bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
Size

93KB
MD5

69f24176d9338a1497ccf34c9a67b930
SHA1

a940c4254b850d09c4f8a740c172e4c658ada149
SHA256

bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397
SHA512

76212ec5f878cc58cd99d270c98cae1814a8ac7de5361c9cd0b0400cdce25fb0035145c93f71daf17b267c690e3085350fb7f2b12708251295913e69d9c33295
SSDEEP

1536:B9o0h1lJL3yqlxva3Ll80cRS9U6y4BWw+B+w/QAS3vsRQRRkRLJzeLD9N0iQGRN6:B+01PL3blwL+bkU6x+f/Qn3keRSJdEN2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe

Executes dropped EXE 49 IoCs

pid	Process
816	Qnjnnj32.exe
3156	Qddfkd32.exe
2780	Qcgffqei.exe
1860	Anmjcieo.exe
4396	Adgbpc32.exe
4404	Afhohlbj.exe
3916	Ambgef32.exe
2852	Aeiofcji.exe
3344	Afjlnk32.exe
4844	Amddjegd.exe
1748	Aeklkchg.exe
3412	Ajhddjfn.exe
1292	Aeniabfd.exe
2260	Afoeiklb.exe
2604	Aadifclh.exe
2148	Bnhjohkb.exe
4500	Bganhm32.exe
4344	Bnkgeg32.exe
2132	Beeoaapl.exe
4728	Bffkij32.exe
1812	Bmpcfdmg.exe
2524	Beglgani.exe
3012	Bgehcmmm.exe
1320	Bjddphlq.exe
2480	Beihma32.exe
3280	Bjfaeh32.exe
4928	Bmemac32.exe
3224	Cfmajipb.exe
1560	Cmgjgcgo.exe
2608	Cfpnph32.exe
3976	Caebma32.exe
4320	Chokikeb.exe
940	Ceckcp32.exe
1080	Cfdhkhjj.exe
1300	Cmnpgb32.exe
2792	Cdhhdlid.exe
3284	Cjbpaf32.exe
1328	Calhnpgn.exe
1920	Ddjejl32.exe
3124	Dmcibama.exe
1952	Ddmaok32.exe
4856	Dfknkg32.exe
3636	Daqbip32.exe
3296	Dhkjej32.exe
4596	Dmgbnq32.exe
4568	Ddakjkqi.exe
4348	Dkkcge32.exe
1984	Dgbdlf32.exe
4836	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
952	4836	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 816	4148	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe	82
PID 4148 wrote to memory of 816	4148	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe	82
PID 4148 wrote to memory of 816	4148	bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe	82
PID 816 wrote to memory of 3156	816	Qnjnnj32.exe	83
PID 816 wrote to memory of 3156	816	Qnjnnj32.exe	83
PID 816 wrote to memory of 3156	816	Qnjnnj32.exe	83
PID 3156 wrote to memory of 2780	3156	Qddfkd32.exe	84
PID 3156 wrote to memory of 2780	3156	Qddfkd32.exe	84
PID 3156 wrote to memory of 2780	3156	Qddfkd32.exe	84
PID 2780 wrote to memory of 1860	2780	Qcgffqei.exe	85
PID 2780 wrote to memory of 1860	2780	Qcgffqei.exe	85
PID 2780 wrote to memory of 1860	2780	Qcgffqei.exe	85
PID 1860 wrote to memory of 4396	1860	Anmjcieo.exe	86
PID 1860 wrote to memory of 4396	1860	Anmjcieo.exe	86
PID 1860 wrote to memory of 4396	1860	Anmjcieo.exe	86
PID 4396 wrote to memory of 4404	4396	Adgbpc32.exe	87
PID 4396 wrote to memory of 4404	4396	Adgbpc32.exe	87
PID 4396 wrote to memory of 4404	4396	Adgbpc32.exe	87
PID 4404 wrote to memory of 3916	4404	Afhohlbj.exe	88
PID 4404 wrote to memory of 3916	4404	Afhohlbj.exe	88
PID 4404 wrote to memory of 3916	4404	Afhohlbj.exe	88
PID 3916 wrote to memory of 2852	3916	Ambgef32.exe	89
PID 3916 wrote to memory of 2852	3916	Ambgef32.exe	89
PID 3916 wrote to memory of 2852	3916	Ambgef32.exe	89
PID 2852 wrote to memory of 3344	2852	Aeiofcji.exe	90
PID 2852 wrote to memory of 3344	2852	Aeiofcji.exe	90
PID 2852 wrote to memory of 3344	2852	Aeiofcji.exe	90
PID 3344 wrote to memory of 4844	3344	Afjlnk32.exe	91
PID 3344 wrote to memory of 4844	3344	Afjlnk32.exe	91
PID 3344 wrote to memory of 4844	3344	Afjlnk32.exe	91
PID 4844 wrote to memory of 1748	4844	Amddjegd.exe	92
PID 4844 wrote to memory of 1748	4844	Amddjegd.exe	92
PID 4844 wrote to memory of 1748	4844	Amddjegd.exe	92
PID 1748 wrote to memory of 3412	1748	Aeklkchg.exe	93
PID 1748 wrote to memory of 3412	1748	Aeklkchg.exe	93
PID 1748 wrote to memory of 3412	1748	Aeklkchg.exe	93
PID 3412 wrote to memory of 1292	3412	Ajhddjfn.exe	94
PID 3412 wrote to memory of 1292	3412	Ajhddjfn.exe	94
PID 3412 wrote to memory of 1292	3412	Ajhddjfn.exe	94
PID 1292 wrote to memory of 2260	1292	Aeniabfd.exe	95
PID 1292 wrote to memory of 2260	1292	Aeniabfd.exe	95
PID 1292 wrote to memory of 2260	1292	Aeniabfd.exe	95
PID 2260 wrote to memory of 2604	2260	Afoeiklb.exe	96
PID 2260 wrote to memory of 2604	2260	Afoeiklb.exe	96
PID 2260 wrote to memory of 2604	2260	Afoeiklb.exe	96
PID 2604 wrote to memory of 2148	2604	Aadifclh.exe	97
PID 2604 wrote to memory of 2148	2604	Aadifclh.exe	97
PID 2604 wrote to memory of 2148	2604	Aadifclh.exe	97
PID 2148 wrote to memory of 4500	2148	Bnhjohkb.exe	98
PID 2148 wrote to memory of 4500	2148	Bnhjohkb.exe	98
PID 2148 wrote to memory of 4500	2148	Bnhjohkb.exe	98
PID 4500 wrote to memory of 4344	4500	Bganhm32.exe	99
PID 4500 wrote to memory of 4344	4500	Bganhm32.exe	99
PID 4500 wrote to memory of 4344	4500	Bganhm32.exe	99
PID 4344 wrote to memory of 2132	4344	Bnkgeg32.exe	100
PID 4344 wrote to memory of 2132	4344	Bnkgeg32.exe	100
PID 4344 wrote to memory of 2132	4344	Bnkgeg32.exe	100
PID 2132 wrote to memory of 4728	2132	Beeoaapl.exe	101
PID 2132 wrote to memory of 4728	2132	Beeoaapl.exe	101
PID 2132 wrote to memory of 4728	2132	Beeoaapl.exe	101
PID 4728 wrote to memory of 1812	4728	Bffkij32.exe	102
PID 4728 wrote to memory of 1812	4728	Bffkij32.exe	102
PID 4728 wrote to memory of 1812	4728	Bffkij32.exe	102
PID 1812 wrote to memory of 2524	1812	Bmpcfdmg.exe	103

C:\Users\Admin\AppData\Local\Temp\bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe
"C:\Users\Admin\AppData\Local\Temp\bab89ca3cafd17d4b343cf38dec20baf54f65b55605328b6b800d930515cd397N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SysWOW64\Qnjnnj32.exe
  C:\Windows\system32\Qnjnnj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\Qddfkd32.exe
    C:\Windows\system32\Qddfkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\SysWOW64\Qcgffqei.exe
      C:\Windows\system32\Qcgffqei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 228
        51⤵
        Program crash
        
        PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4836 -ip 4836
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
93KB

MD5
d44849ff6dbc9bbbec5b46ced3903639

SHA1
3ca6573feec712f20cce11566a0bf45c1ca741d8

SHA256
6a84070a75d277ae0321be553191844cac4cd4ae3dcb3a560faeb3c4188c5998

SHA512
771a28dc87dee1405bfad28c84275dd72d8adf01b9ee0f300040433247ef2ffa7f57a352802b70e688de7c966214cee843d1c68179dd66f668e967ce4a98888f

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
93KB

MD5
2c93a3a2dd9205c9a941ab3366f71d8d

SHA1
6b16e278058bcf0b1a19707fff88422d377d4981

SHA256
49571cd405b472f45dfd55b7e0c5362ef0ace7bc1474ebcce63b18ccdc3eb9f8

SHA512
3c1b0246c563c416705063ba622c3feac82a0ad2552cba7271bcf261a703368d8abf8c3375cb7411d367e93b6b5a55614c8c4556946ee4d253563ab5e9ffeee5

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
93KB

MD5
71871b275523b43abca122788dede3ed

SHA1
e05a4af8c73cb1aa3678fc8413a7299c84753299

SHA256
cf8e6f55aaee72e8810032ad833b39efabbf54e3f6e0b29a2df2723e0983c0fe

SHA512
f7ab8024d40e7604a97da19f0f0bca7febd57c48239a5bd207234bebebfbc65637bc17b2e4436c684b9e3688c43c4e7ff467f52bc7c17fc377a94a35493ceb32

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
93KB

MD5
2b2c769d9e80bd6f557274947fb2c146

SHA1
b5f0b716fb69710153c6ff14818f80dff5afc754

SHA256
31ddd817a768ffeb6a1c92f46c259bb5e83b327dd68210589716cc55c3676cf9

SHA512
344b8edb210497084d56c922c044755e39976b19984af0727eec68e1fcd5c7d0fe836c3a4ccc6d428db6ab103143c51730bd8aa16a535809091b897733c1db9a

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
93KB

MD5
36c4cb74a0558f8b420e59f6e2505ea5

SHA1
37d98ecc61fbcafd377e2f2cc7f56557172871f6

SHA256
a29fb379e6a364f401399fa0db6261be3b74e60c3525bba3ff4d92c7f5eb6f2a

SHA512
f86f38df378797da296388a815fc23f1edbcd7e53afa3567235eb7450d935efa84cf977f266e4f086e4afd7ca9c978eae54acb2a133e1b86f03a92d1d88a0f56

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
93KB

MD5
6ea7743da2cee1ad37d28fbb757f6dff

SHA1
848ce49b9dcd8a90a0b2adbc03af931a378d8372

SHA256
18a99a77df5ed88a2247cad3c774838e176bbaedb4c3944a179582cb51d9a7b7

SHA512
395c52eb87fa71d484b688fd4e415c841ffed09836ad9c6a6ef6077f196cf08dbdb632f4eaf46dd81a56c1291035647f50e1cac14b7682918a874ab8ca53eb9a

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
93KB

MD5
178a6735bb5fae4fb9d6875a7304cdaa

SHA1
4c5eec24bfd10251d2d53edb893c3571551f3e86

SHA256
6694fdebe13e07702c498035fa4d2272458194faef5eb54c5451dfcf87e5bb1d

SHA512
a471f789af63efda08e5bd404b516ba6b6a949ddc1091bbcf0ffbf0897be7c404d4abad4ac1f0528a8984ac062e1a4cc4023d8df77be80e4be26989dfb501a78

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
93KB

MD5
6c917d417c031e82d7e8ea4829cee4b1

SHA1
99216f3a2977f1bb854f6406264b48d8a9fbe520

SHA256
ac8a7e67cccec66d8f45226cba0f2da85b769ed756a4ae37625b0c623a1e14eb

SHA512
f45cc91d97c8d045ed61a0b28a4a0306b82974a54b0afb0771fe58c1f42c5f47ea532b184dcdf1b1da771a7c358037ca1fed130e82e65b22d3d589ac01644267

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
93KB

MD5
3941ed24286c93b3aac350f2fa7e4d1d

SHA1
a62c8b21a959736f7e43c3841f73d46ace35488e

SHA256
15b653d20f28d93ff8f5a110ade19f1f620c95da33984122203eb09d37fcba37

SHA512
13d802fb4a916b32a01241896a174c8511ce810bc68886789afb78751ecbc7dcf31d4abe00767773c55eb9eb8f023ad5b6071001bd77b3ead571e0188658a859

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
93KB

MD5
fb55cd8853fcd85072cf62126b6cf65f

SHA1
497954995005232914ab59b338658c7b2be39d53

SHA256
806b39f2f3c2595215856fefdd04e57c0fb56722d86f403992bf973e2eead686

SHA512
9d09a3dbdcfbdcc07b334092c7eadd17642b3a26e3f2b9d0b3f8d09ef52f8d08cae90648e214f41693160ac5d236e1182f8e2fc34a8d025222572e9af1346595

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
93KB

MD5
dff3dafaec9851f35edf896f92015756

SHA1
b8ab11d0aeeea1940d7385015b9974f80c0c56cb

SHA256
2316ddbcc6f61bbc1b826a5aeb07704892d6d5c185e71cb2556f95c86f2cfefc

SHA512
1675cf22ba51e64860252ca31e098ae5ade5c038010e9152991cd14fabe5ef92a39246741ac3a49558519eb0198662acd76fe534673af7e76a6bd2dd632cb40f

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
93KB

MD5
9774a175bd68a114a66f3ae974ab3689

SHA1
c2cb4953cafe1d51e7c2d4e274c66bdbaaff7d77

SHA256
610488462dfd4ae31c03dbca6c2a26eee20f2099d9d11c97d4e2d0992397f6a3

SHA512
7a291c08ee9812b9f1cf610815f463a2e696bb4c78eac457d88b09f1d2996a3ab030bb22b6ae5cfd3d24aaf4545fd86c6ac64b885f22998dcffe40547ac428f6

Download Submit
C:\Windows\SysWOW64\Baacma32.dll

Filesize
7KB

MD5
94df0421a979f54d156c28a4c96d8b44

SHA1
913fea122cf27ff74224664927e89de13024d079

SHA256
7c96cd5c6eb64fd39f93a70d0d5312c2d00f20ff47ccfc3a4d2f9844e987025b

SHA512
394395ebe5b4f048f7f2e6f5e487d59917440bcc07d4c57b6eb8c824aa6af8571baadde083449defff6722bac11452eb39251b5b217a4637bacc22af0497fef8

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
93KB

MD5
2d9c500f3b0abf1aacbfdee9bf118168

SHA1
e3aafb779e9e42b5b0f3556c252553bb402cc2ab

SHA256
b56070f75eb38af86afd5dfd4fb83d6c3d1da8f89bfdabbc34b901c4445e056e

SHA512
df0cfa33795be60231ecbaed37e8648182a8d98cec8e71f3b9532f48d9337627b4e485d45b8587be87c9a5c860155ef874b6b422f26079cd5267678a161bb7e1

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
93KB

MD5
c37ff5a95b41050ee546f56761a14c73

SHA1
dc76ef85879c872ab9692f4eb7b2cf3994a6a690

SHA256
b505671ded40933c999e7ee0a6203c872fa047f742b9bb9c28f94ac6861586a7

SHA512
581a46847b8e9c9e23b9652aec3909c43a85eb137c3c2fb61d80f131384bde786573a0540998e36770f700df635425530c44170a0c990cefb181a1555b18228a

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
93KB

MD5
aae064aabd72a24b083a019a1c20e361

SHA1
806d6e6d0f45fd208e4f01b75d9e75829ee5d88d

SHA256
5c0ac34e2e9262492ec4089fbaeac35bf6d50d7caf76f7b95ff223adba154db8

SHA512
fe47c208fc414124d14e2113e650418088c9b7291c3fac2d5facf734d6d38f74ca1a879acaa1efa4eededef2612a9f88772f7a433f612480e8db555abf93ab23

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
94cf7817a641406a1a057c190220bb28

SHA1
bbc1a4f6d488769a91b8c5090365d0ab3913c176

SHA256
f4fbd839e6533f0cbcfaac530814c9479dd6014e9427d5918905aa517f85560e

SHA512
1d037a3cc353ad9f292c6130c85f5d009489d090c0a515a7a8fe9b0b52161a1bd764b3b9dfea88279888572a6e73a8e302caa197c7b3d8e6dd5a07b90007290a

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
93KB

MD5
cf9c9e6bd60606fb8afe7caa8e6b577b

SHA1
1bd2d6f54f2779bf7b222e68c7a669e97054c2b9

SHA256
c9cb7cad5d1ff644c79584fef3d15bcfd983243c49111fb1fac4ce8333442bc0

SHA512
2ff0193c45d64289e5cc1ff22686d588122dab4d453cee270fa45687bf23d3e9603b35ce2ad5c3930bd36e454d5a6d53378b1c8c06c802adc9eebb9df2e734cb

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
93KB

MD5
c11fb0336b45ef6c55e69149d0760601

SHA1
274af8f59051e5b87d8fb4c8ebdc1ec11aa1f0a5

SHA256
d3deb12a63f5aa537e0400241d8c537befd4043af3997b643f151076883676f1

SHA512
d9ad46606f03812dc6f4186460369390eb5b642830344bbe1edd24fdc4e48a42b9b3a4b086937fe7c4c31e490b7539cfd20f31e833a9dab7426f2e4df0e796c8

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
93KB

MD5
45298764c579e7689dbff83c10b13a6f

SHA1
ca95e39053e85080faa2019efb610205c63118da

SHA256
caf06314fe7fb2e8a4c1a8989c55d507057bfd05c805d5c0ec2f8be1a28a7a4c

SHA512
c26be5c9fa20f62f8ef3fd4545906c218675f138cf05681a2769221adb2df24a6e02127e50890a9c6f0d33a1b91db88e9e031eea59c02d12bc7a639855ce2d44

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
3f261c9398a3f2adbc9e3038d22b068d

SHA1
8394d6603f42e9419773d60b7bce7a1bb3624af0

SHA256
aec2b84af7cd206101bea76f166501cdd2ed234c2a0e26c3e9499bb0644a74f0

SHA512
2f197e4123d564f72dfc6ec83c64dad7f32f543e3a9ec4655f626f400f9531aa9559efc348ee2ab9853b8fd35f419d5ba15492609ed925833073f60cd7365df1

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
93KB

MD5
c7de5aaab92af4b9acbf9ca88df0ca94

SHA1
4f5e0041e49cd064a27dfd922eff7cb146b8f33e

SHA256
2c079b8f2f95e1e46f981abd4f18fd87f1501a8a24e75b34ed6db8677249a39f

SHA512
c0cf0bf40c0ec5daf9804e60d14979e920d6c0cf76e5f555d3fcca255001d6d49012eed9f59322437366ade2b6a5278fc73a6cb08084e6890468ee1b2b4d4e56

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
93KB

MD5
f5307af3b2b5c68d8ec6b8f11a7f781e

SHA1
9234c7ee7ee0f4241d6fae34b98a80119c86db6e

SHA256
b5ac1472de351488ec88078cc37acb6b0ed3a21ac224e44704225247a6531fe1

SHA512
5f75cc519db57336d13bb5abedffe90570772eb810a3136a977613a02439bca4defdbe057032da58493f5198c05fd1d96f405560ef4d308c558481b601401e68

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
93KB

MD5
af89bf0b9b802368e1676fd1d874e664

SHA1
ae6994104a49c16a0c2208397197523e74e87ad6

SHA256
47326e12b2fbba395e8d68465492a3dd03f2f23d69b91f5c2eb5c6192af46fa5

SHA512
70aa9d28a71f714843f7a16a57f509125ab8c48283c14fed5bece1b0273b4dcff8c71392f04314b36ed7a2f70e7ef8dc61b97963c6c554e5b19cf89c03a4f80e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
93KB

MD5
34862a3c1c759a7c4d93005d95cdb7fc

SHA1
8c160651698ebc163c9727eba132e90fcae0f7f5

SHA256
00d1dd5b542cfbeef338021aed344919a503da5a99a959b57de59bebc61d6abf

SHA512
a1ae00440e8c3b5be8674e6647747428b5da66bbba3af5e26ed9e7f7d7c2181084dd093ad172257fb9afb1c89e5c0232e703f94c680c9eaaafcf2a784dbe959d

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
93KB

MD5
ef55ce0e36ddb6f6303afd868af03014

SHA1
a42b8185582850921b8cb68d9e464d16b9539f07

SHA256
97f344016f237b181201faafeba53fad707a48d4c7ad1d2c65ea379b7c997ddb

SHA512
7e1c3ee8c2676835c27acc00546d0252bfe22e5fa7c4574e9e4c509e43b49aad6f8824b8fd619f26217659888d2cc1eca9026b0c5d67ad065efe7e0895a39c29

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
93KB

MD5
2303a9bd75253803b68b4da9b21f253d

SHA1
f34d73a4a13a46c9b375410560ad73cf47e4bada

SHA256
d2ae3e6c74c99c288ab4a5bf9b464cdf45a90ed951d7b4f92b3b91f8762abe72

SHA512
48316cf39f54a585ec174033798f32a02a947a8fa7dcf2a0b68c09ab2c331288e8da7c0cca4e5e617cc16d941f991fd49a5c03f76f14c90b8356d21f05571adc

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
93KB

MD5
a4dcb4a328cc3bfedcf85cd9ee518def

SHA1
e20af045388a23ee68481eb2c72824732d7f6169

SHA256
f01b4f31c098f8f64805eb8ab9c13b204d4de091e74b0e6e73c92d21faabd007

SHA512
eb018b98870e45026314a70fdfee15cd5b12d99f8681b5abf9d77ff63290d6d824f88295c5b798a73e4aed2043c6a6e91f3a6d88de6d8a77739436c356192e91

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
93KB

MD5
3355c5dc48430e5dfe7c94381727af61

SHA1
d6060f3b428ff67c31d29cc93ed9fa365f149db4

SHA256
3bbba248f0db451632ee22f6bdc37acc3c9ba8c300940d9ae7e0987aa5d6da75

SHA512
0b9b822fba44a2b0704e9ee0427343ae766b71fd64a98ca873b612263fd79c161676a5ce8c1b59b0e46945f0965a1b733373908545ceee48fc79b525cab82a17

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
9153ea9eca6f2e6b4043c85356986bc6

SHA1
b6a47da22e13f9b2941eec6066fdafe8be0e0aa3

SHA256
d4332078e2f3c380d7d10e98ec0e80d73cfc4d3d687486141809ba2db3610d40

SHA512
2ed6353f666d7c9c44876416edefe652dc0c15e414dde147ceb24bdf65a54cc2d8ff2b441f954d2ff608d99bfdacfe151ea5ceed811c75e53f2ffec084332175

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
93KB

MD5
25b2bd7ae63d67b871e51cebfb29599d

SHA1
c150a02421564121060aae74b592638ff336ef75

SHA256
2fa316b1af3555aefbb977805bb6ff1023e87a77abbdc01959f4ac54535c6110

SHA512
cfae938bd34a14e6975a6023bfcf27aa08996955980c16b993bb536d7119ca1e201de1ae63cd1392267e7534bd07817368247725498c62b50e986f82bfc815d3

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
68c595013460a41596f1fd0fca34015e

SHA1
78648be3e1dd8b0a83633905bf6792fb9a89f84e

SHA256
e0158b953d02e12c946279ab5c3f13f1aabf5f4228b20160dbf6518ccd97924c

SHA512
cee241dff2c9f24175590bf84c389d40fc9d927ff5e0bc677f4f7859b431567ad4bdde0b9cbb7c3f37b288bdda78c992c1eae45e4b1ff2a54a21938108e9097a

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
f19e0c83f3d4d9110e7915b197cfd6e0

SHA1
435f9098946200d42a91ffb94cc4d8aab597a4e1

SHA256
58f61f499fcf0babef0962e6bfe89c53eed632df3530d7b7224b0392a87f5b80

SHA512
5c1f1aaeb3f8dad8fa6a01deaba04a2d4fdc869705b65a334f72bdf569d1553c56ca07a47fad657e4c829994b7322ae1a65b59632d3b86be9aad454bf7b26aaa

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
93KB

MD5
a79563ad0bdd786f3482915f75b413d7

SHA1
a36faa6b12fd123793083de9ed86a080347f2700

SHA256
d4616e3aaff3fc7f5f0ce4b175158d7f868cea8f889a838d0778764ad8cb2a52

SHA512
3a1bc1e028d64df59490b86f33ddf564843261c94e1bcd016bf12ce999f0b0132f18d62209635fd3f74b3b1aeacfffe5a406dd6e0cce58ad68cdddb569293ef2

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
93KB

MD5
7a3bea78db23dad879efb3930a42cf7d

SHA1
b39cc77aa691600f27e19abc7f734d964bf1587a

SHA256
e47937e4f543d883a4762e962d3f5ba5c07f46c37114c7535f3860cdb9b1b4e5

SHA512
6ccf5adea5e7237e06afe0ad20673a594f15eadab9509d25e41ed3342df6ba02c1388f9bbf3ff229ec900f5652b8be51625f06cf89d20055822fb50c9de035e2

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
93KB

MD5
e478b5fecbdc5e9a7a80ebe2d00d4006

SHA1
d6f967ee6b2c6adcc9b8803ccc59954698492a8e

SHA256
64e8dee45a6569cda77448290440e20b6ca20347f086e1016bc38ab79f311389

SHA512
e52823c70cb064a832cfe3cf40c2de85a43e7190c277756d3c96c3dfae2e9732bdfc235debb022b112122f754f2f83271a8d220e8e6db063906904d61e2d06c4

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
93KB

MD5
cb277bd7f9f973cfcfa830818af45e17

SHA1
02522c3a42526b21b6f1a65f8807c959874a79d8

SHA256
22a5cd9d36d92607440d3d02f7dfe6ed9329c1ef31e459a700eeb5d5c6c82a17

SHA512
dd3e47ec508097f59ab4de6bc7a4f33bf08ad5bbcde8cd12d5cb921a491ca76151e632023cf104a96a1dc974579f56f5ab170778242dccd73451a420aaed9b13

Download Submit
memory/816-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2480-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2480-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3636-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4596-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads