berbew | 0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/01/2025, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
Size

93KB
MD5

5ec9f73b036bc81d49e4e5094feada70
SHA1

ea2fd558a6d9903d72ba3da3aecdaccbe822b91e
SHA256

0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4
SHA512

d3a8ef0c8c0efbdfab46360d534daba62f721d67178d0136295c198810e09e774bd05c1c9e477b9912b0891557ef1055e19d8e7037868e3f5eff263afacf9fc6
SSDEEP

1536:SGXD3GIVmjrwhDBJMOGtgoI1DaYfMZRWuLsV+1B:lXD2N/wpGRIgYfc0DV+1B

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 35 IoCs

pid	Process
2236	Aojabdlf.exe
2896	Afdiondb.exe
2788	Aakjdo32.exe
2992	Alqnah32.exe
2860	Abmgjo32.exe
1360	Ahgofi32.exe
1696	Aoagccfn.exe
1644	Aqbdkk32.exe
2884	Bkhhhd32.exe
1936	Bbbpenco.exe
552	Bgoime32.exe
1332	Bmlael32.exe
2960	Bceibfgj.exe
2424	Bjpaop32.exe
2144	Boljgg32.exe
1724	Bffbdadk.exe
1380	Bqlfaj32.exe
1924	Bfioia32.exe
1776	Bigkel32.exe
528	Bkegah32.exe
1580	Ccmpce32.exe
1656	Cfkloq32.exe
3028	Cmedlk32.exe
1028	Cnfqccna.exe
1800	Cfmhdpnc.exe
792	Cepipm32.exe
2820	Ckjamgmk.exe
2704	Cagienkb.exe
2952	Caifjn32.exe
2716	Cgcnghpl.exe
2596	Cmpgpond.exe
984	Ccjoli32.exe
2876	Djdgic32.exe
2764	Dmbcen32.exe
2284	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1160	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
1160	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
2236	Aojabdlf.exe
2236	Aojabdlf.exe
2896	Afdiondb.exe
2896	Afdiondb.exe
2788	Aakjdo32.exe
2788	Aakjdo32.exe
2992	Alqnah32.exe
2992	Alqnah32.exe
2860	Abmgjo32.exe
2860	Abmgjo32.exe
1360	Ahgofi32.exe
1360	Ahgofi32.exe
1696	Aoagccfn.exe
1696	Aoagccfn.exe
1644	Aqbdkk32.exe
1644	Aqbdkk32.exe
2884	Bkhhhd32.exe
2884	Bkhhhd32.exe
1936	Bbbpenco.exe
1936	Bbbpenco.exe
552	Bgoime32.exe
552	Bgoime32.exe
1332	Bmlael32.exe
1332	Bmlael32.exe
2960	Bceibfgj.exe
2960	Bceibfgj.exe
2424	Bjpaop32.exe
2424	Bjpaop32.exe
2144	Boljgg32.exe
2144	Boljgg32.exe
1724	Bffbdadk.exe
1724	Bffbdadk.exe
1380	Bqlfaj32.exe
1380	Bqlfaj32.exe
1924	Bfioia32.exe
1924	Bfioia32.exe
1776	Bigkel32.exe
1776	Bigkel32.exe
528	Bkegah32.exe
528	Bkegah32.exe
1580	Ccmpce32.exe
1580	Ccmpce32.exe
1656	Cfkloq32.exe
1656	Cfkloq32.exe
3028	Cmedlk32.exe
3028	Cmedlk32.exe
1028	Cnfqccna.exe
1028	Cnfqccna.exe
1800	Cfmhdpnc.exe
1800	Cfmhdpnc.exe
792	Cepipm32.exe
792	Cepipm32.exe
2820	Ckjamgmk.exe
2820	Ckjamgmk.exe
2704	Cagienkb.exe
2704	Cagienkb.exe
2952	Caifjn32.exe
2952	Caifjn32.exe
2716	Cgcnghpl.exe
2716	Cgcnghpl.exe
2596	Cmpgpond.exe
2596	Cmpgpond.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Afdiondb.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Aoagccfn.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Ahgofi32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Khoqme32.dll	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1880	2284	WerFault.exe	65

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2236	1160	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe	31
PID 1160 wrote to memory of 2236	1160	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe	31
PID 1160 wrote to memory of 2236	1160	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe	31
PID 1160 wrote to memory of 2236	1160	0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe	31
PID 2236 wrote to memory of 2896	2236	Aojabdlf.exe	32
PID 2236 wrote to memory of 2896	2236	Aojabdlf.exe	32
PID 2236 wrote to memory of 2896	2236	Aojabdlf.exe	32
PID 2236 wrote to memory of 2896	2236	Aojabdlf.exe	32
PID 2896 wrote to memory of 2788	2896	Afdiondb.exe	33
PID 2896 wrote to memory of 2788	2896	Afdiondb.exe	33
PID 2896 wrote to memory of 2788	2896	Afdiondb.exe	33
PID 2896 wrote to memory of 2788	2896	Afdiondb.exe	33
PID 2788 wrote to memory of 2992	2788	Aakjdo32.exe	34
PID 2788 wrote to memory of 2992	2788	Aakjdo32.exe	34
PID 2788 wrote to memory of 2992	2788	Aakjdo32.exe	34
PID 2788 wrote to memory of 2992	2788	Aakjdo32.exe	34
PID 2992 wrote to memory of 2860	2992	Alqnah32.exe	35
PID 2992 wrote to memory of 2860	2992	Alqnah32.exe	35
PID 2992 wrote to memory of 2860	2992	Alqnah32.exe	35
PID 2992 wrote to memory of 2860	2992	Alqnah32.exe	35
PID 2860 wrote to memory of 1360	2860	Abmgjo32.exe	36
PID 2860 wrote to memory of 1360	2860	Abmgjo32.exe	36
PID 2860 wrote to memory of 1360	2860	Abmgjo32.exe	36
PID 2860 wrote to memory of 1360	2860	Abmgjo32.exe	36
PID 1360 wrote to memory of 1696	1360	Ahgofi32.exe	37
PID 1360 wrote to memory of 1696	1360	Ahgofi32.exe	37
PID 1360 wrote to memory of 1696	1360	Ahgofi32.exe	37
PID 1360 wrote to memory of 1696	1360	Ahgofi32.exe	37
PID 1696 wrote to memory of 1644	1696	Aoagccfn.exe	38
PID 1696 wrote to memory of 1644	1696	Aoagccfn.exe	38
PID 1696 wrote to memory of 1644	1696	Aoagccfn.exe	38
PID 1696 wrote to memory of 1644	1696	Aoagccfn.exe	38
PID 1644 wrote to memory of 2884	1644	Aqbdkk32.exe	39
PID 1644 wrote to memory of 2884	1644	Aqbdkk32.exe	39
PID 1644 wrote to memory of 2884	1644	Aqbdkk32.exe	39
PID 1644 wrote to memory of 2884	1644	Aqbdkk32.exe	39
PID 2884 wrote to memory of 1936	2884	Bkhhhd32.exe	40
PID 2884 wrote to memory of 1936	2884	Bkhhhd32.exe	40
PID 2884 wrote to memory of 1936	2884	Bkhhhd32.exe	40
PID 2884 wrote to memory of 1936	2884	Bkhhhd32.exe	40
PID 1936 wrote to memory of 552	1936	Bbbpenco.exe	41
PID 1936 wrote to memory of 552	1936	Bbbpenco.exe	41
PID 1936 wrote to memory of 552	1936	Bbbpenco.exe	41
PID 1936 wrote to memory of 552	1936	Bbbpenco.exe	41
PID 552 wrote to memory of 1332	552	Bgoime32.exe	42
PID 552 wrote to memory of 1332	552	Bgoime32.exe	42
PID 552 wrote to memory of 1332	552	Bgoime32.exe	42
PID 552 wrote to memory of 1332	552	Bgoime32.exe	42
PID 1332 wrote to memory of 2960	1332	Bmlael32.exe	43
PID 1332 wrote to memory of 2960	1332	Bmlael32.exe	43
PID 1332 wrote to memory of 2960	1332	Bmlael32.exe	43
PID 1332 wrote to memory of 2960	1332	Bmlael32.exe	43
PID 2960 wrote to memory of 2424	2960	Bceibfgj.exe	44
PID 2960 wrote to memory of 2424	2960	Bceibfgj.exe	44
PID 2960 wrote to memory of 2424	2960	Bceibfgj.exe	44
PID 2960 wrote to memory of 2424	2960	Bceibfgj.exe	44
PID 2424 wrote to memory of 2144	2424	Bjpaop32.exe	45
PID 2424 wrote to memory of 2144	2424	Bjpaop32.exe	45
PID 2424 wrote to memory of 2144	2424	Bjpaop32.exe	45
PID 2424 wrote to memory of 2144	2424	Bjpaop32.exe	45
PID 2144 wrote to memory of 1724	2144	Boljgg32.exe	46
PID 2144 wrote to memory of 1724	2144	Boljgg32.exe	46
PID 2144 wrote to memory of 1724	2144	Boljgg32.exe	46
PID 2144 wrote to memory of 1724	2144	Boljgg32.exe	46

C:\Users\Admin\AppData\Local\Temp\0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe
"C:\Users\Admin\AppData\Local\Temp\0e57b6029b5962d246b7be53e823c5d12ed1ea2eca7580504e4f3bd4f98ce1a4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\Aojabdlf.exe
  C:\Windows\system32\Aojabdlf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\Afdiondb.exe
    C:\Windows\system32\Afdiondb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Aakjdo32.exe
      C:\Windows\system32\Aakjdo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 144
        37⤵
        Program crash
        
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afdiondb.exe

Filesize
93KB

MD5
cb9377889c30d024f76394d3f5205192

SHA1
1739eec043b7b4dd13661729f5f4ccca112a0ac3

SHA256
bbedba67fde7fe0f777c4e23e07867c3d6d36dcabf07948ccd8e200db06e7971

SHA512
8d7cc5991625084891498250c38ee41165a1092f2a8c6d3fb95b284c821d4249e9dfa1c41b37aae529dec745a8e3168c68e87347ff7370c5c408a21282484462

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
93KB

MD5
e898b9d0a8975d9b743c8788afd0d156

SHA1
c220745afa8096b57a883e7d540002251f6a31a3

SHA256
a25d22aa4342371b0a20e967f7f35592df5be95fc37b3e3fd2a8197659d72ab0

SHA512
de44b4faa206f3b582eab35241b9dae741ed53fe59b8967ed3cf6556c02776c79b7aa4743946767fac7e5aa2bfe9718bfe76c476f30dbe4e7f778b623ea5e5d5

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
93KB

MD5
1215e4016f6cae5b739046b0feecd4d8

SHA1
3d3ea5090bf6cd6919d525e199fe81add22b7590

SHA256
86b3efe3df6432449c77e2af1e124fde8faf64e28b0ccceac231c45a50f1978c

SHA512
960c1e2ea0681f12a566593b66c6d830f293416be451e160481d686e9ff55720040c7315b1c07f11ac20b20b4a3675f4bd839f6406864886b00f2de0e0c3933e

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
93KB

MD5
0a9634d88a2934776e2d5aa60179458c

SHA1
159513ac91da18ebf83f4f29209a60e95dc9542c

SHA256
d6cfffed283de886437a0d2103848b74765560fc301396064f46031fcef98aaa

SHA512
15e3c02a03db42cb83b5e24117647dc743ae119783395d64e95a0b994c0f0153a590a678d99e925269be96b4468834d58f73e1d2f1fbda31e41a1b116bab7c5a

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
93KB

MD5
ebca5cf35a0e7d00ef5fcf35f979d0a7

SHA1
103723aea93e50f97880b5de487ff163fe093d7a

SHA256
0c272623365f1bbafe8a081cfec6f10d85f83a7649e65409757971eb736b8d07

SHA512
163669111e4cf647861779e3c1e2c1c82de2287715ac524fa23192af06feae435b34614ece5c925fece9c456cccd9531376549a1f2f96c00233198fe9cdfd380

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
93KB

MD5
07042f36755388716e49b7d578d6651a

SHA1
8c5a04bd303aeff5b0dca14ebf08e3d514104ade

SHA256
e7579e0833e4d5f072c710ca12e7fffc526a1280a6a9eb1c540c7c3d5eeb563b

SHA512
33174f890c5bbc14e336c616c38c4a0aa2febe22c2f2ae6d6c312cff192e182ab294d4384b9a805793a3bd8aca0b3a666dae1b0f6a518a56291d16b7da2f9183

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
93KB

MD5
fb2d8c2d5349c3f773eec6037f19424c

SHA1
a111ab3716ee2516c0ea8e77e9f4a06d94d34e5e

SHA256
4c23e36f4ce47021f3379d1ee4c958e8b85ad9deb20896f944aa4f5c54352b6f

SHA512
9ddb80de4ea7cf0bf7b0a4c1e8271c154d8764b63cb0497c55becc51b36c6659cf3873314b6a66cf11fdd451714d3f62c59f74232450e842fab43cfb1707a4e0

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
93KB

MD5
84b8e4f4f6f85b437c96fb3994491d1a

SHA1
64f3acd4cae3c0ebea01ac103d8937d4fbcf4cb5

SHA256
be4d713d61e197b5c3373d9ad4946400811b7170acc53e617c4eecb1152e732b

SHA512
e98ee81cd2b837e871e41dbc6b61be76b2680e5859c84479c976b6015679360162d09c8821079b59855dead6768229a94b5586cde370dea27e574d4a6828fa1f

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
93KB

MD5
75a219f72502d055adba3a6015b3057c

SHA1
99c17b2fcc697f84700a2f2e768c12e57b27e206

SHA256
0bcd51c63acef19c62c0b51a51262664e5adc9b02bb35aa653630fdc4bac862d

SHA512
7f0638df1194c8ce8eaaae177ed2eb34f668cb866b1b3474af56f612b4aad526b0280760b574601cb56b0cbd3cf9cfe2d2b2cd1c12e9aa3dd3ce4826fe8db507

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
93KB

MD5
6059e8bb49852a3bda6fb4d6c2df8a03

SHA1
ea5a0098f9077e2ec5ec478180dd2be79a24e3c0

SHA256
5379ba7f4941db15a93fa19e4d12f25e0a731e1130027dcbc0fe2a0e5dc07474

SHA512
385ac5aaa793644fdd8d219d7654a28878adcfbb657c43f4e3f7729a990a987fb55625f166789bc24cd53738bec39f2b3cd7308f93eec448fa33e6626ca8256f

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
93KB

MD5
20836b71a814325277c94f7334e6b2e8

SHA1
34bd16b915ae2e4628896d8805b70a505bfc9978

SHA256
593ec19aa819e82f2152893eeeb4470c7399bef92049063e7ee1f873a933856d

SHA512
6a4668fcf88f5b5adc83e31d5493117d9b71cd873c35cd86deebf1dad6b03f99c78d7b7fc8fa430ae38361436a83dfe22ad199a4d45bf77745b4b9b5c139b05a

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
93KB

MD5
ca1578782dd69163d99608fb0bb77054

SHA1
c24cdcacfcde2b1e8c2fb5f7c8156d02fc42aec3

SHA256
e3c3d82a2a5bebcb1338b3cb42723096d96dea02b49fab133c3c44ee40cdc39d

SHA512
edacc41b328d834ea0a05cf6e5876afbcff0d5d4b723c676afb1e24dbff5e56380ed7de737cd485aecc498e7321bbd79ab4dae8fba5b6b9863125b40f33f5c7c

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
93KB

MD5
edd570c2a16ea8a1d0e840562142233a

SHA1
52beb41f60aef3f7a85c708d844818bb7e1c9f97

SHA256
894a05ba48522086b1227e5256030205de26d7aac090c99923ccc5975add4f3e

SHA512
160fe090e5db9f83d87405c920c83f3894f6d20afce54010b05c92eebf2617526b4bab75203c215286c2aa9370ecae65f0b1727494e5229471e562c02737107f

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
93KB

MD5
8c9b799e3778e49d084ef19bf3d420f9

SHA1
df73b1af8c656e38a71b704af5359c57c84c8b3d

SHA256
2602b9f613d55486a0864c573d8edaffc50340803b08fdff34d964036e370db8

SHA512
8e1fbb5e187bc3f819b054306c34966063f22a7a713aaaa469dff6a228947aa0b84b3a2673df183e88e2bb9d505dfc7c0b70512effb8e953cef191a9bfed0fe4

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
93KB

MD5
85bfd5d319059eab17a4a86ac43b572d

SHA1
11b8a8d549c64427535dd17328b06bbd76326c01

SHA256
be676b6c22d775c2e00a9dc60d0f5deca0a56821d40ad287d11fcfd0dcb57869

SHA512
2e2e914a797ccfd85348db244b8706ab1d83c2f35cdc1d6b2a50dd677d8f5bea71a6817cd966fa6ff69cefb7308cb70c99607ae84777b57253e707366c04fe88

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
93KB

MD5
c156799b23ea67b6c035317297b3fccd

SHA1
0fc10002ffdc04785a6ced933b43c91be545531e

SHA256
6567b2a2bceac77cf5d52f203d74294543db87b34b56cb54796824677d69d1ae

SHA512
4c07e5d17df147204f81c86639904e34b943a379fcd5ce5ae1e0a5c877177bd66dbda303f4dc6e25e68b5bfc758c1a710c37aee1537cb52bae7fda6bc6b24c1d

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
93KB

MD5
182e069e349fa17704d154eb039d33aa

SHA1
4e68983f426d0282e9aaac231761e110a5cc42af

SHA256
2839098fa81281db9d7178aa6d84ec74c212a84b4b866e1c4b48eceaf07f76f0

SHA512
dffd800555c734b74f7789fa319e0534aeb5e13aed720f1f2a3c934879b8d56434509c98d72974dc34c97e4e595c5d4a27acbadb34295497f10a7b797252d94a

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
93KB

MD5
8a523c06015834b1f8cfbc6d4c1a021f

SHA1
5748d255dbaab4846840f9ced0904c1dbe1e4475

SHA256
47412ef40418a0cf0cb08535bb89117e2d678533e8f50878d4a25ec2ef227b99

SHA512
828f5967334e47c7d6424663d8f43618610b3337186c1288be75a172b6fbc70ccf4c3feff6451d5f999c1fdbcf157cdbbf5c9292b9f4e43e7ed8bd2e84c4ff59

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
57e9da90e01e59f2b125982006e0a19f

SHA1
d8ea9ce3bd1e12675200dccaceca33fcd558c975

SHA256
7b1535b4527d14bd86d5026fc5111d00929449c82ed1f27556659b265925b1fe

SHA512
0fe497de35f1c04a2374fea7e00d97b1c21ad525e87956989778b4e6faa10cb1b2e16f97036ff78183e2b7dc0845d3e7bf8e259089f02dc59134488f2b44f4c8

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
93KB

MD5
4c7d6eda30bd039a74f18e381796b955

SHA1
9ff60a7ae50e8017df3628f35f856f7f9b610a76

SHA256
8d0eb8d779ba75cb18297344d796e980dd76b312358ed1bc6f8f9dfd468756f3

SHA512
527dff08b1fcd1ce0101de4d08f0c16ce2d2a85207e24d605736bdf539c3cfd8fcfc8a6136c3857add2771d51bd2f94d800a0c246444af4a616883c32af3d540

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
84c7283682401b1602ef063723aecbc9

SHA1
707f9493b2380a3ff2c4d262da6fd7896cbeedf3

SHA256
c2af4dc6289862ce856314c1e1b7de049c392a73568cf9ae6d78ce2c26205441

SHA512
075c38dc01060b7acbda231db9ce3408fd449c8b4822a39b0b147bd633823be75054044c0f200fc6745bf98d20c2d0d7cb4846e7805f667564dc914b8c0bda58

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
93KB

MD5
8e5325d1c8db215d329a3eada6bcae6c

SHA1
e35e740378dc239f68f53f8206118f4bcdcaeb28

SHA256
b8025e62a7beb9cb79a68db1d3f05fe8eed182908bd180a28af177302fa8e47b

SHA512
3f83053feba9c84e444821b3ae0bc8d227d907c1c2b5727a4d4c89195d3be5ba7bd2637cc5a45b967db14f34d872b56ef2c119b9860445b6c0ce549c9c7603ba

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
93KB

MD5
57ba8e2ee45bf70313b92e7fdd05813b

SHA1
50431a80c46f8ac7a10b272df619ce92d1ed82d8

SHA256
df53dc0ed56477daa6ef2eaf18f2e30e1d17f283f2041059d0a346755586b73d

SHA512
98ac9f7ba66d34282c027dd4d03fdfd472cfa2fafbc26d3a23b4b27b4c90d0e18a9bc0b6a85526a8cb3597a5191fecf358ecf38b817fb191659e7a1f526e7bc1

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
93KB

MD5
eaa930670725ad9ef6a16b6cd7111d52

SHA1
943ea0b917598e6daca37dc4a67f0811fb471ce0

SHA256
1105cb1e54a7804a18bb6931e9a71a80e23d24d64908414b98a929e1bdf9029e

SHA512
c4eb88616a9141c5dbdd1c7ed2f05ad26414a0843973d509afdde872be8e232d522cbbbf217cbe3b07d5bc2851cdb2c5273384822239e16951451b22aec596b7

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
0e15f65f55f2041beaad8416b4b73742

SHA1
534d24676872c61a7d1ec4fbd9241d0a8c3f8321

SHA256
0314b5cd60b38aca585164a5b7a3bb54bfacf4b9b93a301a657fb94907d150e6

SHA512
6f21aee09fa9376ab8622ece7e377ff2e8be6ed17175bd7c82a1d278706bfcaa7dca96e3764656197c6a2f1a26c217fe3226fdc8e3fee5b206115466ba21bf78

Download Submit
\Windows\SysWOW64\Aakjdo32.exe

Filesize
93KB

MD5
bd2d17d590b3e032591d0670ec10bd73

SHA1
e480d5d5987a0e7661926b7581a9323de76ca823

SHA256
79474fe2791f13de3262d16d32bf9670c85e28be61098721ef521dd9a241d864

SHA512
fddc6c8acc66223fe6e3d7ae25e69a460c050f8f1c58bd544722b32fdbc47df267ecf3d5c5e664c80b3a777939819ed3fee21bc3dcd04e04c8b4b4590cb2af67

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
93KB

MD5
11134718dbce04e52ee3ea6bf34a23d7

SHA1
e28df21f891bddfeb9232a27af18d5c203950566

SHA256
0e335e060858fe31b85b97f80472860708969f62c6da7ea0204d4f88ae205834

SHA512
56ed7eb30ff004c774057ccd989f567ca1b6bec45a987e52250dbbb48717a33da5f0157139c1a29de21c944407d1b07ba17c790d5263fd608c89599c24cec2ea

Download Submit
\Windows\SysWOW64\Aoagccfn.exe

Filesize
93KB

MD5
2ee8fd5476fd47fc3c956671233e1712

SHA1
baec65a76fa8101e4968f848fb0d4fcda4dc4952

SHA256
85f71582a5bc2e4311e7f5fe1d6c8e26e95b347a5d12bc308d89c2aa55109bdf

SHA512
f57e22a3b272b7bec0abdcdb145c7c9898b9907904ac9f10410efafae4bc44e4310048dec61c7456ac7393077b62759074188d9ffbe01975ac70c329037e825f

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
93KB

MD5
b80f7d8b8c7387d57dd27414e4475ff2

SHA1
0e2bfefd58d28e9b51f36a0aa9118c1358c5ade4

SHA256
520311e9f77aea017aacf511634b873e0214e9b092f5fd7111f59feb843acfc6

SHA512
cd7192ac6ba668396580b7ab84e0346986db82ae0d32b263d64a1817f9fa1a5d394a86ee1ea0e7efca63a210ae515fb8a655777fbe24997e15fe5d7d2878c06c

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
93KB

MD5
0c0e440bd094216ced6929f825d17bed

SHA1
6d367fdbb93f0865033da91e36adeb2f8a553924

SHA256
00380120685d7bd88d92a22e48f938dbbff568656ab98221374bbfbcccb342f1

SHA512
ec885fee75678796cd61b10618f51328957398ee385de96894eba07bffdfea73fb8870f9722e5577a78b72117197c71c31a15da21f068dcfdfc57bc7c9dc6e17

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
93KB

MD5
b346bc1a5b6ad40149be7b1fe9148502

SHA1
fcc691b0a1031014667b61d8fb940ebf4005d55f

SHA256
527e9553785c91e6eeb2ce51bf0c9979d3a778c8bb97dfdf16ad5fdf146f08c9

SHA512
e9e6853e5d0ec4258dcaa5349b72185c6fd888f1fa7bce70317f18158098edb7078d27ac3e64430f105d91cc65329e711d5d88c93708219f070013b8bcb161e1

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
93KB

MD5
c5633477236ee82e04204013a23e992e

SHA1
0bf84003fc06c4bb309b7312a68818b4ac64f2ad

SHA256
39feec01c5cc5b8b601571971602e50c544c106bdf07b8af31cc848f620ad7c8

SHA512
18ed78b07db04a6961f494f01652731b0eb69e59d4893da0fac4170b57c4b272f853c5d635892dbf366ca8bb09fa8aa03513fcbf72a5b8f1375c1b38c7afe13d

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
93KB

MD5
ce0a9d4326329434be51676245371c3b

SHA1
94e2452645070e7c53ee4c063cbc36766b2947ca

SHA256
4e9102b019269a56d400539d34bccb072c42532ba9d5c3dc5fa598f7b420693e

SHA512
7ff033743d0516dd08348efdcca116f90cb5c93f051deff3179f177608cb657cd14ef74a3c5b66bf9ea654406abf96b8cea4207ad28fff38aaaab6de2786dcca

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
93KB

MD5
cbd49cff67adf1392480b9cd6b880c60

SHA1
b379b5597c006aa5aaa9bd5551961bf4afb8e533

SHA256
36269de821289471a3308abc905a11286e5cb1ee70cd18d210f1624c6ecbf4ac

SHA512
301b305e965e8eeb9c7f58d87fbe6c09763e28c4307c735f18bd281992d8056a171134c9f5441c27e1ef485cf7815c041ebbc2a83bc1dcbc0a3ed52817b39ad9

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
93KB

MD5
332350999878b7b1f7ba83258cc81724

SHA1
5c3ee0a083c64322e32737b1a00edf07dddfc3b8

SHA256
d4abf24e5b134ae7f945ac66fc140c405727b7f08b3471c1e993dc493550c088

SHA512
44a9b4656372ad6c552fd7659e53f93df0a9d8d28ed192bfd12c4d905040513899e49c1e53dc13c7d4f24e99cdd22c95dba8faf685d0bc0d2d39487cc26705ae

Download Submit
memory/528-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-261-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/528-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-322-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/792-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-317-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/984-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-389-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/984-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-301-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1028-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-299-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1028-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1160-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1332-173-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1332-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-90-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1380-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-115-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1656-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-277-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1696-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-222-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1724-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-311-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1800-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-310-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1800-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-240-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1936-143-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1936-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2236-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-346-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2236-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2284-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-196-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2596-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-345-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2704-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-365-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2764-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-54-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2788-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-333-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2820-332-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2820-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2896-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-353-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2952-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-182-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2992-384-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2992-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-63-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2992-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads