45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Size

64KB
MD5

a5b7100a39ece5c1afeb07c468a16f9f
SHA1

163e8fcd5d6cac9bd7dea3c01fda52396ed22f48
SHA256

45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4
SHA512

72af3b5db113de9d1911e7b263e427b5385aa97de4e51901359f05f65ce846a915e3a5c0f95749fba1fd57db2b8a1ab4c1948522d00f97b141fdfc7d4f4cff42
SSDEEP

1536:wl8N0s98zyCFYBb4JHcM3WA7yC15K2L+AMCeW:go5mCBbiFV+pW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe

Executes dropped EXE 37 IoCs

pid	Process
2924	Aojabdlf.exe
532	Afdiondb.exe
2536	Alnalh32.exe
2652	Alqnah32.exe
2984	Abmgjo32.exe
2736	Ahgofi32.exe
2460	Agjobffl.exe
952	Aqbdkk32.exe
1872	Bkhhhd32.exe
1996	Bbbpenco.exe
1884	Bccmmf32.exe
1824	Bkjdndjo.exe
1236	Bjmeiq32.exe
1932	Bceibfgj.exe
1988	Bjpaop32.exe
316	Bqijljfd.exe
1376	Bgcbhd32.exe
2540	Bieopm32.exe
1340	Boogmgkl.exe
2884	Bbmcibjp.exe
1536	Bbmcibjp.exe
1580	Bmbgfkje.exe
2252	Coacbfii.exe
1528	Cenljmgq.exe
1752	Ckhdggom.exe
2528	Cfmhdpnc.exe
2524	Cileqlmg.exe
1980	Cpfmmf32.exe
2668	Cinafkkd.exe
2744	Ckmnbg32.exe
2456	Caifjn32.exe
2948	Cchbgi32.exe
2920	Cgcnghpl.exe
2248	Cegoqlof.exe
2404	Cgfkmgnj.exe
2348	Dnpciaef.exe
2380	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2088	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
2088	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
2924	Aojabdlf.exe
2924	Aojabdlf.exe
532	Afdiondb.exe
532	Afdiondb.exe
2536	Alnalh32.exe
2536	Alnalh32.exe
2652	Alqnah32.exe
2652	Alqnah32.exe
2984	Abmgjo32.exe
2984	Abmgjo32.exe
2736	Ahgofi32.exe
2736	Ahgofi32.exe
2460	Agjobffl.exe
2460	Agjobffl.exe
952	Aqbdkk32.exe
952	Aqbdkk32.exe
1872	Bkhhhd32.exe
1872	Bkhhhd32.exe
1996	Bbbpenco.exe
1996	Bbbpenco.exe
1884	Bccmmf32.exe
1884	Bccmmf32.exe
1824	Bkjdndjo.exe
1824	Bkjdndjo.exe
1236	Bjmeiq32.exe
1236	Bjmeiq32.exe
1932	Bceibfgj.exe
1932	Bceibfgj.exe
1988	Bjpaop32.exe
1988	Bjpaop32.exe
316	Bqijljfd.exe
316	Bqijljfd.exe
1376	Bgcbhd32.exe
1376	Bgcbhd32.exe
2540	Bieopm32.exe
2540	Bieopm32.exe
1340	Boogmgkl.exe
1340	Boogmgkl.exe
2884	Bbmcibjp.exe
2884	Bbmcibjp.exe
1536	Bbmcibjp.exe
1536	Bbmcibjp.exe
1580	Bmbgfkje.exe
1580	Bmbgfkje.exe
2252	Coacbfii.exe
2252	Coacbfii.exe
1528	Cenljmgq.exe
1528	Cenljmgq.exe
1752	Ckhdggom.exe
1752	Ckhdggom.exe
2528	Cfmhdpnc.exe
2528	Cfmhdpnc.exe
2524	Cileqlmg.exe
2524	Cileqlmg.exe
1980	Cpfmmf32.exe
1980	Cpfmmf32.exe
2668	Cinafkkd.exe
2668	Cinafkkd.exe
2744	Ckmnbg32.exe
2744	Ckmnbg32.exe
2456	Caifjn32.exe
2456	Caifjn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Caifjn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1660	2380	WerFault.exe	66

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bbmcibjp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2924	2088	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe	30
PID 2088 wrote to memory of 2924	2088	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe	30
PID 2088 wrote to memory of 2924	2088	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe	30
PID 2088 wrote to memory of 2924	2088	45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe	30
PID 2924 wrote to memory of 532	2924	Aojabdlf.exe	31
PID 2924 wrote to memory of 532	2924	Aojabdlf.exe	31
PID 2924 wrote to memory of 532	2924	Aojabdlf.exe	31
PID 2924 wrote to memory of 532	2924	Aojabdlf.exe	31
PID 532 wrote to memory of 2536	532	Afdiondb.exe	32
PID 532 wrote to memory of 2536	532	Afdiondb.exe	32
PID 532 wrote to memory of 2536	532	Afdiondb.exe	32
PID 532 wrote to memory of 2536	532	Afdiondb.exe	32
PID 2536 wrote to memory of 2652	2536	Alnalh32.exe	33
PID 2536 wrote to memory of 2652	2536	Alnalh32.exe	33
PID 2536 wrote to memory of 2652	2536	Alnalh32.exe	33
PID 2536 wrote to memory of 2652	2536	Alnalh32.exe	33
PID 2652 wrote to memory of 2984	2652	Alqnah32.exe	34
PID 2652 wrote to memory of 2984	2652	Alqnah32.exe	34
PID 2652 wrote to memory of 2984	2652	Alqnah32.exe	34
PID 2652 wrote to memory of 2984	2652	Alqnah32.exe	34
PID 2984 wrote to memory of 2736	2984	Abmgjo32.exe	35
PID 2984 wrote to memory of 2736	2984	Abmgjo32.exe	35
PID 2984 wrote to memory of 2736	2984	Abmgjo32.exe	35
PID 2984 wrote to memory of 2736	2984	Abmgjo32.exe	35
PID 2736 wrote to memory of 2460	2736	Ahgofi32.exe	36
PID 2736 wrote to memory of 2460	2736	Ahgofi32.exe	36
PID 2736 wrote to memory of 2460	2736	Ahgofi32.exe	36
PID 2736 wrote to memory of 2460	2736	Ahgofi32.exe	36
PID 2460 wrote to memory of 952	2460	Agjobffl.exe	37
PID 2460 wrote to memory of 952	2460	Agjobffl.exe	37
PID 2460 wrote to memory of 952	2460	Agjobffl.exe	37
PID 2460 wrote to memory of 952	2460	Agjobffl.exe	37
PID 952 wrote to memory of 1872	952	Aqbdkk32.exe	38
PID 952 wrote to memory of 1872	952	Aqbdkk32.exe	38
PID 952 wrote to memory of 1872	952	Aqbdkk32.exe	38
PID 952 wrote to memory of 1872	952	Aqbdkk32.exe	38
PID 1872 wrote to memory of 1996	1872	Bkhhhd32.exe	39
PID 1872 wrote to memory of 1996	1872	Bkhhhd32.exe	39
PID 1872 wrote to memory of 1996	1872	Bkhhhd32.exe	39
PID 1872 wrote to memory of 1996	1872	Bkhhhd32.exe	39
PID 1996 wrote to memory of 1884	1996	Bbbpenco.exe	40
PID 1996 wrote to memory of 1884	1996	Bbbpenco.exe	40
PID 1996 wrote to memory of 1884	1996	Bbbpenco.exe	40
PID 1996 wrote to memory of 1884	1996	Bbbpenco.exe	40
PID 1884 wrote to memory of 1824	1884	Bccmmf32.exe	41
PID 1884 wrote to memory of 1824	1884	Bccmmf32.exe	41
PID 1884 wrote to memory of 1824	1884	Bccmmf32.exe	41
PID 1884 wrote to memory of 1824	1884	Bccmmf32.exe	41
PID 1824 wrote to memory of 1236	1824	Bkjdndjo.exe	42
PID 1824 wrote to memory of 1236	1824	Bkjdndjo.exe	42
PID 1824 wrote to memory of 1236	1824	Bkjdndjo.exe	42
PID 1824 wrote to memory of 1236	1824	Bkjdndjo.exe	42
PID 1236 wrote to memory of 1932	1236	Bjmeiq32.exe	43
PID 1236 wrote to memory of 1932	1236	Bjmeiq32.exe	43
PID 1236 wrote to memory of 1932	1236	Bjmeiq32.exe	43
PID 1236 wrote to memory of 1932	1236	Bjmeiq32.exe	43
PID 1932 wrote to memory of 1988	1932	Bceibfgj.exe	44
PID 1932 wrote to memory of 1988	1932	Bceibfgj.exe	44
PID 1932 wrote to memory of 1988	1932	Bceibfgj.exe	44
PID 1932 wrote to memory of 1988	1932	Bceibfgj.exe	44
PID 1988 wrote to memory of 316	1988	Bjpaop32.exe	45
PID 1988 wrote to memory of 316	1988	Bjpaop32.exe	45
PID 1988 wrote to memory of 316	1988	Bjpaop32.exe	45
PID 1988 wrote to memory of 316	1988	Bjpaop32.exe	45

C:\Users\Admin\AppData\Local\Temp\45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe
"C:\Users\Admin\AppData\Local\Temp\45d7dcc05fed9bb6c97b469e9d9f9df10c36254418fd0381394732b2ce1391a4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Aojabdlf.exe
  C:\Windows\system32\Aojabdlf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\Afdiondb.exe
    C:\Windows\system32\Afdiondb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\Alnalh32.exe
      C:\Windows\system32\Alnalh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 144
        39⤵
        Program crash
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afdiondb.exe

Filesize
64KB

MD5
a9222bd85f7868e38c140a774efa567f

SHA1
5ce31f61eaae80a30098d3748e792e297b85fe3b

SHA256
b2da7b264cdcd48b55ea9324d8ca4a2a9a43ae8d9bad0865ef18d4d3a71a8171

SHA512
fe8a98f3eb1bb83ed06375957a0727f3d0a873997216e155d73bd0fb577281fe01599a56bff0c6aeb32018e22810134e8dd716f29b3e466702def6ae15dae1bc

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
64KB

MD5
dbeb88dcce7997fadeb81bf3c552ad86

SHA1
f9f6beedd040dda44a6b2eb98dcf1e43108a7b08

SHA256
8fa6798c79e3f0fe64617ae2d0dcd70c7ca126b147844621c6d3b3d067e16f57

SHA512
6e6e72424680caf0c940ee2bae607c364b07293566ca9dcced7beacc70425a27e1a5946d7359659d7f77927d68ca0b66df33a015acf54005e6a6f37bd5688b38

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
64KB

MD5
8132fe9120cfad55364ae68a040759e6

SHA1
7ea784373868ea1baf0dcca19b46a5be201b4040

SHA256
6a9117b5033b64d38f849455d67c8c9b5513018b733870ecdd73dc6a230d1155

SHA512
763b71ce7edd83348bee0b2fe103e762273dea4dc7fe424c842b6941cd266f05f0133ecd9f34c2ae5d33818e0c81e3729383b49ef3e4492fce8891608616a9c5

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
64KB

MD5
1a00b34ccdb52d23a63ce3d8c6801f65

SHA1
4726df91e0d46b5703ea05028743804cb426a0fb

SHA256
759b6ec8368f133b8371e7da7bf8ac81f4b9b3483eedd31cc235e4de50a10f4a

SHA512
a38e307d497ec4c927051f6bda67fb4c2f974cd209488ba926fa3e6a93381f5b94324c602fa416a34b9b9b8f3c23ba72989ef702c82f10bcb091db40532f1495

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
64KB

MD5
640522f45d66a1918d7164253e92671a

SHA1
9139395b7e47efc061347b041106a91460a4c972

SHA256
a1483c05ca59c77c54e2b29873afcfd41d75c596733fc769f0f6748318275f23

SHA512
969aa77842ed7d35b13eaf827c7913e5afb099ed9379a887995f84ef3790913cf88ead83a946af1476514c0eaad33183626563b024fdb3c1c41d63eaf0a4dbb3

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
64KB

MD5
48765b0349e06ff5f1f78c1df25d37d0

SHA1
896593cc92aa15fedfacb48fddd11518ef780be5

SHA256
f835bc9f58937ce1b6c4f1130d679335ab48ca2f4947652b00469a229d227b49

SHA512
52f5ac57d3961bb6f54a454fcef77af249d4df127228b3b05f48a40cccfa519a9543d141d2068196b2e9b811bed1171bf4e8e9e42a924588a3b43418aecb0f84

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
64KB

MD5
a0cedbf84352abfba919d88e20e60f5e

SHA1
698ff3355e7ff9898db01df03ddf42aadd9a8839

SHA256
28eea9f39fadf212d2ff50e51b14577afee7c1a2c489878fc08027564f4a7ec0

SHA512
4e30702901afb026d03a825fc64424b35a6cc1927e6ee25454d386a70347d9dd8b01366220a966933f9ecbe2848aa6e06a693869499ccdead3c92f0e41b68c6f

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
64KB

MD5
ce1db493792ae3acb03ecdaf45309d87

SHA1
69cf924deec394ba0d933a5468fde019be3fa1eb

SHA256
c4e31771e3bc9f5934dd207a9ec60536443c664f888b24f3e6d396aa3f600403

SHA512
e0797f3fff92e6125ad5c6c388d05a3e547e860300a6dd07b57f6f73a50341f494b04345a21a8b2de5cb43c65b22e8a7b07b8813c73a2acc79542bc5f300af3d

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
64KB

MD5
0110032a546e142b514b6a566972bb84

SHA1
5f8a51c4c4e786438a346f47a5b55914306bd2b6

SHA256
d1ed06afed87c45265f293f5d614e5ce37b685af344a1c51cb7e59f05654e8fc

SHA512
e7aa8f3b486b9591759c95d7da4f24fdeeb6bf217c41dd04a58d20e633c2635aab67acbb906115c8ce0212c01a7b0c719013b817144bebf1313649a7bfff17cf

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
64KB

MD5
c174556d6b019968c528e5407fa6bd3e

SHA1
fc0d2349ec1adb7ec412e13011dab62d435f8273

SHA256
c1d2ee356f1a239bd8c720b078a79e78f00f70108dfe9162a0d5df7e6fb6360e

SHA512
2573f27c23854c32165bd3fd5e5934daeef5e30746c98c66f0c6db3624798e0a71d9f27b9c224ac26a05955588a0c720ef6cb8e9b3df6228c4880186e3fa8b1e

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
64KB

MD5
cd98667d6a3f49c254d2eef108221804

SHA1
b800c2f849128e9c3b2acbad1236f211720e5454

SHA256
e8143efb202edb1275f5293aec40494da024d3865e79ed32e72e434e90ca19cd

SHA512
23827aaec3d3d635bd8560576ff24b2bdefa5796b79534e92d12d7c1586df9da2c44d7df47d6ed0daa7fef01bc9bb6318163e74ceedb8af4179bd0cd13b5db79

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
64KB

MD5
f211048ff3895382f94a9e937b9b1d5d

SHA1
fbaf39da27bbc1f9e066c92152f3e8f74a03359b

SHA256
dbcd786f6449a08032b31351fb40cad7d02092b34f1ed4c997d353aa2164f897

SHA512
1713d2abfeb68a9f12398810cc1961e92832ff24d41e72bffe00f487772812bc747c76c6783403473483754af80534adf284f66d1232d4139a96af8cfa7764cf

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
64KB

MD5
75b7c7339285c2e71c2837c5d03f1527

SHA1
5b6f5eafa0a5610abfad62100b34c873cade4d8d

SHA256
6834645195e265a956f0fc0dd52c23b52de0eb5a666d4bf3ac33d14607845fcb

SHA512
b25c67ed3c0f328eae79b1c65bdaf04a79b15095c4807e0b539f4b63ca8d20b894f4f56ee1a7fac2dc8d4be2a01ed24aa07b60fb7a791f02222973b58c3df776

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
64KB

MD5
efd14a992ccc3e906ffa29f3fe93437a

SHA1
27ed807e02ec8f9f6f4e9950dde4732fe740dda4

SHA256
aa5bf54c18a8d7b81f8c66d3b2890a6869be351414226fbbfb3e32388ab14fcb

SHA512
03f0559f2261b1aeb6b724b327f2e3bee5b924eb9a33465f418ba7f9e69acba023403e66f0a372f6b99e1c2db7c6cecdb1ebaa860484349a5ddfd13f8c9babf9

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
64KB

MD5
306788b2a38974c23b9d34864fbc58d4

SHA1
e6bfe306db88b7ffe13be80b59fc8bcc3528d719

SHA256
f8b072b708e995592fed448a283d22a0594f235596a5527502af5f6490dc1eaf

SHA512
fdec0bf833ff7ed20f032d4612ad21559c5f42be44bfa97f33745baacbe3589d7aff3d7ddfaac7ef4a2e45e99b7ff67f4ee782d996e143a739425235baa93dab

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
64KB

MD5
222000771f1b4341852c489b6f5084ff

SHA1
f9f48a3dfd708a2c85b56506a106b8319a5fe1bc

SHA256
366321c0e8ff4fa2e43f21a7d0fd2e461f7aee1371c20b08a262c7ffdba8ce6b

SHA512
780dd5ae8e188b0279a505e3e7a66e9b99bc8f6bbcbe62bfa65f57fe3e4f39d155346e7693bdcab0ba77b68cfd3f0fb7b77db253136890e10011e89aa6a1cc86

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
64KB

MD5
0dca35346586adf438e37b3a85e1c4d9

SHA1
512c8518e947096900babbac926e6f88d30acd8b

SHA256
223eabe71d413cf5941ada2da558bf29bda0b6f81797ccb17a0b1309ca32bf3d

SHA512
d4c341916f16046fae1024ab24eec684ebd9a1b2eb8f37110e34fc3d2005793fcc255abcd3de50598a59f44aa45dcd524edf92d57f20edb4ff846994d001108b

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
64KB

MD5
e979ee7d03bf64d9177d7f75150050de

SHA1
74115212dc0f2d21aaf340ff2fbbd64e5ecf29d1

SHA256
e69860a7122d4a9df9978a8ba5a414fd3086bfda51d2b13622ea7493c4ae2741

SHA512
03f74ab3a7805d61982ef3b77c5da3873c094ca012ffecc62b7a05339f8b28a039cdc097859145587d0418b669c5c8384d31d88b469b2cdb8ab3b56d9ff01020

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
64KB

MD5
2d42016862d5ec7df2f65cfa0ff747df

SHA1
dec937ce86ef782d0a7441cc9cfb59158c1cadcd

SHA256
bb42deb69f38bc409fa5b3a9ad4cd9ce6496bfb5f5d88406c67af63122da5050

SHA512
e06a1d8649b27b9bea865ad8adabf21970302de1b1c809f1c02eb84118efbca7166c953ab7e80942890f36d39a04b7217e0ef8abccc387810801d1e1d93ee087

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
64KB

MD5
8c9f0506d741f2cdb897884b3244fafb

SHA1
3957215e367ff2f345dd3cd76677feb63c7f5f53

SHA256
b11eded3904060ee36c6ba0aa8e8bb2c46a7a6abc350f735974c9413596010da

SHA512
5229924f079081e1a11e5d8f55e3a10ed4787682eb74944f18d88bbf0c44cec42c948e166f52184ff386580943175452ed0dfce16a036dd47eb633b28737298b

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
64KB

MD5
f59001615416bb10cc822f7ff17d2ca0

SHA1
92a3c752e3821ee057af393cd75f0ae17e3a42bc

SHA256
2b16e43bb62d30182cfacd0eaa56550a648c8e21af20766322b1c15ce17b76a4

SHA512
ea9e328b89ba414db42dde8d3a373ee536bbd2bbafbd8e00c6728da2955e1095bda7dab02b514b0bfbc08285001641d6b6f40591dce04c905ee2fd26097ff036

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
64KB

MD5
618668c6c8442a2ed76088636c5abe12

SHA1
d1149cbfb71833d006749fab38c53fc80bea8330

SHA256
ff88aa7419a66442c32b3caecc89ea41f834d7fdda3130c4c70445a03842ca5a

SHA512
2d5363907b2f375761a9b852e9f875cd11aae7e4221381d4cc981f452ee04174280eb8b03d4dff91029fcacb5057c3c5640be580151f0716eac5f9201aabc1a5

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
64KB

MD5
45e5613a2c9ed892766ac31b4013a66b

SHA1
b5fb8afbfe9b8c7d53bd22c145fbd6cd5d705821

SHA256
9c550a644db341b3a407098e3a29f81dc1cea4e4a36d96b41c3e19e544f4e3d7

SHA512
82fafe5c67a14caaf6956879b61a88bc30662d16bcf003bffc6a3ef5cdf77ca84e1a5f8f632c7f5c51de2356302c43d6e6698c506f51d16d4adbdf1f161cc796

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
64KB

MD5
71b732bca7576fe7d584dce78efd1e14

SHA1
be61631a9fcc83ce0790b93bbc9170b51623dc06

SHA256
06f3fc3a8850107d2ecd3941648b58161489d860ff6986c0a93146f8fd306e89

SHA512
2a7704b106e1a236529d0a3d6359362e3b25a182c48d572c704c92eb8b9172235be88c5767589fbd233388023b7f77674efc7ddc22d14000a0f20c3f33821940

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
6e16aa994b9262499e9ce53d35a44f4a

SHA1
fd341889a4bb052b88251a35a813910d31bb6ad0

SHA256
a438552c515f48a098a576702b1937d0b7dc4c0b76707b8843197c6604e65a1a

SHA512
4e925c317daaba2c56c6ae6e4f32569fba84b3e909cb30fa37cde873007d4ff4aca8cb7dd62fdebc4b0fe6fc85c363c2f9f8795ccbc9d377d82851a30a2ff1fc

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
64KB

MD5
2ed0182ad515b8268c2dae01693a03f0

SHA1
b46bf5eaacc908e6b76ddab9e52be2e3e5f51ba3

SHA256
d8a5f6c601d663c2f69a651f317d41e1bd63b0d26eb2a0656ce6518f262ac408

SHA512
fb2638f1c74aea30f22304d8a534dcaaa7a9f8501ef703e5a40691796d25680ef0d2947964a8f4180dc881870d311c11747671d30dbfd527fb4343bc0969a697

Download Submit
\Windows\SysWOW64\Agjobffl.exe

Filesize
64KB

MD5
5418e402219c72be524991aa7fa87e0c

SHA1
55956801c77c895cf337ab7a612504bd01f4ac35

SHA256
0a6e8d91e95391f060b37ad97adc68ddc968cd2fd800156a6598a1f819fdeb8a

SHA512
f2f5b1555a5666bb7e0171ba3598007cca09ef34665d80b763756f8f123f257ed473d39228fff5f1170a032a92f4b29737737042241b758b4074ab5493460738

Download Submit
\Windows\SysWOW64\Ahgofi32.exe

Filesize
64KB

MD5
d6e312a4507782f953465b5a43dcdfc4

SHA1
15e972f587f68188372d3d6038ceb1aaff342674

SHA256
f4b96ac446d941a7175e298b682ccd1544362ec2057708d758bd8f3497a1de72

SHA512
f9a8ea6701cf68e6b3bcf2ab8fd00398ea3965b39bc7db9fb239c3574c9895cd6854566308e9a5c5b9302c3dd31736ecaeca77344fb4fd73672450c933e4ac1e

Download Submit
\Windows\SysWOW64\Alqnah32.exe

Filesize
64KB

MD5
b708e5add83f9df56cb02e37f5617c36

SHA1
4e4bf49d274da75655035303926fceea7af52d54

SHA256
5c327352ec9222d473ecd84f2dcedd7f158f63f3751f2373b85fb2f3519065e4

SHA512
dcb4fe3fcc20307d7c03386480981282ac4e6b06bcb137d373b78d56ac4ea22befda16791fb3554fc7c412ab9ea3dc8469d7ba6f3fa7132d76c855726ac2bb49

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
64KB

MD5
c5bc8f87f4639cdb961b57f9e4c5ac89

SHA1
9963ec0cab150e53fe9ed6dac27ee9daf2e07705

SHA256
2eb134f71edec0a0c1c8b2c689120d3f38697d2bb0e5dab23d7c1f26ef7e71ec

SHA512
9f68bcc5a6128c87672aa4d06255c968bd209e0910e963f0429cc53ab625a669b4c004e354e76d4083e8358c54668616bbb1a250d9c4c361fa8e862cd77e5c44

Download Submit
\Windows\SysWOW64\Bbbpenco.exe

Filesize
64KB

MD5
593d17770083afcda6cd092936441e65

SHA1
7305ce02f428f01f386d7c07d720eb0b25c06fbd

SHA256
66932bffad74fb8ca1b6fc89cebd5b5006b548a6d7514eefac09a0af89f4b567

SHA512
74230bbed5bc709432eaaa5758d1c40c2b02339482d2c0ccdef2d1052882b56bc92226b99ac080f95d04cb0799b6ad3cf70a0e6c718789806f3f547e3dcf6ded

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
64KB

MD5
894ea768b6eee8f3daf5b1fbb37d6f7b

SHA1
81b2eafad8123f0914748116861e5b96d82ac03d

SHA256
ed32e85bcc3bea4809e9d4268738daea998cfc2091cfe6b4fb67627f05bf9019

SHA512
ab161b80153c21770e6407509862161987f4481258ffb76065d090c6712b2c85d27d883ba724bafc88821b7f1324db2eccaf241186a2ba8782512e7d0a231e7a

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
64KB

MD5
56d86974c983f876f753da3f3b006398

SHA1
4db819cd81b2b38000b2500584d04ab0abd46c33

SHA256
580d858231f847bedc5255af8712a1800fa8d8ad3d0b7d892121b90269c18a4c

SHA512
97c1edf0873ed4789f70106a30db4311f0e45fde603eecc5b6ffa486334a408994f5c0c179d3511395cce9a1e26ffa3eb45ba2e4e1d36dab5f23c939ebaf7ebb

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
64KB

MD5
0023dfb95b4998c3af3b5219a43e7904

SHA1
128629722c2386c83ad77045401ff4f78f052e82

SHA256
0f5aafedf61417c6b42a9a3e00e97fee2a9c6476655ffea7a33327585e641f76

SHA512
435ed257f58dca6f389d6d7c64e48d5e2789fd4f5d997ebd05afbcd6a39abb98722248da65afffe0d2d4447c5c74763d94b38d54592d2fc757601f94e39afbcd

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
64KB

MD5
bc00ad7f02034f5d45de5430070eda21

SHA1
e8d48f2fa5f4a796ff82f3f20dff0144d6b1988f

SHA256
6f09cd19a375810da043ef8eb8f92c08754d24eac79522ec304ef7153fae9dbc

SHA512
1a9b72845514e7d42481a339c1e2d51b29d2b7b2914d377a2dea86fe92a0fa9bdfb574fbd57ef3c8f2450e0e4aaca30316da23da4333cfcc23797708cf3b467f

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
64KB

MD5
640a1d7c74a9b863fab9bdc069532c31

SHA1
b5aaceefcfcf653da6312a3a4790680feb8e8790

SHA256
095428b7465aa9d8203a5881fa838e9ae4f4b6e06bea3b25c08902f26280edfd

SHA512
14a8692aec0c52c9c832b86ab42ba0dab36f1d015fa3088ba9a50aaaacb063089579bc1f3b5cc6fe8ac44689fea78c63f20a624d5010c023f4c4a45b96170c26

Download Submit
memory/316-227-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/316-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/532-40-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/532-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/532-41-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/952-125-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/952-446-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/952-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1236-188-0x0000000001F60000-0x0000000001F9A000-memory.dmp

Filesize
232KB

Download
memory/1236-186-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1340-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1376-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-302-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1528-303-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1536-271-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/1580-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-282-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1580-281-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1752-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1752-314-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1752-313-0x0000000001F50000-0x0000000001F8A000-memory.dmp

Filesize
232KB

Download
memory/1824-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1824-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1824-180-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/1824-173-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/1872-126-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1872-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1884-164-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1932-206-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/1932-450-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1980-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1980-347-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1980-346-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1988-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1996-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1996-448-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2088-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2088-12-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2088-8-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2088-439-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-414-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2248-403-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-412-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2252-292-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2252-291-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2348-428-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2348-435-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2348-434-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2380-436-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2404-424-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2404-423-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2404-413-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2456-379-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2456-380-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2456-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2460-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2460-445-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2524-335-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2524-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2524-336-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2528-329-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2528-324-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/2528-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-55-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2536-441-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-43-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2540-253-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2540-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2652-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2652-442-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2652-65-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2668-357-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2668-358-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2668-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2736-97-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2736-93-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2736-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2736-444-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2744-368-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2744-369-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2744-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-261-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2884-262-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2920-402-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2920-397-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2920-401-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2924-440-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2924-33-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2924-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2948-391-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2948-390-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2948-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-83-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads