berbew | e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419

Analysis

max time kernel
30s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 03:40

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
Size

94KB
MD5

265682af3456131290ab255235d93194
SHA1

cf5b64ed6f45f7f46366a2e5695642a914e9e009
SHA256

e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419
SHA512

5da963abc0e0ec39cd62700e4b34d05f4a07f7dfb8b9443b09a3ccf81cf187c14e2e100cca2602cdaca1e0a268efdc5d01560fb471991e5c0ff0c9f7326db34b
SSDEEP

1536:pHFlgFyteGV735BzEUDVBL0PrwZ4KQ78KbeSLGIfCOUY+0zv47BR9L4DT2EnINs:tKWr9bJZMwFIxDLGIfIdwg6+ob

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 45 IoCs

pid	Process
1552	Aminee32.exe
4360	Accfbokl.exe
2684	Bjmnoi32.exe
940	Bagflcje.exe
1572	Bcebhoii.exe
1600	Bjokdipf.exe
3236	Baicac32.exe
3496	Bgcknmop.exe
2720	Bjagjhnc.exe
4728	Bmpcfdmg.exe
1508	Beglgani.exe
1716	Bmbplc32.exe
1468	Bhhdil32.exe
788	Bjfaeh32.exe
3012	Bapiabak.exe
2388	Chjaol32.exe
2808	Cjinkg32.exe
1568	Cabfga32.exe
1840	Chmndlge.exe
4704	Cjkjpgfi.exe
3692	Caebma32.exe
620	Chokikeb.exe
3588	Cjmgfgdf.exe
4636	Cagobalc.exe
4528	Chagok32.exe
1524	Cjpckf32.exe
4908	Cmnpgb32.exe
2400	Cajlhqjp.exe
744	Chcddk32.exe
2660	Cmqmma32.exe
560	Dfiafg32.exe
1208	Dopigd32.exe
4284	Ddmaok32.exe
1824	Dfknkg32.exe
1480	Dmefhako.exe
3204	Delnin32.exe
3044	Dfnjafap.exe
4464	Dmgbnq32.exe
772	Deokon32.exe
4468	Dfpgffpm.exe
1296	Dkkcge32.exe
452	Daekdooc.exe
1900	Dddhpjof.exe
2964	Dknpmdfc.exe
5088	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4428	5088	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1552	4376	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe	82
PID 4376 wrote to memory of 1552	4376	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe	82
PID 4376 wrote to memory of 1552	4376	e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe	82
PID 1552 wrote to memory of 4360	1552	Aminee32.exe	83
PID 1552 wrote to memory of 4360	1552	Aminee32.exe	83
PID 1552 wrote to memory of 4360	1552	Aminee32.exe	83
PID 4360 wrote to memory of 2684	4360	Accfbokl.exe	84
PID 4360 wrote to memory of 2684	4360	Accfbokl.exe	84
PID 4360 wrote to memory of 2684	4360	Accfbokl.exe	84
PID 2684 wrote to memory of 940	2684	Bjmnoi32.exe	85
PID 2684 wrote to memory of 940	2684	Bjmnoi32.exe	85
PID 2684 wrote to memory of 940	2684	Bjmnoi32.exe	85
PID 940 wrote to memory of 1572	940	Bagflcje.exe	86
PID 940 wrote to memory of 1572	940	Bagflcje.exe	86
PID 940 wrote to memory of 1572	940	Bagflcje.exe	86
PID 1572 wrote to memory of 1600	1572	Bcebhoii.exe	87
PID 1572 wrote to memory of 1600	1572	Bcebhoii.exe	87
PID 1572 wrote to memory of 1600	1572	Bcebhoii.exe	87
PID 1600 wrote to memory of 3236	1600	Bjokdipf.exe	88
PID 1600 wrote to memory of 3236	1600	Bjokdipf.exe	88
PID 1600 wrote to memory of 3236	1600	Bjokdipf.exe	88
PID 3236 wrote to memory of 3496	3236	Baicac32.exe	89
PID 3236 wrote to memory of 3496	3236	Baicac32.exe	89
PID 3236 wrote to memory of 3496	3236	Baicac32.exe	89
PID 3496 wrote to memory of 2720	3496	Bgcknmop.exe	90
PID 3496 wrote to memory of 2720	3496	Bgcknmop.exe	90
PID 3496 wrote to memory of 2720	3496	Bgcknmop.exe	90
PID 2720 wrote to memory of 4728	2720	Bjagjhnc.exe	91
PID 2720 wrote to memory of 4728	2720	Bjagjhnc.exe	91
PID 2720 wrote to memory of 4728	2720	Bjagjhnc.exe	91
PID 4728 wrote to memory of 1508	4728	Bmpcfdmg.exe	92
PID 4728 wrote to memory of 1508	4728	Bmpcfdmg.exe	92
PID 4728 wrote to memory of 1508	4728	Bmpcfdmg.exe	92
PID 1508 wrote to memory of 1716	1508	Beglgani.exe	93
PID 1508 wrote to memory of 1716	1508	Beglgani.exe	93
PID 1508 wrote to memory of 1716	1508	Beglgani.exe	93
PID 1716 wrote to memory of 1468	1716	Bmbplc32.exe	94
PID 1716 wrote to memory of 1468	1716	Bmbplc32.exe	94
PID 1716 wrote to memory of 1468	1716	Bmbplc32.exe	94
PID 1468 wrote to memory of 788	1468	Bhhdil32.exe	95
PID 1468 wrote to memory of 788	1468	Bhhdil32.exe	95
PID 1468 wrote to memory of 788	1468	Bhhdil32.exe	95
PID 788 wrote to memory of 3012	788	Bjfaeh32.exe	96
PID 788 wrote to memory of 3012	788	Bjfaeh32.exe	96
PID 788 wrote to memory of 3012	788	Bjfaeh32.exe	96
PID 3012 wrote to memory of 2388	3012	Bapiabak.exe	97
PID 3012 wrote to memory of 2388	3012	Bapiabak.exe	97
PID 3012 wrote to memory of 2388	3012	Bapiabak.exe	97
PID 2388 wrote to memory of 2808	2388	Chjaol32.exe	98
PID 2388 wrote to memory of 2808	2388	Chjaol32.exe	98
PID 2388 wrote to memory of 2808	2388	Chjaol32.exe	98
PID 2808 wrote to memory of 1568	2808	Cjinkg32.exe	99
PID 2808 wrote to memory of 1568	2808	Cjinkg32.exe	99
PID 2808 wrote to memory of 1568	2808	Cjinkg32.exe	99
PID 1568 wrote to memory of 1840	1568	Cabfga32.exe	100
PID 1568 wrote to memory of 1840	1568	Cabfga32.exe	100
PID 1568 wrote to memory of 1840	1568	Cabfga32.exe	100
PID 1840 wrote to memory of 4704	1840	Chmndlge.exe	101
PID 1840 wrote to memory of 4704	1840	Chmndlge.exe	101
PID 1840 wrote to memory of 4704	1840	Chmndlge.exe	101
PID 4704 wrote to memory of 3692	4704	Cjkjpgfi.exe	102
PID 4704 wrote to memory of 3692	4704	Cjkjpgfi.exe	102
PID 4704 wrote to memory of 3692	4704	Cjkjpgfi.exe	102
PID 3692 wrote to memory of 620	3692	Caebma32.exe	103

C:\Users\Admin\AppData\Local\Temp\e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe
"C:\Users\Admin\AppData\Local\Temp\e34367d9ce0735c755e1419dda2d3f1a45c13a4a5c013ba27e8d886a8d8fb419.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\Aminee32.exe
  C:\Windows\system32\Aminee32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\Accfbokl.exe
    C:\Windows\system32\Accfbokl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\Bjmnoi32.exe
      C:\Windows\system32\Bjmnoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 420
        47⤵
        Program crash
        
        PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5088 -ip 5088
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
94KB

MD5
0c6c0258657e5f87714388104022760d

SHA1
9817f302df48f0f1da7313f2f436b02b68b8f50a

SHA256
ad552234a186326bfdbcb920063b41af707a80472f23f8136ed219a8a35c7da4

SHA512
a37ac0d574e48953d347cfe872b22cbfb9703b48a867706398b58e9c8d42aa0b1c70bc8210ed9bf560fc1f734175fd2a4597890c52f94076666eae74d1083477

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
94KB

MD5
8e768704fc956430540be146ba73b0a9

SHA1
8c3139cdc4338c9e8e5ddf98c9879a8773fb7892

SHA256
ebf2d48895480b668bc769bbb1e41f2a6639988b6a979a4059a8bab991931334

SHA512
46e3e34c8cc5fccb8e90f8a42dbfe8b455508d9db45fd416304d4e0dc187fa60de8a7e8d8d503dfaca5a0a3232ef6ebe1d9a757a926a8a0f6044fa02256a62d3

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
94KB

MD5
a06afd96fd9909f6d696d0befa404b1a

SHA1
bfd0dd9d60b8f4f56c6cffe6300cdb8e1bf1f9c6

SHA256
45b322281ed76d789ec374ea563fd00174905a42fdb5f552dac4e2ee8a250a3b

SHA512
bda52d481835a25c23f9d79aea614771ad4b7a240efd155ef12150cfdcfe95e6f8b16c0729d346833c0d516e3d2fbe9b050cd5a48c34d92b3bca8c479f03d4f8

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
94KB

MD5
081a762c19dd14ab144d3046ca0d82b9

SHA1
79e7284dd20cccb312fa74d94a643dd5bbefd949

SHA256
0872cfbca8a30642b7eb984eb529c8bd7e61c67935c6d780b57daa9662bdc76e

SHA512
b1a4e764cb1a9cfd2e21f5262ba17e68c3d046d5bb609c7e1a9f149deafa3c7e4fc1d983c722de93f14a7e2c6f017fd6790e5b897da5b88ae52c9b503e51cf6a

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
94KB

MD5
47bdb6c546a2dbbb4a5ad171b5769788

SHA1
6ff71b8aca2a5a3a8429634ff71e742fb6b3b5fd

SHA256
372159126a9c7bc9f4eef9fffe5e77e9198046f6f7712fffd697177b67ddbdaf

SHA512
886b037a8e0461554cfc6b2f39bf3ba3030728701ec2d84e4266f7362a85730935bd165362977df35464fc4f966b251acbba3642116fe976990b9cc6e6aed598

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
94KB

MD5
e4bdb96d3e5a0fe30480262d826c58dd

SHA1
c6e493ecd0b81461d52323eda291e0307478584d

SHA256
bd5eddc06a03c00035ae4bf474721c50f8c5327658ccd6e843c62bca788ec5aa

SHA512
e044e0387f0c21cf80f8f711226a4afc66168f123bf2f636af8ecd9876e5f63bcb8188636ea794bcf3f715bfb52cd2191eba0a47a83a669fbf642e49172b4269

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
94KB

MD5
f2ad52dbc7501f7c003484348716e771

SHA1
475257f66f3630d8be5be8cf26a551507823a7b2

SHA256
9e2450e765c7e92d0760061aeaea7c5abbb224eff9d419df119ddb10417d3f42

SHA512
90cafb6e164e517d2733a4cf42dfd964b5bcfa4f0275988760b6403f884137c38b375854e4311546f8989698a2f54aa28259f527a701392d82450dd9e0833be6

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
94KB

MD5
433353f88cca3f347b56907227cbdaef

SHA1
cad8378969973ab58a95424a5044a367481636d7

SHA256
80f94cc0b4b1dde0aa302727e7982cc656bc344291381e082d428eccca8c210c

SHA512
d418f5911d9d8d376406ed9f01340daaba173760c8caae5b4c2bc6cb3b03b10c5ee2f8a5aeaa68c833679e8973935075746d166bfecb8f909bcb6326c17ae740

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
94KB

MD5
e68c261949dd753463a2f1cbed9f6fec

SHA1
dadd8423f28c25296a8779331e189bd71b908961

SHA256
dda9fa365f58cd5812c959cf62aeb197bd766a85a26c7df167043023377b72d0

SHA512
beb7804eef7524cf6e52229b309ecd35f3d008d275d643a39ec9f90b6e854cc41866779665d90423bf457fe3e905d3e09c4f5a92506ca82d6159918ad0631bf8

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
94KB

MD5
355eae2dfce5c50df4f2b4a7f2a37649

SHA1
f141fa31ac017d18d32e9423d2953ab2e42be29b

SHA256
f16a5d807fd0386b7faa9bb45899835875af6564e4f2a39f6c8ac667430823f4

SHA512
bae1d525357bd389411e1be8e7b49999390485876cbcb97da9c62e53f30b829460b935b1cf633b7cfb634e8c0936960c69caca9356de5dcf3d16d8dfef65fcaa

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
94KB

MD5
e64a1952e2328987f8dcc0db537c30c3

SHA1
dcd27d6e185c3ac81b720cba3fb10a3e6d6b3c22

SHA256
3d7d20172bc88cd233ba6f5c0b9b6e13f72508ec2213381172a2acccbe319072

SHA512
ae9a65fe7825c46c1814f538b6489b5d5966a9454fd187439073bb7e9412eed0fe845a720b1a6cbd72eb107b108c9cc9fa7e87cf1c810bbee27ee537e55732f8

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
94KB

MD5
7d626c6ae6773aa2d214352b08f7b5d0

SHA1
45923e3619f7020f4ce65a74e6644a0bc09ea98e

SHA256
e2c1a64fc63931715dc8962cfbbc3541f93c30cc79e47b45a60d2e1abfad99d4

SHA512
9c6d56b83d65a606339d18f17eaa70087ca803f7ed774a40ad129a63617537953e2c03518bea4fb73cf17ae88cb1e1a710976a58a750c24264d1dbb5f6af47fc

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
94KB

MD5
0c752a8b4850f559ef925df157ef53d6

SHA1
600db9314fa0da1028dd8d3aac1e45921d28d3f3

SHA256
2281136f39cfc74209ce9f2cc5fcd7e0d92e51223f150f132510f7df0fc890f7

SHA512
2361f88b3288212ffa3c08846d31dbd126ea86a355c17e1b3e7df8e86d6d21570064fd48df9b28d55fb2ec7964b3c320cb942eb0f27c24fd9535bafa2d8b8557

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
94KB

MD5
5d3b7735b5458dbb4b7e550a14c98128

SHA1
247bb5a77adaa9e511dd065ae5543e1f794efb5b

SHA256
c527901ea00160dfc4bc965ed4f80a25878d9a7ea0174828f038def6ef7af616

SHA512
09d2da020a8e17dc3be807bccd78c62411635b8aa7d20f42bb54ac28e0e7fd8523f79ad8dbab2c69c59138cadc60d4d570d12e0a1c9ecfb3b56dae5cf2746b88

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
94KB

MD5
14f221cf9438bd3ea0a732ed09fed503

SHA1
dd75e4e0bbfd01ad058acf2ce93049446a55f3f9

SHA256
e900e88ae3c048a368618ebeb365e4c0077e6158574dffb1350974dd2ea19a4f

SHA512
0baf8ba0a7ddfb4bd475bdb1ab26bc4bc0d3e6b7ef3905729ec20a357cbd8b5d60a22288e80d4f331f3bba64b3716809de2edefa773cceb20ec0cfe9782bb928

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
94KB

MD5
b7917c10bfb6435961ccae4773d7e30f

SHA1
fc13569eb55c26c31906dbefd535724a58cdcef0

SHA256
e47f23cfcfdaeefc07c6904c906bb2dad897e1d12606e4443532197c9a99a19b

SHA512
0245813033fae194042e4fd306d52e8b684789e451e2cb2b94adcfe1fee30cf7e7e903355d7ab4c2c9d5d262a00e54a617e58268f6ed4a4415e3257949adfaa8

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
94KB

MD5
a3fe94a02a3b15396ef535e7ed00b900

SHA1
be4ef7d11ab141cde049014980a0b84b7c5e0400

SHA256
cbda1988defd97595129d535afa84238f20ecd9c57bb3a8ac42db28812d844ec

SHA512
774ceb975a2a2a50ddfc845cc467539438b3f7946611fca037094e2c393659f0a80869b532652ffd7e3ee8f6fec320513fc8032c8737a93d2312f431a53a8b68

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
94KB

MD5
010269e31a95dafb655707012890a94d

SHA1
6d412de29009500da7c7ecdf30988eb9346dfb29

SHA256
e64dea56b0ce0dd5303bf4e6cb2fa2a0beedbe96c9f356b63fa23b4ae35b52de

SHA512
22b3c104727921774acc028e2af7d23f9eedc9ff62439ab291bdf795bd0828cde102d8051bff3a11cb0655589f51b5e8862c4c568b389aaaae02eddf9968fb67

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
94KB

MD5
42d4df256e38d0518b7df754b6fa929b

SHA1
cd89f97189331f45c4d7ad0a41d78d04a53027f9

SHA256
8c1eefe35a95d9dde82267988ab95def1af00f77801786ecab3bf59881317490

SHA512
2ad02343c2a8d05fd553d2c749b97cd9f17c5cb9470aa5c8f81dc5a72f22fd78a3faf27fd42a161696abef6c2ac411018528db3cad2c1ea885a13fc3931d2140

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
94KB

MD5
0579383b41af3afb8d0a923a151033ac

SHA1
e43ffc0d435e7b8fa147134c45fdcd895cfed919

SHA256
869ae5ee13e415998486ed6207b52c5db6b4fe04bc044ec23038abda09e429f2

SHA512
bf2db116d7c752687fbd31fcafe25e63cfa686e0ce7ed9dddcc606d27393eaf70f021df92e9ab4ebdfffaeea6f7065777da238f97d0ff25275cc478315e6d8dd

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
94KB

MD5
cb429ebfcfe91cf065a94211b55bb4f2

SHA1
0f39f49942491a4d8e085d8b800e6655fe6f830b

SHA256
65a8f4ed41eeb8cba1b79e74a9e4e3310297e0d9c695bcdfb71ceca480428301

SHA512
69233f9f4fd6bf8d675828bbf3ed81514b39e34f6299b8bde3726da860951d1f7ad4f538dba83af436df50b2c2f8e36c2cbad0cf6df3354f8d68373114585ac1

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
94KB

MD5
c58d68382075b83689aea6fc6dfbf988

SHA1
011fee283f80ebb2de257d72c288e7470857ea87

SHA256
6a217ee6c259a878412ec32b38055514028702ab5806bf769248526b3f019367

SHA512
720339f2d4b4c83f6ea7fd44daa0883c4c1fc986a0cb6bd76af882e0ae4a695bfcf5c160be2294b9b77067016f1fc531175f6efbeecd39622be87ddabee38513

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
94KB

MD5
ab2f30d715a3de5410f705eebbf7a6c2

SHA1
c7222b340592f6d34d54caa5a68ff8ba5c24fcd7

SHA256
5acf27f1130a566d3c3383bca993b758eccbacd86cd3146317265926ec7c5468

SHA512
84c42feb22c73ce600de2d57dd0d194161cb59b7f7eba7bdea58511322c3c2df6524948fd0979fd8c1dbffa233fae546fdf5bad9ca73ebe80cdebd717da9ce13

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
94KB

MD5
104daf4356d60893cd8a4674f8a0ad8e

SHA1
320050192bb89270649f9f00c52cb4c52c9b37d3

SHA256
7f2bf57715d9ff61bd89efa8fae68985630f4033529dc422c07301749b4ff29b

SHA512
9b1784ca838660dcd31c585aff9a5abd012c268dd9aa7aa3b516b76618e82ab7c47748d195951dd4845d74ed2670a93f187f7f163419d74edbd4b22d4611307f

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
94KB

MD5
acec2a8e76178b32eb69ddc9d6bde047

SHA1
ecbdf5be061d845219f74cb64f913fbdc9a0b456

SHA256
fc4e138a6a7cba28387e7845509d291d849d11a6cd7ef9ab39d830a8b1aebc2d

SHA512
2e20c279494cbeded0ed73c5bb29693b1ab066f4505461a6e3945d7ddc83be0ef6cf6bdca16a4b0c4608c492e96c1af0274698cba43496786bcf83e95bf4fa95

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
94KB

MD5
71693d65c2187124bb1022e077c648e4

SHA1
94a7a8f8b7ee7616433968f4d6edd9288ad4317a

SHA256
b5da1902af174d647646610b269d553dea0a75eefb9049d4c90ef12589f42af8

SHA512
72f8a3278cd6cd8510431731a8c3a3615606bcbf1d269ea429f5d281836e5a4f973039a37b9288401a0c35bdf05f007aa6de7aefdac4bc3e106f4b251b19f4ff

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
94KB

MD5
e88cf8a4779d4e8bbf874055339a8cd0

SHA1
8979ad473b691d2ccaee0fa77d2ccfbf34e5943b

SHA256
59413494597d25fc294adef6e6cdc43beae4923b755d38fd3e127b1a5d14125d

SHA512
24ff4874626b2a619d935d6361a842265ca5e8db29e4b3289f6a56abf27cbebc2b91dd2bbaccf6d27533a0d5b19269757006aef8e313cea43dc385f9e8b6790d

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
94KB

MD5
4a8d52fe5af4cd5f4506c74bf6de609f

SHA1
1185550133f098bce4d51068ea56709b579be49e

SHA256
aa0bfd340e26895a813746db5a96d6ced06f950cdb7395e45d17b8c0d65ed3e9

SHA512
decebb31bde2fcdce7f7db290ce645151e7f9a010cea3c88838ddfddff8dba30434d015b99045a852eef3fa5009fd201d38a4c402456782a7d542ac24d0d1bcb

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
94KB

MD5
676fd9c27dba9b277f103b3f85be7ebc

SHA1
6f3b9a0d6f47f5b2b31f3e5cfde900ea7385b793

SHA256
aadc96d659b1d55fc32d15edcaa8774ad3ab6012232da246ebbe71eae254241e

SHA512
9d63d45d814c8acfabd46173559bb1b0efa2f29cc62872ca96641750d5a72fcc00af0533ea1b1920e4ae17190cae69ab72d843105bc78387de0c3be719a27d9c

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
94KB

MD5
fcdf5eeb3a85157ac7666e43b7724633

SHA1
fb6b6ca267c5f7881b01a549e7b282e613293b0a

SHA256
31dccba8f87b35213c11dfc9026296bb7819d2bc358bdef212c742412ec708aa

SHA512
e6994d0e01df5579f7ab9eaa43dfba3c02ca1768387030882a99db54ddcccae8cca40fcd941db1d5668b9e0ee800f81991b34d57330cbbe93c3ab33d20c27cc5

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
94KB

MD5
639ac1f28c52fc3ea52394f2dbb68d15

SHA1
9846fdc8405b8990beda61b85135dabdd5c9d76c

SHA256
3561cc99ad657a9437f65ecff7a97ab69023cc2e2477d09b5d67082a939c083b

SHA512
60d2cc1a3506c1aeed1be642a8b07b4c1372327873150f85edc50580834689747a83a77c36593eb21bcd2c160f3dc0a70bfa2e4b8a377e6197b99ecd2efd0c62

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
94KB

MD5
9dfda0765f866a9ad4574a689e1efa54

SHA1
9fee3c4da9235a941b157b16c261c68be833ece5

SHA256
8444fd27127a682f3e8a49c9b8049d48ace924723395b634125d52904e01f2fc

SHA512
adb51c5d299e6186956a378982f43a168a34b1c228bf19f1568cbfb626c37f6cd41a264392dfb99f1d665ad871376b9ce026846be231dd790a8b2be1a1309b7c

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
94KB

MD5
5d212236d2e86db4f157e265e51c2b36

SHA1
5b9dfdadf94dbca215782a8a67d2994687cf79a9

SHA256
ae2a4b34829c92649d34217c6d361c8bc7b87fee0823d29c2b473ecd1cd3a984

SHA512
c74e5b25bf9ec492675872e38d702975814d0df1f324d73675d97d42d6dc807b3f65c916e22fc7b49393ec7ca7c67417653d9837de7461d495eea17f82df9c5b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
94KB

MD5
7991cb102d571fc7bb99c1548104ce39

SHA1
8c2717702bd3b5833d12ddf8825a488b0b18e5e1

SHA256
f768fee9097d3cf9ac996f1bdae497831ad113136dae98103ca7eae89358cd63

SHA512
052229bcf9a23fdda77b6a0690d88cca1adfa6776f1ff65c86900f55519fc674d5447f5b71e650da4a515fa0f40d3e0a00bf07c95eda2ccc55473ff78cd8ef32

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
94KB

MD5
b3a3ac9cdc560fe116249065a3376bb4

SHA1
3df3c78fbc230f5b39b978c977ebf0b86535d69e

SHA256
83b3e9008b2ba91b64deea00ebb04dba2f31272ee6d96505bbcd052ab60fc63e

SHA512
5400cab52ed9fa12b319479213c1c729b4a14f22f59f9f5e45144634bedf4bb6c3ec7686473fca3391328bcc86ff34745ff907edacf3e490ba840a2234707296

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
94KB

MD5
3bf01aed3f23e0dd1b2000a07a5ed2e7

SHA1
48df664f9c6470a4555c1dda2da357c73d0b8bc5

SHA256
7f1845ccf3bef4dc40b9fa817f4ec5d62bc457a3f607533e8ce57f02bbe0c505

SHA512
93288d7662e7036a208609c8267764a90da55769607286a63c6e375316f48183d4b4ae3061e5ad6df1ca6f0eee5fea9ac4f876e6017a7cd589de14f8e3ebf0a9

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
94KB

MD5
520e6d05b7f0269ccbd40ce0f4f9c67b

SHA1
f84ba0ccd054b879a904a602bcd1b61eec5dfe2a

SHA256
f7e7cd9671375add8555d05b4ed70f7654f60e7d322ebdedc01dd55719d4080c

SHA512
48e3bd38d58b0d59cd75b1b34713dcec57136a4e0f4519e8297e54599d8335dff629360a93c4a0e0fa0688880a604ebd72af96979e38148f76c1283a4ba3c1c2

Download Submit
C:\Windows\SysWOW64\Eeiakn32.dll

Filesize
7KB

MD5
b3499f9fd43ddd685acea123f3487d09

SHA1
82bc85af405a2201e2cb4c6bcf360cab3ab7b828

SHA256
c60eadc6a67cfc5785b3a8f978000fcf77d6f71354c1c6f0680e589859360276

SHA512
410257ebe37b1636aa9458d47c81c1b0bc441512e7375a71350fece193b7ca7a0cbc686c2156fc11ff0acf46c1fcbf400c6e82d92a2f96b8e513ae63e492101c

Download Submit
memory/452-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/560-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/560-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/620-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/620-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/744-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/744-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/788-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/788-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1296-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1296-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1716-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1716-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1840-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3692-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3692-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4704-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4908-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4908-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads