berbew | 4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6c

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe
Size

45KB
MD5

82514b26c4bb89356dd445489f502e40
SHA1

f17937a3f759cd109b227e0b4b0d1d3418799143
SHA256

4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6c
SHA512

0fd35f09958d6b401ce53977a2d0c25284e5c45d165d715287d56270c15f43e5b369cf4d53c4c0638d726b717ce370a20d447bd2eef1563e38f8e6e586ba0d53
SSDEEP

768:IospSlQlks+g0VCtoJSKev9qO32jDzYsLTHOn/1H5yCf:qSob0VC+It98B0we

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 47 IoCs

pid	Process
2196	Bgehcmmm.exe
2108	Bjddphlq.exe
1440	Bmbplc32.exe
3412	Bclhhnca.exe
1272	Bhhdil32.exe
2856	Bfkedibe.exe
2284	Bmemac32.exe
4876	Bcoenmao.exe
4236	Cfmajipb.exe
1964	Cndikf32.exe
1336	Cmgjgcgo.exe
4540	Cenahpha.exe
868	Chmndlge.exe
4768	Cjkjpgfi.exe
832	Caebma32.exe
4920	Cdcoim32.exe
1308	Cjmgfgdf.exe
1188	Cmlcbbcj.exe
1044	Ceckcp32.exe
4260	Chagok32.exe
372	Cnkplejl.exe
2076	Cmnpgb32.exe
3632	Cdhhdlid.exe
1180	Cffdpghg.exe
3732	Cjbpaf32.exe
4212	Cmqmma32.exe
4604	Cegdnopg.exe
3332	Dfiafg32.exe
1384	Dopigd32.exe
1616	Danecp32.exe
3936	Dejacond.exe
3500	Dhhnpjmh.exe
1244	Dobfld32.exe
948	Daqbip32.exe
4988	Ddonekbl.exe
1992	Dfnjafap.exe
2952	Dodbbdbb.exe
4844	Daconoae.exe
2648	Deokon32.exe
1072	Dhmgki32.exe
1516	Dfpgffpm.exe
3964	Dogogcpo.exe
4460	Dmjocp32.exe
5048	Dddhpjof.exe
4720	Dhocqigp.exe
4312	Dknpmdfc.exe
3984	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4820	3984	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2196	1532	4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe	83
PID 1532 wrote to memory of 2196	1532	4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe	83
PID 1532 wrote to memory of 2196	1532	4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe	83
PID 2196 wrote to memory of 2108	2196	Bgehcmmm.exe	84
PID 2196 wrote to memory of 2108	2196	Bgehcmmm.exe	84
PID 2196 wrote to memory of 2108	2196	Bgehcmmm.exe	84
PID 2108 wrote to memory of 1440	2108	Bjddphlq.exe	85
PID 2108 wrote to memory of 1440	2108	Bjddphlq.exe	85
PID 2108 wrote to memory of 1440	2108	Bjddphlq.exe	85
PID 1440 wrote to memory of 3412	1440	Bmbplc32.exe	86
PID 1440 wrote to memory of 3412	1440	Bmbplc32.exe	86
PID 1440 wrote to memory of 3412	1440	Bmbplc32.exe	86
PID 3412 wrote to memory of 1272	3412	Bclhhnca.exe	87
PID 3412 wrote to memory of 1272	3412	Bclhhnca.exe	87
PID 3412 wrote to memory of 1272	3412	Bclhhnca.exe	87
PID 1272 wrote to memory of 2856	1272	Bhhdil32.exe	89
PID 1272 wrote to memory of 2856	1272	Bhhdil32.exe	89
PID 1272 wrote to memory of 2856	1272	Bhhdil32.exe	89
PID 2856 wrote to memory of 2284	2856	Bfkedibe.exe	90
PID 2856 wrote to memory of 2284	2856	Bfkedibe.exe	90
PID 2856 wrote to memory of 2284	2856	Bfkedibe.exe	90
PID 2284 wrote to memory of 4876	2284	Bmemac32.exe	91
PID 2284 wrote to memory of 4876	2284	Bmemac32.exe	91
PID 2284 wrote to memory of 4876	2284	Bmemac32.exe	91
PID 4876 wrote to memory of 4236	4876	Bcoenmao.exe	93
PID 4876 wrote to memory of 4236	4876	Bcoenmao.exe	93
PID 4876 wrote to memory of 4236	4876	Bcoenmao.exe	93
PID 4236 wrote to memory of 1964	4236	Cfmajipb.exe	94
PID 4236 wrote to memory of 1964	4236	Cfmajipb.exe	94
PID 4236 wrote to memory of 1964	4236	Cfmajipb.exe	94
PID 1964 wrote to memory of 1336	1964	Cndikf32.exe	95
PID 1964 wrote to memory of 1336	1964	Cndikf32.exe	95
PID 1964 wrote to memory of 1336	1964	Cndikf32.exe	95
PID 1336 wrote to memory of 4540	1336	Cmgjgcgo.exe	96
PID 1336 wrote to memory of 4540	1336	Cmgjgcgo.exe	96
PID 1336 wrote to memory of 4540	1336	Cmgjgcgo.exe	96
PID 4540 wrote to memory of 868	4540	Cenahpha.exe	97
PID 4540 wrote to memory of 868	4540	Cenahpha.exe	97
PID 4540 wrote to memory of 868	4540	Cenahpha.exe	97
PID 868 wrote to memory of 4768	868	Chmndlge.exe	98
PID 868 wrote to memory of 4768	868	Chmndlge.exe	98
PID 868 wrote to memory of 4768	868	Chmndlge.exe	98
PID 4768 wrote to memory of 832	4768	Cjkjpgfi.exe	99
PID 4768 wrote to memory of 832	4768	Cjkjpgfi.exe	99
PID 4768 wrote to memory of 832	4768	Cjkjpgfi.exe	99
PID 832 wrote to memory of 4920	832	Caebma32.exe	101
PID 832 wrote to memory of 4920	832	Caebma32.exe	101
PID 832 wrote to memory of 4920	832	Caebma32.exe	101
PID 4920 wrote to memory of 1308	4920	Cdcoim32.exe	102
PID 4920 wrote to memory of 1308	4920	Cdcoim32.exe	102
PID 4920 wrote to memory of 1308	4920	Cdcoim32.exe	102
PID 1308 wrote to memory of 1188	1308	Cjmgfgdf.exe	103
PID 1308 wrote to memory of 1188	1308	Cjmgfgdf.exe	103
PID 1308 wrote to memory of 1188	1308	Cjmgfgdf.exe	103
PID 1188 wrote to memory of 1044	1188	Cmlcbbcj.exe	104
PID 1188 wrote to memory of 1044	1188	Cmlcbbcj.exe	104
PID 1188 wrote to memory of 1044	1188	Cmlcbbcj.exe	104
PID 1044 wrote to memory of 4260	1044	Ceckcp32.exe	105
PID 1044 wrote to memory of 4260	1044	Ceckcp32.exe	105
PID 1044 wrote to memory of 4260	1044	Ceckcp32.exe	105
PID 4260 wrote to memory of 372	4260	Chagok32.exe	106
PID 4260 wrote to memory of 372	4260	Chagok32.exe	106
PID 4260 wrote to memory of 372	4260	Chagok32.exe	106
PID 372 wrote to memory of 2076	372	Cnkplejl.exe	107

C:\Users\Admin\AppData\Local\Temp\4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe
"C:\Users\Admin\AppData\Local\Temp\4b7fde62f19b5559dabbb7629ac43bfcb17110891746ac89c1e6c6942fcd7f6cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\Bgehcmmm.exe
  C:\Windows\system32\Bgehcmmm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\Bjddphlq.exe
    C:\Windows\system32\Bjddphlq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\Bmbplc32.exe
      C:\Windows\system32\Bmbplc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 404
        49⤵
        Program crash
        
        PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3984 -ip 3984
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
45KB

MD5
8d6b4e9061a4092e8cd8948a67adfbfb

SHA1
34a7fcddfea69f45f140e9c17cb442b361ad2c14

SHA256
3b15709e283cc941dd1724f2774b07576e60f6bdd51b978d1351e549ffd7ca37

SHA512
8956b1e4daaee08af81615ea465b450bf50ffdcde1ed0b373ccfd56b6be57ad06dfb83aab7510961bba6de76cf2b76118de39f60c9de9f06c732d8c1f70b2ca0

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
45KB

MD5
627f3d8b29552ab45e9cc79a9fdc2eea

SHA1
3bb66f305510737bad00256fcc04c70db4705419

SHA256
a36bc05ed3635a75e5021975632ad37275cd70864f81261656ebfbdba0929bd4

SHA512
b27dc868baca5be9e3c8d2052372055f2b7ae9cd3dac93cdb1b1d29bf5fbf1a8dd6b76d94fe91fdb47f321e1d835694bbe3432a9f0a4b83d456470ef22255bd1

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
45KB

MD5
b00ffd52fd8c9e22c23aa1cd6a3470c0

SHA1
5a8c865308b0f836a03cee456961e959392f173b

SHA256
406723dc6b17496dea061bf23d5f865008c946a57e822a66840fddae34b0085c

SHA512
7a4e7644e875d77ddd36361f12b9359cab2388f45e6e7916a79a0c4c2ef8b0a3a63374ca63303b0aa31c803546c94569023eaac75ba98b22b5f9f7e1d688f7e3

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
45KB

MD5
94076de9b238686237f752853669e399

SHA1
35d76f41902c28cd21df3a570a68a7122049b4da

SHA256
cf51e60980d77943b821f87075a9b74a109a0893022488fc4e07f6b5415633ed

SHA512
d577df3f865b9d95584619b18bae651cc23ff6040bcaf1245c2819d831c3da92d87a164f4e291dae245fba1fb6ffdce721c8e6af1d7a3162bd2f19fdb557a4e5

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
45KB

MD5
1d8bbf8ba3ab669097a6cc55d67ac1f2

SHA1
da98dd2ce2f845a74c5e98dc893d21d8505ecc75

SHA256
f38d6ab7b91a6e0808164d7844cfddcc4e26309f3b7567aea9f9891f003edb30

SHA512
d0ce3fb91354548be411eed9469f349f536865843220c585b31f64bb05e8f3a4270d223fdfc336a92ebde7c7bcce7be7f5444801f0f19f8b9905e93303ce0980

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
45KB

MD5
c85ea192d86388ffce4b8b2129b9e837

SHA1
0fa9fe1b2f2aa158b62700526a1d9a750eca5750

SHA256
98def76fcf20c105aee47648be4e9181d8bcb503e9bc86060c8b3071a0e39ecd

SHA512
d9bfa230aa14f1bea83949111654c595f302639feefd566658daca3a23fdfbde60b22b29fb7f2e243a1bdc6c113b1ad66d215e1be18223e5d0ab0de4ff70185f

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
45KB

MD5
69111f666cbfb724ebe778e705e295e9

SHA1
e57391770ad784dda4e913ad879a38c234bddc5c

SHA256
75ae260bd14621bf76a3fa199bd0779e7ee0f9ed460d73e47ec8a43dc22fc3d5

SHA512
c4cb329f13c66f57bcebafa6d6f121e9b146ae02aa20a67e6012ef703034405d3b4f2aad504e14bff9e98ec29c0d025c9ad236e1f02697c2366926493ee65852

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
45KB

MD5
e95566f8409d8d32742b7dbd49e4e9c0

SHA1
bdb186982d5086e90b8457c72818032f54821519

SHA256
8a21eb5a5e076e7b79f075f18ffac018ab4d7e7ca3253a6a1a385568e4850d48

SHA512
3950f07c6fd12148c392caeccc0693b323f0ecad3992e6c19061d7952e9e62061d495685c549c69c7fe6619d94fbd1e600ee5a041d285aa20a5f8d48a8d7aa77

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
45KB

MD5
66414fb8fb20d78374cea852a1ea462a

SHA1
c1f29a80a973633c5ccc63747b930a04f4e8df38

SHA256
125af8d6a996958c755a1ec5471153ca67bd69c05990027c4749eaf20ad209b8

SHA512
6171ca766abea7cf9feef08bdc1f77304431449b86a85d1f1675cb4b58044ddf7366e2b5a2289dff15d1313f945769f2d1e992ffe1402c99a9eb98d7c914dc3e

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
45KB

MD5
d7f03a33859667ccab0b5b5d80b2adb5

SHA1
b6861eb62366262d0508cafba449217d052d739f

SHA256
19eb215ac94e507dfae9a2567af43443d4fd9321e9daa1d47da497f526d3a783

SHA512
90c63a1afdcecbb48c1a537f01edb5f4c81bac45b92f31f69923ddd7fda65e51082848a0311706dcbbbc538e72280b776b75a56af4d9e4c641350c2042241b97

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
45KB

MD5
3b7e6ce3d788db2d2ffbc7a8a27332ca

SHA1
7afb8e97e06e77726fa7a98e6ec352918664e68b

SHA256
bed2847b0a3e4e840a3024e414d6564639f7d8acb9c4423d1b6f53d499ecc0e8

SHA512
39c8704ee0f3ff051346ae28a3bb784b5fc851ab6dc935076a6e64ce1138bbe09d5f5977a4a09dbc749fef1cbab753c289091a79abb808d1bf78e44fbd1347ec

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
45KB

MD5
1ebdc607f9db423ca809ffb3347cec57

SHA1
4f6257ee984c0304d26c2206318a439cbabd4eac

SHA256
7f91ed2c71656f41841e97d9e2ba4315957478d4d2d4e4ae700eede7a609427c

SHA512
ae8664b03fcf7415489f4f05eefc16307a96001071217bf89801436bd6b7203e3753662116fa5cb16177bc1b09ee12ed7fec3fb108f597f72f1d101a5a6edfe6

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
45KB

MD5
0539be31211802b4a603e74b721161f0

SHA1
268bd462a828ce511b519c48718409c01ac34f4f

SHA256
807655d4255282c0699b3159c8062b857773c5a12079a326109304deb44193b1

SHA512
f7a87628cec56c30b1bbb6d78739df0368067abad354feede2e79606bbd34d6b37d7a4e36af1eec008befe6321e0f8ff8b8be3e1aa344abcd5b751219dd8bee0

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
45KB

MD5
f51a94e58d7d0be1c2a8ea1670e263e0

SHA1
94bae6b7aecf48086d997c1c33cc980ec0ceb72b

SHA256
4a7a7e064cb871e2d59c1ec7133c9b66fcc7dfa75c1ea0f4276aabbd2bcfa1e6

SHA512
4129a877703027ac043d4c4b97e719d875d36d570937937251e8ce9a7f51939f7257c2e8089f4eabb71440314aeb1caa70c54b388c1af7c7edecd078d5f4c651

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
45KB

MD5
cdc97fe55f3bdfcc13ab8f91cc2621d5

SHA1
0c6e18915c84c611abdb961a625f890f1cda97e6

SHA256
850bc15e5a4f1e74d6f2e430f3255d7bff5e50e1f1d4e7d5a0ff8df7d7dcfaef

SHA512
0117032c63a6c3b9954805144ecd05d1bd217a329c4ce6e4cdb334cf293523d51876a0a4a21728bc199610f944e09ea121d06bec1b681588e7b60f92436a170b

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
45KB

MD5
cbde7b9bd6acd54d89c5c001177eab01

SHA1
165f8e4f40891158a78d199f9b3d6dd1ab925098

SHA256
2297a6d043c34c0b467c6018796f8a32180aa834a399f73d8c344cb390503852

SHA512
259d160647c0498c3af94dd1faaeabf52a8c2f2d1d180baff13f5f82b350489241e46b6ed3d51a2c80cf3ec4d88b30d1c08b07ba0593ec25d0414f83ef7d8f7c

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
45KB

MD5
51de47981e28ee5788a11e38fbfa0794

SHA1
edc6812e77fdfce5f9695d20995c0e9d5a824f49

SHA256
a3473576ff4ab7b1667efea839fa153da2f184ec4dee4c61313b4ee2aa042f36

SHA512
106c39edfd0fdae1f88be4fd33fb47dc790d026a1e6e79383da9fc648832cee26c4798ea54d5c98ecba994946dd87ed4f451a64ace927188272207645fb548fc

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
45KB

MD5
a521ec89fcc9c97bc9106d4e3a983482

SHA1
704e7414a476ac737b160880d46293b7b357f927

SHA256
7c8784fa717641bd6c4b5b488e0d5e140821fe84094550dce8279459b7488a32

SHA512
0bbd4b5955660e1a7635c86b6b4101730fca2097162b8955b58e09deaa532b7c66ffe055da8e253e9697db3f0d684f7e5c0f3f43ccd1d1c75cef63951a9e779b

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
45KB

MD5
6bce7c8e9af55d36eff598afbf78619e

SHA1
11698b130aac94c29df5969f03419c4a650145b9

SHA256
56b514652fe1a930f9426b9e166dce23f650ebbd4dd75b107c6e18eb258f5097

SHA512
28a66e1527be4e7aa74c9cd9f30d2e33a01b9e4dabb9bb7423f7969c6b9a3ffa5a8f1ae40eaa46361df35d9b9502e5520209d0b2634f7beaa8286ae093a5a0b0

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
45KB

MD5
c751bc16b90eccf93fc8a05a3a0248c9

SHA1
77cdc8ed43d9f7c9548a5bffa99595d8122b4b1b

SHA256
23d52913e44206ebda70e3e86041dccfbd529739c6329d11d6807736ef1eac3e

SHA512
2fd8f4c9c2f7e9816f923d2490963507a369a13eb658defd284a0c3a25ab8bf5777c571eb64d01999d6093f37f40cc8115df321de01138352148045f67f99cab

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
45KB

MD5
e3e9f63033e6a0e58c93b89b862e24e8

SHA1
a2d1752f64124905f890e6aa64391090aa0f7ea3

SHA256
0c249e52c5b85e5a20488bb8fbb045a2ad186b4264d505388cc86efda8572d4a

SHA512
d91afd7a66079fabcd1efda3ee8020d1337db3236b93b74b0e34b3960de102801dadf518190871476de4c79eac02edd1d62af8429f06bd36ba479c063aa634e6

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
45KB

MD5
506a085938300cf2bed168706d03e988

SHA1
e873398f49195f955b9a193bf5b680fdd3d2c5d8

SHA256
12223b4c0204dc2cf799ca4a219346524790c9b46d7d51eca3d13c06fa2230fc

SHA512
82d8e1ef3bf60277c4fce690290674c512119aaa11a40af4bf052c1958bc0515bcf540c8191191cde3c6b91dddccf3f9e3434aa5ca08430008cad82e52294ef6

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
45KB

MD5
b1b07353b7b9ec0c8c8703aea8f9db61

SHA1
e785313ce36ae3c0a317fdf38cf8a87c23db2f61

SHA256
3c20df2114d7c0cc8c316f5c8689e83bd109d1d63f1d592e359ae082a74625c8

SHA512
6c8149e037b4b63188cff36e6101e5e4318b77af387819e13ca948cb50dc0b0e17486602d7052e7726ff59dbfdd1589ffab7365c41831e864b1884633d374a97

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
45KB

MD5
a7f28972c700e08571053da97aa876f5

SHA1
2951a2799563f3045535ccd69ae1c3a997c0b81b

SHA256
da42b9337f4c844c7d4d00388988599f61295c23afeb8f812b8aaea49bedfef1

SHA512
8dc2ba5ebf0354ea6799074ad233ead82be363e8e0ce8b6532326033f41888fd7c7636e3bb031fd6283e0a6fe21f792b6df866c55e2a8d0a1cfe0faee820f220

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
45KB

MD5
af451946ebac7b6f59732f58c341e1e6

SHA1
47709f292ea9c165116589528b95ebb6f70fd06f

SHA256
d76cbaac1a7b3e047daa68bb53c3e4fbb3b87509f4b4dd6f81a382d574aa954b

SHA512
a0c7e9fd67aee597e783c2c3f800550a52a5c002905b2960fa6cb2bf14358ce36854191bc0e4be31ad0e09bfe13d06c6cb12f2dc3bc3ece1abac018d07fe845d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
45KB

MD5
114037e155715cae9ce3a26721b316f0

SHA1
5eab7e22bdb252ba94a59d103c7de2ba6ac74666

SHA256
13078a0a067fc9202e472286aa7a52fc829fceee6cea0b9a5069725b3b279298

SHA512
88f9cdb3dd6ea44990783acfbfabdffad88cf8cfa1df4752a68dac69343e3559a86b3875ff24cd8f8001bacd8f1849039f9d520083534e43ce67d14b6489e516

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
45KB

MD5
452f1fce8670003127708bf5d9cb7f58

SHA1
8c33b5c6f700582a0b7d2fbb4afec5b188cb36e0

SHA256
1ba5e25b6a766ac6c6e96dcc99e4efa5c572894f38385270495b1f5fc5fa3f4c

SHA512
a7b5d8f7ef9153e207db3fa99febd32dafd74dc8c83169fe56fbc41c1702681d7abdee6f8ea3f47801ff9ed586b0327a8796b9f5104eab903eec4b5c0c552562

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
45KB

MD5
666f5e73e7f155076de29f5fd409dda4

SHA1
192db9dda6012ce00b621caf76ba8578028ddc22

SHA256
1b2c5ce4d8d84bd35921fed29a96c675c61d67166d977b37eac1e51516fb312a

SHA512
4601f40c036e31232928967498d94d9ab75d00de6b7de13565a1f4910f22d6c5c047db5355f924b4f2a21f10f4d6301b0220ab9a1547c3b6a09d81e736527113

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
45KB

MD5
8d216bd0dfa2ca923945a7a901544ac8

SHA1
62e0c0a4631e1e25302724eb669dcb4939a90d2c

SHA256
ac93f6e87070d3ab7cbbfe5d7a09a9d0f1352d5460b27cf51431b20fb42f0c4a

SHA512
8ea9a62b5477b60556b389210ddb70e88e9ad9991a9c24b4c584f639d94a111ca163fcbb14f16a885a6e1f1ca6a7cde9c77dcde5d935c0973ac15d3cfd7f6009

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
45KB

MD5
d4261f4dc542d579cfd8d96fd6be8dac

SHA1
5687f3fd855f1323b60207b0f5b143a04323a257

SHA256
c8b4f14ba33afd8782e3dd433ab23e84025e30e1c4a2f701a9db7b3332fd55ad

SHA512
8daf40a3a7fd405a0ffe3851e6e3d961aff3b9db7ed35ddcc1d29788907be648127b6a48233f4b98e5b7c1ddbef44e9e59b79216429772013be56a1658cb0cbe

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
45KB

MD5
b9f67d28246156fa694af971152e2d3b

SHA1
9e9f9221baa4a716598ab267a9ac9c215a22ad69

SHA256
09fe728c363e86bf250eaeae6f69673ee554e550e4f4f22be1de2e61f9f1dc2f

SHA512
b6b934867bdc2032c74cf054da6ac57fcf36a9684c2b129a4d8eda45764c5468b186b04b4db7017fd82d0c40be3b67a27037f418d4510b556971c646f44703d9

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
45KB

MD5
f41a004107c7f1e6ce5cb6f003a3d332

SHA1
43b0f88ac622f553684c66266fac7ff93e7ec10c

SHA256
3b2b7a8267f037ab000188101aa01b2507b741b851e569c1b289fe65268c7af8

SHA512
dcc9d2df13b893f70f112ad40c90c1b37919470f0d3382c02c13539a96ea5c4afca9f0343650b1c7267bbdfd5093ac66171ed5464b947a6ca6adacb8c51a35ac

Download Submit
memory/372-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads