4868	2164	Bcjlcn32.exe	101
PID 2164 wrote to memory of 4868	2164	Bcjlcn32.exe	101
PID 4868 wrote to memory of 4404	4868	Bfhhoi32.exe	102
PID 4868 wrote to memory of 4404	4868	Bfhhoi32.exe	102
PID 4868 wrote to memory of 4404	4868	Bfhhoi32.exe	102
PID 4404 wrote to memory of 1228	4404	Bnpppgdj.exe	103

C:\Users\Admin\AppData\Local\Temp\fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe
"C:\Users\Admin\AppData\Local\Temp\fd9d379c89a133f0c9a2cca4ed6420002542e5e539b926f41163d0e41daf666d.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\Ageolo32.exe
  C:\Windows\system32\Ageolo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\Ajckij32.exe
    C:\Windows\system32\Ajckij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\Aeiofcji.exe
      C:\Windows\system32\Aeiofcji.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 420
        48⤵
        Program crash
        
        PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4204 -ip 4204
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
104KB

MD5
5d1d9d273f37107ce72b2d5f0bbfa0fc

SHA1
1013dee526a758e7b23ae9695a73f997c80526d2

SHA256
d3d6a806f2f07e34b59f6a9bed626efec299a0872785427e7cadc0d7908079d2

SHA512
f063e5aa901a6808dc56df60fe265ab8bde61fb0e22243d2b5901ae9c7df21fd188e4040443f6b2f9852577f49cdf9d5908d9d90bb9f40c676f6703b83690913

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
104KB

MD5
9e492464481df7ceaf2f012c91dcb594

SHA1
6d0462b06211ecbbd90451aab396b081593b8671

SHA256
85bcd383e71fe4048a66ac526b67bcd1546e88bce7114ac1ff63257422d13306

SHA512
17b1bc4571eb53cdfd58a6d68b22c20abfe9316499f6eb859798bb1b2d82bd78912c814d0d89a4f5d6b064f95c4244355bfde804516a5cd3d9d2dc9c2d037f91

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
104KB

MD5
12bcd33c5f60305c89087e7fe0fd7080

SHA1
bc62d517025f928bab78aa364b5c7c95d98224ad

SHA256
d6057b4c84a720a273b96fe7657f418278702cc563f223d0bc95621c58643ca6

SHA512
97172d438ed4a760c25029cc0d2488063b1d4daf794a46c58bc6ffc213bca354ec6569f02ec717aff35fa3825632b4bff89c6bc1f664dc1e5b6627f6f8fe52da

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
104KB

MD5
93ce45bece60870736e38d51fbe4bc29

SHA1
8c9741d4cf88839ba5bc3d1017e4151bb3f299a2

SHA256
16b0f7225bbf62dce8076db0c3b20f8e5edfda3a167bb5048d3f890150bd04bb

SHA512
8d1184cd52c80a38f5fc781a256a18d684e4a6902bb008f4d776ca142e05963eacc2416cfc4de03355d7951d4bf4967d2348e4861ba07830928f20d8a5c885d1

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
104KB

MD5
4f559d241e27ba418617c4ff7de9e265

SHA1
795f7483482d46adf875281c424872993bd74d08

SHA256
7246c7acc10619ea5072071eaa72929622d30009a354cedaf7ee826e12a62429

SHA512
0e5cf7730d420402d52e681c2440396f91f8f5c9959dd9f3083d1969313deae05f15c23be8a836bb0cfe02a7d76fc96c5a283d3a20264d66599884dc5c0af11a

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
104KB

MD5
3e552f8aeb8e202bb917e2c2e1f0a775

SHA1
6e07667a233dfb9191af8449943cbcbd5f18c9a9

SHA256
52ea52cac6423579a8c9c87d4570aeb744a4c7dd91e4f028f85faf5057e7ca37

SHA512
71aa81510c65cff9ec420487c70102c4fe18e5b532022b2859df7066bed51646a172b70fc8907576dc05951ee58c0d3c8d4a2c75d288582fafec5903990414d0

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
104KB

MD5
35f4e0955785d0dd512e27a5cf348391

SHA1
869be56d4d559f5b4638e89f50b797b829511c38

SHA256
79977ca58bf45cd5642f718094ad8675677cb6e2fa98766530d3ed5d7a1d993f

SHA512
7a28ee52e9721544c3faa559dac883545a31cd6585d374d78e3346cbcafea1034925d7212c12b68c584c3bde5ff19bb3160495bddaa99b274704807f5b90d525

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
104KB

MD5
30264c16c3fe99f5c313fa1f1c359517

SHA1
e09c7ab0f9508f8cd6d3fa7c6b4e6dd2296c60b3

SHA256
c2889457b7a6c6279b7037cae15792a146d1cb9152da567980f1c4193520d4be

SHA512
17ac6343113bb6f04af9e95e562c2ce5c7643f82ba0b7299c8575d9baffc432714fc60ddd692b7fe04bda583ea29b8d8fa368c055bbc08600676d2a8d2d3b82a

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
104KB

MD5
45da229cb13582f84936c60aff86552e

SHA1
5667522c42989134221226fdb823515e99e45eb2

SHA256
330144aa933d7cef31572f29d946c28b04510f8331548ea7da6b627f0750f73a

SHA512
63095fb81450f599e939c6910db782935c184c0712058ecb0de53311826c7e5a482eff38d7174cb48fe9e1a8a45f9547807ee3e71662564ad5645b355b5f5f47

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
104KB

MD5
9b08b4e5889c9f8ab5363f6dd38db7e6

SHA1
15630d8891dfdeba29792417b02f03cdc7432418

SHA256
d0159775ea0789b601e6ff468e3e54c2d201fec0b1db0059d6cc58020075c287

SHA512
e41572be042ad79a498522610e884c686fc2a91e29f981713410e15f486ded870fa5383a9d70df714d7cd312361dfa3fe6998f0b044c0e3d642aea1603e6f60b

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
104KB

MD5
7400f70f1bb3a495901e5caf40de47a3

SHA1
0bed78f7e3560dcda668bf59929a66294eba62b3

SHA256
ae33409ea80a5b8af42bbc21c369f8a1ddbbecd06c38d5cb3f246ac5b7429d0a

SHA512
f3c63ae23258fd3c9fa6c0f3057e66f874c4f679e3f35d3286f3daf653279932f18a1a626f1de4acd68473e2c4c124fd2cc12a73c6a318787ad8142aa6d260a6

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
104KB

MD5
9cb1ea15b3d5bb4cc85fd54ede8f1b3e

SHA1
85a5b50bf2cad4774da0e1e2b575467844cb30d3

SHA256
3e9456824dcb10d18565b766c0491f3809feb7b29d11a4ae37e8320e5f50d291

SHA512
df81a1bee1412ef635f32a865703396f371623850da221e1e08ca8b57a7859241be66c42b1c0fbb125a823614a17a2058f2bfe720913244ab4060d623f2edbd8

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
104KB

MD5
e18196fd23337d2ec901b503b52bfca3

SHA1
98b5bc9778dbd6cfed6eb10d380c7dce71e7fadb

SHA256
159073dd2471bdb3c91620ae56f45b8b8ebcd9e27ef0c666d963b1f377821b5e

SHA512
33873c92fc65ee296a020b117e0085c1575ffb2025348b56875359edf159ab52aa5943864f5cd4b39089ef0838368e0235e9cc4fbeffa3b8321132bee6f8db4b

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
104KB

MD5
72af60d4268dde6cab1b4092302d6ccf

SHA1
625d2abae9ea93c6531168ddda5315e9bdcee91f

SHA256
cda3ea9cf29cda90b0d7fdcdea5ea3e97d2eb3ad9f681b6d39ef4e0d01098fd2

SHA512
2d4b28b2f85781ca739d43dba58bcb7eef61f22a453bf54a06c6df98be9f407ace838fc3beffcc4c23d8dcbb5e8a980ee5d793959d0ba935078f9b806e134bb4

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
104KB

MD5
e12b8a58134bfc3b69331f1d74846f61

SHA1
897c19bcab09b7521e6c2d92c9d18174277d67ea

SHA256
e0a03f5a6c6e325864f5e7151c0b16ec5ca8ec230188f062645d03f39a74e44e

SHA512
fd7407f4d8afabdb0e8fc565291ea5ced1dc0e3144cafa60530aaea6d658549d6c7e2553dc0c97a82ef75ddcdc8241884b567092b7afe53867af8738ff7f61cb

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
104KB

MD5
abf87d904f2ad3a8abdbdd1d54d6023d

SHA1
0dd322387bf56bb6efd5e74479b50b3bf5efd8b1

SHA256
653e95d73c6935bbebc6d3cf7df34d942b0b8e5768ad961eb09f093b9571bb57

SHA512
8a5d76a46e1d69c45cb2c177d2fab1ab2bb542cdd50fa4ac685b821c2765c732fc4b1a54cc762c75b6d1e75e86c7e6fd921f969e918151b58fcba48965adcfd9

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
104KB

MD5
435d6bb7e73373c8be0729550eca0888

SHA1
7f53249e8c7d84aafd605b4c1c4bcef4cf435401

SHA256
2dea52263f9142b24315ad8c60be0c50a318c783a3fdd40b1ab4a8a2d4bd2588

SHA512
d5b447915ada3fba42cac0c8e835cb4fab9c2d27cfcd32901f8f7f067cbce7097d24e671454875cf098a776878ea0cce01e60d877d94e8f2c7a6060732f92ca4

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
104KB

MD5
384de9de166500745e49187057dbc7ff

SHA1
fee3a74e15d625fb360f4425332b2ca59cef2f16

SHA256
18f8bd68ba3a933410dd84e31ff85b210687666c9ffd55425ed3e6c6d87c2ab7

SHA512
d8ae357446fd9f46fb994218ce04dc80d8958855e87c910c62e6dce9312baeb039367dd350d0d5154a46becc0f813c2c06136a07b85f577220530b442b246990

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
104KB

MD5
e5b49b80df51a49024ca31cb481b72d8

SHA1
9fc4cb6a9a92ab5504aa76b15c57a5b3bd3422ba

SHA256
316b86cc3cbaeafc22086187b238904fac56730813762cdc4ea7652f7e4ba249

SHA512
b3e9c70c6d152e1ecad5337d11a0317a3b09171bec115b8bf78163c149533c7bbe5c8dd329d7c30bf033cf2bd59b368f662a988a38793eccfa14946593faa272

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
104KB

MD5
613ead023470efe09136f37ff2d2655d

SHA1
c528c664bdf292953dea8d682815e8f5f2a27c82

SHA256
22f2653d4099937c2c1e0655e158259245af30a4ef02cc6a0e9b8151b6c8cfbf

SHA512
99658e5227a9f3d73c3834e228cdffa831ea06325b95750a604d03b34746643e8e797ae8b97615773652c0a7f71a3099be6b899805e4f973c6a1ff140585e8e4

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
104KB

MD5
18106cff3ac71d0f98b292c747a8c419

SHA1
d4df159c42008c886c2ec06787915b0a953c6529

SHA256
405d8621dbc6104997c77c2e4a9c51516884f9f01173118a10b6df35b584c1c4

SHA512
7e62cf6281a20d5feb9a39401c3a7f91f40fdae2241ef34bdbf7e22be3e65d8d2c83921241778e29909b0c3f27a76426f7b08b446dc4571a5ee0a233e45187e7

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
104KB

MD5
c130e51bcecf26be4204496b6fe1205e

SHA1
5ed460b9c099650c6c775ab21cc223facec89c09

SHA256
17582808d2b6587377b43b336d12b39d9cf369b59e0f2eecdba09aa2bb5a09bc

SHA512
7002a7f6ba67ec2dfda9333aadb5a0d5458e360607994b0e4b5e25ffc6872b8c8c7c585dbb20f1c5868e8fd2729b571fb43f4ff14267c1ad22bdbd91943ca7b9

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
104KB

MD5
de451a0bc436013b09ac01fb9dd436a3

SHA1
df5025877e1e520ccd5de199ac0c75341d07ab73

SHA256
7b76a9a57181264fa304a8006be058c64523faed15693a6557ecdcc9ea43dffe

SHA512
966913354e7fdb6dc19b111c23aac18343f2f1dfbd387b1a51a31c6e9b7d78933746e86b8e3adb11511fcc04b7969fccf08421b830ccb8e1ba50aa0a5180f3d3

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
104KB

MD5
4b52d0015ddc8355969f509925c4cf1d

SHA1
580116193a31030045269bcec65ee9380cc2dc1a

SHA256
6b93022f8b5919937c3b18150bf670e471bf4142e2be6c154407eb68d5ea64cb

SHA512
109b4b47637532d2bd58753866374f1318cc0e2c8c1f9688168b56d4249ece0fe94418698c78537ea3ae87e7fc79cd616387e9a4bde814ad1535bb56e10d68a6

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
104KB

MD5
213e9d9c4d7383e9ed5631046e0ec044

SHA1
b36ea93f1554c492cc3f090a7429be52bfbac73a

SHA256
40a0c6e6927c02fe9a820f2cdaa8bc84ce8766e87a270ebda237372c4c6e9d92

SHA512
e2cb798462bdf378c16a50e813ea91aea5f8544d69a2fa4bd1216fdd9befef235c0d56d779ac6668f745d03a55633a6ff967f9214dbe960b35d0c9060ea40c07

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
104KB

MD5
be128383c0a95992779b48bc720f395a

SHA1
8773d084cc21c1f84b289e348fcf5a21732380bd

SHA256
26a45195293098c1c23cef359df7ed85aeedd1f425bbf4e6bba2c55ea6fcd594

SHA512
3ac4b0bc2099e50baad013974b65cf69115841d21c436dd21a2248c0b76bf16a9c27c751df6fad95bdde4b76370bb64404efbe2463fa9894e3669cc27d70c9f4

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
104KB

MD5
680f1334aa75b0e42765c014f2a43455

SHA1
76570bb02c4e27b9364d8e5a3e55f214f3356d8b

SHA256
f6f212ac83c94ee66a96af22a539e3822ef4fdf44028ff7de4ac7332630a0528

SHA512
80d2fed9c5db065fd12ee083ac39346793b163ecedaee0c68031acd903ecc8ab6d0ad4eb69c64a1f4932ec6ff37ff3f11bcec3187678dfa07a485a65d1c7e773

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
104KB

MD5
f50d6ea75ac82c8e6da902b46dcf58b5

SHA1
742f24fc022b33b87876e2b6f45cf58862232dad

SHA256
dba5882adb196ca7958d18727cdeef05f652645b23403682f11db74ac081fd0d

SHA512
4b28fe98da18f969fe96535fea934be555f5de3eb88495d3b9b70ad485eaac6248944d17ac07f3438f4dde0ee5cf16f0aaf78f1d8b69748719ae5965e362a889

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
104KB

MD5
2c1c4489550d6cb50443cc4da5cffd4a

SHA1
e5829218ec3d6e788df599b93e98e696c3cf9cc4

SHA256
7ce20c3bcdf73eac82f7f131265aac989ce98784aa416efe5ad2249b0db9f8ab

SHA512
e613a6e99d7efb03c7b1cef36744be0b0d50e92bec1bc69b9cd34e1408a4dd706457c54fa78f2af5d583c348d315c576a5e57be03d6556e3974ecd7e6b477d88

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
104KB

MD5
979c424740ec134178bb80ad3b2c6455

SHA1
6e33dae1473713d406c20744df7b13e39b7c37d7

SHA256
d2dfa679515fd92242a7222c39c839e4061e20e18ed44f2313004a198f25a959

SHA512
7b2d017c363a4bbf1df3fd7c90dc443f3917888897553cc67e742401c40de628897fc533ce9dd614ba974d09685c726aed0d49efbbd906dead5bc3d4e732beca

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
104KB

MD5
ffb88452046b70fb40f6b16a550b841d

SHA1
6dd2d2823a000ca0a542512a701954ca87a0c38d

SHA256
86436b6e709aea335bbb82fcb4aab63155fc54ae04313d101f2f548f590964c4

SHA512
f90c1842006915347d8929bdacd5cd439160febce6da6f5b141ffa80601cb2cb5f4157b9091021f38af728a29c2180135371327c28d17e23ad76d157971389ed

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
104KB

MD5
65f05b4d375a5dc8b12fdb961d0911bf

SHA1
ab15216945f336e6616083b8e5e9bf5f5d1e98d0

SHA256
ea8cd3068c7913e4fd469a325e5b3508ed4c1db8ebeb0eec33a224c7a22b8001

SHA512
08d9da742702bbebb95fc7983b7fa7a92b72113987e0ef6e21a1c4837ff38a11e274cf959740426a5209fe8b22617dab0b544562d6b43dbd7baf84fc382b6d36

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
104KB

MD5
5f1eb8c203db50f8127991f64c9e1b28

SHA1
5a47feed985f55d31ac5bd21c1cdd24cde4ebee5

SHA256
64f59cea7f7bdf66b02f2864bf9891bae3a046ee18db8fbee61a19d8cd5e8a6a

SHA512
c83a66d5aad398e6501be88125a82cbc93e093e2daa2e30b57f949a86c59f66c491105dd204d3d4b0ad9087da254c479305ab4c1ce7a8d0514bf4b81d8841e88

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
104KB

MD5
8e92e58cf0e060807fa31a892f4e53f8

SHA1
1db16ac6c90846c3b36d1bdf336c77f25e577113

SHA256
87e7e7765e21988c0b79832fc106c39519d6ac6a331b5564fe0f27bac72e1037

SHA512
bb4400f6e04b662c35a88ef0fd51e33b97458f36534b7ab9100225df734295b7973b166440df37e6cfadae287af4e31a724c30419a5ca9f732e12c5cbb7d8b3c

Download Submit
C:\Windows\SysWOW64\Gfnphnen.dll

Filesize
7KB

MD5
201ff5728ae7efb06ceb44d5e653a9fe

SHA1
52e52dbd77976ae50e291e20d3244a9a53d742d5

SHA256
a4d5b4c7d7e71d8730d0227224a1bcd4714d09a8ce2d02633a3dd9bfcd827209

SHA512
100746c75b930a98b67d0d8c9d94c5e2e020fd84521a34b41e7e37d0cffdc7d1c31e8c34ad03d0dde187914cc35cbf5381784119cd0e822616e0eee1bb1aa8ac

Download Submit
memory/404-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/512-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/512-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1324-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2220-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2900-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3480-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3480-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3916-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3916-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-385-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads