c0996ca8fc7dc4e2f7dfd85dbccf59afae0f2be023cab85a884f23111e950647

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72209ba663854192f42f6469d4caa10N.exe
Size

64KB
MD5

d72209ba663854192f42f6469d4caa10
SHA1

4253530131657272f91eb5ab1cf43927fb0cba45
SHA256

c0996ca8fc7dc4e2f7dfd85dbccf59afae0f2be023cab85a884f23111e950647
SHA512

fa0b85dc843513ca6c92d0b7f59d2f9735dee1862f0109c2c5ab4a993001a9a464d88c8b84ea558c7416d7fd7c5f30bfee3aaa0b493ecb795c20572f63cb47f4
SSDEEP

1536:L7tuteE7cHlnTwKBgMMAspWDi87SSu2LECYrum8SPE:90b7cFTwKBgf5pWWFSzEVT8SE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d72209ba663854192f42f6469d4caa10N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d72209ba663854192f42f6469d4caa10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe

Executes dropped EXE 51 IoCs

pid	Process
4460	Bganhm32.exe
2848	Bjokdipf.exe
4820	Bnkgeg32.exe
2264	Baicac32.exe
4368	Bchomn32.exe
3236	Bjagjhnc.exe
1488	Bmpcfdmg.exe
1428	Beglgani.exe
2088	Bfhhoi32.exe
2600	Bnpppgdj.exe
4492	Beihma32.exe
1544	Bhhdil32.exe
3852	Bnbmefbg.exe
4324	Bapiabak.exe
816	Bcoenmao.exe
3820	Cfmajipb.exe
1264	Cndikf32.exe
1040	Cmgjgcgo.exe
416	Chmndlge.exe
2932	Cnffqf32.exe
1564	Caebma32.exe
2652	Cdcoim32.exe
2484	Cfbkeh32.exe
1164	Cnicfe32.exe
5040	Ceckcp32.exe
3188	Chagok32.exe
4452	Cnkplejl.exe
1960	Cajlhqjp.exe
4292	Cdhhdlid.exe
1884	Cffdpghg.exe
2644	Cnnlaehj.exe
3704	Calhnpgn.exe
4444	Ddjejl32.exe
3420	Dfiafg32.exe
1472	Dopigd32.exe
4212	Danecp32.exe
4504	Ddmaok32.exe
1512	Dfknkg32.exe
4876	Dobfld32.exe
4572	Daqbip32.exe
1260	Delnin32.exe
2400	Dhkjej32.exe
2176	Dmgbnq32.exe
1396	Deokon32.exe
408	Dhmgki32.exe
2656	Dkkcge32.exe
2420	Dmjocp32.exe
4352	Deagdn32.exe
3128	Dhocqigp.exe
4404	Dknpmdfc.exe
3708	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
620	3708	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d72209ba663854192f42f6469d4caa10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d72209ba663854192f42f6469d4caa10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d72209ba663854192f42f6469d4caa10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4460	4752	d72209ba663854192f42f6469d4caa10N.exe	83
PID 4752 wrote to memory of 4460	4752	d72209ba663854192f42f6469d4caa10N.exe	83
PID 4752 wrote to memory of 4460	4752	d72209ba663854192f42f6469d4caa10N.exe	83
PID 4460 wrote to memory of 2848	4460	Bganhm32.exe	84
PID 4460 wrote to memory of 2848	4460	Bganhm32.exe	84
PID 4460 wrote to memory of 2848	4460	Bganhm32.exe	84
PID 2848 wrote to memory of 4820	2848	Bjokdipf.exe	85
PID 2848 wrote to memory of 4820	2848	Bjokdipf.exe	85
PID 2848 wrote to memory of 4820	2848	Bjokdipf.exe	85
PID 4820 wrote to memory of 2264	4820	Bnkgeg32.exe	86
PID 4820 wrote to memory of 2264	4820	Bnkgeg32.exe	86
PID 4820 wrote to memory of 2264	4820	Bnkgeg32.exe	86
PID 2264 wrote to memory of 4368	2264	Baicac32.exe	87
PID 2264 wrote to memory of 4368	2264	Baicac32.exe	87
PID 2264 wrote to memory of 4368	2264	Baicac32.exe	87
PID 4368 wrote to memory of 3236	4368	Bchomn32.exe	88
PID 4368 wrote to memory of 3236	4368	Bchomn32.exe	88
PID 4368 wrote to memory of 3236	4368	Bchomn32.exe	88
PID 3236 wrote to memory of 1488	3236	Bjagjhnc.exe	90
PID 3236 wrote to memory of 1488	3236	Bjagjhnc.exe	90
PID 3236 wrote to memory of 1488	3236	Bjagjhnc.exe	90
PID 1488 wrote to memory of 1428	1488	Bmpcfdmg.exe	91
PID 1488 wrote to memory of 1428	1488	Bmpcfdmg.exe	91
PID 1488 wrote to memory of 1428	1488	Bmpcfdmg.exe	91
PID 1428 wrote to memory of 2088	1428	Beglgani.exe	92
PID 1428 wrote to memory of 2088	1428	Beglgani.exe	92
PID 1428 wrote to memory of 2088	1428	Beglgani.exe	92
PID 2088 wrote to memory of 2600	2088	Bfhhoi32.exe	93
PID 2088 wrote to memory of 2600	2088	Bfhhoi32.exe	93
PID 2088 wrote to memory of 2600	2088	Bfhhoi32.exe	93
PID 2600 wrote to memory of 4492	2600	Bnpppgdj.exe	94
PID 2600 wrote to memory of 4492	2600	Bnpppgdj.exe	94
PID 2600 wrote to memory of 4492	2600	Bnpppgdj.exe	94
PID 4492 wrote to memory of 1544	4492	Beihma32.exe	96
PID 4492 wrote to memory of 1544	4492	Beihma32.exe	96
PID 4492 wrote to memory of 1544	4492	Beihma32.exe	96
PID 1544 wrote to memory of 3852	1544	Bhhdil32.exe	97
PID 1544 wrote to memory of 3852	1544	Bhhdil32.exe	97
PID 1544 wrote to memory of 3852	1544	Bhhdil32.exe	97
PID 3852 wrote to memory of 4324	3852	Bnbmefbg.exe	98
PID 3852 wrote to memory of 4324	3852	Bnbmefbg.exe	98
PID 3852 wrote to memory of 4324	3852	Bnbmefbg.exe	98
PID 4324 wrote to memory of 816	4324	Bapiabak.exe	99
PID 4324 wrote to memory of 816	4324	Bapiabak.exe	99
PID 4324 wrote to memory of 816	4324	Bapiabak.exe	99
PID 816 wrote to memory of 3820	816	Bcoenmao.exe	100
PID 816 wrote to memory of 3820	816	Bcoenmao.exe	100
PID 816 wrote to memory of 3820	816	Bcoenmao.exe	100
PID 3820 wrote to memory of 1264	3820	Cfmajipb.exe	101
PID 3820 wrote to memory of 1264	3820	Cfmajipb.exe	101
PID 3820 wrote to memory of 1264	3820	Cfmajipb.exe	101
PID 1264 wrote to memory of 1040	1264	Cndikf32.exe	103
PID 1264 wrote to memory of 1040	1264	Cndikf32.exe	103
PID 1264 wrote to memory of 1040	1264	Cndikf32.exe	103
PID 1040 wrote to memory of 416	1040	Cmgjgcgo.exe	104
PID 1040 wrote to memory of 416	1040	Cmgjgcgo.exe	104
PID 1040 wrote to memory of 416	1040	Cmgjgcgo.exe	104
PID 416 wrote to memory of 2932	416	Chmndlge.exe	106
PID 416 wrote to memory of 2932	416	Chmndlge.exe	106
PID 416 wrote to memory of 2932	416	Chmndlge.exe	106
PID 2932 wrote to memory of 1564	2932	Cnffqf32.exe	107
PID 2932 wrote to memory of 1564	2932	Cnffqf32.exe	107
PID 2932 wrote to memory of 1564	2932	Cnffqf32.exe	107
PID 1564 wrote to memory of 2652	1564	Caebma32.exe	108

C:\Users\Admin\AppData\Local\Temp\d72209ba663854192f42f6469d4caa10N.exe
"C:\Users\Admin\AppData\Local\Temp\d72209ba663854192f42f6469d4caa10N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\Bganhm32.exe
  C:\Windows\system32\Bganhm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\Bjokdipf.exe
    C:\Windows\system32\Bjokdipf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\Bnkgeg32.exe
      C:\Windows\system32\Bnkgeg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 396
        53⤵
        Program crash
        
        PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3708 -ip 3708
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baicac32.exe

Filesize
64KB

MD5
721e7a449ceb763da0e987ee700d8614

SHA1
e1f221db34036cddd9ece3627e8a0ad726b6d937

SHA256
90f0d021cedc778fd05b01b1238b45b5d2a85ba1dd4f75bd70c85f036e55aae9

SHA512
7901de5ad5de641fde89c344a0e9e6f98f4e308faf9e8ee3a13df967d03ab8027a7c421da4450c3a5bdf653fd97c48532ba37fdc4c7ee54c8d43c7c8c19074fc

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
64KB

MD5
94e441cffce3f6fc3c986f9daea5e7ea

SHA1
c859d27b2db8c52ec347f762c01a273787ad064e

SHA256
bfb898e0f32c6a642f2a826e2ed83db2fabfaf29900db683d3d3710deac503eb

SHA512
6401c5606728ca025d5e00ec82dca3960ca353c00339aec7b97e529ef2d95cc203f2918fbc085fdc7681830643e9d4fccba6e0ecb34631202ccd41b9affe0d3c

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
64KB

MD5
7e1b66ae4e5e2f3d2cc86029cbfdbda1

SHA1
b65d060fae7c6a3629bfaa103ea3a4f5e9951bf4

SHA256
2965a3890b3f6a15526402e9835569f8fcbcc61b9786edfe362cdeb6b3fd3d9f

SHA512
e9cc6a803fe62b07926d5182a2b4d8fab9f141057d16db053171b43f33c6971c0cf78feec92d8a84d98e4193a26c03f9e6a1a3287e51fb491a27b0fa00e43680

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
4b31e5f869b3f5722320a74d8e712ac1

SHA1
d740f985edbc138211c30d6f1c1926ab88468d66

SHA256
2d598593a19ebc9db4719542f67d72a63873585c268c9edb1be426169cefcabb

SHA512
841bc754179ed71ba4eec04f908297d0e7a2ce4205eb7c388f57f34c2d24dd8af016288b369322b5383d94c9ad89e68d2a490356d10ab7771ee567bd483186aa

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
64KB

MD5
f8cd5abf49b0362a0bc2f97b05bc3dca

SHA1
239a5bd0dea36c0f165833a9cab52de2e28d7782

SHA256
3f3f8712ef132518e9a64b633df3183d1b33b032983246a8024616db4fcfabb0

SHA512
59570afddde80b9c3ad255ef43c700366a65156a3fa01d301e8955e2c99a14c860818d84407f8a49908af34b703f664b28937c4d550c221f1ff4c64565ab8603

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
64KB

MD5
0ffca54ad79ebc81a1bd169b06905c5f

SHA1
62e7404fd9a8d3d188366a8a2f18ee11644d2293

SHA256
d57849457a536d73aeb8decbffd76c050e82a7a0f5d9a3c4ebb5e9b77d9db59b

SHA512
98dd6553db13203f005e78d19eda424eee1f2716875235fcc13df1959b25fdccf013bda4742b150a917e350e67020bbb176ec9ae2458dd89f5784a5c01c0fea0

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
2f8a1cd8fb6e836e37ba76bb1ba5a094

SHA1
1f58d6cfec346a93d361d03b3bb125e2eed45465

SHA256
0f6761b25b5b614417282ad72081d99a39c05685de8e4235b7c9df58a3d9c27e

SHA512
83c58502c1ae22ad3eb083e94abb55768dd81250a8d0a787320446f51354b059ced4c22891678d31821fe806a81107e0b9488ee27ddb8eacf7f8cec1162ded4e

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
64KB

MD5
ccfef2ca8780aaeb4ca05f6282e10e9e

SHA1
9d04e2999233cc7ad10fecf289487d338ca6a959

SHA256
454551229b6c74332a6986b129d55e830d901dafc7ebefd40ff139aa761c849b

SHA512
38f75dae4ac3eaefc341c0257532c6e618f4690f3096de6bef6fa09578d6a67e94d5e97e915bc8d295ade5df42f8c68a86f367176aee60492b5c0225a5f63c17

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
64KB

MD5
beae1ea78aa5ca787af2178c90f75ea4

SHA1
2470560b8a60e1c0afa807d049dffb3c4dfc65e4

SHA256
0652fd763658102f656794a877934d9cf0d1ee6d2d18684519c844150d4755f0

SHA512
fe1b22b08068293e6fc489158b65fca686b912b29d46c4537ab68d1fed77257c7bbc76c4a67721308f85017dd0130bd16ed45fa194508dc2a3c0041b8bee940a

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
2912c4753e3de42566bb52b0fb229f92

SHA1
e6df09a03eb10eeac887693a08dbe66bc9870979

SHA256
5cb9a24a56076e6a50a59f599d6a614072b3480e1ca937bb4ef9b87e92fe2212

SHA512
7f26ad06fa749a54090493fbdb81d9f1b81d7361ac6adc83b413d3c0e9185d79d6c9ae6b1e88a24e001325a54f1398626045ca845689caf5af5e31472a92bef0

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
d3649ec59c3106c67326fe23b7626cd9

SHA1
30160977b338c616431cb882f6d3889e9be8c39f

SHA256
a6651d60c39bd4f4ea078692acfd8feec3889b1208f2c09105615e02bfd26549

SHA512
4b3ed43eb11aedfb57e76eeff55f4080600fcc996acb7ce95c6dfb9a5328d05cefef63c4c80e46eccee2e4e239861a94b525e878ff8d147a687d19cca74393ad

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
45adf6fa6333a745565a8e74da6447bd

SHA1
eb42ef9e52c543bb5f6f6cd06c2d0ce0ebc70b1a

SHA256
cbe2427df5831fbc1346fc405e1d9dcd8e3faf19b6dfd231ee8cc16372194348

SHA512
68799a834f408fe862287b3824ae4c7406a88f88904dac633724f05bcd2cc990690078e7f26716367b48c63c2b166287342c33bf046803d169e60ada94292272

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
64KB

MD5
a5060b7f864e4a8225fc7eb114770342

SHA1
66bd424c0f1ac8d9962e1b401d24246833a912ea

SHA256
d513afc9b9ec83b9ed677f876360635697e341771185edcbd6593092439ebc8b

SHA512
c363d86279bcc75290e34c197ab56991afd4b648d3287614d197745c896adc1929e6b20c69dbece5bc6c7c9fb9587b68aabc690e054e0a015972dec490db513b

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
64KB

MD5
59f49345a23c79406f7e37d67ce9e7f4

SHA1
59b7c001c508c760b0d3eb45f6a4577f822e055f

SHA256
99606c0d5f3527862d7a8abfc0627cdb5440befa6de1d4aa430e8c0ecd9c6944

SHA512
c1c8eabeda848c9b8081c013b3c973ef0e859adb42efeac6b8d76e25f816c88bab7b0cf66d7321459f4eedea13d4f695b1d76c042d4f79472de6205d8ab4c51b

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
64KB

MD5
0c3031826d9b0923bcbecff6406baa84

SHA1
5675840bbbbb7e790c599e046cf4918069ed7f8d

SHA256
1f906eb0eb19500905560cd63b02b772bf047be956d25af23aa587f3419b0c76

SHA512
7a6aa36f808f00d92ec835da1defa222939a3e9248b37582f9773dcc6f9d16eb62df7cb6dee8884e5f94789cb4b380f742c3c7a29b763b24258cd66778da959a

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
64KB

MD5
d64a4350061f4c922f4578eae030f678

SHA1
4759df62eb00fd4b7bef26de2787177aefe0a1ce

SHA256
ed38ea75aade0edcc57d479326c6759c361d9e727f244c86afd166112675e8ab

SHA512
a999b42631a1ca46c3a3589640535871e7c891f90a538e52e09072c759a29519cb0c06dd8404112b78e0da9dd481ddc96f9d8781b1491cbb5d2f73748e563289

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
7ad1e1569176f3c05e4bc06468b74114

SHA1
4f95fa73d05e3fd5921e4214ced8868e0f7796de

SHA256
c4e59d1eb31bf6e4dafa20c7cb3a8c8b3900d04cb34b29255227da6a6121e8db

SHA512
b3f58b48a35e1c116bee9a57a3d6997275975cdfd4dd70ca0c5440724da0b60dbae5fa40761dcc20f49dc201af3e5eaf7916d00505c3221fbf92564e1483a25c

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
64KB

MD5
453421b0a2deb0b71b8af44aa27d17c3

SHA1
f8c4d03cfc1f3382f49871415718833169c32741

SHA256
fef9ca63df0f704cfdad5d0b861096cb0226d624864c29a1959040a37b76ba3b

SHA512
8d8ebaa5049674b36d95e9281abddad5addec7f92198ec3ab52e4c2d733eb08fe4165b8784a2e8e22e5ece6901a7e4bb6a3b93b47ff6a4d549a82d13dc0ec67b

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
dd32111396c6211b7f1b399e73a2d989

SHA1
e2cf25fa69d3990c75ed7f0c0a5f5aa90d55ceb7

SHA256
5dff485999f17b0b19cde3d42f2f008f9658aad38322d93ef90b1471adc6177a

SHA512
d6cfd5256500365392071413aa4e8ac562d4e2326737e6adf2517e24e6481e1009c9a8c4d2648dec48fdb713c25f4be766d22058909415f73dbf0c3e0d17199f

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
a5e2dbf9ac6366ac0ef7a5ad94a5b868

SHA1
4184469d038afc99782f94b8c782563fbba6ef79

SHA256
aeafee4fdf84518af09ebd0a627daa5446d1945f6b16ffc9840b067adc494240

SHA512
5b3ae026535aaca4a051631961a52a14810fdc21a885f4dfe152c6274a4fccbbd41478e1a3a5c5fee7aee156bb6dc1160ebecc1378ea8ea241c2665f94e46f96

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
ad586eed74cc9883e635ddc7ccafc3d1

SHA1
5661e42d11ff3a190cee633386b4fbc293e2eafa

SHA256
c4044cdf24c80b18bbc56a1b7cff5aac22305392064f62cb53ad475a7d4e4959

SHA512
ea021b7a15b71039d430d0789d1177e6c6f074fd54b89f5ee429e0bae3efd699c1bd313874c9ddf89de95964a1e474142ec298ce3e6c3ed74f08ca50615b5e69

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
7a3877fce807556af5620f48704021f1

SHA1
ba728da6ab26dd18adae179512e25a7298606fbd

SHA256
1f31c3767b0e16aae77b1f3b33f5aac50a5f5ec8418a1e8d8416f2ec41b0bcf9

SHA512
7f795f512ed3ff391790dd9114b38052a9c43406d360f06e8f14d54a6810407d2d836dbef9005ba3874dd822fb7e0155dcf30a3ee892d922ec2bd35b70cd8c1b

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
abecc2b579a66c6903b547b0849eef47

SHA1
1f634b0a56d9adb791243d23fdee55d944fbcbc0

SHA256
c8b4652441f045a1fbb4ff970cdf568abaeb2695415b23ed98050bf9304a9b51

SHA512
2f1fc4071fa9358e23f417a4d5fe256d2e5d429647c55acee22b213b213a6ddb7047493c1f4f83fb597422e5a4fc641e77c003dae05662f5994a9d3a90e1948d

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
e77a76dba1c8bd9c7680c1cd16cd57d3

SHA1
8d69d86ec282e214d6678dbe177cd712ac2e25ef

SHA256
2e4061db071e686a26b216f4b675f9bbfc57c684233fc21a5dc46ec239367cbf

SHA512
dff5aa6d23dd35e42cd77b8ef715e0cb71a83433699dbf6610915ce97c8b9ddfbc8f8029aefb1f27bb6cfc09ba85404cef286e2b1c52ae63f6f1e08d26862f9f

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
0b8f6dfff670bf18a45a1f83cddeb12d

SHA1
6f73259bcf870d3214bbd688946044a3b8dbc492

SHA256
6eff4bd78957f0a726c4f044ed689470b047b2a5c1eae582e29ac02e654bc089

SHA512
3fd7af6b5cdbd2d30e11698039dfddc2aee42c65c90e75f84924d42639f8612198cd55c2707fc2a8ed1be918c7ca01d906a2fff81e3e93047d4027115a5168f1

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
e696032e58a9e95558f83face4f2e2c6

SHA1
0922d6e057d3e0af00904164aeb157920044b96a

SHA256
026b11063564619fdc92f94f96f2b3ba0b0f944713492691bdbcb165898f3bac

SHA512
72b4a2eb6647ce5c7723504b527c41880de896aeed670aad51535a461f9fcd8d8d9ed2b0e820512de041a1a2012ab73d50439783663e8e5e21566f8ff333db9f

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
032542e3ba14070bdd0da5385eae417f

SHA1
be88bfdce54f74c8b1fe9d5227283cf8dcb788db

SHA256
eb2784da0373f787b22beb2bd4c4892acbe42dd5653fe97adca03a7653b4e4ea

SHA512
13ffcbddcf7de7173d41beb70f697c40296fa6f60af298c9d4ea0e0f15a3cf2daf06019c35eae07ff46be10b580888d65cce15d8a363edc524706213a1f28909

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
64KB

MD5
b0ad8efdb3b8f79c1432d66cfa0fcc4c

SHA1
14a5bc358ef295b89194ec06413d03a5a0dcb6b2

SHA256
0eb5e95a72967633c0c85035daa135cdbc2f36595309bcf85f1b0129ec4ac97e

SHA512
fd0b8333c92d4e015af2f66d01b279375e0707fc1465d34434fd4666693d52a64930f3480e8ab09ac6446cc171a9601d678d54df2cb883afccda4edf56c125bb

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
6d5e8b93ac6d1dcae751fe6177ff3070

SHA1
1e8e3dd48e7edbe2b147588e77cb9a4d833b673c

SHA256
bee1ff2f0ab8d4b1aee59f0db79a434c4f064fbf87410a67b1d2be107245f9e8

SHA512
ebcf0adbb49826405a3d033456a2336ff4755e3bfca7065cf00b010a7dbc573c3e2a956f5c137690cbb5e7b067f181b268fdba921c70bb112552dbd77166c7cd

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
64KB

MD5
d272524cd89aeb3567ad1724bf05c112

SHA1
535b926d2d2afddc63a0127eee461d709f3c62e6

SHA256
f9dd1ab4f704d66ff08d63d7816dda988aceb7e0326f9e855d018df2ec39e726

SHA512
6ad62407231d2e3fb9bc96188ca8cf65d69d17b4456d708164fb5c0fbb9785c44b9dc066a1d5555b3f3cf0aff0d880216118b74e355165ce8d6a037ff194fa19

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
e6d96863459b6d95985a94c1c269f76b

SHA1
5192567f9ae9e3a47cfeaae180cc22286c752a33

SHA256
4aea82d84c2060b5c08c8e8c5ad9e95513a8d20a7c0cb34e81ddddf81e1d43ea

SHA512
04dc0b1e49741d1cc3f9125ff5d98d602129b25228f6ad0fd663ecb890d2b581b491a0fca55c3394e6ed1c3a36a471ef97d52d9d0de091c6bf97268858859427

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
25a6a51e790a04b071f3966601930b46

SHA1
079e90b163a68c7c3f1bf229f09d78bcdc24ef3b

SHA256
67bcdb6e0014a3e76a556b4a3461812eaeb78e5d0bb5f4436d9c72904ce19fb3

SHA512
d274afbd1c7abb8daf3d7e3c79ba8baad1d776030b9797df334d95f70698c5a4df99edf9a87292ecdcc3881e636621e5a5afd2d476f34aa3dc921a25134bf47d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
37eb73d4fbe89b330e900aa3375f4b21

SHA1
f46e859c6853d6db66577989a959e8ca1b02ef33

SHA256
2daeb6e7cf6fe3a50824847fe8f39213ed3eef90287f87e561bca798fdfd1a4c

SHA512
ead121d8f3ac217834c4c7761d257b8999575e108d73bf9f37561b64564ccb7f6c3feca5f369689f0499b02ee7c8b1fe659217ee200cde82e214c322b410040f

Download Submit
memory/408-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4820-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads