8a935e612c3a0b3b3832f03453b02eaa0e9a79dcbd7cb59784b2fe1ff0a32053

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b4b12d8c8af93e4e9367f71031a59d0N.exe
Size

315KB
MD5

0b4b12d8c8af93e4e9367f71031a59d0
SHA1

1c488099805ce3a798bc92c4e6ff11fbcb30f5c4
SHA256

8a935e612c3a0b3b3832f03453b02eaa0e9a79dcbd7cb59784b2fe1ff0a32053
SHA512

10ac81bedcb7df800889f1bc83e7e253c51895c4013fd27f5164cf3fec865961fb5891f68422da68f77e4992dcdbf32562a906152966773596fab14730dc7dd3
SSDEEP

3072:r6yzomUWzTtSRTtq749+f4auvZ7LC4ZR4mqmnKBstqBiPXPAPePdfVQ:rbzomTSTtqI+stesMmG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b4b12d8c8af93e4e9367f71031a59d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0b4b12d8c8af93e4e9367f71031a59d0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe

Executes dropped EXE 45 IoCs

pid	Process
3800	Acqimo32.exe
3544	Afoeiklb.exe
2204	Anfmjhmd.exe
320	Bjmnoi32.exe
1916	Bnhjohkb.exe
3120	Bcebhoii.exe
2476	Bfdodjhm.exe
2160	Bnkgeg32.exe
4656	Bgcknmop.exe
4860	Bmpcfdmg.exe
3816	Bgehcmmm.exe
3204	Bnpppgdj.exe
4968	Beihma32.exe
4080	Bjfaeh32.exe
2712	Belebq32.exe
3672	Cfmajipb.exe
3244	Cabfga32.exe
2108	Cenahpha.exe
1004	Chmndlge.exe
2976	Cjkjpgfi.exe
4028	Cmiflbel.exe
4920	Cnicfe32.exe
2648	Cagobalc.exe
4848	Chagok32.exe
1408	Cfdhkhjj.exe
4368	Cmnpgb32.exe
3772	Chcddk32.exe
1796	Cnnlaehj.exe
1520	Calhnpgn.exe
3332	Ddjejl32.exe
440	Dopigd32.exe
2032	Dejacond.exe
1924	Dhhnpjmh.exe
3620	Djgjlelk.exe
1232	Delnin32.exe
3144	Dfnjafap.exe
1420	Dodbbdbb.exe
1348	Daconoae.exe
1048	Ddakjkqi.exe
940	Dfpgffpm.exe
1620	Dmjocp32.exe
464	Deagdn32.exe
1128	Dhocqigp.exe
1164	Dknpmdfc.exe
5004	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	0b4b12d8c8af93e4e9367f71031a59d0N.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4428	5004	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b4b12d8c8af93e4e9367f71031a59d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0b4b12d8c8af93e4e9367f71031a59d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0b4b12d8c8af93e4e9367f71031a59d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0b4b12d8c8af93e4e9367f71031a59d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3800	396	0b4b12d8c8af93e4e9367f71031a59d0N.exe	84
PID 396 wrote to memory of 3800	396	0b4b12d8c8af93e4e9367f71031a59d0N.exe	84
PID 396 wrote to memory of 3800	396	0b4b12d8c8af93e4e9367f71031a59d0N.exe	84
PID 3800 wrote to memory of 3544	3800	Acqimo32.exe	85
PID 3800 wrote to memory of 3544	3800	Acqimo32.exe	85
PID 3800 wrote to memory of 3544	3800	Acqimo32.exe	85
PID 3544 wrote to memory of 2204	3544	Afoeiklb.exe	86
PID 3544 wrote to memory of 2204	3544	Afoeiklb.exe	86
PID 3544 wrote to memory of 2204	3544	Afoeiklb.exe	86
PID 2204 wrote to memory of 320	2204	Anfmjhmd.exe	87
PID 2204 wrote to memory of 320	2204	Anfmjhmd.exe	87
PID 2204 wrote to memory of 320	2204	Anfmjhmd.exe	87
PID 320 wrote to memory of 1916	320	Bjmnoi32.exe	88
PID 320 wrote to memory of 1916	320	Bjmnoi32.exe	88
PID 320 wrote to memory of 1916	320	Bjmnoi32.exe	88
PID 1916 wrote to memory of 3120	1916	Bnhjohkb.exe	89
PID 1916 wrote to memory of 3120	1916	Bnhjohkb.exe	89
PID 1916 wrote to memory of 3120	1916	Bnhjohkb.exe	89
PID 3120 wrote to memory of 2476	3120	Bcebhoii.exe	91
PID 3120 wrote to memory of 2476	3120	Bcebhoii.exe	91
PID 3120 wrote to memory of 2476	3120	Bcebhoii.exe	91
PID 2476 wrote to memory of 2160	2476	Bfdodjhm.exe	92
PID 2476 wrote to memory of 2160	2476	Bfdodjhm.exe	92
PID 2476 wrote to memory of 2160	2476	Bfdodjhm.exe	92
PID 2160 wrote to memory of 4656	2160	Bnkgeg32.exe	93
PID 2160 wrote to memory of 4656	2160	Bnkgeg32.exe	93
PID 2160 wrote to memory of 4656	2160	Bnkgeg32.exe	93
PID 4656 wrote to memory of 4860	4656	Bgcknmop.exe	94
PID 4656 wrote to memory of 4860	4656	Bgcknmop.exe	94
PID 4656 wrote to memory of 4860	4656	Bgcknmop.exe	94
PID 4860 wrote to memory of 3816	4860	Bmpcfdmg.exe	95
PID 4860 wrote to memory of 3816	4860	Bmpcfdmg.exe	95
PID 4860 wrote to memory of 3816	4860	Bmpcfdmg.exe	95
PID 3816 wrote to memory of 3204	3816	Bgehcmmm.exe	97
PID 3816 wrote to memory of 3204	3816	Bgehcmmm.exe	97
PID 3816 wrote to memory of 3204	3816	Bgehcmmm.exe	97
PID 3204 wrote to memory of 4968	3204	Bnpppgdj.exe	98
PID 3204 wrote to memory of 4968	3204	Bnpppgdj.exe	98
PID 3204 wrote to memory of 4968	3204	Bnpppgdj.exe	98
PID 4968 wrote to memory of 4080	4968	Beihma32.exe	99
PID 4968 wrote to memory of 4080	4968	Beihma32.exe	99
PID 4968 wrote to memory of 4080	4968	Beihma32.exe	99
PID 4080 wrote to memory of 2712	4080	Bjfaeh32.exe	101
PID 4080 wrote to memory of 2712	4080	Bjfaeh32.exe	101
PID 4080 wrote to memory of 2712	4080	Bjfaeh32.exe	101
PID 2712 wrote to memory of 3672	2712	Belebq32.exe	102
PID 2712 wrote to memory of 3672	2712	Belebq32.exe	102
PID 2712 wrote to memory of 3672	2712	Belebq32.exe	102
PID 3672 wrote to memory of 3244	3672	Cfmajipb.exe	103
PID 3672 wrote to memory of 3244	3672	Cfmajipb.exe	103
PID 3672 wrote to memory of 3244	3672	Cfmajipb.exe	103
PID 3244 wrote to memory of 2108	3244	Cabfga32.exe	104
PID 3244 wrote to memory of 2108	3244	Cabfga32.exe	104
PID 3244 wrote to memory of 2108	3244	Cabfga32.exe	104
PID 2108 wrote to memory of 1004	2108	Cenahpha.exe	105
PID 2108 wrote to memory of 1004	2108	Cenahpha.exe	105
PID 2108 wrote to memory of 1004	2108	Cenahpha.exe	105
PID 1004 wrote to memory of 2976	1004	Chmndlge.exe	106
PID 1004 wrote to memory of 2976	1004	Chmndlge.exe	106
PID 1004 wrote to memory of 2976	1004	Chmndlge.exe	106
PID 2976 wrote to memory of 4028	2976	Cjkjpgfi.exe	107
PID 2976 wrote to memory of 4028	2976	Cjkjpgfi.exe	107
PID 2976 wrote to memory of 4028	2976	Cjkjpgfi.exe	107
PID 4028 wrote to memory of 4920	4028	Cmiflbel.exe	108

C:\Users\Admin\AppData\Local\Temp\0b4b12d8c8af93e4e9367f71031a59d0N.exe
"C:\Users\Admin\AppData\Local\Temp\0b4b12d8c8af93e4e9367f71031a59d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\Acqimo32.exe
  C:\Windows\system32\Acqimo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\Afoeiklb.exe
    C:\Windows\system32\Afoeiklb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\Anfmjhmd.exe
      C:\Windows\system32\Anfmjhmd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 396
        47⤵
        Program crash
        
        PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5004 -ip 5004
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
315KB

MD5
706e0cf0e361b92724ad5fd1eac11027

SHA1
f52dc263b214e3d625865c0d7b050e8b718ca56b

SHA256
c140832066ad361c3b8bf61386205633501a640bb439699ec04746e4b6865c60

SHA512
5b214d08ce3967e9433b2687c7e8680566a6ef60b4ec5fcb60197c248189b6bdc43a00a11e6cdaa87e8b371b147a4b08cb948816ef718afafc726898fb5799fc

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
315KB

MD5
d589b8a8553eb62fb96a651f348a18c9

SHA1
fcb9b1501a21ef04902cf6cfb9b4af620e456e82

SHA256
53cabdd0b957803b255598a273c71af4007e4dfc4a1757e8c108fcbafd0510d2

SHA512
7284ff306106a9593b84002c47980a132e2a453638eda45d559b1f88029a645e15c9c2e769b5acf5591be322d893f9cc75a796ea10d67fcdcacbcab298425f3c

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
315KB

MD5
4895bcf1b9bfb0df9d5735f1f7c007c7

SHA1
9dd9fe0c481056e0e054b7b532f5b8a87a5ae9ca

SHA256
b4baadd9e79a900760e68d84dbb5bd0b99af402bd3d5f988e891dfcac0184791

SHA512
75762f87778b2a5948aec59c0e39c675383b37e617e17bde9145a75cbe83350a0c8329a4f69de05b0a957610da191269cc78ccb85d9162c7f447cca2a4ec512c

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
315KB

MD5
1b68fa1bf6ead078d165c2d7bafe7811

SHA1
b89dd9b4324433fe48b481038fac054e4ca99ca4

SHA256
301e34530ef2db313da980d3984e1c670090bc65a058e3c4a02cebb9f627b7d3

SHA512
0b64422b9bfb25baa5cb2245db9afbd2477cbe47c5dd136bdd135441c5b4184ab61602e6159f3ed459cb2df67d7f59d1cb9a7898733b256426178916f7c85f60

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
315KB

MD5
e683c06e116a6a86a37b07f9b3cb5039

SHA1
41e0949ff9d5aae153673a772bdb58c769cbe00a

SHA256
b75c8337b33dda9a80f5b7b058803d8bef8e847db5260067fb2678502e800d72

SHA512
70ecd25dc286a5aa92db0935c42be1dc7e5ab3bbcaca974af85c2b7c33b4802a8dfed382b1d7043a5840673ea80346bb7039e2d7a697d58bf3c2d6e0c6dac770

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
315KB

MD5
73b0b785ed76e15e0a52700974e9c015

SHA1
f48f2960c3d2a7d50205568f36a007160f7d3582

SHA256
cecc3af0046fb9c5fdc6c027faea29cd3878af5d5fccf2ffa7755c8767e81494

SHA512
0545dd88b9c35ad0b1aef6ed759cb3e0f2c8b305a7147b98e91db419fe98eb90ddb8ec7eec54af4d2534984c757ff826e2902f52f85250e74dc00263b38ab158

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
315KB

MD5
68c9619d3dffaf764f791f38b090902f

SHA1
609888e0c0111272101a8e05ef9b47bf43e9221e

SHA256
bb4e51b629f6905f63aba144be45d1b423cfa05f33c344a5fb964048e27cde59

SHA512
11851bdb3bceb2b2e3566b5dd8f5d3e65d0be8466d6b07eb3ea857ae6476cae259a1ed4c284af894c9252422bf50a74a7fc6549c4365a5793f03bf25358b9633

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
315KB

MD5
b7def757705529a707924c364e6ec302

SHA1
cdca53aade82faaf598e6aa7ce8338cb55bdc74b

SHA256
d5b290003778398313503e9220f220dab8d81f46824bfeb52eaeb0543fe7a663

SHA512
a673b646a95c65ae54b70ceba90747b5d6fa0977286200127d5a7911bb89a05bbf4a4260fbfdc0960cfd4bae1d68a194e6eba246f86c4bc9dff86040b1c46fc0

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
315KB

MD5
77d5bfff88875810da247936744eea43

SHA1
e951be024e793d30b78bd32b19a482ea10f5cde8

SHA256
e594ceb4b76b7a5a25bb995febec0ca81de610834f81cc0a3e03a8c4edde4d20

SHA512
d3e6de054d06e5fe80a606288c3b2206d29bfac40f2ae826793682b07da27c7dad6eba328bfe01fa9ded684e85c3d36555ccaaa7d1034e5b20da4e01559eaae6

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
315KB

MD5
3e3f4a968982000cb2e2b16cf65c9cd1

SHA1
0e8eb22bacfe971f9a7a66e962514f27dbb0818f

SHA256
90ea9f23d4cac1b72ea4cbdb0d62c9832f83fd82035de5a5d3de5b1053a0aabc

SHA512
db3c87f6f5df8e70d0cc74aa8bc98b44a68c3ea25bca4a556be64347405ae03e5b3828d9937e88ba84ea011ca2049896b59e5dc10488287c82607623ad6bc359

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
315KB

MD5
0cf646dbe410413b08702ca02aba7d20

SHA1
89e5e0bd233f7fc233cacc301efefdcc46a836bc

SHA256
19b1605e20fc10a217cee15d1bbce4181c535b6e5bc1724a6ec3b41a43e351c0

SHA512
87f66ad592da44ac4c29cadc900d85d16b4987370e12078ebc3b17334102069856071b0398ad3a26adf2e110d2885e9ef51aa2452de8c622e2c68222c6dfef64

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
315KB

MD5
0c56b8825bd9bb5226de1c4d5b40b97c

SHA1
8ecf0c32c2d926dd9c6023bc3f3a798fda5f99b1

SHA256
0c2324f358e19e49388ca120fabe441ffabacb491c1dab88a93655b5a4e48d32

SHA512
9a01aff5b90a42088f88cffe3b830d896f6a14689957ad1c491949715eb3f4d5af36e9d80c88630833afe21f311f88eee034351597aa2c8244910b5372267ae9

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
315KB

MD5
c2f16213b986f2bd5ec22911f1e880e3

SHA1
0107286f4f9a0687c11856ea7b79ffbf3f232e17

SHA256
347fcc3db89fa97497ecd373e94376eeafda005aae199d2832dc912e0228b864

SHA512
302d3d0045d97a5546b788f25a4535e0769f3342a568eecb892c89ba004fddb5ed811b51b945a3f69b33f3945b23ed169a557f84927383d645d05f1048a51c8d

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
315KB

MD5
7ddc57154fee08fbfbe75993b1c1d410

SHA1
41a9a9521f4239716db560bc9a1d3d0ab24569d2

SHA256
193706ccce17d8fd3e75f75b8e18290d830a6b1708fef1dfbfae12b2d70a9b77

SHA512
7cc409ba6f0bf6ffd0525904491a9837fade899a83e673475db413270ece48406abb549e81891abe5da8f449bbc7c561a86f4ef030e30207b9fe039bca83549d

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
315KB

MD5
b66c33962dfdba5b7562553e57757b85

SHA1
c8cc71074f90c3e6bbe0f368defadb306b27d845

SHA256
2384dc65612c4ff259778c499dfa20f54726bb1492b0c25701d235e1fff29792

SHA512
aacab01f3fa18b296e93276c920b56551d8a544bc57340eea6deb3055474c84ea6ac1ef307fa06718748f14cf14b511af77d8a2cabd08c400742c0038788c37b

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
315KB

MD5
dd01937e917d0501af23c00ca92ceb2e

SHA1
b3cde57f1e5b8efab31301b2f44e8d6f0500defc

SHA256
e182d73878870a93ea59399dd7890a2fafbcd78a146dfe72d7da61fbd02d0496

SHA512
b8f021a8cda37d1ca659955fe2b74c1d0b8cc06c74dba0b0452b962dbdb1b38a1a8c1d519610308e12ca96f5f8075a3545377d480cf415dad546a258a0dceea0

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
315KB

MD5
28c83e3ed3f201ae72189828aea030b0

SHA1
355024651787cbd785d0c3dbf7b7cc004724f4e2

SHA256
db5954cecd2aeba73ac5d134a12692dd5b2a6ca1f720bfbfd663fbfc5c7822a5

SHA512
f87ea26eb18af04a67f03bdf014f70949e2671f8af9accfe7ea4993acb838331bf39dde2deec02948ca2e2bbf0941cf13e970cad2248dd62a59e23fba5e734b8

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
315KB

MD5
ceb51d945abc2d75d85a8927ceddd7ff

SHA1
e6b520a55200655c76baab4ec5fa52cd87ccb10d

SHA256
4c8f6a3d3b078c83f76cb42547ec0ee290943f231f8d422f5a5bccf65b5fb9a6

SHA512
5317ca4577ce79f31e45cc52e4b5782953f864e2379cd3c243060e9c4ce2d7c1d7c035063fc0eda4875e650da3b0fefdfafcfacb900408beab09fbf3441c6177

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
315KB

MD5
90941b0bd7ec7d9a7f56b8721df890cb

SHA1
aa2754e07de829b668d39161e5255e955bb08818

SHA256
d313c66836d250aee5a89b3fd9fc62f55fd15e10b3babad9607f9f1a1b95a2db

SHA512
c79c011efb1f534910d8dd2b08e2e43eadf6d24b516ff38f2d6f12a19c088995b6450acf58e42c51592f6c776c64aa53999a1c70a5612f8d68f6b6e35ba9f3c3

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
315KB

MD5
db0cdcdd4673dff4a35e5466f6b92c66

SHA1
c022866e41d875969ef5a8c4d781477d58597a0b

SHA256
27e3b24b4a9ed26ccb5a2241df9459ce2df0ad81766e18cd5e127999f7d54f21

SHA512
4302f37ecd13d2ad75e119dd32528602938ff361ef701704443119753f7193fc8d603acea72338626f070a7d880c655d5c8dce33be81e02800a1b049658d6a42

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
315KB

MD5
7681d3d2a83696e4e539c9ec42cabed9

SHA1
cdb0e046d97ba6c1a9849d9f0f3a692b6febf4b8

SHA256
f3e249c923606836cc9e86f5fe851834b6afd01330f8cd99cf686b5471bf92af

SHA512
67ddf2ed75a458d463f70311e27fc8236677df5fa043d868ef1ba2f79d373afb7e9215988af555f23c3829918f985bbd5be5c1ed1ac2c7c1501816ea5cd81086

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
315KB

MD5
f35dbafe1006b2b0e8d56eb7b891e44e

SHA1
d687d4afb7d2fd3a2bd4cf0a905b9955cdc5739c

SHA256
9560738f1c8cbc4bd5b24dce246c3e665f79b64d90a67f1ecd50aeacef1dc774

SHA512
be6caad83f9c76f03b29947e1fc3899471439e9e1fdebe0dd3b2bdcd39e4437578e4ae138a9467a424fbfb96de2f028afc6364aece39d8c391a5d9361bd8ce34

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
315KB

MD5
39401bb5faec1b868d26f3b485802a5d

SHA1
ec180ece272e481acabfc9954d4f7e1eee1342de

SHA256
4e7cc95e03122c3d646099684fbc9248554356dd722bca4be4f09a092ed2e44e

SHA512
a7533724566dcc7b05801916249bd94d039310ee6ebdf075ba58f27923d4c9994360bc2042dd96f84bada6bf2144408b8c93f5bfb4cccea8211c4071938f62a0

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
315KB

MD5
94e47c4df3d91ed9c65f0d5d74e62f95

SHA1
251af331c944a4ef7deb81224909da17f198d5b6

SHA256
0a3fcf0cb6446c0150864fe1fd34aa4ecf876319a0c1a8acd7a81604ecd289c6

SHA512
0c10e7433276e6d23ab855afdde39379751f18021ed5acb466c52c2ced4499814dee47196a5b46210636183ef6e49d507ca43607cb4aadef26b47867a6ffa87c

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
315KB

MD5
d28ea9a97b2fe2af836ce7b74e1390c2

SHA1
64e53543e2e5bc147a6074a2680644ea1776a4fe

SHA256
79db867b63ef80bd0569c1565d36011f2f65b158146833dad02b54e94afa36df

SHA512
9c1ff38fcfbb5a941b30778c140a42df79a634b8043d82fdc625c6d34f2b7783c786b029086bf9414d2ace4514c21167633f59f4c6300e44fc9e9384e5032888

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
315KB

MD5
967e69e700de2436282a7ac92d6cab7a

SHA1
defb70d28981907d106b237750a93c3d8538c9be

SHA256
5b6dad8f7c88e8edacee0ba5b0504768bb75d329b47d6bb9be5cfe46ceb4be25

SHA512
2ed52b88b6dec905bf08190b04fbc77313a1369bc0638f5ab42d623a019cff3b93f56c2e18a27ecfc64fa681e5ee393db34c3c7e794487f4eb54db7d1ff1a384

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
315KB

MD5
9fa899c2637174d0e788c9df387d9720

SHA1
acd5158c671baa5434bbb0241211561d6b613d8e

SHA256
47c9434b802faba10d1dd5edbd96006b2d48c4f5555908efe5348a817c49afd1

SHA512
27a044a853f320c6601fd42e1bcf7459fdb8916b96dacba4744950ad63e2b2910a11b5596c71e370da3c593b716a76cc159b84ad538d739809fa85096a7f30dd

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
315KB

MD5
d66669a7ebfd9f362bf6e4909f59840d

SHA1
114ac86486167a5bbd1b63a8bea6e94e62cef26f

SHA256
e334fae70dec0fcaaa81ba8ba713dbf353c69525dd7b2b8c6512b42ca7d3796f

SHA512
6c5d074a9d074bbb093a0526688e62a8f119834edc9c2ebc39f712e9e16f49bf0399565c7d0c2f23e4a52eef616309f0bbb99791a336ec0405325b766fc30bc7

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
315KB

MD5
491eb724a64062b1254524a791c6f32b

SHA1
07c869d83faa9ca92d41ab7cf493ea3d1c41413e

SHA256
2bb890bfef9ea800e8728bfb922c732fe75808588c34abbaf87548e19879bcff

SHA512
35632fc2866a968f5c2c7c718b428957e3bb353301e9e945c1081d2ab5491069a23e77f53ddbd87a1a7272a865e31c666aec3630c91b61daf678bcc2cf96b8f8

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
315KB

MD5
16a75fed72ff890939ac5f3cc3ff5788

SHA1
1074cd1abe055a0dcce43ea58301e24172a45c7d

SHA256
ab48eb21c9a85363062308cd8cddbb42da031863329dd73107e6c7fd7f7b9c2a

SHA512
cae5ea6ea66a7b91369d62b7fb1ae7bc7f82fdc0563951959555fad82d829c9b6b500e44079d1de97693ca219891f4e0a0123de9d2ade67dc812f600410b61e7

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
315KB

MD5
9205d6589e0eed4a1e2b586a79079f75

SHA1
ee4824461a307ad4f0d2ed2053f643b7bdc146d6

SHA256
daa0c990b77d54c97877caf77fb1cc765afed22a17ff2c7e19680c991a8f3bca

SHA512
ac1e9ca532a1ffedd8c8edfdef6e2c712f99deb69dd75bed09ca7928e82f1778fd38d9b3f1f159f0408452a0a8e6b5d9f58f6fbf8f6b2a24da021db7fb8b0317

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
315KB

MD5
a94896a1b5d635e667f858240878c77a

SHA1
92d6100e90b2992c8baf1860d8f8e881bcf643d4

SHA256
477af7debf1909b1586aa3c2e69e6172c1620c674bfbcaec28b489e622a32265

SHA512
c3a298234f65db5d5745d2d4964e52ff069f4a6552b1c9f2b211956f3b952875ee7beb263b2ed0ba93d876828b4fae3f293e2eb9f680de345809eb7ac17e3222

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
315KB

MD5
4eb441924d13b85e3c16a47982c47cf7

SHA1
0ed418c5edd39a8116e6dd2a6a16777def53b4f9

SHA256
900699bb1fb551dae2880f630d06dd24402d35953e445eaf0d33b970e5ed01f9

SHA512
f9638b78fa155aa93fe06ae01cf504e9f3b98962863492145a020ea11b4b7869fbe4c782f47844dddfec7bfde765aee45fe0528d3ef3bcc25b7a93e33975a8a5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
256KB

MD5
b90cc982b6e3d60e99fd03b8d576e8f0

SHA1
744250335ee26d8697b5f29ae9b174abd608b5d7

SHA256
df49c1f112428580e62c2a124557d7cbcec291ff21d06528fd600895fee03aa4

SHA512
600dac2623aae96822b9a1a455134697733c8726cd92b1cb0c2b359c922c0658b7dce5813d1240e8157d5c6f924662a2548b5e6b458c87a0ac9388b84b74a8bc

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
315KB

MD5
f4a204dff6acd9ed1e0af05592bfd7c5

SHA1
0cfdc7b11d9ad2b7ab4924b7f6438311924535da

SHA256
e4cc53808d6e50484bf47dc765a72192df2f79621e2c6c4f3d0cf21037779ff3

SHA512
6ee2a4c4b8987218162d834250c98ef48920bca769dda785528f2ff6fd3f0f82404ba9972bc60d7001cff879437a4669727517177e78fc1485200ec8d727790b

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
315KB

MD5
2a3ba169ad47c3c8acde607094b6e6e8

SHA1
e456d3e078f3503501eb0b941cc89986847c4fe0

SHA256
c152bdb631441c0dcc3b4efaaaef12c897964f23391f188f2c6efb2eb75533f9

SHA512
69fcaf20efa20e30e7e5f7bba302848ff6d0e2897f84e8feb6deb9a6e13f664fd3dd9047e60674a1ff6f54d644e3a446815a2793a0c7262faacb0b51c647dfdd

Download Submit
memory/320-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/396-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads