berbew | f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe
Size

48KB
MD5

aaab0345d60bcf375a4a04799b445f11
SHA1

1845c6a6f3e6953e7647fe4fd29750e76b2d30c1
SHA256

f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0
SHA512

1cf8d918ea89c9bddb7eb61af6702cb260c764ea1a7bf99c916b9031428e51f55cf97e91484d16328bb9764fb49220876eb438b6531063b83101484c08481b40
SSDEEP

768:zsYSvB1Wy838CXUaup21NLPyDpyuuKebPMG2ebqvQZp5/1H5a:zhuaMuNLMAudeYG29QtM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 53 IoCs

pid	Process
1596	Bmbplc32.exe
2476	Beihma32.exe
1616	Bjfaeh32.exe
1576	Bnbmefbg.exe
1488	Bapiabak.exe
2492	Belebq32.exe
3540	Chjaol32.exe
4672	Cjinkg32.exe
1972	Cmgjgcgo.exe
4916	Cenahpha.exe
2556	Chmndlge.exe
3680	Cfpnph32.exe
372	Cnffqf32.exe
3464	Cmiflbel.exe
2908	Ceqnmpfo.exe
3240	Chokikeb.exe
1452	Cjmgfgdf.exe
8	Cmlcbbcj.exe
2236	Cagobalc.exe
3916	Cdfkolkf.exe
4092	Cfdhkhjj.exe
2524	Cjpckf32.exe
936	Cmnpgb32.exe
1620	Ceehho32.exe
3984	Chcddk32.exe
1460	Cnnlaehj.exe
3024	Calhnpgn.exe
3088	Ddjejl32.exe
2148	Dhfajjoj.exe
4020	Djdmffnn.exe
2572	Dmcibama.exe
1560	Dejacond.exe
2800	Ddmaok32.exe
4448	Dfknkg32.exe
3520	Djgjlelk.exe
3020	Dobfld32.exe
2584	Dmefhako.exe
3696	Delnin32.exe
2000	Ddonekbl.exe
4208	Dfnjafap.exe
3260	Dodbbdbb.exe
1180	Daconoae.exe
4648	Deokon32.exe
1776	Ddakjkqi.exe
1768	Dfpgffpm.exe
772	Dkkcge32.exe
3236	Dmjocp32.exe
1116	Daekdooc.exe
3244	Deagdn32.exe
3804	Dhocqigp.exe
3536	Dgbdlf32.exe
5056	Dknpmdfc.exe
4164	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	4164	WerFault.exe	135

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1596	2932	f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe	83
PID 2932 wrote to memory of 1596	2932	f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe	83
PID 2932 wrote to memory of 1596	2932	f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe	83
PID 1596 wrote to memory of 2476	1596	Bmbplc32.exe	84
PID 1596 wrote to memory of 2476	1596	Bmbplc32.exe	84
PID 1596 wrote to memory of 2476	1596	Bmbplc32.exe	84
PID 2476 wrote to memory of 1616	2476	Beihma32.exe	85
PID 2476 wrote to memory of 1616	2476	Beihma32.exe	85
PID 2476 wrote to memory of 1616	2476	Beihma32.exe	85
PID 1616 wrote to memory of 1576	1616	Bjfaeh32.exe	86
PID 1616 wrote to memory of 1576	1616	Bjfaeh32.exe	86
PID 1616 wrote to memory of 1576	1616	Bjfaeh32.exe	86
PID 1576 wrote to memory of 1488	1576	Bnbmefbg.exe	87
PID 1576 wrote to memory of 1488	1576	Bnbmefbg.exe	87
PID 1576 wrote to memory of 1488	1576	Bnbmefbg.exe	87
PID 1488 wrote to memory of 2492	1488	Bapiabak.exe	88
PID 1488 wrote to memory of 2492	1488	Bapiabak.exe	88
PID 1488 wrote to memory of 2492	1488	Bapiabak.exe	88
PID 2492 wrote to memory of 3540	2492	Belebq32.exe	89
PID 2492 wrote to memory of 3540	2492	Belebq32.exe	89
PID 2492 wrote to memory of 3540	2492	Belebq32.exe	89
PID 3540 wrote to memory of 4672	3540	Chjaol32.exe	90
PID 3540 wrote to memory of 4672	3540	Chjaol32.exe	90
PID 3540 wrote to memory of 4672	3540	Chjaol32.exe	90
PID 4672 wrote to memory of 1972	4672	Cjinkg32.exe	91
PID 4672 wrote to memory of 1972	4672	Cjinkg32.exe	91
PID 4672 wrote to memory of 1972	4672	Cjinkg32.exe	91
PID 1972 wrote to memory of 4916	1972	Cmgjgcgo.exe	92
PID 1972 wrote to memory of 4916	1972	Cmgjgcgo.exe	92
PID 1972 wrote to memory of 4916	1972	Cmgjgcgo.exe	92
PID 4916 wrote to memory of 2556	4916	Cenahpha.exe	93
PID 4916 wrote to memory of 2556	4916	Cenahpha.exe	93
PID 4916 wrote to memory of 2556	4916	Cenahpha.exe	93
PID 2556 wrote to memory of 3680	2556	Chmndlge.exe	94
PID 2556 wrote to memory of 3680	2556	Chmndlge.exe	94
PID 2556 wrote to memory of 3680	2556	Chmndlge.exe	94
PID 3680 wrote to memory of 372	3680	Cfpnph32.exe	95
PID 3680 wrote to memory of 372	3680	Cfpnph32.exe	95
PID 3680 wrote to memory of 372	3680	Cfpnph32.exe	95
PID 372 wrote to memory of 3464	372	Cnffqf32.exe	96
PID 372 wrote to memory of 3464	372	Cnffqf32.exe	96
PID 372 wrote to memory of 3464	372	Cnffqf32.exe	96
PID 3464 wrote to memory of 2908	3464	Cmiflbel.exe	97
PID 3464 wrote to memory of 2908	3464	Cmiflbel.exe	97
PID 3464 wrote to memory of 2908	3464	Cmiflbel.exe	97
PID 2908 wrote to memory of 3240	2908	Ceqnmpfo.exe	98
PID 2908 wrote to memory of 3240	2908	Ceqnmpfo.exe	98
PID 2908 wrote to memory of 3240	2908	Ceqnmpfo.exe	98
PID 3240 wrote to memory of 1452	3240	Chokikeb.exe	99
PID 3240 wrote to memory of 1452	3240	Chokikeb.exe	99
PID 3240 wrote to memory of 1452	3240	Chokikeb.exe	99
PID 1452 wrote to memory of 8	1452	Cjmgfgdf.exe	100
PID 1452 wrote to memory of 8	1452	Cjmgfgdf.exe	100
PID 1452 wrote to memory of 8	1452	Cjmgfgdf.exe	100
PID 8 wrote to memory of 2236	8	Cmlcbbcj.exe	101
PID 8 wrote to memory of 2236	8	Cmlcbbcj.exe	101
PID 8 wrote to memory of 2236	8	Cmlcbbcj.exe	101
PID 2236 wrote to memory of 3916	2236	Cagobalc.exe	102
PID 2236 wrote to memory of 3916	2236	Cagobalc.exe	102
PID 2236 wrote to memory of 3916	2236	Cagobalc.exe	102
PID 3916 wrote to memory of 4092	3916	Cdfkolkf.exe	103
PID 3916 wrote to memory of 4092	3916	Cdfkolkf.exe	103
PID 3916 wrote to memory of 4092	3916	Cdfkolkf.exe	103
PID 4092 wrote to memory of 2524	4092	Cfdhkhjj.exe	104

C:\Users\Admin\AppData\Local\Temp\f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe
"C:\Users\Admin\AppData\Local\Temp\f574ebc9b806aff4f5b9c3363ebe1cba10140d4ff42db4e2096afe3ebfacb4c0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\Beihma32.exe
    C:\Windows\system32\Beihma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Bjfaeh32.exe
      C:\Windows\system32\Bjfaeh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 396
        55⤵
        Program crash
        
        PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4164 -ip 4164
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
48KB

MD5
5210c5276f3c9ca5c27b855f597dcedd

SHA1
cb0685d77e3dc2ac46d3e39ff1bece4956c386fd

SHA256
82a3faf26bc12f11dd370d95a736c9f833b42d8ac79ac4941b1abed61176e8d3

SHA512
1621528c68a57c4e9dff57ab195ac67ccf5da883ef598665f505b985ba8608fda6bfd7119424f1e8d1db87e015db5be5718bd8d4064d389c138d7dbda6798412

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
48KB

MD5
4091d81cacbaa45ace5c793ba0f06d81

SHA1
3f3034589f6ff4b24052c614bf45a744eaf777cd

SHA256
62404ff195170373322cb49851576abb67aa4763fde3f180b5752a407c9f4624

SHA512
09ef7cfe3f05eef9d6325ad1e3bdc53a754eed72cb6cfd9dc0b5a407df71e03fda40984f66c060558a5b7196a91e863647535279b674dc427976475ec1b24354

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
48KB

MD5
b59fb0743720ae7d6006962d5945864f

SHA1
6fdeca5c0b8c24f6b56b68e9e1e662dd57e10ed0

SHA256
a272b0f4ef2a30a98ca33ce83bf3e2c1faac5be7701a57912d28ac69709ec2fc

SHA512
0e2fc18b024188a16328d8e62c82156cc0ab8e911e3c59ba4b1e390b830a2c043279c74dfd3d4441573937e03fbc67614c602b9e9d70e45501d1c13528455b00

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
48KB

MD5
3252953f7163d6740a19e377758f6257

SHA1
c2aba6bbd258cd2b14927f5e96f9ec765d326d0c

SHA256
c35b9661971061a3321a06a78aa5cee99173884d856b4ebd959486f2c17bebd0

SHA512
000e94cb3a325eb808677be72149e9ecaa4501850d39a62b79bf02695711921089900f391e5433c32f65fded4a03764903371be1666556e63407bde431c2db02

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
48KB

MD5
a2d6c6dce310398e5548177f5e4410c2

SHA1
412ea2095fad086abfa0fd0b3a053e08ab44ddf8

SHA256
784c9b38d74643703c9286f084cccfd94cbf12a04357a6f6631c83b19c0a16f2

SHA512
ee73b30e570730673cdc39c0749421510b5d0137fcc3142a9f6a4fcc58e752f51cfb3d66fda011be3005acda8b44fd481c4d233584247d32fbfdf43bb8f3bc6d

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
48KB

MD5
52a3a5d288e2e22874595b00dd9f8f9e

SHA1
17df86fb87f365f9e367c998580f806c6acd5ff9

SHA256
a6b6d35588ccc1e4bf948ce172755dcf84f0c399c7dd3d5eaa1427b9a1539a60

SHA512
05e7566b7a5ec4189add67469cbf1244f3cad96789fa139d4db182c92293cff05b8e416fc035d32f1626d756e46017ec0877344fb1de9fae480aa1b9257f3769

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
48KB

MD5
2cf229d574828773ceb80a803006d0d0

SHA1
07ef3cd3a016dc5efa3d9c2a3cacfdd353c834ed

SHA256
df7fbf97c429ff8a8b7cd37571a68613fc0fd78e2d9efe81eced851bdcac28be

SHA512
f401c7a956f2a78bf4e0fb154071768c92773b0cab9f07aa1f9f3894baf7aa81b55fecb0126fe95e5341696f6fa318c83d2666b1669fc996eda4c1bad57aec9e

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
48KB

MD5
8dd8eeb7bae9d2086f0d3f9a3023e4a5

SHA1
c09edee0467bdadf7c91cc041b7fd3518ec85091

SHA256
52ba3ceb41e0d1eab2ab0d40b7d48553a0f078959b2517df82d528a667af794f

SHA512
55e8c5fc23f77dd84c7514cffb48eec1c31a638f7937f07a2239ffe980aecdc709f44afa40b7a728bef60a5023847af67b61c4874bbdca6cc25a417c5f4b6ecb

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
48KB

MD5
14cc5381a845d20d96453d8f8b5cc3c6

SHA1
59f707b9bea6da2e43f6f702ac7d150b10c86a2f

SHA256
3d2534fe11c6f1b51c902602b87c77f7854d510c8b580e51f9e20999449214ee

SHA512
ee03bdc6cab89448b3697cebff60f0d2a6fcd9b5834a15db9e5c2b0849a879588ce4a98cf3ff40bc7040b69ffb14432c2bfec5dbd257ecc72c9c5403d4cff810

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
48KB

MD5
198081e1941ada49b27c4cff59cc0a19

SHA1
2544863ae51c7b5f35ad910a87daed1d83780c3e

SHA256
5e2fba1a8e355ed0b64df44ad6e9fa4140e595ad4f86d3b8d4db8ebb5ac59d3c

SHA512
7c8c1680d86b0d81e6b1bd8858bc2a8ce6f54f82b9dc69173aefd11c4bc02b7c917309a58aff261d97e8633977a102f3c4fea17ea9203499bcb0c362d4bac460

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
48KB

MD5
6a1dd5a680d09f3ae2e105459581c928

SHA1
797cc379b11579502c2e2d49aed2848ff0dd1990

SHA256
23899c481b4201a4fd8159d09e11448b57def25a242f62658e7f897d63abe363

SHA512
9666af2c136b4ad1f8ee1e9fa0a72fdc1fe853f076205d8c0cd38cbac670500b313f346beb3cd91ddb936b841762f2259cd97b2891f5af9aee54e166bebf15b8

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
48KB

MD5
d2a21916fad4ce2208c518f431de1d35

SHA1
c454dc5468c045e0df77a6c1de72a6621f4d1d3c

SHA256
ce9e4c270ec83a665bd29708e539ee596f1f543a5a153472208d3d683ecf10c4

SHA512
552d08ba3b2d0c39267f3861af9d53160d3e96f29b418ecb821d114cbea0b3df8a7cfb9f9057201d928987453685482829cf2a1e1a1a7551ded5dc3d477b89a4

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
48KB

MD5
3ba563248a1a83afcdb8b884012fec6d

SHA1
96c62ad311a436f7f37ba50621afce213f4ff5f5

SHA256
251b81b1fa8989407a6e5fcd479eb7639188fd64fcde49bec9c262caa9f7030f

SHA512
2af7e66604cda132d2a51fed5f25f185eb8bdce4bb6bfdf6f4550819553e96407c31957853564f9b4053eaa63ac48fad5f8e0bab74b778c202a1f7bc83005381

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
48KB

MD5
dccd4aa690848088613e188b92d66d3a

SHA1
763e9500e9d088c8b63030136ef71aef2d5005a1

SHA256
9c5edb3e047dec9292c6916f3dba3f9fd94bcc310c83d0ef3693fecb4077d0f4

SHA512
66973fbdeea4f84901b5b4b5b4459df5ca34799b77b2b7e03db8e4cc41d7b18655a42c671a126d6a4710e925856eeeb8a45e69251557f217cf8ed4917420bf77

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
48KB

MD5
4bd90c8d5694fb0920a7be3dc99ab6a5

SHA1
cf8755249025bb4bbbc3ac2b8b5a71174d149d69

SHA256
f80d21a0aeee398716b1db2581aae2742c47ca55d3ad7efac00009b38d2fc4d9

SHA512
9d87286abc1fa7160d30517203b96016cf1e4447828ae9cb331d23e83af8eb79092c04764ad5ea6958db9422d5f2357e205426f109446a352cd74670a6b159ab

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
48KB

MD5
ccf8a268fa66d0f82c456bc6ee145011

SHA1
7dbe6f01569544c097fdd4f3fd670b7defce6af3

SHA256
b0da0bc09e114c67a823c42bd7d5b6f86323a168ca2ca24ad8549ef59b02e3d1

SHA512
396d257c40dc8307cdf47d7075647643bd540a591cf141efd6263f91362cf828c925dbd4d587c1f6424d2c006af5d80dac6278abe27527e1ed2ce65f720afdaa

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
48KB

MD5
917c78716805ec7d9572bc955464c2c1

SHA1
87b7d05cef219ace0ecc34aaaaf3b0b3c4dce5e4

SHA256
ee03a97f20af3b9bb12de989ef7773603a0218e71f011a6f3ca35d87de94aeb4

SHA512
cb45ea7dde83c2a820022be4462a49ffc4c9cc6b945bc37d8718906f20b309a506c780348fda6b4fc33a102c9588e468c263dc15c913f2ca2c7a1cf70a9286c9

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
48KB

MD5
b100542916b50084904f9d68393faa42

SHA1
2dd45fa8111810c8aef30ad0f911005bf35e55ea

SHA256
0a15107a78f7abf262c0c1de7997f47b96398bc0fede91d2b0d0b49cef94fdfc

SHA512
66f7cb466abb30eb76970a4ed6aa64ec3384c0bcf12af1b70cc19f11090a8a53a1c21f14e2add9f05e581b4466fca3c488d2eeb38a12f8c52a744f246e64d91f

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
48KB

MD5
2a44dfa07767fc343ff6489f4d54fceb

SHA1
5a2e1330002fd4c30c03e8f6a7fb5c2adacd240a

SHA256
a09bbb5c027e226168d4e710dde6f829db8bc6ea62fcb17971188dddc1add883

SHA512
cdb284c2625f5d52d02e30615bd28ee8da58017d2158c73c7131626d26b6ca2f9abe23720dba31a7bb90473494c24577a27dec05231633dc8c318e1c06584a0d

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
48KB

MD5
1fc6b85f827e5b376bbf1bd93586d897

SHA1
c867bb4c8f5cb6e9887a869e96ccd7b6fb80d77c

SHA256
ee1ce61522fde69c1a5231ae3b502ca9e4e43f0a464cec080bd3149b5d2eea6a

SHA512
707e375fe8f40eb26f1082b4fb8e772e980327d5734e34a7b0333789fc1f88bb4eb7ef4a288e3d4a2a0bc76d08fcd0a2417320480fde87fcb4a7fd0215ebe60a

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
48KB

MD5
d0e36058ded6dbce07857c0f2149f8c9

SHA1
34004213b39c2f287506291441cf515e649ff618

SHA256
c68d978d1efd37a3ef57feb728b3d690fe404bf0c33711a46f7704d14c937966

SHA512
34b0c6389dd748a87fa91f2c9b8d8b3d93361f877285d91c9d08a8f222e77e50138f7116c2e40864e9a73a002e0842851df2df592ea70931455c913bc68599f4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
48KB

MD5
338b593baa5b19835fd5986933a24963

SHA1
d4dfd930bc9f9c61b93144ea1696ec6b6f64c749

SHA256
c94487ea61aa1801629b3c48bb90b75561451ff311cb0c10fbd907ce02c12703

SHA512
e6e42424d1d1438fa058d7913f8e20c95290a5c1b2bf72e629053522d1721cf4babd95be41020551f3e4ae7cad42a06bf94db1648b095e01c0ba5c00ae7120f4

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
48KB

MD5
9b5d52b72bbff4f1a0d84976fa46afaa

SHA1
0d4f7196133a66a21801323a72152b99bbc3359e

SHA256
c0ee8bfe55b3cf57882c4903ab336c1cc04e5c40438fbf32ffeefc766952520a

SHA512
01a9d4462ef4feb4c1870c953bdf43f7569b22febd1c71d6a2111d37cb60a68a9e732066d63d45742eaa046bcd0b8ac37d9f32bf023e90da08568e1422157f08

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
48KB

MD5
366ea69639bcb6d8b49d0a7c063be363

SHA1
2f04f7a31d8ce29d7be8e2a4418ba959ea9780e1

SHA256
d239a89601e696e3a0eb54a42a6642a37b845ce80e2522bb50054cb2c9ae7690

SHA512
bf0c7bd12ffc9268d88484f03573182efb8c6b20ca999fa4aa16d60fcf4ae3421ce2ee4cc53d48f3fd0d46f017f621a83b7dbccdd756cceff98a3f0548908b01

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
48KB

MD5
26e63a905efd51ee2dbc3c48763a87a5

SHA1
4a23a061f1c5fb226c0f6e13e3c4715b2609569a

SHA256
79f179eea2814f2f747a90d0e8dd037758af55c13dc56e15a7cce0b6ec606448

SHA512
d00e528974ab9ff3de027d62ceb1cdd836d90911e38e74fce70ff45ff7607db53b74c34c3522f6815be095535abf76ec9e612d19ff1d91bc6d5e5d5f7ddc9347

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
48KB

MD5
d4f46889ca7629a1ecac1942a72ce43b

SHA1
3d329829c5d6baac30b7b89beece89d6f440c995

SHA256
ba3ef1d22162f232621e71a256073e4203457221a4b36e002bbf0b8df9d769e7

SHA512
aea4468b843d14a41ee49c900480cceb2aad8a7709effffb94c0eae97594801451731b34eb96c026e2e554bd45a5e2da419fa9e0400808b5efad88ed5b0c0ebd

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
48KB

MD5
52a00083b6db6300d290f216c0e189fb

SHA1
0c5dbfeaf8639ff5af4f3540993a8a7a2e6e60c4

SHA256
5fac1184a5bb4d0bba75ff370ffabfc0db43082690de85fd306ebbf5f591486a

SHA512
ed9dce175a5f6775bc6fcebe4633e5cbb37ae0df03f090f682f95c481decbd2d61dd5e0af277d00e2280300a19a8324e9dd751d81e13a60c9af51e7543966d38

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
48KB

MD5
79bbaee105938ac5d48917d129ad597e

SHA1
f88bd238f724adc37f7a8d84eb3cafe9c36b1902

SHA256
80aaa2c1bc636ee3e26ed742bd3219942d43e6e3595bd01eab8e4322755f734d

SHA512
86a849ff49aaa6d178ad4ab888791cfc4520135a4f03184ff116dc3e4343d6915831b8c7cf46ca496ba584935e5cd54757a6f5750b17da68b348a0bd0ed11c02

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
48KB

MD5
117df5988056da27d3497bedde2e1f5c

SHA1
c56a06879d98f14f3e1e5d8c847e94446428a7e9

SHA256
3d575a7c3f3146c30c1dd1cc48de5198416f92a0fa06b78a4668ac846ec2e6ec

SHA512
1808b7cf06ed9adb41f3ab89243ee2dc6bd8e1db95199f52c06b2d376cc2f93d2283c06a382d29777435a1f9149017db036347210ed93e72da305d1cc024b3cd

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
48KB

MD5
1cfc3a01cb7fb8fe0be410980b7fa981

SHA1
f2dc931aacf79d39254829d76114d5ff05e7d6ea

SHA256
c0faa80707e2ab90609bbd143cea377c6066148e13d5471c671237008577ee90

SHA512
5f12aba9245638da1a808094eeb622dc731a2755b68d00466d874597f9d9963e6452603eb06df25616a1e5d3f309b1698525a0017e81b341a7903962aca983a8

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
48KB

MD5
f5deeef6538ee158ae2386a99b12fa48

SHA1
a349159de83792ecaf3e9936c604fd90fc5be2e1

SHA256
b69d5fe40d88297c901a28c699d9536195989e6eb60919a6d67f2ab66c6a8502

SHA512
1b26e81925764c14465c92c1b5faff1803ab110b470a6fbc817df5986c2e1fee5d3b499e2dd4547a3acc0b9a70a605ca9f39ce20de76ef97d84a6867a83b4e09

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
48KB

MD5
4d9a6cfe88de8e70704ff4205a31f228

SHA1
f82b9a8c0f98208d733536e0aab114f4ffaabf5e

SHA256
1e044063ef78e2917192a3d40bce19b31e0dfe404d318504b29373586b624a1e

SHA512
1f12e5dc387fe7fbecccbf0792181c81fefb534a2998990fa96e6bce16c72773f07bd5f71a0362e94a0cf90f8a4aafb5f335ff7deb3558361428339781c3ef96

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
48KB

MD5
acc67334c5773d384c864311853f1ad9

SHA1
13030d6d54dec9a6a389939aa0c2df05d5404bcd

SHA256
63c2f265f4bbc15d4bb0e4d3f58a19af5805684d2ca40a77d67cd78e2ea24195

SHA512
d8dd3d09f0124abfd541993350716cf9c10699c4d521bd3cde98ffcd94d7f051620cd21613d6b2d8fd380fb016548a49609e475fcd8ed49fa9f8c49afb80e8dc

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
48KB

MD5
c652eb6df1d59d6eac153573ee0e523e

SHA1
1350e3c414b88449a4132e9f0eb545736e3c8c3c

SHA256
6838683aa628766fcb1931c624fc1f278b85cdd30765df1f4d9fd2dcf30e8636

SHA512
dcce28a9ddd4019dc24df0d7ecde3d164ac88e99fdccec1c72f32a3cf8af1c83e948ffac2f687d4604d4329aadf8ce3bee231fcff553a947c77dcfa6d0f802a5

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
48KB

MD5
b2d18b8d3bae30666d072d42df8333ce

SHA1
c6860a394c9c40b4c23c1ded24d6a15e239a668b

SHA256
44d5f503aa8f787ba798670b208802da05aaff907c70645a2abde2efed064926

SHA512
cefedc8972144fec766e3305b9725c50c32d79cd8d34ead45c2d72d2d8ff3486f62ae98c27acdfca0de8f6ff4ba1f8a03afbff2d188c114bf3b68c4091a2b820

Download Submit
memory/8-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1180-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-421-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3240-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3240-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4164-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads