berbew | b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Size

104KB
MD5

d4db44c2a4eb5be5ff2afcd957f05960
SHA1

30f13d2af5aa6f780519993348c8d34789102b41
SHA256

b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2
SHA512

02c758ac8f5c417589876d09fc490cec2f0389e62785208e52984f69e28f32cc23068277aab91d43f3f2f47a6c53dd2de0e69d6e8abbd33d6d265eac16cd567e
SSDEEP

3072:bom21boiQQmqV/no4SBXe54x7cEGrhkngpDvchkqbAIQ:Q13QQmqSQ54x4brq2Ah

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 48 IoCs

pid	Process
3896	Pjmehkqk.exe
2652	Qgqeappe.exe
4112	Qddfkd32.exe
2808	Ampkof32.exe
1944	Ageolo32.exe
2292	Ambgef32.exe
4104	Agglboim.exe
3288	Amddjegd.exe
1636	Acnlgp32.exe
2776	Amgapeea.exe
1416	Afoeiklb.exe
5044	Aadifclh.exe
4912	Bfabnjjp.exe
2000	Bagflcje.exe
3424	Bfdodjhm.exe
4636	Bmngqdpj.exe
2824	Bgcknmop.exe
1088	Balpgb32.exe
2872	Bcjlcn32.exe
3324	Bjddphlq.exe
1588	Banllbdn.exe
4032	Bjfaeh32.exe
376	Bapiabak.exe
1400	Chjaol32.exe
2888	Cmgjgcgo.exe
3860	Cdabcm32.exe
1304	Cjkjpgfi.exe
1532	Caebma32.exe
2500	Cfbkeh32.exe
2060	Cnicfe32.exe
1320	Ceckcp32.exe
4520	Chagok32.exe
3868	Cnkplejl.exe
760	Ceehho32.exe
1248	Cjbpaf32.exe
3216	Calhnpgn.exe
1664	Dhfajjoj.exe
2240	Djdmffnn.exe
2364	Ddmaok32.exe
2708	Dobfld32.exe
1768	Delnin32.exe
2840	Dfnjafap.exe
2356	Daconoae.exe
3444	Dhmgki32.exe
3724	Dkkcge32.exe
4240	Daekdooc.exe
1980	Dgbdlf32.exe
400	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4976	400	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3896	1960	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe	83
PID 1960 wrote to memory of 3896	1960	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe	83
PID 1960 wrote to memory of 3896	1960	b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe	83
PID 3896 wrote to memory of 2652	3896	Pjmehkqk.exe	84
PID 3896 wrote to memory of 2652	3896	Pjmehkqk.exe	84
PID 3896 wrote to memory of 2652	3896	Pjmehkqk.exe	84
PID 2652 wrote to memory of 4112	2652	Qgqeappe.exe	86
PID 2652 wrote to memory of 4112	2652	Qgqeappe.exe	86
PID 2652 wrote to memory of 4112	2652	Qgqeappe.exe	86
PID 4112 wrote to memory of 2808	4112	Qddfkd32.exe	87
PID 4112 wrote to memory of 2808	4112	Qddfkd32.exe	87
PID 4112 wrote to memory of 2808	4112	Qddfkd32.exe	87
PID 2808 wrote to memory of 1944	2808	Ampkof32.exe	88
PID 2808 wrote to memory of 1944	2808	Ampkof32.exe	88
PID 2808 wrote to memory of 1944	2808	Ampkof32.exe	88
PID 1944 wrote to memory of 2292	1944	Ageolo32.exe	89
PID 1944 wrote to memory of 2292	1944	Ageolo32.exe	89
PID 1944 wrote to memory of 2292	1944	Ageolo32.exe	89
PID 2292 wrote to memory of 4104	2292	Ambgef32.exe	90
PID 2292 wrote to memory of 4104	2292	Ambgef32.exe	90
PID 2292 wrote to memory of 4104	2292	Ambgef32.exe	90
PID 4104 wrote to memory of 3288	4104	Agglboim.exe	91
PID 4104 wrote to memory of 3288	4104	Agglboim.exe	91
PID 4104 wrote to memory of 3288	4104	Agglboim.exe	91
PID 3288 wrote to memory of 1636	3288	Amddjegd.exe	92
PID 3288 wrote to memory of 1636	3288	Amddjegd.exe	92
PID 3288 wrote to memory of 1636	3288	Amddjegd.exe	92
PID 1636 wrote to memory of 2776	1636	Acnlgp32.exe	93
PID 1636 wrote to memory of 2776	1636	Acnlgp32.exe	93
PID 1636 wrote to memory of 2776	1636	Acnlgp32.exe	93
PID 2776 wrote to memory of 1416	2776	Amgapeea.exe	94
PID 2776 wrote to memory of 1416	2776	Amgapeea.exe	94
PID 2776 wrote to memory of 1416	2776	Amgapeea.exe	94
PID 1416 wrote to memory of 5044	1416	Afoeiklb.exe	96
PID 1416 wrote to memory of 5044	1416	Afoeiklb.exe	96
PID 1416 wrote to memory of 5044	1416	Afoeiklb.exe	96
PID 5044 wrote to memory of 4912	5044	Aadifclh.exe	97
PID 5044 wrote to memory of 4912	5044	Aadifclh.exe	97
PID 5044 wrote to memory of 4912	5044	Aadifclh.exe	97
PID 4912 wrote to memory of 2000	4912	Bfabnjjp.exe	98
PID 4912 wrote to memory of 2000	4912	Bfabnjjp.exe	98
PID 4912 wrote to memory of 2000	4912	Bfabnjjp.exe	98
PID 2000 wrote to memory of 3424	2000	Bagflcje.exe	99
PID 2000 wrote to memory of 3424	2000	Bagflcje.exe	99
PID 2000 wrote to memory of 3424	2000	Bagflcje.exe	99
PID 3424 wrote to memory of 4636	3424	Bfdodjhm.exe	100
PID 3424 wrote to memory of 4636	3424	Bfdodjhm.exe	100
PID 3424 wrote to memory of 4636	3424	Bfdodjhm.exe	100
PID 4636 wrote to memory of 2824	4636	Bmngqdpj.exe	101
PID 4636 wrote to memory of 2824	4636	Bmngqdpj.exe	101
PID 4636 wrote to memory of 2824	4636	Bmngqdpj.exe	101
PID 2824 wrote to memory of 1088	2824	Bgcknmop.exe	102
PID 2824 wrote to memory of 1088	2824	Bgcknmop.exe	102
PID 2824 wrote to memory of 1088	2824	Bgcknmop.exe	102
PID 1088 wrote to memory of 2872	1088	Balpgb32.exe	103
PID 1088 wrote to memory of 2872	1088	Balpgb32.exe	103
PID 1088 wrote to memory of 2872	1088	Balpgb32.exe	103
PID 2872 wrote to memory of 3324	2872	Bcjlcn32.exe	104
PID 2872 wrote to memory of 3324	2872	Bcjlcn32.exe	104
PID 2872 wrote to memory of 3324	2872	Bcjlcn32.exe	104
PID 3324 wrote to memory of 1588	3324	Bjddphlq.exe	105
PID 3324 wrote to memory of 1588	3324	Bjddphlq.exe	105
PID 3324 wrote to memory of 1588	3324	Bjddphlq.exe	105
PID 1588 wrote to memory of 4032	1588	Banllbdn.exe	106

C:\Users\Admin\AppData\Local\Temp\b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe
"C:\Users\Admin\AppData\Local\Temp\b845239f8874892426ac82b7b2183e51e20148344a76efbdd0f8c1aad2fc31f2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\Pjmehkqk.exe
  C:\Windows\system32\Pjmehkqk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\Qgqeappe.exe
    C:\Windows\system32\Qgqeappe.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\Qddfkd32.exe
      C:\Windows\system32\Qddfkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 408
        50⤵
        Program crash
        
        PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 400 -ip 400
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
104KB

MD5
15a715d0b1fa752fdbf9f7506326d63e

SHA1
3be11f754f431d69d4cc2639afb587947c5da596

SHA256
80fb7378b61352f1d7b0701e6031d1cb04886d11be5a0f6cd04e54dbf5d1f0ca

SHA512
5448837fe46091e6608514c1cfc7085a77dce2063a320591387a2da74bc7999bf1fbd2a04add636f5e46bc2ed4a5efbe08eb5d1d3e6a469353b9d5b0bdacf51b

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
104KB

MD5
49e9ed4b75f388d483accb219d2024f1

SHA1
3b872d16eec38d5cc6133a3cff6af989bf4828f8

SHA256
492f265a809f08b8509eb389f92731e6d969668fbbf4e5f902b3f2c3db6c370f

SHA512
1f77dd1d2f9f02f7396a7597f810f2b893d79bab5c3aa8fc9f8f707f8e1b56923b11ed5753630bb3b9a7306c99348104fc3e7ba3567bc337e80ce230d5b0851a

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
104KB

MD5
dffbd625d822fc27a32769c31438d875

SHA1
d15f586de11a31c7a8e451eb7cfc8dfaa7487d80

SHA256
e5a963393e10bba1edd1957ccc24af180e58f82cbf8ee9a87396c8f10c376b6e

SHA512
de61f5b434b0fa0e682872c4dcc78c530dad57fc2e7690bb832abbaab82e168c0dc6988400a73cdebcba94662c4450fe22a2c4d7766bffa9af1c2430374fad10

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
104KB

MD5
55b20634bbf268bc88fe277e765ce13e

SHA1
00c916dde54c6d0f1cae8dc64f155209fdc33974

SHA256
84bba680977b4aa9365f244905b8053b7fb0414cba59720aa27378077748caf1

SHA512
14abc886f58a373073eb260ed2ec369c14a22974ec6e6282cb369d448009b9479b4709295016b20bf3e53ee6411467e4dd5e8e5be03d427f01cb4aa6cb992d43

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
104KB

MD5
1c5016a1c832f31018b2a59449c6d4c4

SHA1
60dbe6d30c882276eff03555b98327ae52fd268b

SHA256
b9a9cfd3690b35d4e580272e9de5f4720ce5e97e4d6779f1d1f6f30636624539

SHA512
0081865d8d2fac684388cfb52909557474fdd5cd6021fd91e3c1b0ac628fd3cc92e86b12a656a39adff50cd9764b43578a5fca2472a324d62af2507ccd8ba126

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
104KB

MD5
c5d6e0a203eb5a9e1d463b363309f9b2

SHA1
644a580c30c7e21452734084f71654e32003a3c4

SHA256
c9f6850a9ae5f86900daa60f7e13821d5ce9f1f210bf993b48354cefc73072dd

SHA512
9279c2664cb699db9d67627752fd2eb027f47d1137ae71ac98600a0a1ddb55af1511b6a8f532efea58c47a9cf4019c76e2832de284dade8e5b85043757f44353

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
104KB

MD5
0e7157715d5fa7985d95f29524b971d6

SHA1
9830e767b28b08367e29a2b423601955d72de23f

SHA256
990427122b12730ea4f5b0999a052941aaadbd599e9bc7151add6193e5beb371

SHA512
6af704dd4fac9e5573eff812f587a64a1b065b4d5942991977a98d973131e5b9937fa4c4cc292f1f99d091a3870312b5980f8725038907cd370c9775b4b294bb

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
104KB

MD5
69a50a58ad418d96e2272a763cb09fe1

SHA1
57f5bfc166761aa06681df9c0817518edabaec54

SHA256
f5a206eeb91d33fce4cbb0dd51c0abbb487f01e4135b7366050781dbec7314da

SHA512
fb5a9e0c2dfbfe1483f31e7f9269c8edb75b307e824e7ce5672ec5c0f410bd166601a9fb8afdfade7119fb56d4af3a80d5287096df83fd747fbe0b6121f66c44

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
104KB

MD5
81a3b19916f01abdbd875f91b94fa8b1

SHA1
f49fba171ea3fcfa25e228b6c160f9d9b161d7ed

SHA256
f220a4bbac9be9121cb9002134f5da2610daf0263d92dd8dfe468fcbc80163f1

SHA512
5433fbb33e7cc9d89a514e1486a41ba97f0097babe76cf6cf8726cb7e1755f80c7ab0b4d380e8d4609832490f639367f2186bb9f3e7216dcb6170965d577cff4

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
104KB

MD5
55ee275c95cc5dfe937ceba28b86989c

SHA1
f8f9b2cb76536b4b0b52fdfd978a760895dd136c

SHA256
d44f660d3f96a607543b2132ae4bd02c376c27ddacb51799ce8e4876e4a109e0

SHA512
5c425c376771e6e69259b41fc500496d5c896af3060f5677598211426e07268950255d1c204f386fac4afe20cfd6506dfd2126a5dcedbc3ae3653d7eec254d4d

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
104KB

MD5
a5aebc2aa3579f33c5e4cc8669a11275

SHA1
c91b8aabccb2036ff1ee52fb80a43edcee72cfa4

SHA256
480af1d90db0cf4fadd19d937481c835edff18eb1a40a7e9c657fa15c03cdcf3

SHA512
017b88432343b17a35fa2bd05e18b1e04da371d18e79954f8d166dd547c28f52faafd300ff6127e35a7b4ed5ad5100430c26d1f1fc00a7aea5ed222527849b30

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
104KB

MD5
18fe9ae0f3d13e480e37f12aac345c7f

SHA1
83b800bf0b6696487171ec087c43e06c3bfea3dd

SHA256
86a072e93558fe34016a51d95ab8a5491429b417c115508976a062545f061e50

SHA512
7baed7d6d4ed5004da9ff81e0f0b69aaac9b5eeb70e83a631c8338082739331fd15fba364e855c8004eacc9ace6eba2aef55afbd9a4f07417630d88376edde9f

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
104KB

MD5
cc68d9e9b502b598d9f2a49e71462548

SHA1
7ac0603c392ff224620e3f6d73f201ee4efcdee5

SHA256
063f40bdb027397f88aea4d1ad1325ed0a5a60e9509ef938bc862c79f4503a38

SHA512
e1b9e788f4e31b000f2ab359c2ffba075165c759a8f474779f0f67757f8e377c4aed7615c8b8d2d5e4e41932cdfb92694a6e9ac27eda144a475cb6faa23dcd97

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
104KB

MD5
04267ae164fd5bbcb32b024479ad1486

SHA1
01265c919b4cba09af438df06ab594e5a41e2cfe

SHA256
68f3b31ff56453dc982cf90197cdce8b767a6e7cadd0e5db39386f73a3a0c8f4

SHA512
74d7a6aeb13c66b19d99c23b3687003650ce8364985f6d55aef1c57e127600f9f6bdb77841aeda8ebabfb1b6f1acad7247ed60cf07bc5db51e147654f06819a2

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
104KB

MD5
e64f7e0f1ebf21c15a02336cf357ee82

SHA1
0913460f5a7f7109d5dc21cebeacd797ac76c101

SHA256
c3b847c04465f14fa323da32c3c8921707d8f0a166c8c357eb721ab38a3cc3c3

SHA512
7f489458f39f5b81ba52ba0735106a9e772cb9c27f6012d53aeb74647c94df23beeac32fe12b47fa41814bd15308aede193029359c1f782497786f0d3dfe2638

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
104KB

MD5
1451b562332bc460af3689b4b4848e37

SHA1
d068659f7d14a49ebe051f20b099b118ba3c2854

SHA256
4330b2aa3f9895ef13f98e56e8b37a5b75dc6c7823d92a001a005f2f137fc7d6

SHA512
4192f7ecb8a03e9f9a16210b1ae8ddb048441eea843bcb966b091b92802c80bdba246e4ff880e8d9e8adf03b07040735643b8c1d9a1368cfb5fa8496dd5df23a

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
104KB

MD5
a41dcf58127f6be70509091829ecb3de

SHA1
46e7c8f94dabbb42f49bb999cfc7ebe7e289092e

SHA256
dfbb85b00922f8820e36501a6c11a78b4e17e7ee291ddca6b5c5020e6b4477e3

SHA512
b9db3daa42314c10f421f42f98ea4443968900a3c033852636f49988b9bd116a58e6817331b2d6f92a2f728fbdbc9707f94af8f0f356a38cb58af8103a8e0a24

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
104KB

MD5
0531c026d56e6eeeadbfe6e8f0fcade3

SHA1
efdfc0509ea63283412dd3e90b5ceb5a046a793d

SHA256
43ccb17ba36746ca36763db0f52ef1ef017aac1e2cb3332ac1d4dc83f0d93e39

SHA512
7380047add06dd32ef0c14beaee491dcbb01ebf37d10e0150b778d491796bcb30275f7166542cc4b60c2b2e18a2164a5745172a8efb0a09e9164258c5054bb3c

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
104KB

MD5
1381e623e53fc56576911c620bb0451c

SHA1
df71af2c77339d2e64ff8f15c278ad03025145e9

SHA256
4e7f47047dbb57e753e7bdec7a950a94e2cb734431aefe71d5f4c7dca6c3cab2

SHA512
21d3f343e1988f29191b44753ccf66d408b3aabbf56bb1933be42dc1c2cf76692aa6e49d14ae24d7c5aee233255752de1fde3955694fecf4e3dd3ed4e4ae5682

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
104KB

MD5
540f36eaee3404f1a235982455135b3d

SHA1
ed18247d26b7b3d9a0e89628dfafaa2112972be8

SHA256
b64bd24589287f5d54f8d05d7313caa66a997e3e4e18e77c92dc9194137a849b

SHA512
ceb43a8b2701d9b04198f3ad3cd159e8252f658f410b02d37fc157a15c8cbd689a033a0bcb2554e2c57306bcea8a637ea36adfee8526a7811fc6d218996448dd

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
104KB

MD5
5e779f5bee7a2ddb82f71e3a2caaadcb

SHA1
f0a8faa10505984312e104180640d48c93bc9212

SHA256
a6c2dd8a7f28d5bf9dc317e248224f78e183f96d7d0b953bcadb72f7ce22e775

SHA512
bbb1eb647d2aba526fe44d2d9359c520e9eeabd240286c126ca795a97ae132ecb4e69a68527b4e1eba6a15b8d8ffaf7f660095aa8ac5b266e50857f613963f0f

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
104KB

MD5
744eaf146f5061b767e6e86b61102e90

SHA1
cb5912d3529aabd7d7a4efc11fde5420aa4729ba

SHA256
b87c694bde53cf293402af5784a3585915c31940469138f5dd0be490435da0d5

SHA512
602d55214c04b799901766298a4b4532902d0bff46c7221697f56b20056e3c20425c2b8143a2eeb589a28ef473c6aa77c3fa867051b7b8f505100967ba237a60

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
104KB

MD5
1fdc433ebb7fc77b305c03f97edefce8

SHA1
67cc2b1d5a112c12095725cb92ae9b6cceddc9f0

SHA256
a227260f3f9e6e2635638b639eeed4b81b55438e907c82c82585608cc19e2c5c

SHA512
4b1a33eda07c27df42a0ce90e7fdfbc5d9217d0098f2e9c9a46e17b52af45fc94d430a3824b41e7c7f14f2a97f1ea58ea18c9d6743af15f600d15b3012d7e775

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
104KB

MD5
e188c47ebf36751e812646033ad28a9a

SHA1
a273766446752577cff96d8358c1f82598f4ab14

SHA256
cdb182888bc8942135883e912ab81a2836dbe4f2c40f20aa7da1681305f476d0

SHA512
0e6b0da4ab496eb03a988f01cafc7be15e264ebafd4514358890f2f2bbf1863fa47ec74ad9493b22d50b521c6a0a60c2758cf78df87060bc3c7352a4857406b8

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
104KB

MD5
cde729874939a328f1573ff8c49cb2a5

SHA1
306e4558ad3a91b617a01e159bbbd3068a749ab5

SHA256
d09b9b2267bb2f3897988349cec4a519449d50c13dbe0736256804e148b32afc

SHA512
482f8fbaa3b27749f0aaa7298764cbbdb3802aa3427f9affe7ff3725a651478896616450ac006553aed77c8c3e0805b75a6b10d178b6968836c682d03ce844af

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
104KB

MD5
b80d962179119967ef9612a52cee0840

SHA1
5c3a3c0a9de1f25241da51379afa4488859c9872

SHA256
ac161a46298b98ab163465337033157d37375255bd755570e798db2d68e47f49

SHA512
d2f6fea639040521f1bbbd782132e1887d1c2e1b6658e328edee3d65a948449199d3666596c7aac3b0f94e2e23b9328f230b7c3da7161c86cd8f3213a075c522

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
104KB

MD5
46a8ef0415572a675a04607b82bf940b

SHA1
b2310870f7ded55af2085d8ab17c938ede076251

SHA256
69321be6082a31b02b91cdaa62f7f9e32208d0ecd16dfbd377e9ba1d18155bc3

SHA512
7ae40c28a69e2f56cf8d386b22eeb76994eaddd93db29cca4dd79ddc83cb3695178890fcedc84e89cc23cd0b3533a9c0b160ba418f45162f8473a01dfdb59806

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
104KB

MD5
fa3813cc3535939e38a7977f340b4b2d

SHA1
9814701e1856b57cfd092ef33b4a7dc8c974be3b

SHA256
6bed303804d4cf0949d1668e529b609a3e7f8e032b139275ee0979dd36848f0c

SHA512
fe155ddb306b16f4c51d068b23f6b7b05bd2ad6f3eadb686d6b9c900dcd57a7f89fbcb56d25ffbd6001169d22a742fa0295d27b89ac149bf9d549d0c93f31596

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
104KB

MD5
f516162442ed0f7c2ba98ae30a232a1c

SHA1
dfe1d2f76daa1608488b437d53c24ad65874b6f6

SHA256
9cff19f79a1ef540c4b47efbc46a030bc6a023bc2c5f63571fe9472e8e887ce5

SHA512
8fa67f440b99940fc244b5e1e6b5563028f1a332c1d9ae4b15e548bd18ac6ca5be7e3d76b1b008c2d6192f3c0a61eb1f6dcda95d10558489f9c48edb7a6c3322

Download Submit
C:\Windows\SysWOW64\Efmolq32.dll

Filesize
7KB

MD5
7496b21d0bccdf7c3ef83ae4f97202cd

SHA1
1a14fda8e4bf7e14c95f9f355f83b859ad5cffe5

SHA256
f693d9dc0756711d410c213656347538fdfc54671d9a11aed2407afc92a3ac98

SHA512
9f3344a5477def754b6ebc729e64f295d3951103667e4bcadc1b63af5654366bdee044dd4927c30c2e44716aebe4b312f6b509c4d4bc7a387632999d91c3ec08

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
104KB

MD5
3e87c4cec7d068dad0603f2c55f6b868

SHA1
73f352371e7f07d6ff5630ef41d000a5899a5545

SHA256
18e2fb39eddae096b1bf4e538c4fed198e6f6d4122db567f978947aec6acc638

SHA512
54f48e107c6101791d01e532accdcf731ee40f752976660e3f2b4bb4c06b9cd1f407a366011c00c4d807094a8013677a289d7dc1eb64765706563cc5cfbcb7fa

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
104KB

MD5
ba4ad96cc5b05f7933a320874fb9110e

SHA1
d23ec57265c4e24f1d62eedb6d52302c830f98bb

SHA256
62e689021cedc5d7fdfd1fa570adffd3790f62e20c4220d0491c362ad7f06d9b

SHA512
5b72bc5de450674d1202e21962e6310d0fe9fb0a622af35fd89fdd9be2fafdda156be8e59ec0e141e69ed084652f139e9dc50534efbfd4e9cebccca9e47b468c

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
104KB

MD5
55c0252ba31d70aa5cae46569a64fa36

SHA1
22a239ab3661ecf78b99af18e14e0d7d351e53e3

SHA256
83a4abe0f898a9e6092d0a1e3db1929331c6f4568a95933cdf967f4ccc2b3042

SHA512
9cc6cf57282871032595c4a2f031847c895920095264fe0d621b7549e6c9c2af8e75d882acb25f875840389b1abb38e6e6a4d03837ca185799acb0bb7b6934b7

Download Submit
memory/376-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/376-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/760-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/760-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1320-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1320-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1416-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1416-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1768-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2000-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2000-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2500-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2500-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-385-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-355-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3896-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3896-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4240-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4240-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads