berbew | 30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
Size

96KB
MD5

914b8f7f848fee8a9f07b015148c0003
SHA1

c725554999937537f9db30db46090fd6ca411e1b
SHA256

30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90
SHA512

fdf980628d59fa4a3bb4d24eeb7cb8fb14ff1185ea9ca245adc130610b46c5f60cf817ea3f785f34c1c7c52d9e934b81563c744237bd63cc32e86fab2757b845
SSDEEP

1536:pDAJKEirRA9Y5fQzrydUJ/i4AONC6QUwpo+ehrUQVoMdUT+irF:5A79YFQHyd+vHQNpNehr1Rhk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djegekil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djegekil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddhomdje.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 45 IoCs

pid	Process
3480	Dphiaffa.exe
4768	Dgbanq32.exe
2268	Dnljkk32.exe
3364	Ddfbgelh.exe
5088	Dgdncplk.exe
4596	Dickplko.exe
4604	Ddhomdje.exe
452	Dggkipii.exe
1000	Djegekil.exe
5068	Dpopbepi.exe
5092	Dgihop32.exe
4508	Dncpkjoc.exe
3076	Ddmhhd32.exe
4464	Egkddo32.exe
1236	Enemaimp.exe
3780	Ecbeip32.exe
5000	Ekimjn32.exe
1640	Eaceghcg.exe
2108	Egpnooan.exe
412	Ejojljqa.exe
3008	Ephbhd32.exe
2172	Ecgodpgb.exe
2748	Egbken32.exe
4860	Eahobg32.exe
1760	Edfknb32.exe
1656	Ekqckmfb.exe
2188	Eajlhg32.exe
4340	Edihdb32.exe
2216	Fkcpql32.exe
2180	Famhmfkl.exe
2584	Fdkdibjp.exe
4372	Fgiaemic.exe
2428	Fncibg32.exe
5012	Fdmaoahm.exe
4368	Fglnkm32.exe
2244	Fjjjgh32.exe
1768	Fbaahf32.exe
1672	Fdpnda32.exe
4308	Fgnjqm32.exe
2636	Fnhbmgmk.exe
1644	Fcekfnkb.exe
3180	Fklcgk32.exe
2156	Fnjocf32.exe
4032	Fqikob32.exe
4304	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dickplko.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Ddhomdje.exe	Dickplko.exe
File created	C:\Windows\SysWOW64\Jjnmkgom.dll	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Egpnooan.exe	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	Egbken32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Ejojljqa.exe	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Ddfbgelh.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Ekimjn32.exe	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Egbken32.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Fgnjqm32.exe	Fdpnda32.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File opened for modification	C:\Windows\SysWOW64\Fbaahf32.exe	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddhomdje.exe	Dickplko.exe
File created	C:\Windows\SysWOW64\Fllinoed.dll	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Ecgodpgb.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Enemaimp.exe	Egkddo32.exe
File opened for modification	C:\Windows\SysWOW64\Eaceghcg.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Enemaimp.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Eahobg32.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fdkdibjp.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Nhbjnc32.dll	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Eclhcj32.dll	Edfknb32.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Djojepof.dll	Fncibg32.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Flpbbbdk.dll	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Fkcpql32.exe
File opened for modification	C:\Windows\SysWOW64\Fjjjgh32.exe	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dncpkjoc.exe	Dgihop32.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Pjcblekh.dll	Dickplko.exe
File created	C:\Windows\SysWOW64\Imhcpepk.dll	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Edihdb32.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Ikpndppf.dll	Dggkipii.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
File opened for modification	C:\Windows\SysWOW64\Dgihop32.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhhd32.exe	Dncpkjoc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1400	4304	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djegekil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgodpgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejojljqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eahobg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djegekil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbigo32.dll"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djojepof.dll"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djegekil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Djegekil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 3480	3840	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe	88
PID 3840 wrote to memory of 3480	3840	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe	88
PID 3840 wrote to memory of 3480	3840	30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe	88
PID 3480 wrote to memory of 4768	3480	Dphiaffa.exe	89
PID 3480 wrote to memory of 4768	3480	Dphiaffa.exe	89
PID 3480 wrote to memory of 4768	3480	Dphiaffa.exe	89
PID 4768 wrote to memory of 2268	4768	Dgbanq32.exe	90
PID 4768 wrote to memory of 2268	4768	Dgbanq32.exe	90
PID 4768 wrote to memory of 2268	4768	Dgbanq32.exe	90
PID 2268 wrote to memory of 3364	2268	Dnljkk32.exe	91
PID 2268 wrote to memory of 3364	2268	Dnljkk32.exe	91
PID 2268 wrote to memory of 3364	2268	Dnljkk32.exe	91
PID 3364 wrote to memory of 5088	3364	Ddfbgelh.exe	92
PID 3364 wrote to memory of 5088	3364	Ddfbgelh.exe	92
PID 3364 wrote to memory of 5088	3364	Ddfbgelh.exe	92
PID 5088 wrote to memory of 4596	5088	Dgdncplk.exe	94
PID 5088 wrote to memory of 4596	5088	Dgdncplk.exe	94
PID 5088 wrote to memory of 4596	5088	Dgdncplk.exe	94
PID 4596 wrote to memory of 4604	4596	Dickplko.exe	95
PID 4596 wrote to memory of 4604	4596	Dickplko.exe	95
PID 4596 wrote to memory of 4604	4596	Dickplko.exe	95
PID 4604 wrote to memory of 452	4604	Ddhomdje.exe	96
PID 4604 wrote to memory of 452	4604	Ddhomdje.exe	96
PID 4604 wrote to memory of 452	4604	Ddhomdje.exe	96
PID 452 wrote to memory of 1000	452	Dggkipii.exe	97
PID 452 wrote to memory of 1000	452	Dggkipii.exe	97
PID 452 wrote to memory of 1000	452	Dggkipii.exe	97
PID 1000 wrote to memory of 5068	1000	Djegekil.exe	98
PID 1000 wrote to memory of 5068	1000	Djegekil.exe	98
PID 1000 wrote to memory of 5068	1000	Djegekil.exe	98
PID 5068 wrote to memory of 5092	5068	Dpopbepi.exe	99
PID 5068 wrote to memory of 5092	5068	Dpopbepi.exe	99
PID 5068 wrote to memory of 5092	5068	Dpopbepi.exe	99
PID 5092 wrote to memory of 4508	5092	Dgihop32.exe	100
PID 5092 wrote to memory of 4508	5092	Dgihop32.exe	100
PID 5092 wrote to memory of 4508	5092	Dgihop32.exe	100
PID 4508 wrote to memory of 3076	4508	Dncpkjoc.exe	101
PID 4508 wrote to memory of 3076	4508	Dncpkjoc.exe	101
PID 4508 wrote to memory of 3076	4508	Dncpkjoc.exe	101
PID 3076 wrote to memory of 4464	3076	Ddmhhd32.exe	102
PID 3076 wrote to memory of 4464	3076	Ddmhhd32.exe	102
PID 3076 wrote to memory of 4464	3076	Ddmhhd32.exe	102
PID 4464 wrote to memory of 1236	4464	Egkddo32.exe	103
PID 4464 wrote to memory of 1236	4464	Egkddo32.exe	103
PID 4464 wrote to memory of 1236	4464	Egkddo32.exe	103
PID 1236 wrote to memory of 3780	1236	Enemaimp.exe	104
PID 1236 wrote to memory of 3780	1236	Enemaimp.exe	104
PID 1236 wrote to memory of 3780	1236	Enemaimp.exe	104
PID 3780 wrote to memory of 5000	3780	Ecbeip32.exe	105
PID 3780 wrote to memory of 5000	3780	Ecbeip32.exe	105
PID 3780 wrote to memory of 5000	3780	Ecbeip32.exe	105
PID 5000 wrote to memory of 1640	5000	Ekimjn32.exe	106
PID 5000 wrote to memory of 1640	5000	Ekimjn32.exe	106
PID 5000 wrote to memory of 1640	5000	Ekimjn32.exe	106
PID 1640 wrote to memory of 2108	1640	Eaceghcg.exe	107
PID 1640 wrote to memory of 2108	1640	Eaceghcg.exe	107
PID 1640 wrote to memory of 2108	1640	Eaceghcg.exe	107
PID 2108 wrote to memory of 412	2108	Egpnooan.exe	108
PID 2108 wrote to memory of 412	2108	Egpnooan.exe	108
PID 2108 wrote to memory of 412	2108	Egpnooan.exe	108
PID 412 wrote to memory of 3008	412	Ejojljqa.exe	109
PID 412 wrote to memory of 3008	412	Ejojljqa.exe	109
PID 412 wrote to memory of 3008	412	Ejojljqa.exe	109
PID 3008 wrote to memory of 2172	3008	Ephbhd32.exe	110

C:\Users\Admin\AppData\Local\Temp\30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe
"C:\Users\Admin\AppData\Local\Temp\30563fb31d2db82b27f3e32cc2ce37a45ab39fbaa346334a0e20f722cb60fd90.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\SysWOW64\Dphiaffa.exe
  C:\Windows\system32\Dphiaffa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\Dgbanq32.exe
    C:\Windows\system32\Dgbanq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\Dnljkk32.exe
      C:\Windows\system32\Dnljkk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 412
        47⤵
        Program crash
        
        PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4304 -ip 4304
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
96KB

MD5
07cecd423866c7c5eda0421b73a5b795

SHA1
14f7126b6dfb007bd4f973266b9cc57421ae660e

SHA256
7c4788e8cda3843197a559c350637b6c3458e7ed4464227a3f91ecb882d6b813

SHA512
62c4f1cf1b2c0940f2e88c3013bcc4a16d135a466cd16e410c66b022d3467f4f75569958adfe713c3b1f4be474c2986dfbe4dcd6ed169c45a39878ec7a2572ba

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
96KB

MD5
08a117a2bd3b08c1402cc4a220f497d5

SHA1
df62fb3e6da3806bd050ce31535491c8878054be

SHA256
4232ef11fe0b6dd74a8fd7cb2a9ef4c3b684d0727c6ee0a73239c7aea9cd68c8

SHA512
f31e8ad8ff998ba2c763c25aaa1ee08223fdff70d2d0ebd8f499d6e767b4110acfe4f0bbd687a781eb503a6c04795160b38e6a19ac2c2fa481ca894f5b990bfe

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
96KB

MD5
6c47decd25dc6fddb502c932cf916d5f

SHA1
f6da906eda9e378af97b31ab2139c287e2bbe37c

SHA256
c89bd78d21b2532dd1f0ca8b329fa70bfed5bae0464c367d78f2b652b8cb38a1

SHA512
5a4ba7fe3e01578da1aaffef641398604a244898476ba0878f7e4b7f815ea80f3cfbf73daee78f0d81fc48efafa9a09bf60170512ac9eb583315f4cb8d6d7a94

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
96KB

MD5
c77d22eea46352f97fe86bd9cfa5f2b5

SHA1
33a98b969d382e93296a4e212c1a99d18b896ba8

SHA256
ce699394ec98a5a2b1930583f1ee782ccbca7b016958df0ddb4861e2e7a5bed6

SHA512
620ac1112098850e7c8736d1740014cd49cac4bf0e067619c25375803cffd6bbea8f6f90d473b7c83f76f124d9c845711a5bddb28d27a102b300c60f2a8ed77e

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
96KB

MD5
1e7809548f23139ec54c5ce93a74da63

SHA1
05bfad78721a3cf07087c7ba167e1479d36ebccc

SHA256
788cdb3fcec54d1155a37ba356f12470cb0d8e961e8de02ef23b7b8e1de28fa4

SHA512
86d5387a15011582d68f3f2509cd808b985755538e94c56696398d0d6171bc1a77b0d6d0b977bfe41eaf3165d05b20f6a1703b1b1c7cbe79d940436c16eb8475

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
96KB

MD5
0316b656ebb8b77ddd9c50c02b1fdbe2

SHA1
262ebc1e4996be67bc93d771d72d8f1899ff1d89

SHA256
b260505781d052d93d97fefe76b8f76f5e059e2e220cb0d7cc11d848c964826e

SHA512
ab288b07192641c846410b7bdbc3b3d171531b50d85cd62cbec285dc5d3fd6e8c5dfcb6e365becfc60892b53ce2902b08056bb1a0ac7fb03e30e4a2bf716e784

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
96KB

MD5
2d93e039f93c1f82897e798c11141838

SHA1
a11cce7f2786eed9aea8135e16b669a726a259cf

SHA256
3ae03b934211173bbf84e3f9d06347a948015ca50026e4ee76d174caefc0328c

SHA512
67fd232a4487a47589ea64d5c7027cf4b5841c81e40e7ef4d09c81b089932aa5ca253bafcc42b2349b27040ec1ce6791c045486e3b0b6efb44227ff27421555a

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
96KB

MD5
3d26d0988e16f83757908cccff504f32

SHA1
3d79f0f0830b7a60bec571f094bbd58ffa1c5808

SHA256
eea51017219bb2710f1a545a3544ca6f60c87ec019f4a56fef54a7cef55a85f3

SHA512
1ebb78cc683c2348441200f8091678f49ef4c0654548ba8b7d12641617d00aff4af6bf8dcf57f1fc63fbdf4fdb8927167788554a2316accb365add38699d8e8d

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
96KB

MD5
72a8d4626e1237551d038e40310e58f2

SHA1
edac3b8035103ceaa74f13cc842897830b0e0a99

SHA256
dba83025271bfe66b5b84bf17c3c6fc46bf0749387d7d8483877da50e56816df

SHA512
a8c29ca29b39c09dd870e91457096e361d470e433cf326ce48f7e3e0ef66c075d516639bef091b1eda29d085df45be1b22ea08a430d9e63a8b3fc78fbc0d9370

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
96KB

MD5
018da1b69919f378cbeee3b9758ce2ac

SHA1
dea10832f93d01f45c3f6be3ced78d0ac5e90ed3

SHA256
15947767409a4900ee7173d3bfd95e39356db4207cb504c4968df1d198e005e3

SHA512
13f0bf6de2e97b8e7f78df1bf4fd948d3913945bf01ffab38259a1933a388a4b41e11e594cf690e2526e5e18c88ab1024fcc419f01467dc02a0eb671b0eb1869

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
96KB

MD5
2ff17f67ce01ddf95e4e9a88a27cf6f2

SHA1
23475f6e062fbc15985302e62b9f89b9849530fa

SHA256
072b8d6349e52d68175a656ad2b30072fc3391c238b6190b02827f46a9a70c2f

SHA512
a83aab1847491da6a3688fc42b9867f63d2497044ae02d541fc02f6ab8c8938596231448154ff3538088f07ea015697d7db87140379ee91296d84b8c69da6517

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
96KB

MD5
6b343ec1c141dd7f0c3d8d6d3e2e5e9c

SHA1
5b33a4c5f8b6af3bba8369a153100d0d7660bc5d

SHA256
22eb1aeba905c9f24ffac03db1fc397991c35fae1102cda9b90ac8b61dde0e4e

SHA512
74482f1d552635be38e740a1812bfa17d924104e5233f6b4ef96f07f05e1003141362164cf2a72928e9a63f514a6fd67f9f25401f677ddb7a15d9b4a8b9495e1

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
96KB

MD5
0333d19d118e5ed5d618f89c7f90f1df

SHA1
de9222585899a2cb537e4b9ff86e386d923394a0

SHA256
c7faee553c72938994a8f5dbfc350d485d3679f28b6154c2a4f152bd380f092a

SHA512
56d29dbc9e7d524292c3bcdc69f9552858f566c0eb7b3260875897a2986d41aad29d0d0371c3d48b6457029bb91637d489881b822ca70c905500d8c8b6f074c2

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
96KB

MD5
1848e9ee99adfb1c2f56ba922c64d3bc

SHA1
00c33286ddd2ceb38efa38a081a7b6871fb245f7

SHA256
d179b986f21e8cde935563c1ada9d205418833ff39689a02a4d594409323d15f

SHA512
f333da6b00790c815f299d92afe0901ae87aeff6a7b70d48451e1c7b2d8adf7556c026825db95d890be605ebc579869e653c57c35e58aca0e215c350e9c9c6ac

Download Submit
C:\Windows\SysWOW64\Eahobg32.exe

Filesize
96KB

MD5
544f688e9d76b7ac4fc0af8a9a202259

SHA1
5948b50e36377f80e578328501c821abee0be626

SHA256
1c6dd473aa504909272f016122eb52e9ed7d3ac825d469dbac45c936871291b4

SHA512
374094da48c141e39663b30535db794f0de9d922f52187ef43e725d32d358075da79abed881e73e0ddbbb7733099f7dc273871e0db9213261381a86b8016c65f

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
96KB

MD5
98fdef3404620c0b7ebb94ec3b19c011

SHA1
47596432d130d40f0086daf5bdf98e72b7f74513

SHA256
a2fe00b9aed264f723653bd50b4bcc5c7c3799311b073c4f1485ca8e4f58f028

SHA512
84e823e2c4ed0ba96a177afde24326c7995dee2ef52645c002f6bd604747308fce932448c64b55d7090c5ff418bc98d6f897d2edd8f7e0d94f6c4526cac0f8d4

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
96KB

MD5
209a9fe7571513cd3013699a27001498

SHA1
bafaf325091fde755eca0c3a4822fd2825c42111

SHA256
d0ccf036acdfb6a5de2da6e0ca5af5a5759068abce3da4a4981a6cc4a5405e57

SHA512
0e7bbeea8c158a0b136f7ca898581fac137d617dcca7dd2d4cdace725e2d50dd7008d230eda37179c92131013e13893538be7bdd2d0bb98364d6b3793a5ce2ad

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
96KB

MD5
49bb77bb977ef155afb78073c7860c8c

SHA1
40078d5426f88723998da0c2fbb69510d7c14b82

SHA256
25b4f742ca868e64ddbd7b63be82bd48fa87b7e713607a87d117936bc15a770c

SHA512
44e762115b17631522ac482e8e462c1aa1095fe1bfd2009c9a09b2b90a4cf20ea29337fb20df918fc55d8822003ef62037cd98579d19f20d4bfaf7a059e5b6e5

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
96KB

MD5
073ec0e10774f4fcd3a97ca5090a4be9

SHA1
4bf620d826eb5bd6a818566ba7689451908321f6

SHA256
beb66f612da7fb908748720ad6689237e009b227533af0c5f81c6d7284747884

SHA512
eb6e996e48684a40257ccf19fbbe60cba59af94c4c19b372ad5518076d322b8f2dd934ed59ba7a8d42d39eb83175bc9af0edc70e1fefda0851c77ca624df297c

Download Submit
C:\Windows\SysWOW64\Edihdb32.exe

Filesize
96KB

MD5
7f75886752c2d06bc333655be122b9a7

SHA1
8711c2bdbda2584b170a6507308f54cb1a8559bc

SHA256
15e4de6f8e4b72f132f105f66702ad3941f9d337ef5be346b92d9da7fb5c2ace

SHA512
54189811ea0d56bddb8a0bfb3f4d26b6fe9b9410e4fdf21fd329f0ee22511a914a4c75bb337afb0ecd56021c53f9525d3b8da1e0a3840d080afa9c58e50f3849

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
96KB

MD5
4007bea9dc6f27ae6f928f67bca031e6

SHA1
ecd460066fbbf31f21478adf9e6917bba6940933

SHA256
729b302237d777c440e25702f3efd13b5dc6be38d98d9e63906b0284701bac55

SHA512
32152a1447cfbed8ebf13b4cf9601245b4432c832fed3d31f8a59c6a7ecc7a1088d7627ccf33c9c6583f4054b315e67c335bf5065abae1f03ece59b8f31553ab

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
96KB

MD5
f9055d854621bc324ae3084a511903f4

SHA1
d1557cc8494add65e9126099f51a4e4aa3c67ce6

SHA256
1d575aa324d81b8967229e1401817771f78a9fcd6381928f41f36db08c8f54a2

SHA512
497c020110bc948bc30e6fd5df29976411ef5c4659ea7c7353d95fa93074771437da234d69381cde4062c3435c7241291ca0ae236aa13f59d3fa0ef4c2ad0e15

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
96KB

MD5
b391a396e128520ee2b05c611c745f2a

SHA1
1ba144242c2ab35a7148a709ee2e1c28a2e7cfc2

SHA256
620ec3ca9bc8109609ec743f63c04441a8040189d48ae0a00ca1e0ecf38dc6ac

SHA512
3558c6c09bbb1840204191c3dda3ae210421a5215bbe92cd83cc6d9b03e3d893d60ce2c489f39df5dfad21e3a3c963150888082843a534ba25a24b757fccc937

Download Submit
C:\Windows\SysWOW64\Ejojljqa.exe

Filesize
96KB

MD5
832bf57d9e06235da9f1ca9b8fd31b09

SHA1
58e1f4d6499d0e68c756b50e9444296ffec58022

SHA256
aa061eedbbdb9214f32bad7062b1e385d2eb7d1265ae824ef6bf3cc41a3257a5

SHA512
faabb64ed7b61cf5a96bd6556d85cece48f20c7fc54dfd3cf65e9762f009b3efdcc33c9531ea2f4917895f29c045ef9ce8c4bb3255bca8e9d22bf4e18f0054cc

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
96KB

MD5
49b97ac515ad9dbe14fa41d1de5e9589

SHA1
6bed467755d7b3b12696cfeb3d43fc87a4b75e75

SHA256
6c93da03ebd6b1659411f31b29142df53f55497400ad13cbba6cc939a41860c0

SHA512
6cc6001fc18840896b9f269a767467e126feb438ebb70346a2e3e38f55020e3b539cfe22f73ebd7e0d204c527e7923089238a5f9bfb858b4a518a541981943c1

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
96KB

MD5
ccddc3e4bdb748152823e8a23aada7ef

SHA1
6c1644c8945dcf59612a34afd0d040ad5541146d

SHA256
fd1d51ac9cb66d38d9e38d73f0e9aadd7ee3f5a538461efb6178d82177875b17

SHA512
3436d1cd9e70bbf395d657dac4775fb2fab41ffbfe5eac5a16054cfdda399384f3b62918b1525701b6b3265b88392da8ea2a779c21dd03cb23b64c2addc766eb

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
96KB

MD5
3e1b5bbf1df22d59457ad1acee119713

SHA1
59e093e410b7359c9e817f7d951e46aa31b87fd2

SHA256
d928e373e8fe23c97d4842219cbd523f1f803366b4f4bc430c4dc91705423fb9

SHA512
b8a671846bfc6219fc2cf3d6b92cb5bb6296b7db532f963138196a3f8a50d8c1f7219e481de61656523966fe9a3a6cbbcb8944d84e0209d8324a14128389ee11

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
96KB

MD5
f683f036a91101076fc5fc98fd526a2a

SHA1
1a4b0c62d66d708d9b69e2e849620c7f581f9f3d

SHA256
e066732d444f83092012463aa83c56ae4a8e53634f71246e6a30358ff5209857

SHA512
3b16edd938e4dff99247d1df841a59f87dd67b70122f68411bbfc21cd60c1aec19606b778791034020d4c0075b3cd31809c8e062bd88c6f3c8f0a4d1c461e090

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
96KB

MD5
9dcae0941e7d4852aa998ccb07ae575e

SHA1
2911cbae0bedd0f49cdfc1b4ad8a08e7c2f44870

SHA256
7d62cafc9e3110cf2f4177159a2b2954f83334a68820fef5bd6b8ee938f3a7ee

SHA512
b9744d06198c764dcfff66439f2930b365aca2c6cda34019aa67820cf31cdf69aef42cdff21e7f75fa9a7dc5d112d5b6e96230026f15ed5c09ef5f99ab197c75

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
96KB

MD5
c465251e1217321c53cec10ae8d5e0b2

SHA1
391569770c89553b857cb73619a6247e3eee2a27

SHA256
d38a741c94651f4a84168a18f190147bf5cd53270b78df5354257036f490c027

SHA512
30850f9216526363dc401483087f2684e7e966feefc30a84a79c6b18808a9cc8c348d102d5cb35245c22f9b02b471adb76523c3d15a1964a5b98ab9303da72e6

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
96KB

MD5
8ebd6debb47963112f179c2526327fff

SHA1
7c8c500f9e9c8f49b0e96b7c338f803c8e55bddf

SHA256
983ee700f248252a78541f43cd028f1c5c83e8f00fbd0145c71c8f5668bcdd9f

SHA512
784f1cc4069a56e82c0bead7328e04e0334e5dc98859eb5521ac3bb0478230b62d2be1dc972e16b59eed5534db16a25101230c88cd5f5cdad83709f315fe3d9c

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
96KB

MD5
afa68dda42b204e6fb2361508b488554

SHA1
83721f8cbd64af0087c73fce88fc9735a2f5a995

SHA256
afcc947767bf13df52292ab1ca35b77818a5797fd4f96c7ed5be9f9e551f4cf5

SHA512
d8ea4053686277cd3ffbb4ec9838624cc9ebe2219e966f3aaf3c5e6ec70a58b3cf5cd0d9b1284e584a3525359a26f7a8b38af379904769c8c2697a8d6a463d93

Download Submit
C:\Windows\SysWOW64\Ikfbpdlg.dll

Filesize
7KB

MD5
fbf522476e6eca3e6c0801b744279721

SHA1
945b1389effe2870f88cf54c8aa2dbe85b240fc7

SHA256
d03a30f9f634b5ab2a995b80de767598d532c714c303912b1ef6a97351ac21f9

SHA512
c55e490476ab5fc38181ce0b831d6d9cd673b92fb5561eae194b1b966702d3f94216161dab593527be5abcee70ead8423a9bccecc14854f8d300e37a9f09a56c

Download Submit
memory/412-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/412-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1768-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2180-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2180-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4304-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4304-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4768-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads