berbew | 59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8b

Analysis

max time kernel
94s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
Size

94KB
MD5

3afce5f793d2095615b630ff5d3f9d30
SHA1

9f652c72d6ff42cb4d4b0f9523def7816910b868
SHA256

59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8b
SHA512

89fd4e94af48ee0e8d964f99a5d7ef4f438a5455256acd12e80384889afa4f196425b5083e2694991c50f25293af4b426a877695f08bd4f164cd1a6546853b28
SSDEEP

1536:n51KlwgWgsCcgo8dbg2LHrMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:Klig3HrMQH2qC7ZQOlzSLUK64

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 43 IoCs

pid	Process
3556	Ajfhnjhq.exe
3460	Aqppkd32.exe
2412	Agjhgngj.exe
1824	Andqdh32.exe
1356	Aeniabfd.exe
4948	Afoeiklb.exe
2240	Anfmjhmd.exe
1048	Agoabn32.exe
936	Bmkjkd32.exe
556	Bcebhoii.exe
1188	Bmngqdpj.exe
4472	Bchomn32.exe
2216	Bjagjhnc.exe
4828	Beglgani.exe
4516	Bjddphlq.exe
2576	Banllbdn.exe
3152	Bfkedibe.exe
572	Bnbmefbg.exe
4880	Bcoenmao.exe
3448	Cmgjgcgo.exe
404	Cdabcm32.exe
1400	Cjkjpgfi.exe
4116	Ceqnmpfo.exe
3388	Chokikeb.exe
540	Cnicfe32.exe
2792	Ceckcp32.exe
2936	Cfdhkhjj.exe
228	Cmnpgb32.exe
3392	Ceehho32.exe
2272	Cdhhdlid.exe
4836	Cnnlaehj.exe
4916	Ddjejl32.exe
1992	Dhfajjoj.exe
3732	Dopigd32.exe
4444	Dhhnpjmh.exe
4596	Dmefhako.exe
5112	Dhkjej32.exe
324	Daconoae.exe
1056	Dhmgki32.exe
1444	Dogogcpo.exe
4732	Deagdn32.exe
492	Dknpmdfc.exe
5032	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	5032	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 3556	2044	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe	82
PID 2044 wrote to memory of 3556	2044	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe	82
PID 2044 wrote to memory of 3556	2044	59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe	82
PID 3556 wrote to memory of 3460	3556	Ajfhnjhq.exe	83
PID 3556 wrote to memory of 3460	3556	Ajfhnjhq.exe	83
PID 3556 wrote to memory of 3460	3556	Ajfhnjhq.exe	83
PID 3460 wrote to memory of 2412	3460	Aqppkd32.exe	84
PID 3460 wrote to memory of 2412	3460	Aqppkd32.exe	84
PID 3460 wrote to memory of 2412	3460	Aqppkd32.exe	84
PID 2412 wrote to memory of 1824	2412	Agjhgngj.exe	85
PID 2412 wrote to memory of 1824	2412	Agjhgngj.exe	85
PID 2412 wrote to memory of 1824	2412	Agjhgngj.exe	85
PID 1824 wrote to memory of 1356	1824	Andqdh32.exe	86
PID 1824 wrote to memory of 1356	1824	Andqdh32.exe	86
PID 1824 wrote to memory of 1356	1824	Andqdh32.exe	86
PID 1356 wrote to memory of 4948	1356	Aeniabfd.exe	87
PID 1356 wrote to memory of 4948	1356	Aeniabfd.exe	87
PID 1356 wrote to memory of 4948	1356	Aeniabfd.exe	87
PID 4948 wrote to memory of 2240	4948	Afoeiklb.exe	88
PID 4948 wrote to memory of 2240	4948	Afoeiklb.exe	88
PID 4948 wrote to memory of 2240	4948	Afoeiklb.exe	88
PID 2240 wrote to memory of 1048	2240	Anfmjhmd.exe	89
PID 2240 wrote to memory of 1048	2240	Anfmjhmd.exe	89
PID 2240 wrote to memory of 1048	2240	Anfmjhmd.exe	89
PID 1048 wrote to memory of 936	1048	Agoabn32.exe	90
PID 1048 wrote to memory of 936	1048	Agoabn32.exe	90
PID 1048 wrote to memory of 936	1048	Agoabn32.exe	90
PID 936 wrote to memory of 556	936	Bmkjkd32.exe	91
PID 936 wrote to memory of 556	936	Bmkjkd32.exe	91
PID 936 wrote to memory of 556	936	Bmkjkd32.exe	91
PID 556 wrote to memory of 1188	556	Bcebhoii.exe	92
PID 556 wrote to memory of 1188	556	Bcebhoii.exe	92
PID 556 wrote to memory of 1188	556	Bcebhoii.exe	92
PID 1188 wrote to memory of 4472	1188	Bmngqdpj.exe	93
PID 1188 wrote to memory of 4472	1188	Bmngqdpj.exe	93
PID 1188 wrote to memory of 4472	1188	Bmngqdpj.exe	93
PID 4472 wrote to memory of 2216	4472	Bchomn32.exe	94
PID 4472 wrote to memory of 2216	4472	Bchomn32.exe	94
PID 4472 wrote to memory of 2216	4472	Bchomn32.exe	94
PID 2216 wrote to memory of 4828	2216	Bjagjhnc.exe	95
PID 2216 wrote to memory of 4828	2216	Bjagjhnc.exe	95
PID 2216 wrote to memory of 4828	2216	Bjagjhnc.exe	95
PID 4828 wrote to memory of 4516	4828	Beglgani.exe	96
PID 4828 wrote to memory of 4516	4828	Beglgani.exe	96
PID 4828 wrote to memory of 4516	4828	Beglgani.exe	96
PID 4516 wrote to memory of 2576	4516	Bjddphlq.exe	97
PID 4516 wrote to memory of 2576	4516	Bjddphlq.exe	97
PID 4516 wrote to memory of 2576	4516	Bjddphlq.exe	97
PID 2576 wrote to memory of 3152	2576	Banllbdn.exe	98
PID 2576 wrote to memory of 3152	2576	Banllbdn.exe	98
PID 2576 wrote to memory of 3152	2576	Banllbdn.exe	98
PID 3152 wrote to memory of 572	3152	Bfkedibe.exe	99
PID 3152 wrote to memory of 572	3152	Bfkedibe.exe	99
PID 3152 wrote to memory of 572	3152	Bfkedibe.exe	99
PID 572 wrote to memory of 4880	572	Bnbmefbg.exe	100
PID 572 wrote to memory of 4880	572	Bnbmefbg.exe	100
PID 572 wrote to memory of 4880	572	Bnbmefbg.exe	100
PID 4880 wrote to memory of 3448	4880	Bcoenmao.exe	101
PID 4880 wrote to memory of 3448	4880	Bcoenmao.exe	101
PID 4880 wrote to memory of 3448	4880	Bcoenmao.exe	101
PID 3448 wrote to memory of 404	3448	Cmgjgcgo.exe	102
PID 3448 wrote to memory of 404	3448	Cmgjgcgo.exe	102
PID 3448 wrote to memory of 404	3448	Cmgjgcgo.exe	102
PID 404 wrote to memory of 1400	404	Cdabcm32.exe	103

C:\Users\Admin\AppData\Local\Temp\59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe
"C:\Users\Admin\AppData\Local\Temp\59640239427d472e9caac12a16a5558a66d2b920d085487d10e38791a2a89e8bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\Ajfhnjhq.exe
  C:\Windows\system32\Ajfhnjhq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\Aqppkd32.exe
    C:\Windows\system32\Aqppkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\Agjhgngj.exe
      C:\Windows\system32\Agjhgngj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 212
        45⤵
        Program crash
        
        PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5032 -ip 5032
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
94KB

MD5
7730bff6e803d06893c456ef2d171989

SHA1
951a83c203232de77b422fd20fae945326b5cd66

SHA256
e5cd2e8ce87dd1afa886f612a30176b0c556f051a6e925ab4c793915e9642c95

SHA512
63227b1a4307d7c849b2559f7da53fe92b2f3e68b19c4bbe28174e03581a2024a050ccf14a76b827151fd4e4a6bdfab3d084a2e0da306817755b54e3342585ce

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
94KB

MD5
f26ef50c91f2edb9da121eb6e820e503

SHA1
6da1d9c3ab118d59f157b5aace0d7c54374bb255

SHA256
adcb4dc96d6b41d03725246a2bfe282deaa86a0e54abb35433d88518e0387437

SHA512
d30370503b8dea7294b7b9e9deafa94b837d4ab5c0ac6cd742e83fb17597f340199503534fadb985b256bb3ce7c901f5667e0a06f6a9cbf6689f36184ef53958

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
94KB

MD5
ada8fb7b2560731f4256c6bce9cf02f9

SHA1
853ffb720b873c5b834f90e7c2241e279dc40f86

SHA256
92649d72d4199525a8a9534ef3aab9a2ce880f892ce87863d8e24279a00c1e21

SHA512
b3f25e826be17f9e3f0ad7b7dde6fe4cad7d13bff6b254e1471519294c5d0819edd9bb0bed73795c7dc7524a5e7b4998476a8e6550d39f58086e9193733ea897

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
94KB

MD5
13d657aaecf2106b7e07da66669e8fdc

SHA1
52cd70802c3a00df97d3cda471e55a817838fa62

SHA256
e4dd1c222ce08a6dfbbfb6a16fbe0fa650a77272856cbad01a1b0a88466d235a

SHA512
c3a4ca16979bac1104b1f61ac9263abf132cc58b0b459fd230549b1f7da056040cc8324c3840413659b0d58d681cd47982869f9a3b4b379fce9d76a58792bfd5

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
94KB

MD5
b0584b358b0862628a7db83d87ccc2f2

SHA1
fe587b1342a254c597d678802cf5618fd654c2d6

SHA256
69865e38e9ec70fad74d8a7abd707af18c7617bf80d3406181b65b779d87e8a4

SHA512
a4f48beaab09c379501d25b61b20fec872d799650308ebf7e42402c852d4bf6fc7bdd3a1b1e7570053370a2d64057d6ebb82bf753b2e82a69b08be4a0a491600

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
94KB

MD5
c44a05db2d1e942f6fff6f4d57dddf5d

SHA1
d60131a776cfee4c6d832d4dc14b9246dcf47939

SHA256
ceae5918a7e8563f2e9bab1cf6eb98f93686f42ce5777a7c7c54327b39d2c63c

SHA512
95258c2f87457f509fb176e3396cadc6874295baec6dc5307ef3d9a100739fe03fcf791820b7982352f5ffe593c1ede33ce691bad1c23970011eecfa6de082e2

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
94KB

MD5
31dfb01e6f22ad77b088e1472fe163a3

SHA1
c953f2d773dcd6190c79d34d60476f6a3be3b03b

SHA256
6272496f1843d520c0aa3632d4968b2a8349670b8a3afeb5b69d5b03d23fad6e

SHA512
69a678b72b23754d17671a6f9bd408389749136a058c56740a21ef8c207ae6818da9df241ed62f510d62e7e94d563e662fcea894aa643a746f7dc3dce0dac9d1

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
94KB

MD5
825b231791610b0868abb1e741b1cbc2

SHA1
6551f9b20153f8289b7eb803c64ab58ba282db28

SHA256
b3a6071dff0575468b25e488a36a49386591baea55ac0da3f85acdd6b6e5a9a4

SHA512
8f0ce22ca5d68579a62afd7959c5b05cdbae1eacd8398633059e2c76a9a56a4643b25d2b293dc6710b94040228def16636854afeb655964232dcc26a8998096f

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
94KB

MD5
3a5a3b1c0064dea50c7ed96e61f01bfa

SHA1
9d5ea573ec9a85accb7605bc08a7d21b1e817dc7

SHA256
c74c941edffff467e7f4f6902d69724375628fbc972258125aac2b7463492ab6

SHA512
629f8ebd61c7297511739eefe3a6ae21a942e0be55a51d81d2c32858433c1f711a6fda311eae4c9d3236cc4ac1b4bf84ee4c85609c3195cf9828bd9ed4518d73

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
94KB

MD5
6ed09341e928e47ec0e2cda3b9fb362b

SHA1
9dc3737aebcb2405084c815c90e4b4e918f4cee5

SHA256
229fa406211d232f10d5fb3b0fb2a3fda45f9452cb6427b2f8fef2cbcf6cf049

SHA512
2e1783678bb1849bb6e7f07c050e7f20967e3dfb31c813dc72955163e0d2a71859e07c37d098bd484d525b3673c391898224d229c3bbf9970475586593dcc56b

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
94KB

MD5
49cae8645477b9878e738deb71a7f474

SHA1
1b48138be074840737565579c1ea0baebd5c35e7

SHA256
f56c5246649ccf55ab13c21dc97d5bf6f21ce38636b84e382b2a7bd416db3b11

SHA512
d4f9b42a0ae5339b7f16d35cd44f4447f203bfe85442c34e921ba05413402bef4ce36f0d7b4366bd41f3ff78701e2e243a8735d1d3ab838370ceb1b6ae3f83f2

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
94KB

MD5
f2046277213509bd751eac58308e7485

SHA1
68d573c505812730ee802162961f1eafafb7d8cd

SHA256
e63ec6bea257d4ed6ea424e681ec78aaa1f4affa8e402fd54d412959e72b2b5f

SHA512
e048c28f3c3c26e6d87bb44e193e4265a87bcbb43e760e5ca84c7ded663e73b9671ac0956be4e40b52363bac30c7e444cb0304665dda10fc0209fd3ea916c9ea

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
94KB

MD5
7a2c296e3c967b1c216154df210ec2f4

SHA1
1831d97f8ed8a331c4571495f266fe7448f19a52

SHA256
fc10cdc0c5bab274a3e306e6745c617b3689437ca6e7fb4c157f1092bdf63da8

SHA512
3f012f15289c63d206d1e08932b7664a6f7cfecb21ff20b12a24601aebe244cd4bd66e6914a45bb67133ab779e128a3da4d8137d32e7a8d0eeb24a0d33914bc0

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
94KB

MD5
044857130eda47276cec70ade4aaa6a1

SHA1
d472001113245818e88b05217227d2e84c28120d

SHA256
6dadd6bac4606f928ba5cd58ea99e87ec11f9d491817d6cd49e8dcb746345789

SHA512
1a90696b209f8354f4570c35e44358ea1d3e1fda0db44aca0b365a44a3e9bdf2da7b2482ce2bf3eb37e4d32232414e8f3da9e4b1a42a2c1709547be68a513ebb

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
94KB

MD5
f8c9fadf413b8d57f0dad93faf2c4cd1

SHA1
bb7b01c76521ebb99fc21cf8817c825b5ba727cf

SHA256
744537360e7cf02f10a83cc485bd111af7def19895ac21946877fd1f9d5fcc06

SHA512
e7043536bd4de97f300c6004d57fec23cfe2d5921e31358c34b503b905e52a9016694170da82b35c1ac86a4bbf1af4c680a660020726c97195a846f8cba26626

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
94KB

MD5
2cc0f45ca2be6d4668910cdcb589589b

SHA1
0d882f98dc6cfa4e00ff49fa24741ea9aa03f097

SHA256
266f0a254a449a603fe9a58d23bb3901a046330add7baec99d8fe12292569ac2

SHA512
34c5f9d66b16025a01ce18fd051ea915246436a1adebe26e9b800ece2d99b34465698785b189f83cb35a819e298e11f735ce4f49dad9ff1f2b05c6a10368e9ec

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
94KB

MD5
7f53ffd447722a75fba9b453784b542a

SHA1
89538e394dd9ad1593c275cdcd4b679aca34d436

SHA256
b21d41df9e2c1629795992d84ccdd569fd1ea53ff368e410088d4cf9498d6338

SHA512
649a2e82bc94bd660a5129a8d7d71a569aecba819cda45a989eb3d6a5ed9124d9dc44accbf40ee01f118c5d9aef692bb7717ec8e1a43128f2e7747524ad7e76e

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
94KB

MD5
4ebcbdbcc6fef3c7e3c92e4d8f893745

SHA1
95143aea7f01834341ad73299792362d62a02b13

SHA256
f2ca57295dd133e77ee1e316bd02a4f14940cfccd4a74b82727d63f40a13f179

SHA512
4757d6cda33581e6113c99c0638f29312591dfee13648ef0b86b059f9bac8965e7e5bc045178a056ef210c74d5036a42883d8735a10bd5d143fae187c0c0c1f4

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
94KB

MD5
2c31a5b97c0870468eacf9a9b877a498

SHA1
3e22e58f699d35f375f15e3aa0b2367637f0d16e

SHA256
e661be8e7499c2be21d3b27140cd214561e8a6dbc4a19ecb3020e282b0f8894a

SHA512
05f15b3d6148ae9d8abef65f7f74df81c3c7271f5f8fd214039aa65209ff6392ca7ebd1863409433ea4faecae88d270a54347b2e67efebebb6d1686be77837df

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
94KB

MD5
9ae85027cf04966a1ce12a4a2862bd43

SHA1
705bed9f5596ccfdaad304f30de488e413bfb821

SHA256
e02810ef3f9d8161603babc76eaf7e590189e8a5f0f96746d7f1a5fbac08ebcb

SHA512
58f74c5d2e751f8d34b598fe1f7be45bc08118fecbb9084a35fc2dc9147be196b458b8cea56985ae374e15d24cbd67a260ba43e7d440513695882810834283c7

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
94KB

MD5
2e5fcb292767812f3ca00e48e60c1847

SHA1
c71ddc6a1321256e45ff070f1b66627446a61ff8

SHA256
a0be99684c3c159370be82ba6578dfef96012b67b63d5baf353a696a7fe6fc4e

SHA512
742060aa610182eed2a0217db6d1fe68bc944971496889d3bac6112b84bab1d55972d8ed465d968b3b23cc662cfa9a281e6376e66fc2bdd1f54bafe1af7d5289

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
94KB

MD5
0c36f67a1b04a3374aafe0942cc75b90

SHA1
a7c76fc7c17124b2fa13085989ec21d4383c9481

SHA256
ceb66f771a26181c2be37e8f2294fcd4a3fe2a328cefd88f39124e4df9da7be0

SHA512
f2e70b7a0c82087162883f8f3771ae795c559e42221f176621eb53828436c7c7d4b7df49c642005bce7d556da8d94a98c57ff73ed671c67b43169368b9f7637f

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
94KB

MD5
e0f725d7ab8dd169e07cb0302d6c7c8f

SHA1
6020b33057cc813c6baf2df6c201f3222e5dc313

SHA256
6ee960a6677afde4882430f2e31b3f3febb55e75f3873c294f7388953c465cb3

SHA512
b0c0508341308e8e7692970cd658078ee215443d7e3909ce755513b69a932a5983ccbf9d75ab958f5a0a737ff528bfe50603857ac3acb0b25c06cfcdfd0560cb

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
94KB

MD5
e95543724fe6a663a48a1b45883ee321

SHA1
497d0c897e0ac09bad3afc9e0fff6408835e2492

SHA256
8c528967db25349ceba97bc139a537b0457528a9e59c6472bd298b50e1337392

SHA512
94991a4c0a48a27b0982c333e3a751408782cdada6235d1e65f89c528907df8f377767c8a50fa26e90026d78487e35576d7d84acf0dcef866a92e831bdd6fa72

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
94KB

MD5
9a1574fa4b4a4988ebf8a5fb87271c11

SHA1
5e35850a690d9515e8374ca884ee4b266e73b734

SHA256
677572bd5fe29b27a7502d477c71dd5ebf4190ccec4c71f0b5402f9b83489ed6

SHA512
fce80183cad8bf6c59c4f021213997485ce56d294fb708f3a5b8ff97521e939455df67ba5ce3a97216cb5de95e7baef6c7aa115931e351b1c2178ed07ecf1d66

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
94KB

MD5
1b8ea39378d0c353376d96213545d39a

SHA1
adc1c4abf1cf1cbd7213f8d7e657a5fef687f707

SHA256
49e4b7a2b61710cedce56deb12d3ac624a8a24244c089cb1798daaeae072233b

SHA512
700ba25fcec3473e4c95a40be07a483775e791ccb1264465709e19499e5123e4b00f6a862e94934120bd1b06b9ee76f2a55f11e7bc3ed1d46a986006f3194c02

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
94KB

MD5
3bea6042c2914c3094c740d64bcbdf2d

SHA1
c4d25274060cbae415696447bc6d67743022da32

SHA256
143debf62d940a05df8c0a11d0846e5659474ac639902c83c48e0988be460efa

SHA512
842c980111b1888825aff7292937d185cd9680db38d1fa9b9c9bb1efd21cbafde9b38db02720254db44dc8ce2121d8f68905303cfa943505a3588d5dd2b38cbb

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
94KB

MD5
83bf7d5e039c42f445094d4a3c4aa226

SHA1
5716bb04bf3d90fd937915bceab0e4dcf61d73ad

SHA256
254c30e3dfab7873a7d8203912495924b79660d3eec4f4dca14c41396ca6a816

SHA512
6c89dfed450e98d8760e2f7f0062408c5b331ded4ed856df54c1c172065cc283ddf861613c674904804192edfa255246acbe50a7601ee1ec89e03609a29add8e

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
94KB

MD5
a1c1856135b53ae176e8f60e713e90da

SHA1
55151a2f1b65f26f61b74ac2264c2cf188d81587

SHA256
a9025e3c56e8bc81ad09cc37220ddfdf12b2c189758af4572d8e3c56177e7a30

SHA512
935b8e1baf8f073963a2e85315dd68f1bd8c8351d91d2aa475bcdaaa487fd17d1c2092cd422ad97f14aacc7744e8dcbc9752a3437c61ee28800511a0e4927eab

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
94KB

MD5
d2cf58a76f094600b68663ae4f7e33bb

SHA1
5d0411f31c10ac5f21e74977a39f53537005e046

SHA256
ed96248474d06753246c2789865aeae9e0d7942247c13927a0d56d360e4c92a5

SHA512
b707131bf3593d07d9f5dfbd94081489fd18763707d0949217acb49000c5d99919e7d569678f496a9be1404d508c2f479e80f4c2ca2a56f69b0f6f3c773c4e18

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
94KB

MD5
a8c6fe660bd9b400f5a6715cbb45471e

SHA1
bd1bf8ebcde206d336264120880d9f8ee541ea2b

SHA256
52128ca953d0a1956212cb187fce6d8fc503a5c06b6d9fc415bc3401ab515c22

SHA512
a172b9b6114eb473f88c9b403971c84153cc6f31b3e9c8672c7e3707b45d4533426c782f9808be9bd35ebbcb978c528b244b94b6d750d2ff2cd0870a2970652c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
94KB

MD5
ce03f5445603726b0a6345abbc9d3976

SHA1
5134501246c04ac5a3e7a4d101cc5b46f29af6df

SHA256
898737c7abc3285658ff8a3be1107193631ff4a9a44c8715496807ee7fc50801

SHA512
2e6565a86301c4b1cefe34175278bbb95558b054b5457d6c5c7562078f3c21c4dfbe6b5c2ee3fc2e59622f38af63615404ccc5e5cd97ace8bc7ba42082202ee5

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
94KB

MD5
5ead87cb8cbbbc350689cd8837f61fa5

SHA1
9890fc1f97eaed242cc24671e2ce7dd4334a3f18

SHA256
e3ffb951b6f5bd0e78bb45c13b5fafc7e98df99067338b2dbd0b4366fcc340c3

SHA512
df1e993ac4eb630d38494f1e506237e8f5c62dd0ee7c5f4f3fa266aa4b0af19f4febf5bbae443f31314277e274589793fdd0c3a03eeade8f2668481974ee09cf

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
94KB

MD5
b658181cc7587ed3d0e007a988b163c4

SHA1
fa76e3551469acb17de0bacc660c8646e773cb73

SHA256
68eaeda075e09df699bd9665e2c1ac47cf18d1326c95df09bdb7e1812decd9b6

SHA512
e7d168d8a1e4020e53e705bba2dac8309c7e04b48ebbe0737b4d3b49d9d7442dc625e0c9d6ee4c5f6688ccf3d828691ad2713f1bc6b90508505ddb25592733e0

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
94KB

MD5
f3b2f20e1dd5edc2f8b70075031c8fb0

SHA1
cfd332628682c7a6ddb71996f716fd5504f78e00

SHA256
7b3886a39c6b70ae2c5577c9edbc1fb67618b00f293b25d2ac0d98a485962578

SHA512
723c5f262c24b132fb328378586e0ffbc41f217904c8c205a6a084fd1a58f42f2cb38a03d6ece8a844726064a8d6359cc67669fb44bf4c2834025a89f1431e2b

Download Submit
memory/228-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/324-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/324-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/492-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/492-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/572-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/572-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1056-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1056-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1188-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1188-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1400-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1824-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2216-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3152-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3152-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3392-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3392-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4116-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4836-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads