berbew | 0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exe001.exe
Size

80KB
MD5

aa26e4a0ae74ad691c896aab8f6b6d20
SHA1

34e58f204e82caeba550253a4f3948a5ea556449
SHA256

0be5a6d038af15814cd6ee1dcdb1cab645f36b53356d86150f75c778b0362231
SHA512

0aa926a89bbbc928319902d42e0999f35839571d206499f7fe3c2f8ae39453894f861bd55ae4aed3a3096054a580c5d0e96dece17e225f5281e2acdec3514f78
SSDEEP

1536:N1axMpEQWi53baie+aHgXrKbNdxgI5XL2LiCYrum8SPG2:DaxMpr53bai1aAXrOrxg6oiVT8SL

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	exe001.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 52 IoCs

pid	Process
4188	Ambgef32.exe
1616	Aclpap32.exe
4268	Anadoi32.exe
744	Agjhgngj.exe
2860	Andqdh32.exe
1276	Aeniabfd.exe
1916	Ajkaii32.exe
1772	Aminee32.exe
372	Bfabnjjp.exe
4740	Bjmnoi32.exe
440	Bcebhoii.exe
2844	Bfdodjhm.exe
4656	Baicac32.exe
116	Bgcknmop.exe
3032	Bmpcfdmg.exe
2052	Bcjlcn32.exe
716	Bfhhoi32.exe
3664	Banllbdn.exe
5048	Bhhdil32.exe
3964	Bnbmefbg.exe
3772	Bcoenmao.exe
1548	Cjinkg32.exe
3052	Cmgjgcgo.exe
3144	Cdabcm32.exe
4380	Cjkjpgfi.exe
1516	Cmiflbel.exe
3900	Caebma32.exe
1156	Cfbkeh32.exe
4412	Cnicfe32.exe
4128	Cagobalc.exe
4536	Cdfkolkf.exe
2724	Cfdhkhjj.exe
748	Cmnpgb32.exe
3028	Cdhhdlid.exe
1680	Cffdpghg.exe
212	Cnnlaehj.exe
2148	Cegdnopg.exe
1940	Dhfajjoj.exe
1980	Djdmffnn.exe
1304	Danecp32.exe
4528	Dhhnpjmh.exe
3676	Djgjlelk.exe
1792	Daqbip32.exe
3280	Dhkjej32.exe
540	Dkifae32.exe
4716	Dmgbnq32.exe
1820	Daconoae.exe
1652	Dfpgffpm.exe
4792	Dmjocp32.exe
4348	Dddhpjof.exe
5008	Dgbdlf32.exe
3168	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4692	3168	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	exe001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	exe001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	exe001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	exe001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	exe001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4188	3360	exe001.exe	83
PID 3360 wrote to memory of 4188	3360	exe001.exe	83
PID 3360 wrote to memory of 4188	3360	exe001.exe	83
PID 4188 wrote to memory of 1616	4188	Ambgef32.exe	84
PID 4188 wrote to memory of 1616	4188	Ambgef32.exe	84
PID 4188 wrote to memory of 1616	4188	Ambgef32.exe	84
PID 1616 wrote to memory of 4268	1616	Aclpap32.exe	85
PID 1616 wrote to memory of 4268	1616	Aclpap32.exe	85
PID 1616 wrote to memory of 4268	1616	Aclpap32.exe	85
PID 4268 wrote to memory of 744	4268	Anadoi32.exe	86
PID 4268 wrote to memory of 744	4268	Anadoi32.exe	86
PID 4268 wrote to memory of 744	4268	Anadoi32.exe	86
PID 744 wrote to memory of 2860	744	Agjhgngj.exe	87
PID 744 wrote to memory of 2860	744	Agjhgngj.exe	87
PID 744 wrote to memory of 2860	744	Agjhgngj.exe	87
PID 2860 wrote to memory of 1276	2860	Andqdh32.exe	88
PID 2860 wrote to memory of 1276	2860	Andqdh32.exe	88
PID 2860 wrote to memory of 1276	2860	Andqdh32.exe	88
PID 1276 wrote to memory of 1916	1276	Aeniabfd.exe	89
PID 1276 wrote to memory of 1916	1276	Aeniabfd.exe	89
PID 1276 wrote to memory of 1916	1276	Aeniabfd.exe	89
PID 1916 wrote to memory of 1772	1916	Ajkaii32.exe	90
PID 1916 wrote to memory of 1772	1916	Ajkaii32.exe	90
PID 1916 wrote to memory of 1772	1916	Ajkaii32.exe	90
PID 1772 wrote to memory of 372	1772	Aminee32.exe	92
PID 1772 wrote to memory of 372	1772	Aminee32.exe	92
PID 1772 wrote to memory of 372	1772	Aminee32.exe	92
PID 372 wrote to memory of 4740	372	Bfabnjjp.exe	93
PID 372 wrote to memory of 4740	372	Bfabnjjp.exe	93
PID 372 wrote to memory of 4740	372	Bfabnjjp.exe	93
PID 4740 wrote to memory of 440	4740	Bjmnoi32.exe	94
PID 4740 wrote to memory of 440	4740	Bjmnoi32.exe	94
PID 4740 wrote to memory of 440	4740	Bjmnoi32.exe	94
PID 440 wrote to memory of 2844	440	Bcebhoii.exe	95
PID 440 wrote to memory of 2844	440	Bcebhoii.exe	95
PID 440 wrote to memory of 2844	440	Bcebhoii.exe	95
PID 2844 wrote to memory of 4656	2844	Bfdodjhm.exe	96
PID 2844 wrote to memory of 4656	2844	Bfdodjhm.exe	96
PID 2844 wrote to memory of 4656	2844	Bfdodjhm.exe	96
PID 4656 wrote to memory of 116	4656	Baicac32.exe	97
PID 4656 wrote to memory of 116	4656	Baicac32.exe	97
PID 4656 wrote to memory of 116	4656	Baicac32.exe	97
PID 116 wrote to memory of 3032	116	Bgcknmop.exe	98
PID 116 wrote to memory of 3032	116	Bgcknmop.exe	98
PID 116 wrote to memory of 3032	116	Bgcknmop.exe	98
PID 3032 wrote to memory of 2052	3032	Bmpcfdmg.exe	99
PID 3032 wrote to memory of 2052	3032	Bmpcfdmg.exe	99
PID 3032 wrote to memory of 2052	3032	Bmpcfdmg.exe	99
PID 2052 wrote to memory of 716	2052	Bcjlcn32.exe	100
PID 2052 wrote to memory of 716	2052	Bcjlcn32.exe	100
PID 2052 wrote to memory of 716	2052	Bcjlcn32.exe	100
PID 716 wrote to memory of 3664	716	Bfhhoi32.exe	102
PID 716 wrote to memory of 3664	716	Bfhhoi32.exe	102
PID 716 wrote to memory of 3664	716	Bfhhoi32.exe	102
PID 3664 wrote to memory of 5048	3664	Banllbdn.exe	103
PID 3664 wrote to memory of 5048	3664	Banllbdn.exe	103
PID 3664 wrote to memory of 5048	3664	Banllbdn.exe	103
PID 5048 wrote to memory of 3964	5048	Bhhdil32.exe	104
PID 5048 wrote to memory of 3964	5048	Bhhdil32.exe	104
PID 5048 wrote to memory of 3964	5048	Bhhdil32.exe	104
PID 3964 wrote to memory of 3772	3964	Bnbmefbg.exe	105
PID 3964 wrote to memory of 3772	3964	Bnbmefbg.exe	105
PID 3964 wrote to memory of 3772	3964	Bnbmefbg.exe	105
PID 3772 wrote to memory of 1548	3772	Bcoenmao.exe	106

C:\Users\Admin\AppData\Local\Temp\exe001.exe
"C:\Users\Admin\AppData\Local\Temp\exe001.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\SysWOW64\Ambgef32.exe
  C:\Windows\system32\Ambgef32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\Aclpap32.exe
    C:\Windows\system32\Aclpap32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\Anadoi32.exe
      C:\Windows\system32\Anadoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 404
        54⤵
        Program crash
        
        PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3168 -ip 3168
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
80KB

MD5
1c1b4840fba95c86e6d22a5b5f64a213

SHA1
ed9dd101e58d74b580eec0aca8bd6cf7a54a8f33

SHA256
83f6ec5842aae2be08c1ab94c157f513603de413ab23203e41933d1075f26add

SHA512
e45e76660036e0125dfde4567e327e842698b7e339922351c14a2179c2f10d1663acc8dfd79372768c845a27da39a53a951dcb591b144fa6ac7a502d79e7c88e

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
80KB

MD5
c5e65b0307eaa3e65d9f863ff380ab08

SHA1
90eef17ea5cdd400dec3573efd6d81f4ba0bf3ca

SHA256
4fa6f2fb52eaf69de7bc32b9fc2b62b2ea146e21cd28ef65a6798d9367fa38c5

SHA512
c0fb407273e7d2ff4eb59541b155f1811c2fb1dc3bc358e1784b3b030109d327d25bd965267c9fb5d3f4983faa964b0708094d576cce1cbf2f9f24cc0da9ce13

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
80KB

MD5
124b4a7f7de5638ec343e1ac57e443bf

SHA1
d71685ee092581ff55d81558609b9d5376246eba

SHA256
ac5c96028feef5be5f24b88d2491f9f1d134f56c0393cfbca323cc586eb4cc53

SHA512
1f85c78a562b11b95b268ba825e2f7044f2d640428eeebc38187b9ea7255ece17429928888ae18d2a01501b1a53224b2f3e684b109e10e323082a1adaf53c57a

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
80KB

MD5
fcb4e809b7dc45a18041bb0890f5128f

SHA1
b59e8f251b78a55052802c3aceee2ca006a18d1a

SHA256
884fd7e82219ec1f3a4c4faafaf4eac8e5252826d8c085a19fad8d47548f67df

SHA512
470d7b0527656fbacb77e4d069b6f173136dd362ed86f4d7cab0385ace6905bf5fe57e74f98d5ad7e3ad92ec106c10d01deda6b0d385985565e373e97aadb6d8

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
80KB

MD5
223298194c6d40607a1660a115715196

SHA1
342625d2cd0330be0fa6df6c093b299b208473fa

SHA256
02600f0f6526077c76e0dd08e1cca88808e299973da8afcc75edd57e4141feee

SHA512
153932e3714064acf4d279db81d9c474e2eef5e4564ec4762ff6b651bb798d66bd08059c889f49c515fd6b1347d57b5b65ae646e1311a7fbdf24427aacc4d530

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
80KB

MD5
9342c056a54eb89cd4cd71491578c92e

SHA1
6cf41f99298a72b2e7298325e0ee7e0796dc07bd

SHA256
81a884f21a470dfaf1e90321b69d5e26a3e401b8ee0f02a3dbd76f339076318c

SHA512
d7d47243e7fc2c9c215515500835829cf6724eba9203a4d722a303f06a6c5431f627d68b7aa8fa56becbbbcf24415a0fd983baacb13a79607e8e830d19ffb332

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
80KB

MD5
1170b95998a9fa85b8be3ade4a911b5c

SHA1
1abca98604edf20d863d96030079cf5a649c7e82

SHA256
5ebe2841faea8bcbe6f9ca83215111d975c0cf17e356571bab957b41b3ff05d9

SHA512
a2c39cd08225a6d90edff3c1817363348ff1b708d5da40e2bf2af12b52d603575de3d9c0be212bd7c6df91d97159ef5558be831c7a5744674708d720bf082a61

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
80KB

MD5
6fd39a22013c158b35a7335ed37c8dfa

SHA1
cf0aa7ad640ffd40debce00504cde061f6af0484

SHA256
6584fc96234a8c56aef2b09fe31044cb314ecb6494a581a2901dd7d960d79d29

SHA512
ba320dbc1dfe0ce6a257ff3b88dde577483713805e6b222613a569a424f5557dbae4d09901020ad1271a1353ce4cacdb6b1ed26825fe75305bdc3a42b5df3262

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
80KB

MD5
b5fa6a99eb7e7ec86c97883ab2bbd780

SHA1
1da119c69b12920fe81ec3e94a977db6868222e5

SHA256
0ed0b7af203be053aa9c9635a401f010354f21c7c91d32df2ff70847020ace77

SHA512
9755a020096ac9591e407b6f9dc1856cbeadc693c7cb989f10a0b02db01142be02c4a6c32a54fb2a1870fe3f2f290507ec9380fde2b45dfb182f2b619e37f8d9

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
80KB

MD5
fae1de897d3abb26f3018dc48d3b890d

SHA1
2a27049727c4cafdcada60eee10e3aed6efebcd5

SHA256
c3de3b8930533e067ac1f8c82de48206f14744510df5e70c870b55bbe196d916

SHA512
893ed110faaed59807b383df76e9c9e56c59dcdd718eaf9181493ee60882dbc8ae7ba9eae605d60b8e6297c92ca541a4d8c3915548df92559d4cbb514208ec4f

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
80KB

MD5
4f5ef63d769bda9559c43014b1b2e362

SHA1
5170f7ed2a186ed8670136f2b64b69475e73525a

SHA256
5b8cfdab31b17ddf28d7376b95871c0bfd40899455407425df5a259d792cb30a

SHA512
e89722a3609adbc371b4c30ac94394ec631dcf2892d1a1545feb3df5cc4c6fbc1a2f359a8fbee04d479b117b65a27b5f110f814db3e8123674a73a840f6de1e1

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
136c04b0a8c66efedf4bf007c8fc373d

SHA1
d4f0d9066b08dfddf79964d11f0f11f47c0585ea

SHA256
0161dde60836931044ffd13e89cb16f3797ba2b508774b6a8bd65ea9a99bff1b

SHA512
198bff6cfbf9a2b6f448307e27698ef2a809efcd0f2a0d4021bc3e02168481fb0c516dd0df68c52816cb602d2e8dee1cfc44f7fe07dac9eb16fbed29ab64fdd2

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
80KB

MD5
7d9def3dda29ff112f21d6f6d7b451a3

SHA1
ab393a86629efa859087ba9b9c0dfbed13c8a6a9

SHA256
dadb12fef8792589b71b52ece25c53134614753ddaab787ac4fac56b5d6bc61e

SHA512
c70364929543132070b366b01161697efd83d005a70b5c5fea3cff7209baf535b7dcd0e3def4ca7587fa7c4effc60eb03fc2ffe1ce690617372d70e64f032a78

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
80KB

MD5
fd7ad51e8c2b20f10973fdc304fb80b9

SHA1
288aad34348593c96b758cc3e04b8f150a90413b

SHA256
59bd0a259f8ac1467f7ece67457218ab9b962e7d5abd46883e2026b0a35d450d

SHA512
9229549d90b9ed106c251caa651219c841460a5411e280f5f52a3d97089b241513a5ed5c4635a1ba20851188a5f0bff51d6c3ba2ed77936a8f497e1e21939b81

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
80KB

MD5
b927c1cc0b0035dd367eaaf30c8c436f

SHA1
8195fa573de94ff7f89a52ea2f7775c4c0511e6a

SHA256
092d79a90f9d019b1bdd574c21f88a5a0705c532b940a440e69687a0f0646fb6

SHA512
1d2cb0a7c9ff147d942cafcc4143e77303918909a4d4d274dcdaa03db5559a7e3307a1e8b4645978e5f38e665a923f7ff3c17f22317f11eeba72a1ee27331112

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
80KB

MD5
6fa0abc3b1c9e8e2ed8be5e579c74fbf

SHA1
2a980dd4c7b05c2cb748a3cdd3b57a2ec985f569

SHA256
4e8ccee2c6de62288997fadd133e411de8d43921cacbab2b6f89c96f196622bd

SHA512
67d8f74421fb061e61b7574d36a312db94ea5895a932b9f04969b8da041526d38b3bcc674cd213d0ed27a6705a6bb98930c1ed631150949330b4c8395a91a57d

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
80KB

MD5
505261c3adf8d64e7584abc173e8e7f3

SHA1
00d8c6f6ab567630e1d5ca9fff135dcfa8d74ba9

SHA256
87e955606f84fd020065f5dc197ca015c8132f1d30a2ebd72faa8f289fb461a4

SHA512
3871821aad83ad3615c392e5c9d6443df0c4d9501d046cf702d7557507de83b7c45aa3e66a8fe269bfbbedd42859d1e51121f537870f8f8511a5140369a5b4fc

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
80KB

MD5
5c1befff0a6f191d42277e1bca707822

SHA1
0f4c36904c1082d325e0429e5d7979fc54050ef7

SHA256
0587f464d4acc828ff107ee0159e5779c40889667bfa3cf8b332e538665ecb25

SHA512
db6cf4f756a0fcfe20cc6d37f1e066aa2fea8cab50f47c10997299cffc390bbd95b89a00b5c3680f493ea77a44b304234a7c6ff74d6527e4f7619c89beddbd60

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
80KB

MD5
e8d469b1ecac7e578ffb519ec523824d

SHA1
638e5b286214bb6859a9f59ecb87ca94042497d7

SHA256
6b38d082ad870c7e77e398832058c5e8a0237ea6a15360b37a22b9faddffc1fc

SHA512
5ea9be4951c5129e28a77beda60ee3dece07bb09a56e76dd6a112abefccc48c6023be9316c4738785248a37995fa9ea4eb303da3bc1262e48b8151cab4af53a8

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
80KB

MD5
351ac67be49b264d44fa86fa3011028e

SHA1
1787bdc3f336bab8af54bf491794acab8028ab7b

SHA256
e9b4511afc939fff1db1a87782edf7868eaae0bae2fd80430b75cf84af218e4b

SHA512
808ebfc679a4b03d75179f20dc589db038ad85b46516e05d1aa699e71979bc0b069de4acf09978217f7da7592d4043e0885a31928d2a8d0fbd680184f4c9b21f

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
80KB

MD5
82d1a29fc2e32bb01a829ca63d8a449f

SHA1
bf1bfe18a8cd720352edf0b38c75f7918ad5385a

SHA256
2878f7ba15407d8a1c6c8d42a977e0b1100de557e96c0e151ba903c38db92c18

SHA512
d367901a3f9bf448ce243b04d1aec396a49297c65276e27107519089ede95bcbfda920b6421ab28ff0950ad779c51b372d9cc01e4c3de63ed6a3317671f8ee1f

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
80KB

MD5
8cea9238236473c6a534918c37bafb35

SHA1
c6a62e4eb147146c8fd7227b8956459e8b8975e5

SHA256
3f67cd5c3cbe08e6b3ff0f8028ed6bf78d441929a58e27b30f49757ac45e77c8

SHA512
ad28c85ea002ae09f6a5a3aa9652825e78416369de36328e75e96104f19ca8113ba04ff5576a383a1e09afca9e36ecb336a7fe229aea74019938687e0907a5ad

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
80KB

MD5
c787d99b7b468c8260aee182243aa63a

SHA1
5f0d36e8e66534b679b624377b4fd1982d826601

SHA256
e3c80d9708c88df109fa7af333a700a6d8b5edb781ba5aad1639f16ed71229d8

SHA512
203cec580acddf4adebe2093c2f28410a847b9702afc281130b9a09f55424a96c95585ccad5fc680ecd8bfc2a042a812f9234e13e967da6b9e01b03bac0482c8

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
80KB

MD5
5cb92bd6d5fc48c24f17efaee723a4fb

SHA1
e13360cf04aafc37512f1237ef0fcffc93c53aa2

SHA256
6662a114481c7cd634194773e9389b0c78b069de2e979435691d48f06a4bf1e4

SHA512
6231a6b514110d8dc13f064c55ff42b486a7dce489231b3b4a03ef9172f72b4c560e458390adc64ce5d5ecb3cdbcc7b6c8186c80d5fd4f36e3b8099507c76be4

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
80KB

MD5
56b2b811c1339a7b6dff3359bc71b648

SHA1
84bbe8ac945b5903fb995047a95a11d356238af3

SHA256
2451c79aa4593e39415708625a8d311b2c9ac2bca95e69245905da4c82f44a4a

SHA512
18aa19478637ca430e88362586927b4f101b6f87970c038d34571824c099d442a1b9f0c2e91c54c5892c613898a13c75ce06abcc048afc4a5887426c7004308f

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
80KB

MD5
67ba014208055ffc6a94183cc45caf49

SHA1
7b3d850ece3f82fbfa03b67c4c8dc61c5306e89d

SHA256
386d7e4c30bd9197c870aba74f7bb6d58532fc45e4b7c3ab5a582d371f3592d0

SHA512
4f180c0f32ff06ea4a9f1d5ddb5036a36f8c7704a99eb3949f55127575248965a7e213111fe7fc99a265a8dfacd52ee974ab73cf7bbf5a91b3401ab17db7c1cc

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
80KB

MD5
2206e1839b0073d5f1edf31ba24b451d

SHA1
a82257c2562129362884a857c912242fcb5697dd

SHA256
edbf9b9131465024314598719619b0ec21ad0f6d15fc55c33cf44d5c351c22f0

SHA512
35bc9011d7859e9baccdaf2a36ccbfca0ef1544e14e023f5664b9c3894f3c928283318a608a904fd7b4f78e8878da5c5c890f75597859d9645f54ceb745f7818

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
80KB

MD5
aecf2791fdd40296346273b7008e41be

SHA1
52da10d5416c7cc0aecad18e51bbd2fa63f2faa1

SHA256
171d7b450d5b9500deca7b365e55ce044481172377985ee710ce899135eea8a1

SHA512
9c2760035a91596ac6feac609407075e37131a5e5893342b7dd2b87b8684ad9e653dc6f80f9b85e9f3dd2b7705d75afbc17c0c6dd0980e48f21867e22c1f38c0

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
80KB

MD5
cfbed178e8d297796ae2b3aff9f74928

SHA1
203f214cab3bf6cfe03fa4d3dcd28c3508c7ef2b

SHA256
ee2f945f8a4e32c8511c16413ec65ac53a741a96bf1897b241a4780dfbc5c4ec

SHA512
dd4126286a74bcbfcaaf8ad51352c5f18d4a00f6b36e32eb144114af9ddbaddf6d71332813d5865d762688e50df566072d3165cd4e928506ee696c475018d3ac

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
80KB

MD5
4bfda1b346af6df944581d8ed8b0e009

SHA1
09ccbc5bc5dbec31d1779efc67ba3c8c62afa7fe

SHA256
8a406d8c17282e21534bcee2712e9cd2db956e709b2a61c1ba3da06c41d0f15c

SHA512
d4228a5afe32cb75e02133aa82ee5ecd3d412ab825084778545accf3cd74a0e4726acb30e0d5a65a6a01fe1308188fa5d69a7d9cc56159747172ab18b721a4f2

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
882fff57df1a56c5f2337d451ed80894

SHA1
cbe901fe7d5d3f9e509f33146b82b58c090cb73a

SHA256
ab34366b741379b387bf4db01dd1f8e2c1144b8426b347d627537af0b3a547b8

SHA512
62640605e58d4570ad0775188c2c3edff71779351e4f17ee678b8373632f82437995365abad2ca7422504d64bc708b8bb6bbccd025435a18c7028314e3c7b080

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
80KB

MD5
6f0897e94f6efcff0a7236bf8bcbf5ea

SHA1
55c0e4998dde6ff1ba0752f0dcb127d13b683c75

SHA256
b5a0e0f346009f725185699e932f84651e6dd4e5ae946d389af252ba4a7d46b8

SHA512
25baf1f8535c54d2767bf95be96966933c995c989502ffafccffa0e1d339e82fd68eaef4db899caa5c46fdaeb8bccf0bdb4b84dee63d6f27885e0a0acf64f580

Download Submit
memory/116-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3360-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads