berbew | 23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dff

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
Size

128KB
MD5

be739895f97638c84cc4fae4b4484580
SHA1

93ff669a83415fd9335f465f5123b15c55ea9800
SHA256

23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dff
SHA512

7b7481efa62cf7e84b3baa0b73de3e2034cc5c77aedad8dcb9c6fc8cc93ed2ec42fb6334f1f950c13053bf3e99d66f5f100ef4f3e5acf4476a4efdca0b31a605
SSDEEP

3072:KWotLK0JNR3NUS5DSCopsIm81+jq2832dp5Xp+7+10l:ty9USZSCZj81+jq4peBl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhphncm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdajkkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgejac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgldibq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfoqmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enakbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkepi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojald32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecejkf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 35 IoCs

pid	Process
2136	Cgejac32.exe
2728	Ckafbbph.exe
2092	Cdikkg32.exe
2484	Cghggc32.exe
2460	Cjfccn32.exe
2996	Cldooj32.exe
592	Djhphncm.exe
1408	Dlgldibq.exe
2924	Dfoqmo32.exe
2952	Dhnmij32.exe
1628	Dogefd32.exe
1856	Dbfabp32.exe
2756	Dlkepi32.exe
2332	Dojald32.exe
2352	Dfdjhndl.exe
1716	Dlnbeh32.exe
1608	Dbkknojp.exe
2120	Ddigjkid.exe
2872	Dggcffhg.exe
1168	Enakbp32.exe
1952	Edkcojga.exe
1700	Egjpkffe.exe
1708	Endhhp32.exe
2816	Eqbddk32.exe
2360	Ejkima32.exe
1652	Enfenplo.exe
2688	Enhacojl.exe
2564	Emkaol32.exe
3056	Ecejkf32.exe
2456	Efcfga32.exe
2580	Emnndlod.exe
2532	Eplkpgnh.exe
708	Effcma32.exe
1400	Fmpkjkma.exe
2972	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
2132	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
2136	Cgejac32.exe
2136	Cgejac32.exe
2728	Ckafbbph.exe
2728	Ckafbbph.exe
2092	Cdikkg32.exe
2092	Cdikkg32.exe
2484	Cghggc32.exe
2484	Cghggc32.exe
2460	Cjfccn32.exe
2460	Cjfccn32.exe
2996	Cldooj32.exe
2996	Cldooj32.exe
592	Djhphncm.exe
592	Djhphncm.exe
1408	Dlgldibq.exe
1408	Dlgldibq.exe
2924	Dfoqmo32.exe
2924	Dfoqmo32.exe
2952	Dhnmij32.exe
2952	Dhnmij32.exe
1628	Dogefd32.exe
1628	Dogefd32.exe
1856	Dbfabp32.exe
1856	Dbfabp32.exe
2756	Dlkepi32.exe
2756	Dlkepi32.exe
2332	Dojald32.exe
2332	Dojald32.exe
2352	Dfdjhndl.exe
2352	Dfdjhndl.exe
1716	Dlnbeh32.exe
1716	Dlnbeh32.exe
1608	Dbkknojp.exe
1608	Dbkknojp.exe
2120	Ddigjkid.exe
2120	Ddigjkid.exe
2872	Dggcffhg.exe
2872	Dggcffhg.exe
1168	Enakbp32.exe
1168	Enakbp32.exe
1952	Edkcojga.exe
1952	Edkcojga.exe
1700	Egjpkffe.exe
1700	Egjpkffe.exe
1708	Endhhp32.exe
1708	Endhhp32.exe
2816	Eqbddk32.exe
2816	Eqbddk32.exe
2360	Ejkima32.exe
2360	Ejkima32.exe
2180	Eqdajkkb.exe
2180	Eqdajkkb.exe
2688	Enhacojl.exe
2688	Enhacojl.exe
2564	Emkaol32.exe
2564	Emkaol32.exe
3056	Ecejkf32.exe
3056	Ecejkf32.exe
2456	Efcfga32.exe
2456	Efcfga32.exe
2580	Emnndlod.exe
2580	Emnndlod.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Inegme32.dll	Efcfga32.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Enakbp32.exe	Dggcffhg.exe
File opened for modification	C:\Windows\SysWOW64\Dogefd32.exe	Dhnmij32.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Ecejkf32.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Dhnmij32.exe	Dfoqmo32.exe
File created	C:\Windows\SysWOW64\Dlnbeh32.exe	Dfdjhndl.exe
File opened for modification	C:\Windows\SysWOW64\Dlnbeh32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Lfnjef32.dll	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Ecejkf32.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Mnghjbjl.dll	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Abofbl32.dll	Effcma32.exe
File created	C:\Windows\SysWOW64\Lqelfddi.dll	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Edkcojga.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Fmpkjkma.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Mledlaqd.dll	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Gogcek32.dll	Enakbp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmpkjkma.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	Cjfccn32.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dlnbeh32.exe
File opened for modification	C:\Windows\SysWOW64\Enakbp32.exe	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Lednakhd.dll	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Abkphdmd.dll	Edkcojga.exe
File created	C:\Windows\SysWOW64\Fdilpjih.dll	Ecejkf32.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	Dogefd32.exe
File created	C:\Windows\SysWOW64\Dggcffhg.exe	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Bdacap32.dll	Emkaol32.exe
File created	C:\Windows\SysWOW64\Cgejac32.exe	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
File opened for modification	C:\Windows\SysWOW64\Dggcffhg.exe	Ddigjkid.exe
File opened for modification	C:\Windows\SysWOW64\Dfdjhndl.exe	Dojald32.exe
File created	C:\Windows\SysWOW64\Endhhp32.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Mmjale32.dll	Eqbddk32.exe
File opened for modification	C:\Windows\SysWOW64\Endhhp32.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Bebpkk32.dll	Ckafbbph.exe
File created	C:\Windows\SysWOW64\Ajfaqa32.dll	Dbfabp32.exe
File opened for modification	C:\Windows\SysWOW64\Egjpkffe.exe	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fmpkjkma.exe
File created	C:\Windows\SysWOW64\Cjfccn32.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Fahgfoih.dll	Cghggc32.exe
File created	C:\Windows\SysWOW64\Mfacfkje.dll	Djhphncm.exe
File created	C:\Windows\SysWOW64\Dfoqmo32.exe	Dlgldibq.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Cdikkg32.exe	Ckafbbph.exe
File opened for modification	C:\Windows\SysWOW64\Cdikkg32.exe	Ckafbbph.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Eqbddk32.exe
File created	C:\Windows\SysWOW64\Hdjlnm32.dll	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
File created	C:\Windows\SysWOW64\Jaegglem.dll	Cldooj32.exe
File created	C:\Windows\SysWOW64\Dogefd32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Efcfga32.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Eplkpgnh.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Ckafbbph.exe	Cgejac32.exe
File created	C:\Windows\SysWOW64\Cghggc32.exe	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjfccn32.exe	Cghggc32.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dojald32.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Mhofcjea.dll	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fmpkjkma.exe
File opened for modification	C:\Windows\SysWOW64\Cgejac32.exe	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	Eqdajkkb.exe
File created	C:\Windows\SysWOW64\Gjhfbach.dll	Cgejac32.exe
File created	C:\Windows\SysWOW64\Jchafg32.dll	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Egjpkffe.exe	Edkcojga.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2904	2972	WerFault.exe	63

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enfenplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enakbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhnmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojald32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggcffhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emkaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqdajkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecejkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnndlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckafbbph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cldooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfoqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqbddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgejac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhphncm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmpkjkma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgldibq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddigjkid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egjpkffe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdikkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhacojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	Dojald32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll"	Eqbddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll"	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll"	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll"	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqdajkkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll"	Ckafbbph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlgldibq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll"	Enfenplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddigjkid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fmpkjkma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djhphncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	Dogefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgejac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchafg32.dll"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cldooj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2136	2132	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe	28
PID 2132 wrote to memory of 2136	2132	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe	28
PID 2132 wrote to memory of 2136	2132	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe	28
PID 2132 wrote to memory of 2136	2132	23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe	28
PID 2136 wrote to memory of 2728	2136	Cgejac32.exe	29
PID 2136 wrote to memory of 2728	2136	Cgejac32.exe	29
PID 2136 wrote to memory of 2728	2136	Cgejac32.exe	29
PID 2136 wrote to memory of 2728	2136	Cgejac32.exe	29
PID 2728 wrote to memory of 2092	2728	Ckafbbph.exe	30
PID 2728 wrote to memory of 2092	2728	Ckafbbph.exe	30
PID 2728 wrote to memory of 2092	2728	Ckafbbph.exe	30
PID 2728 wrote to memory of 2092	2728	Ckafbbph.exe	30
PID 2092 wrote to memory of 2484	2092	Cdikkg32.exe	31
PID 2092 wrote to memory of 2484	2092	Cdikkg32.exe	31
PID 2092 wrote to memory of 2484	2092	Cdikkg32.exe	31
PID 2092 wrote to memory of 2484	2092	Cdikkg32.exe	31
PID 2484 wrote to memory of 2460	2484	Cghggc32.exe	32
PID 2484 wrote to memory of 2460	2484	Cghggc32.exe	32
PID 2484 wrote to memory of 2460	2484	Cghggc32.exe	32
PID 2484 wrote to memory of 2460	2484	Cghggc32.exe	32
PID 2460 wrote to memory of 2996	2460	Cjfccn32.exe	33
PID 2460 wrote to memory of 2996	2460	Cjfccn32.exe	33
PID 2460 wrote to memory of 2996	2460	Cjfccn32.exe	33
PID 2460 wrote to memory of 2996	2460	Cjfccn32.exe	33
PID 2996 wrote to memory of 592	2996	Cldooj32.exe	34
PID 2996 wrote to memory of 592	2996	Cldooj32.exe	34
PID 2996 wrote to memory of 592	2996	Cldooj32.exe	34
PID 2996 wrote to memory of 592	2996	Cldooj32.exe	34
PID 592 wrote to memory of 1408	592	Djhphncm.exe	35
PID 592 wrote to memory of 1408	592	Djhphncm.exe	35
PID 592 wrote to memory of 1408	592	Djhphncm.exe	35
PID 592 wrote to memory of 1408	592	Djhphncm.exe	35
PID 1408 wrote to memory of 2924	1408	Dlgldibq.exe	36
PID 1408 wrote to memory of 2924	1408	Dlgldibq.exe	36
PID 1408 wrote to memory of 2924	1408	Dlgldibq.exe	36
PID 1408 wrote to memory of 2924	1408	Dlgldibq.exe	36
PID 2924 wrote to memory of 2952	2924	Dfoqmo32.exe	37
PID 2924 wrote to memory of 2952	2924	Dfoqmo32.exe	37
PID 2924 wrote to memory of 2952	2924	Dfoqmo32.exe	37
PID 2924 wrote to memory of 2952	2924	Dfoqmo32.exe	37
PID 2952 wrote to memory of 1628	2952	Dhnmij32.exe	38
PID 2952 wrote to memory of 1628	2952	Dhnmij32.exe	38
PID 2952 wrote to memory of 1628	2952	Dhnmij32.exe	38
PID 2952 wrote to memory of 1628	2952	Dhnmij32.exe	38
PID 1628 wrote to memory of 1856	1628	Dogefd32.exe	39
PID 1628 wrote to memory of 1856	1628	Dogefd32.exe	39
PID 1628 wrote to memory of 1856	1628	Dogefd32.exe	39
PID 1628 wrote to memory of 1856	1628	Dogefd32.exe	39
PID 1856 wrote to memory of 2756	1856	Dbfabp32.exe	40
PID 1856 wrote to memory of 2756	1856	Dbfabp32.exe	40
PID 1856 wrote to memory of 2756	1856	Dbfabp32.exe	40
PID 1856 wrote to memory of 2756	1856	Dbfabp32.exe	40
PID 2756 wrote to memory of 2332	2756	Dlkepi32.exe	41
PID 2756 wrote to memory of 2332	2756	Dlkepi32.exe	41
PID 2756 wrote to memory of 2332	2756	Dlkepi32.exe	41
PID 2756 wrote to memory of 2332	2756	Dlkepi32.exe	41
PID 2332 wrote to memory of 2352	2332	Dojald32.exe	42
PID 2332 wrote to memory of 2352	2332	Dojald32.exe	42
PID 2332 wrote to memory of 2352	2332	Dojald32.exe	42
PID 2332 wrote to memory of 2352	2332	Dojald32.exe	42
PID 2352 wrote to memory of 1716	2352	Dfdjhndl.exe	43
PID 2352 wrote to memory of 1716	2352	Dfdjhndl.exe	43
PID 2352 wrote to memory of 1716	2352	Dfdjhndl.exe	43
PID 2352 wrote to memory of 1716	2352	Dfdjhndl.exe	43

C:\Users\Admin\AppData\Local\Temp\23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe
"C:\Users\Admin\AppData\Local\Temp\23791859385ec5aa9334f1b756e6c015eb6ab604486d77d9d79844bd13334dffN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\Cgejac32.exe
  C:\Windows\system32\Cgejac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\Ckafbbph.exe
    C:\Windows\system32\Ckafbbph.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\Cdikkg32.exe
      C:\Windows\system32\Cdikkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\Cjfccn32.exe
        
        C:\Windows\system32\Cjfccn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Cldooj32.exe
        
        C:\Windows\system32\Cldooj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Djhphncm.exe
        
        C:\Windows\system32\Djhphncm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Dlgldibq.exe
        
        C:\Windows\system32\Dlgldibq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Dfoqmo32.exe
        
        C:\Windows\system32\Dfoqmo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Dogefd32.exe
        
        C:\Windows\system32\Dogefd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Dbfabp32.exe
        
        C:\Windows\system32\Dbfabp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Dojald32.exe
        
        C:\Windows\system32\Dojald32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Ddigjkid.exe
        
        C:\Windows\system32\Ddigjkid.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Enakbp32.exe
        
        C:\Windows\system32\Enakbp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Egjpkffe.exe
        
        C:\Windows\system32\Egjpkffe.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Eqbddk32.exe
        
        C:\Windows\system32\Eqbddk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Eqdajkkb.exe
        
        C:\Windows\system32\Eqdajkkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ecejkf32.exe
        
        C:\Windows\system32\Ecejkf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Fmpkjkma.exe
        
        C:\Windows\system32\Fmpkjkma.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 140
        38⤵
        Program crash
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgejac32.exe

Filesize
128KB

MD5
1298be17a0679e00014aebecfded7d8a

SHA1
101d8e1c227be3e7f074af3250ffe3e35c172438

SHA256
2259715a2c55b3abbf208e49c6dc27cabe151902956d5db634bac24af91492c7

SHA512
8f99f28340840bd964f0004ed38026dc56561e46456e7b3f07dbf2a86a13ff3d30b5e8c52b12599e190bf853a9736282d6e42c8ec16489e0960bbc0858b9a236

Download Submit
C:\Windows\SysWOW64\Cjfccn32.exe

Filesize
128KB

MD5
201ae0d929a50803e57530d87e734c43

SHA1
9182a856fd05a96b68d9960295d1fe8afcf0e75e

SHA256
184d9d9e0bfe3758ed3acf1b4a51097963bf1ceafa55835ad6c110c258b30c00

SHA512
a6d09749c57c8e54d8a8984fdf3d9083b8185ed3bafce57303f57137f2bfc2767e7470f49051942194ff3f02780eddc72996460f223d31a0c1adcc848e11a394

Download Submit
C:\Windows\SysWOW64\Dbfabp32.exe

Filesize
128KB

MD5
e4ba476d08fad605812882bf6861cdb5

SHA1
1e08f21f04d803f8bbd859de2f024380ffb3d330

SHA256
ad4226cf2944cb4b99b1c4ee1ae9e512470b01d831974e51f71e28da6da80c4e

SHA512
b1ce865dcfc20659ca6a4b8f3048a043df5f4de0708180a26553a3037f0926c593050f158ee743d99903c6baa861eee88d857973a55c8ec52aaa16f7bb34dabd

Download Submit
C:\Windows\SysWOW64\Dbkknojp.exe

Filesize
128KB

MD5
1e2f936443eedb5dddee335f70070cb6

SHA1
0c4d67e5f56afb5eb9e1350465d5b1845c6f4035

SHA256
a25603318b94d4cda68a3a3652a0b06d8cf935000aa2c0bdd27ddc4777fba359

SHA512
54507cfa93fdf744c247857fb4f54047a52788b02b6c771ea233cf027fd420bd56421d4016815a60df043d0fda1701a2e1dbb86f8cfd498b7ad940dc720471df

Download Submit
C:\Windows\SysWOW64\Ddigjkid.exe

Filesize
128KB

MD5
cb72c5157dd8778c68c8d66fb8e7391f

SHA1
86bff2f44709bf7972ab0ac4411e396755a9d922

SHA256
932509cd6459fa371a3c4cf03e5e7ba7f6674988da0fb746679f80a8447a187c

SHA512
32818cffd4b7e52c2fa6b330884784f472cb167aaf5827e13803b5b2c8b87e312fbff94150154618f3e003274b5064d55ec3abc384dd1c56b0e346fb7d405ba7

Download Submit
C:\Windows\SysWOW64\Dggcffhg.exe

Filesize
128KB

MD5
a7cea8c1fafabcfdbf30145913cbe4ba

SHA1
4f0b11b669b25b24164f4fd71fe2f3a82df6c763

SHA256
d26c19f3829eb9cc6679406b57a4dadbcd729c0ca72aa6f284b74bd54c649819

SHA512
13d48d3979439a262b2bf66e0de117b930029acfb1e161be473276b8b3ea17783b93824741d80d5d8e15207ca6fd3e76cb38a320c601a6962bf3494413f22fd3

Download Submit
C:\Windows\SysWOW64\Dlkepi32.exe

Filesize
128KB

MD5
fae09918e0a6faca0b3b90e322c9a20c

SHA1
2dba64687a627a4e4638af6ce6bdcfde1da59d48

SHA256
ba23ec92f6e5343f44e297406d5e81b8c625de500b13b52e34a54c1084ae57f2

SHA512
d18c6a825005325dae8e87944d9e128fca95995856ab02599012dee8ce12029665ac0bbcce9718f45c869b602d3c7f99146ac5d8a68839ee29a5ceda1a809912

Download Submit
C:\Windows\SysWOW64\Dojald32.exe

Filesize
128KB

MD5
b9f8ae62fce87f1570a772aa48f7ca2f

SHA1
d428c6039f95d1854a8eaa6ee6ae70469304e93b

SHA256
20c9ff0f55173dc4ca780eca239d250a804b34dc1329dd3c25bf159ff5840ef4

SHA512
63228e3e9581c389f682da869647a2daf5a16cba1bd89fe09d2e4ad2f3937dc0ca94f48f13ec1ee01b86708f294523a0341c435ebf39d7ce3aecbb04dfd15a16

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
128KB

MD5
01e77e98feaedee0f486bd628a01a6c2

SHA1
0fa905c9af54198fad49a46b653a0c46a8368e8b

SHA256
ef54bed338cc5b83da1ab31129a5beeaaae2afb68f3c01bd195ef979a4924d70

SHA512
e88abbec88eb78daaa58f315f9bef0347f7dd2d87778fbac11e30b71ef4fa520402a6fd32e1cf0c0d8644d83a23970b6e5cf2be6a2316d684880da17d83d0ec0

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
128KB

MD5
4782c41787029de22930256a5458b49f

SHA1
b0a99dfb86531175156a4d0dbc3b3c062ae2f6f4

SHA256
670b02e095371fa452ee8130dc5d951245541045d561b2ee908c857410667eed

SHA512
82c8b85097c7b25154b5df0bf5a3f8b52d3715883f0c4d64dd057692deb3e3691f00be6bcd40b190d83255ccb85190c0e4657b0f2f1231b159574f4e9e7416ad

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
128KB

MD5
f51d96a1589b2dc6562c3038c5b6df68

SHA1
eb87ec2fb1ed8c33a10ca49938810ae313746257

SHA256
cea8b027894b3e46fbad1c036c7f086f5a3b2fbf8203e91f6bb03567668a620a

SHA512
21703d42b2b9bd6987a3bf83a4b89bfd728d9545cf1a70991b7798f360944ea9fa33bad3e122b60b26222c9ce9756aac7abd6a9f2e7ad17d0a8a2e50fda042cc

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
128KB

MD5
0f70d35614cab5b4a1d07fd13966eb85

SHA1
f28ca6b931470c894c734c2afc69bbbc43732d2d

SHA256
ff7e6837ce814e5d7fca7eeb30b119dfb24ce61231107bc5d5dd878913de3c2e

SHA512
73d1365277b665c4ee5b428b29876c7c2b3173172419f531d70c7c80ec674eae530f0634f47b1f7aeb821353be6020dc1c26fc602c1b1f8c6be6eca97025a64c

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
128KB

MD5
b8bc1ceae0d2c226ab5f5db5ef880cad

SHA1
ba8a3067b880362fb4e56f672e101847dd0c0db5

SHA256
404c3c10807d54c0b08c2d141dd73799b3905c4f51d633c98f92ae907926a558

SHA512
ea737a7dff4027bd4e53b5be471d3c91e77523420fd3f0ca1978c8eda295b1022c7fd1620cde410f9bb614b871d7feee14845717aefa9c9f110e0bd1d7801df2

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
128KB

MD5
cbaf53aaf82ccd3b72239c381ed8b812

SHA1
9232c528b20bbb5e1de5cd6bf555d625ebecaa25

SHA256
90badaf760b3124fd6d6a72929a4b915c3e28b904a3f9872e967dbafe31613a0

SHA512
61e37135116f9d9d421f97f218502661d012037b6714754da4b27034880b02d3fcdd533dcbf2ac2652546277b9c5ce3dd61db3a9fba5700d7d406deddcfae33a

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
128KB

MD5
2887e18e6a8cd0a7b292eac26365f441

SHA1
ca7af0e88094c910d8510955d061befb4bd408e0

SHA256
65ab92e94f35f444d2e3a28d0cbe94b0e2ca2cd8a917090558d0f39f6ef7e7bc

SHA512
f336e544a04dfcf8236c923e0038b731a2387b4ec76aaa4b47945767c779f77d3959ef52d6d5e38b97fab68f8ca92f9bda7f9cd31f7beb6269eee4e089e0b20b

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
128KB

MD5
ce32bb886bf64c8e6a3aa418a063c64e

SHA1
c650bb9022d25f0bbba34c089576e43a5b4fdbee

SHA256
cc667c9d709f7ec181072b04f9396de188be6e365fd5e1dc9921e82b28754f60

SHA512
1c49922826b8b6186f49f36060176f787a684ece042fa89889a15886b60116295c347fe6938fa8b1c398caa7340f60fa480f6037c055a572c1dfd8ff5919ef0b

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
128KB

MD5
89f8cac07e7c8666f39628915169f93e

SHA1
b5649f611fcf8b99b7bcf6d7925b31f52b857f3b

SHA256
9930344250d6368ea85e2915487493f71f9034a5d53e6cfe3a9d4840de79b0e7

SHA512
8aea718eef54f48321bdab8352499974d328d37ac80e433990f0fde3952793595521b985ce6e49c569c20803d15d8fbc6992cdb9e67405243db17d05a4c655ab

Download Submit
C:\Windows\SysWOW64\Endhhp32.exe

Filesize
128KB

MD5
c4c4ede1cf1c93c456e56138336d01e7

SHA1
2867de072405159024b3dab48dd293542ea58a62

SHA256
7601202c8dc0cc0eee615d940afbbd841d3869e2383e3729b640cf5619c10da3

SHA512
9a86419d5a7a3f4511d7b917e424c82be71ea9b62692d8160d725a516606e84e62d25673a19be395e1881586b42f40caf3eb29d5058c9fac436644ec03667e32

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
128KB

MD5
1aa0736f4aa13a37b201a56d7ee614a4

SHA1
07c1b9764d92ad1afbe14e6d05eec9e61099d4ff

SHA256
1e7f2111c898c9bd5bcb743c67d79a59920275117385bb758d9446d5252af18f

SHA512
eef1e6aef7bc8054d587e581bd9a88cdaecfe1b314791adb286cabc8d353262e8ee81a8e188227d7c52c713d555a3db431550d0e5efab5467cce2a0c51a2f773

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
128KB

MD5
5b6055bf8a4a8809185681db5cb851fa

SHA1
d081add8facf0bc96c2f51d37a96ff352865ca05

SHA256
88bd02f83cbcdd9663532a31dc4a3cb56a6bd2126065a335410e28ff53589c12

SHA512
988369c2d93ea687327a9018c158f0a953bf6cf1ef8cae1453d9770fa35a6420b60dfdfa61c543bcc8a7ee2b2f2103f290fb5fce9e2bb535ae054cfc6739d4a2

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
128KB

MD5
09cfd3f76a3756759e6c703fe7164733

SHA1
f523f14ad92faa7f691c85c42ac092fbbc1c1fdb

SHA256
69eb559ebd288e85f8b422650970d65fe0ec6836c8c164793932eb7c3a8825da

SHA512
2771f77d6e7433fdcfd83b0a550ac19aa9b22a22af63f8d24bcecde81b8665fe2b2e94c2d37f3ae5d9b2fd34f0f27910711a895063acee42b01d962d2050e4dc

Download Submit
C:\Windows\SysWOW64\Eqbddk32.exe

Filesize
128KB

MD5
06dda67190c75d0da6d888f10f961ebb

SHA1
a27d9f22bbe86f7d1a6c0ed4cf4cf11c588b757e

SHA256
3342a82e3138610f55abd028cede9bf69aa9355b2e7ea03ecdaf0849ec0f3a7c

SHA512
64989acf22fe3c6236f1333b7c8d81ef33aa08ecf0d239bca46c70d7a1e781d1d6a424951b775815f2e8f6731a563ba0207f20c51eaaa534531652a8f1a3db07

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
128KB

MD5
cec88718af49c561011b57ec90964c49

SHA1
35921e8c6c340c5b0cc810142b1f3b5290a90718

SHA256
ebed3f2e07549d47ec4597c95c3b044207c0dce819d0f1a075556fdc8364be1a

SHA512
76c34d41abd89a209f52cb72893712579b17cf59bb5438a59cf7876c98cd71605342cafb56f1ee5797135cb1ca4a696d73502615ccef1931296bcd752be8787a

Download Submit
C:\Windows\SysWOW64\Fmpkjkma.exe

Filesize
128KB

MD5
97584e958febbe8a14c3356c62464986

SHA1
23e5ae09e738cc825425742efd8875e350cfdab4

SHA256
c6cb1b66690804d2652870f9bb084ccc9b3dc01379949117a6b884c72abbde08

SHA512
277f3a06e2eea7eda0ef9b758444c00fe5e575c39617dc52581d35d68440d8391e0950c66fe856c722dfa3cb626fabb0dac2d4455a58c2d8ffb99cd3bf77d5a7

Download Submit
\Windows\SysWOW64\Cdikkg32.exe

Filesize
128KB

MD5
4a7c058dd36fb22e7587f7e185f65e28

SHA1
9380b1fa436979062923d204c81d2590944862fa

SHA256
03f4d3acc718126fffbff330e782d4e22946a7d0c05314de06f212eb197eded1

SHA512
be3c99250a8cffcfaa61818bb780dd7b5d3ac650561e4f1629d8c4e620e453914760c5ef2c0bfef75ef00c8b71c5b302665debd1ad78fb285db7c1388854f07f

Download Submit
\Windows\SysWOW64\Cghggc32.exe

Filesize
128KB

MD5
91f4ad806ce261a2dce20afe2581e2b3

SHA1
ca3aea98b981d7aea88ea2fda0f647a184df608f

SHA256
88482d0b9875a8f491a63ef7e44201a117acb0d2c917af825013bc3299089163

SHA512
908407213cc1f7d1daa52fd1a4e883c9fc9e5843e60fa4e926c5762e596da0fd3f73e6b1b07bdb60255fb922cd04488e4b8fb03872448673e221ae08e8d1ca13

Download Submit
\Windows\SysWOW64\Ckafbbph.exe

Filesize
128KB

MD5
c64056e6d70830c483db73662b204e68

SHA1
5398fee534f49aa50689a58e4f6eac5869133f0e

SHA256
32373bc777e5a824bd1b3b3df10941f2538ad93ba725e456f19855797b9f11df

SHA512
80f675c8e13ffd54f8928313ee4e6fff9af95f83259595b63def2957f33603f822a9835e4676fe73eba450e87da5b627dca07a9c8911e8f46897287cc335c3d1

Download Submit
\Windows\SysWOW64\Cldooj32.exe

Filesize
128KB

MD5
03668c3fb6f6dbf15cf866f9a544c760

SHA1
a055d0c134ed59fab2009a15fb0f386b5423ae7b

SHA256
eaecf348f2560c6226d2147209b1bbae77189c31c573b508d145182dd6beebe4

SHA512
d8ce5c40043e8a42a70fe6699eb6fb093d40d6746e02d5313b6dff7ed774a9b2087b09b2d424741db40990627a04d0475f57e4b71ff193041a2e1886a37fc059

Download Submit
\Windows\SysWOW64\Dfdjhndl.exe

Filesize
128KB

MD5
5ef4c5c8c93914331b8aab6b8701716d

SHA1
1a80d9109cb78fb7443000e3f7b48408b52917fd

SHA256
da64d0a28bc2c6e294999f96b37df80cf88a453b962272c5cb2ba631779a20b3

SHA512
70bd5cdfa2a8266adb19dd3f345d0ef994425f1ddf99cc41e3e97ffaabf2fd89bc5f8121f810094085b0aaeeb64477a49f344614f040df671182ac947bc1831e

Download Submit
\Windows\SysWOW64\Dfoqmo32.exe

Filesize
128KB

MD5
9a6359248c081f3e1dd60ab98bd04d07

SHA1
ea795486fb37fec155d2d4943c917d428770d2e1

SHA256
756af5947fab266215ce36a6fc88575478c9aa0c25e377fe32bb1ea00285a131

SHA512
b8419eed8ac89f4b8242bf790bde66801d5606a1aa5fcd502f3ac891b8fc9c3410bc24356e68fab9c9b2b7f6fdce8eb5fcd39ce288dc76c2936d2517c0025bd2

Download Submit
\Windows\SysWOW64\Dhnmij32.exe

Filesize
128KB

MD5
519a090aa7bd9d166b8c75cafd634b6c

SHA1
db8a229d6995b6fd1f0b321df2fbf7f28e3966bc

SHA256
a89dd8059983327e26bb26c4f4b2307e7f6689d4cf75c2779e769f83eed9207e

SHA512
e3098682a4f1ca20e2296e4c69c99aab01407cb2079ee2a59b94878f8155d0bad8d91bcc7eed9d57045e426cd0e5cd81cf4ad23196e9f99dfbacac6adc2042b0

Download Submit
\Windows\SysWOW64\Djhphncm.exe

Filesize
128KB

MD5
b51eb84428b064e2c3829ebbd4e6ffb9

SHA1
5b3e826c6a893ab3d95b70931e1c502e63741185

SHA256
c5780342384844dac82e0a050f360a1c82739cbe62f9b169fb0140468f735f84

SHA512
af27b3ca179adfb3ccbf0454abe1d5d935919371a644e920aa24d4fff25cfb399b5e1632f0f93fa1739949a98c14695b26fc538d7897ce15ce560e1289238e66

Download Submit
\Windows\SysWOW64\Dlgldibq.exe

Filesize
128KB

MD5
1f33ee9dedaa37622f2f9e8da06204cb

SHA1
e58381b0e622df6473bf6ade641e60ad9d377216

SHA256
832a54dac5e2b95e4eeb3a9048724c19f25303fd28ecb503ac4e6be85ee1ed82

SHA512
c6dd0a2e4f006215cff9acce3f3f39e682ab7a0702af64ef745fa438cf66620ffc306590efa51b702fea7656850e5423b4efaaeacb3c6b79f0bdfc41d1ec0249

Download Submit
\Windows\SysWOW64\Dlnbeh32.exe

Filesize
128KB

MD5
46d439d43620be5f8dff2d42ab9c6389

SHA1
9dd2f2f2cc6d542fb990e75022ffe92ad04e7ce3

SHA256
dd1c6a3fa9bdc25fcf6fd26c7a956a4d589119eb56b6d5afb5066bc0b397ec9f

SHA512
48a717547a3de15e5951790f26910a31afd9666d8197dddd927bc6c490a88272aa11865ef1635d7923f40d0c583901d85347444755eec37f7d8cc62dc943d0e2

Download Submit
\Windows\SysWOW64\Dogefd32.exe

Filesize
128KB

MD5
42c045dde7446039476a8e6928617cb9

SHA1
ff1a234a03ebea7212e156d6140ea863072dcd19

SHA256
7beb20bdd8deea356f10145e0af20b794cb0c83b2b23a7884bc3fb280f2fb870

SHA512
57ad02e28f0df56b85f06f480b204cb6e2463bd318f6c3e164d8dfb1b2ab6d3b256b978bae8665d45828867e3478e1e154654b93d7de8a6cc6332fcc7d16c012

Download Submit
memory/592-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/708-398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/708-404-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1168-262-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1168-258-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1168-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1168-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-415-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1400-416-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1400-410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-112-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1408-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-319-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1652-318-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1652-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-284-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1700-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-283-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1708-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-295-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1708-294-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1716-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1716-434-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-166-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1856-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-427-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1856-158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-272-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1952-273-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1952-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-47-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2092-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-237-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2120-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-17-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2132-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-362-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2136-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-329-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2180-445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-330-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2180-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-191-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2332-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-211-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2352-432-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2352-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-433-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-316-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2360-315-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2360-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-376-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2456-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-77-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2460-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-386-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-394-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2564-351-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2564-352-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2564-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-384-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2580-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-341-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2688-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-340-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2728-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-379-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-306-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2816-305-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/2872-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-251-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2872-250-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2924-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-131-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-138-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2972-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads