56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe
Size

93KB
MD5

ea0086247723a9ed3d8a99aab5aae2ad
SHA1

f7fe70eceb420f7f186fc485408f4659bab8e9d5
SHA256

56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3
SHA512

41694800068421f6fa66fc69ae3cdb59f3a1433af4be83da2bbcfb237a2559e2d4592ddad8497d5736e87177f609e403d6ab13f97e419914205fc88a581c123b
SSDEEP

1536:UBSvP2XmTaiUibHEoyiupcBr5lwhnoxssRQnKRkRLJzeLD9N0iQGRNQR8RyV+32r:Tk2an/xrpcx5lwgeKSJdEN0s4WE+3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cebeem32.exe

Executes dropped EXE 64 IoCs

pid	Process
1452	Oemgplgo.exe
2840	Pofkha32.exe
2748	Padhdm32.exe
2976	Pohhna32.exe
2912	Phqmgg32.exe
1052	Pojecajj.exe
2624	Pmmeon32.exe
1484	Paiaplin.exe
2944	Pdjjag32.exe
2440	Pkcbnanl.exe
2860	Pleofj32.exe
1588	Qkfocaki.exe
2128	Qpbglhjq.exe
2324	Qdncmgbj.exe
2084	Alihaioe.exe
1384	Agolnbok.exe
2100	Apgagg32.exe
1800	Aojabdlf.exe
1776	Afdiondb.exe
580	Achjibcl.exe
2164	Adifpk32.exe
1388	Akcomepg.exe
1508	Anbkipok.exe
1424	Ahgofi32.exe
2296	Akfkbd32.exe
2712	Aoagccfn.exe
2340	Bgllgedi.exe
2716	Bbbpenco.exe
2548	Bdqlajbb.exe
3060	Bgoime32.exe
532	Bkjdndjo.exe
872	Bfdenafn.exe
280	Bnknoogp.exe
2800	Bnknoogp.exe
2892	Bgcbhd32.exe
1692	Bffbdadk.exe
1952	Bieopm32.exe
1292	Bmpkqklh.exe
2216	Bcjcme32.exe
1096	Bbmcibjp.exe
2196	Bjdkjpkb.exe
2432	Bmbgfkje.exe
936	Coacbfii.exe
960	Coacbfii.exe
1456	Ccmpce32.exe
2140	Cenljmgq.exe
3012	Cmedlk32.exe
1704	Cocphf32.exe
3040	Cbblda32.exe
2768	Cfmhdpnc.exe
1440	Cileqlmg.exe
2720	Cgoelh32.exe
2772	Ckjamgmk.exe
3064	Cbdiia32.exe
2532	Cebeem32.exe
1028	Cinafkkd.exe
2904	Ckmnbg32.exe
2856	Cnkjnb32.exe
2956	Cbffoabe.exe
3044	Cchbgi32.exe
1936	Cgcnghpl.exe
2652	Clojhf32.exe
1680	Cjakccop.exe
1244	Cnmfdb32.exe

Loads dropped DLL 64 IoCs

pid	Process
816	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe
816	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe
1452	Oemgplgo.exe
1452	Oemgplgo.exe
2840	Pofkha32.exe
2840	Pofkha32.exe
2748	Padhdm32.exe
2748	Padhdm32.exe
2976	Pohhna32.exe
2976	Pohhna32.exe
2912	Phqmgg32.exe
2912	Phqmgg32.exe
1052	Pojecajj.exe
1052	Pojecajj.exe
2624	Pmmeon32.exe
2624	Pmmeon32.exe
1484	Paiaplin.exe
1484	Paiaplin.exe
2944	Pdjjag32.exe
2944	Pdjjag32.exe
2440	Pkcbnanl.exe
2440	Pkcbnanl.exe
2860	Pleofj32.exe
2860	Pleofj32.exe
1588	Qkfocaki.exe
1588	Qkfocaki.exe
2128	Qpbglhjq.exe
2128	Qpbglhjq.exe
2324	Qdncmgbj.exe
2324	Qdncmgbj.exe
2084	Alihaioe.exe
2084	Alihaioe.exe
1384	Agolnbok.exe
1384	Agolnbok.exe
2100	Apgagg32.exe
2100	Apgagg32.exe
1800	Aojabdlf.exe
1800	Aojabdlf.exe
1776	Afdiondb.exe
1776	Afdiondb.exe
580	Achjibcl.exe
580	Achjibcl.exe
2164	Adifpk32.exe
2164	Adifpk32.exe
1388	Akcomepg.exe
1388	Akcomepg.exe
1508	Anbkipok.exe
1508	Anbkipok.exe
1424	Ahgofi32.exe
1424	Ahgofi32.exe
2296	Akfkbd32.exe
2296	Akfkbd32.exe
2712	Aoagccfn.exe
2712	Aoagccfn.exe
2340	Bgllgedi.exe
2340	Bgllgedi.exe
2716	Bbbpenco.exe
2716	Bbbpenco.exe
2548	Bdqlajbb.exe
2548	Bdqlajbb.exe
3060	Bgoime32.exe
3060	Bgoime32.exe
532	Bkjdndjo.exe
532	Bkjdndjo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Pdjjag32.exe	Paiaplin.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pmmeon32.exe	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Afdiondb.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Ngciog32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Ihaiqn32.dll	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Agolnbok.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Ekndacia.dll	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Qpbglhjq.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	Paiaplin.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Padhdm32.exe	Pofkha32.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Phqmgg32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Agolnbok.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Phqmgg32.exe	Pohhna32.exe
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Dqaegjop.dll	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Ahgofi32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Delgfamk.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemgplgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngciog32.dll"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adifpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bfdenafn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1452	816	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe	31
PID 816 wrote to memory of 1452	816	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe	31
PID 816 wrote to memory of 1452	816	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe	31
PID 816 wrote to memory of 1452	816	56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe	31
PID 1452 wrote to memory of 2840	1452	Oemgplgo.exe	32
PID 1452 wrote to memory of 2840	1452	Oemgplgo.exe	32
PID 1452 wrote to memory of 2840	1452	Oemgplgo.exe	32
PID 1452 wrote to memory of 2840	1452	Oemgplgo.exe	32
PID 2840 wrote to memory of 2748	2840	Pofkha32.exe	33
PID 2840 wrote to memory of 2748	2840	Pofkha32.exe	33
PID 2840 wrote to memory of 2748	2840	Pofkha32.exe	33
PID 2840 wrote to memory of 2748	2840	Pofkha32.exe	33
PID 2748 wrote to memory of 2976	2748	Padhdm32.exe	34
PID 2748 wrote to memory of 2976	2748	Padhdm32.exe	34
PID 2748 wrote to memory of 2976	2748	Padhdm32.exe	34
PID 2748 wrote to memory of 2976	2748	Padhdm32.exe	34
PID 2976 wrote to memory of 2912	2976	Pohhna32.exe	35
PID 2976 wrote to memory of 2912	2976	Pohhna32.exe	35
PID 2976 wrote to memory of 2912	2976	Pohhna32.exe	35
PID 2976 wrote to memory of 2912	2976	Pohhna32.exe	35
PID 2912 wrote to memory of 1052	2912	Phqmgg32.exe	36
PID 2912 wrote to memory of 1052	2912	Phqmgg32.exe	36
PID 2912 wrote to memory of 1052	2912	Phqmgg32.exe	36
PID 2912 wrote to memory of 1052	2912	Phqmgg32.exe	36
PID 1052 wrote to memory of 2624	1052	Pojecajj.exe	37
PID 1052 wrote to memory of 2624	1052	Pojecajj.exe	37
PID 1052 wrote to memory of 2624	1052	Pojecajj.exe	37
PID 1052 wrote to memory of 2624	1052	Pojecajj.exe	37
PID 2624 wrote to memory of 1484	2624	Pmmeon32.exe	38
PID 2624 wrote to memory of 1484	2624	Pmmeon32.exe	38
PID 2624 wrote to memory of 1484	2624	Pmmeon32.exe	38
PID 2624 wrote to memory of 1484	2624	Pmmeon32.exe	38
PID 1484 wrote to memory of 2944	1484	Paiaplin.exe	39
PID 1484 wrote to memory of 2944	1484	Paiaplin.exe	39
PID 1484 wrote to memory of 2944	1484	Paiaplin.exe	39
PID 1484 wrote to memory of 2944	1484	Paiaplin.exe	39
PID 2944 wrote to memory of 2440	2944	Pdjjag32.exe	40
PID 2944 wrote to memory of 2440	2944	Pdjjag32.exe	40
PID 2944 wrote to memory of 2440	2944	Pdjjag32.exe	40
PID 2944 wrote to memory of 2440	2944	Pdjjag32.exe	40
PID 2440 wrote to memory of 2860	2440	Pkcbnanl.exe	41
PID 2440 wrote to memory of 2860	2440	Pkcbnanl.exe	41
PID 2440 wrote to memory of 2860	2440	Pkcbnanl.exe	41
PID 2440 wrote to memory of 2860	2440	Pkcbnanl.exe	41
PID 2860 wrote to memory of 1588	2860	Pleofj32.exe	42
PID 2860 wrote to memory of 1588	2860	Pleofj32.exe	42
PID 2860 wrote to memory of 1588	2860	Pleofj32.exe	42
PID 2860 wrote to memory of 1588	2860	Pleofj32.exe	42
PID 1588 wrote to memory of 2128	1588	Qkfocaki.exe	43
PID 1588 wrote to memory of 2128	1588	Qkfocaki.exe	43
PID 1588 wrote to memory of 2128	1588	Qkfocaki.exe	43
PID 1588 wrote to memory of 2128	1588	Qkfocaki.exe	43
PID 2128 wrote to memory of 2324	2128	Qpbglhjq.exe	44
PID 2128 wrote to memory of 2324	2128	Qpbglhjq.exe	44
PID 2128 wrote to memory of 2324	2128	Qpbglhjq.exe	44
PID 2128 wrote to memory of 2324	2128	Qpbglhjq.exe	44
PID 2324 wrote to memory of 2084	2324	Qdncmgbj.exe	45
PID 2324 wrote to memory of 2084	2324	Qdncmgbj.exe	45
PID 2324 wrote to memory of 2084	2324	Qdncmgbj.exe	45
PID 2324 wrote to memory of 2084	2324	Qdncmgbj.exe	45
PID 2084 wrote to memory of 1384	2084	Alihaioe.exe	46
PID 2084 wrote to memory of 1384	2084	Alihaioe.exe	46
PID 2084 wrote to memory of 1384	2084	Alihaioe.exe	46
PID 2084 wrote to memory of 1384	2084	Alihaioe.exe	46

C:\Users\Admin\AppData\Local\Temp\56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe
"C:\Users\Admin\AppData\Local\Temp\56b25392319b87f4cf2ec748d5a351754e69924c6af1f03dfc401f405b4fabb3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\Oemgplgo.exe
  C:\Windows\system32\Oemgplgo.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\Pofkha32.exe
    C:\Windows\system32\Pofkha32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Padhdm32.exe
      C:\Windows\system32\Padhdm32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:280
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        36⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2272
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        72⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achjibcl.exe

Filesize
93KB

MD5
8640c972a9f3e086799fdb7e6ab6c0d8

SHA1
a892add68772f4ba4c0b48a270f69560befceb58

SHA256
b4cd9042063f440a710314e13694f7c9951d39bd3b4e2a8b9325c01e2fcdf72c

SHA512
c9f5d012b38457b97b4bbfeb684f4fa8ba23985346e14fea523962190540890a38d09d1fb950ddf0d3cce68263b58edb38220919d7c22e1796a27f19920bee24

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
93KB

MD5
9a6b81aae6fc2c501669872ac6a7e48c

SHA1
b9677af3f3ae5f1f820ab9375bb817218321486c

SHA256
556e6c484c5055fafa8b83ff1c27463f8f2d8ae815a6c2b5e413595e3ca5a871

SHA512
d71cc36b396829a281ae83278c0651269c640af32e93c86eb3e3bb09522492e4df8ac14fca3f8cee5c67b9154dae41f5f915f9971bc38fc5f7178547807b7d0b

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
93KB

MD5
5d66fb31741b412e694f081ef5f64d68

SHA1
372298747c7c4ceb5d193d717e9182f942991368

SHA256
1084f319933d33819d29102ce55b5bb9ac2793e63b552cde6a015d458c7607eb

SHA512
896fd8841a318a43e1aec111a90a4276ca138452432c120bda854010f4caecce2850c215e20898e86697edeb602be40ed025aa97fa100530136f9e8b079dac16

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
93KB

MD5
dcb2f6ed0f0c41a203a681adc46820e7

SHA1
838c498e915c3fcbfdc0f5d1e2f1a134e550c286

SHA256
50ee4793ed3ff2908170a7ce020aa91c6da427068bb2b5d8a278400fa4edfda4

SHA512
92850fe6e77fc0f9767f5bdffe34dc14c56c26c2a3fd43365ff9f5369cd2d46c409da0e6588770e9b9bea2391e2a94e46f231e46e5e3533389edbdb68935bfbd

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
93KB

MD5
b883c98e0507d828aaf075c4ff00114b

SHA1
8c8974dd4884a69e62d782448b0cb87fbfca940e

SHA256
e8193a4dec52677a62313bc53b2ab7981324a348f560d7d40c47e4183fc36578

SHA512
49cad9b4575ee54e591e4a4ddebd027478f27c607f0cf7e02362cef1fcd5c5758f54791f489238419c96a83d40f9e42b2a8fbc4f3b55f3cd8c956a7d7620435a

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
93KB

MD5
64150d92989bfec0ce451bdabc34757b

SHA1
b62b0949d0431d04548179c828c6b7b68d10419d

SHA256
b4fcf4142c3968489cb376a919f85ec1d292ee00d8bbda77859f83ead3f944df

SHA512
29d3fd2a69198d7da0f37da8cc4375f8680802a06d2c07de2759fdf62701ef9c7368c75d0c8b622ce53e3e3c694d55bb1d45eb501dc9d4103fd564c524e06365

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
93KB

MD5
18928e22410bbe05ec1d35e0e83413b9

SHA1
bf96ebb79f3e6075539060943f26abe7dcd0cf11

SHA256
7616be12215fab360be05431972e6f48e248eca0da8ec9a6d53e36bb23c8cfb6

SHA512
b7287a0f553699e4dc42d87697a45d5cf4b0e3ac8db83ed37474da497396367f6f1094a43c5e13046bc88fb89b8ed99fe23cf8908d5a071ecab023e1587668ab

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
93KB

MD5
4df4e980858e53ec0f38b286bea78d93

SHA1
446a014b2e67796b5ce796bb878e3683c8d2da49

SHA256
2e66791e2048db637d4a72c591f7f47c627f8cc20bfd27fbb42ee25e8599d9cc

SHA512
eb54b8534472a1b6c757ad46419e687a56eed66597f062d6d5ee6f7de8610640fc9988552d26c1631c7f7d289d37c63ec690c049abe981651e19d13f0f7d8abf

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
93KB

MD5
b01988533f3c4b8d3bc6d3c6f23ea97a

SHA1
938033e36ee5f3d7c09463712be455154638a2f9

SHA256
ce6e7a7463524281bee5d47f21fe564bccbece82ff23d2e3b6843bed648751da

SHA512
d9670fcbf50550fb87d6935c84909137711e7de6b9b939c84d0bb9815588cef068419bb1c7d177c09688f939095a1d79a85b021362f7e5e1c6ba892f41c21bda

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
93KB

MD5
827397166be41a79c12dbad4a3f689da

SHA1
c8b90270eee43c9a463754c5de8d136436d64833

SHA256
452a95427507c2cf15de6c68a8e1c1c047e05e7f9292a25563e5cecd9c5b32a2

SHA512
39382050873459e07de6edda2ef876e432e8d5a825a8cc91a7bfa5eda6f675837eb67395a7d5e8f085e71ac8e8132099ed979dd9455ca45942d59fc53f74c0ed

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
93KB

MD5
d2c20d543f1292ce8f59a6c2b35ad9e7

SHA1
2ea9703e680a6df7b3a7baa80bfb7889c9768bc7

SHA256
743bf7e3fc1de6b6d1271033ad34e0e46407a352cacefc5a0c24ff0160446e95

SHA512
eab90c89d6f07effcba5992b1af02e3ca64f9ac875684be09901a1481b8fdc7fa5bc672f1922dad0a591b0f0012dd298fcc046f2396f2824e09a09175d95856e

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
93KB

MD5
3f9979c0a296c6330478d527df8a522e

SHA1
f9e4ae3fd14b267fa82087fc2939aae07a8e8a39

SHA256
226042d0fe2b1f5723350dedda344f680f28962fb103b239cb09ce21c8d49607

SHA512
a212667a0b64ae6187a86f105dcc25c795c492b2ac43fbbb0cee6711ac0b27be60fb8b5838efcaa673127e67be0a007ae69f060600e20d46e28ba482434db2d3

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
93KB

MD5
913888fde1d7e924a47dcd7806589ef4

SHA1
0c81bc1297579767bcf79b441ed3a72f8e23cad3

SHA256
2a874f2cf37ba38442e38a5aeda350940b712876ae9477d44d9169e027024795

SHA512
2bdb3890a08e20124765fed975e1436a5e1811cab51becd32bae52745217f1888ddb68c0e3e7c800203e10148a5dd44eb5dc897afdd873c9ca1cd85c78b88014

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
93KB

MD5
7aed61d43ee494ec4bceaed10629cce7

SHA1
d8975cec6a3271580a218abd9033279411870ed0

SHA256
5db072503929b79671bec7301a85ea6dd7e4e9280b0bb40903f28fd153ea7a90

SHA512
9ae690bcc9dfeffb3d6462aa8464c03f5e63a75e7197f0566af17cf1e53846669457fb89e75117309c3ff49cfe9dea2802552945179f227f3affcd3113a9fd4a

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
93KB

MD5
d6172116aafe31f4255b531c0393fe16

SHA1
1c03cd6ea8ae6ffc16108ce2aa1a13b752b10a6f

SHA256
f03934e9b61be6e7a2ea1bbbc8b5ff4a0353ba1001ad0b0d85ecd1d118b1c276

SHA512
27f46bd13b82e8a6c61008d2639cd8a475fb8cfa47ccdd4000de9fc7459322172e99a4a0e1263afa7b26b24e3a1523eabf2a65849495a3e2f22ed39e844d4104

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
93KB

MD5
57d351baac14d0f2f6ffcd3d2c7e78fb

SHA1
bc457a5c5fb58db18d1ebaede48efc4f759e1de7

SHA256
e907c6bbb263e0ee98da1de2d36fa3982b0e21ada9b7f6b148e421e129e603ab

SHA512
1e129b4b23a522433823f3dcdc2a01b349b1fb41cf4740c01b877c56924e3b220de8c9e74476e1ab08b8199f6f7b744d343d01d9ce36f02e0a8fd541bb59d6bc

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
93KB

MD5
c1dd44a6b13801747663c622885fdef4

SHA1
515bececb8f02ac440c6ac9110b08ce33791401f

SHA256
9578e91f02b8298e40fbb4f3a65b0dae6cc44417ac706bb21488566e998bd8ad

SHA512
3c0aa14fc6b1f1c6857518dfb03e33229e87fde9ec12d55796605d51acda6647d51f27c89827895aeb6bd9a4e5568cef6b97149eca15b186cf244575db9fbf6c

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
93KB

MD5
415256a58e1fde2835f10a2d6f340a76

SHA1
e086c023d5f3d8868ffd7251dde94b732d61aeda

SHA256
c767ad79f6555ff56fd2c29c99b803a75b0eec6df7ecc747ca23d426ca6299e2

SHA512
e5aaae90ab6a5cbf7490240e31e5a1a1e67cea450d08d58ad5024564c0ae87c2c279dd4659bfe8d3590401caee07c4730bda7fddd45bc1647e1cdff4ead348fa

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
93KB

MD5
bee51a5271a7a7f0f4f3e1919486e399

SHA1
f9ea103c5b45d5a01e52a46edf6320ac1425498a

SHA256
bd25902d07bb796469018a677c8599f5ff82bc5f137475a62e75cfdfc4bf7369

SHA512
965ccbefaafc092807c6e6abc624528d7d5f91197389736f366612c42f400e32e36f7037f56c4de3a4a480a6d9d5b807a76f3f24b0a826a187454b5e8b85209c

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
93KB

MD5
ca2b587b3a369b42e69e3847096c76ba

SHA1
3c848fdf788becfbcf61d23a8805ce7cbc784f79

SHA256
3523d52a9129ed3d83320fcc637c641a7c10bb8f19210231662cba4df86b7719

SHA512
6d97f7cdfa8d38ab74444807c1adb4052dd5e6c4967d9e7d1c07cb7dfb6edb98c4639400ffa8dd2c2d0a26a3aeb2e680ce86e83b6b662003656d166a5aa5a298

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
93KB

MD5
8753c295d096eabaa31060f1ccfc8473

SHA1
1ff3e6e32f07dca6523c54080109765349755f9b

SHA256
0d7e7e2f4708aa6ebc39b214398eaecc6e15e9da670e9154a12f1fc4f48170b2

SHA512
f12dee445012ee80b24813e50d8c2ece5b49c45dc38bc89acf6e5ca353016ab69e6f3858778f830522b96a39f71c28b7d1de889f9a7dbaffdc22e6acf1b1d062

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
93KB

MD5
10da534d4817e2cc32e223083abe7d1b

SHA1
8786f8c68800f5d107e6366873601666659fa8d2

SHA256
925547909cee0504c3f25762340c5b40582092d6df7e301c5f6201c51bac1c93

SHA512
532b5b9d794bd0db2e26cf121a4e00c3db27b336a60bad4ad78af31ec3baf18d99ad90bd181ef9054a7d00f043ab86cacc792bd81d7e851c1e565e3e7abcac60

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
93KB

MD5
7c14fdb0f2b86a7b849b986c60afb2fe

SHA1
8d613a00192f86b8b24cfe00afadce01235d7fce

SHA256
af5789349f4ff132b0cafab0c8c34b64734ace39a897db7e96022787536426ba

SHA512
93289c7f82d2fdeed0bba84db7543dde9fb9a30aae95f4e554bb2c891f65f1c7227a23de8b54ef0b9ec70a053602a3f2ad20167c1d2c3de031e1d629c49604af

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
93KB

MD5
ab06a0c27f81af1c53191774ec2dae9a

SHA1
1de2a077dab6377654eabd8edff2329067b6dc59

SHA256
9358edd57031da602350c1b4c5d5ea57558457978bb19c5f1362d6ee41f077bb

SHA512
49e3de417261d4eb3064a4442475eebd54952734bfd2b876167cf3ac5dfdef21f2970db7a71995a7ba793e1d74df60d2d0fd4c928b4c47db432a498cd377e2b6

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
93KB

MD5
b60dc648361f6a758d625b7ee65d6bb8

SHA1
e6852ec12fc4c56d5ce0e97ba138f437d81bc337

SHA256
6caccb32b711c1f3decda375f402d94506f979684f96352c957b2eb0f391656c

SHA512
4c978b4206d1c3e31a7a295571b1b76889c461f3cb00cefef997bf5316fbbf470fec2f19441b938008d36381d4dc8ce2071e0df15384ba72ff46090929afa34b

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
7f6d86b0f5c5b6675e0b5770e28af03b

SHA1
b68b3584bd9c0485c073ca27a4783b94e1417209

SHA256
418cf196b755d74b88595ec74081a3dfb8cceb5bd065511269271136d4776d1d

SHA512
424b66373d17a6ca963a0290fc8a9f813a2b38a793968bcb3944bb9b630c3f9a11f7edfac49044fc1ba221b7296fb156d127d799ccbc2a795e373e4e201e98a8

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
93KB

MD5
68f1716c0b2a54d441a9dadb6ce6fec6

SHA1
689d000000034fe4ff0b284cb3efb0878e1e8804

SHA256
1c46e954960e109b95894184bc72f97db3069685a9cac70bd2df58936ce169dd

SHA512
def4c8fccf179eeb9ff8598cfe3e6d5cc29a051c2fc813ccce75d1a59ec80f94bd507ed61808acc0f740de40abf967575bef51282a25bbaed1675942a882109a

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
93KB

MD5
b0a1efca7aef962b67a60c81c1789769

SHA1
9d07ea944da79d9ffdddf005a12870f3b69d642f

SHA256
16c510cb9c866577055e50e73133b5e5d8417ba512f4bd380f498e4c808d19e7

SHA512
5cabc397d84787efafb3a8b1fdb1b36ec11db28d5f56a79189c10b8beddaf0190de9b9a43382b807243ba3b466bd4943b7465771f5fe5b447d1a93629e80e91b

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
93KB

MD5
54d05e66e005b4c313826fc84cdb3afa

SHA1
810d50f5a4072486b91d41a9326bfd5b4cc76ed0

SHA256
147b6ad8c1d196646f54e19d2d344ec7e802a41131105611ff8b166094b1e41d

SHA512
1c294995546803923437c0252aeeb36bd3308737dd09da2e15bf4787fa48b68a20f637e8ec5b71ae8d30a3b118532795898b9d67d1d33c55ed8b425d5f3dbd9a

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
93KB

MD5
9f337006e1b436a5e7024a8018c3b760

SHA1
255d59d8cb77fa25375d0b6adf89f28ad17eb581

SHA256
ddc5d4aa550bdda9a30db0ee323149f4f7c765a9f7d3a735e949e95611b968af

SHA512
b546619fd193ebcdf0b4ccfbc41f8c5439c82b461a24377f409a70e4991d961deb41af8a75f0fc21f74d5261ea5ae684661c3e91516f23f9ef38f76c90e10764

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
93KB

MD5
d6028253af30beacccfe6096cb930967

SHA1
6f44d272f282eab1ccc5720b26948104f86ab7ac

SHA256
36ebb777d82066137e88d2d725e8c250d5d661aec4d915eff4f4d3e8e98dd188

SHA512
b6a0b27681ad127a3867ec02c2e10d0bf10b025275ded4a1c39611b0dcbfcabf5513de29a55fd55fe21690d2b2b25532a8dec0c499a7d96ed287b57963bf57f2

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
93KB

MD5
831f0e559a08da3e01686cac4b45fa4d

SHA1
aa7f8ecac79cfe569447144ea7c753019ea1e864

SHA256
d258844fb04f0e3fecf7be58113adbd4658e927b4e954758a869067cbc74c2e1

SHA512
542fe056c50b15ec917b4cc4769dbe67b2029962231700916e811f8e7995205506a0e377aaa4fa49deee773a40ff1eb5f98ef34f7c0de5fc90101b9485da3251

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
93KB

MD5
5e1ce158e1beb87d837cd3d99d8a921a

SHA1
2a1c265cd97bba5d33a87e69414c7bcd7f8a6adc

SHA256
9e9a15f5d59ac0c6e0dd7d1c30d74399f36c6989d41324f5615ac633669d80f8

SHA512
a14192c1657d22c0341b61fe2553f1ba5fc88cfdca2e107b5da3ebdbe174d2f36e5217c3b6ad1fe71c9aef3b55d39f7bf10783a0df4261181acc497c86167b23

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
93KB

MD5
c9f3a844f005a24ada4dd203ad0e0983

SHA1
f6130f57443f3e23ee395504f5b219be562e0742

SHA256
aa9afbce12e5ea26f6a3e246bb57c7eb38d0aae28a53c8f9daa9e64604a0e985

SHA512
7198fc2681208f6d1a9971097fdc23fd9db8d9b92b6b4d3d1fcc4a51eff9b9df965baa0ebb3d9a9d4c38c4f31b343e19e3a5948e7aa6fb86bc2c40b2869528f5

Download Submit
C:\Windows\SysWOW64\Cfibop32.dll

Filesize
7KB

MD5
9017232ceac92b082b901df4a14b6cea

SHA1
025ed79090e291da9fd598a9174d4eae37bc7d14

SHA256
55defdc8454d32a3c8263ba5790c244934042f49b5ffcd9b9fdabc6de77767fc

SHA512
1ebe4dcdcbc6c62279d88c68661ac62c661efdbe530c1dff17c84f6779ff9c7b53984cd748776f25952e5f5f92cfaa29c2d85a01641e3eaefd18cc97141f0484

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
93KB

MD5
600f696fe84d7ac736593f26b6c1666c

SHA1
1686114ea9abcd5fbff5017e9c1e8c708fe0e417

SHA256
9ec352e15a646dee879d81701a768fee6784c868302ff7604cfdddcd893b197a

SHA512
36773cb5ee9d9841e3d4be583753e0ae0584c5cbd3f20aee852796a2af108e3621b6299f7f2cac84dbc8a8c97929bc9e2b0e2aded01c81fdbe69982f0a617b71

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
93KB

MD5
4461da05ad71ca4cfd390c793aba9922

SHA1
dddec50c81ed818e2b9ccccab8f740f9afd939d5

SHA256
107f6cdd9ec80a35956355120e0e09f879218056ba7325792540a49e1cbec2f6

SHA512
651b9c95511d9705f0a7139a291f510701e254f47bf8f5c6649be7ab8656daf0d4cef676d096a5590019d5cf7b0c7c1e729a213ba1a0524ca78f9e25305d994e

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
93KB

MD5
0072ec8a43fc4e11cc10af59bf12f103

SHA1
7fa361a7de353d911237273eaddff9306f2e52e6

SHA256
f349413346c3e67874d38e77e6de2c813711d96f08b7950c09b415cc05629998

SHA512
5daee8596c612016d2bd449119e94d7d33e9a08b9abd21c03a5b36318c37efc5da9355a6d6f0464645cd4f0c89be80db68e397a7ce2aac07651874a0fdae3b2e

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
93KB

MD5
754b8ecd12cbccf8fae31d8bde767f53

SHA1
0ff842be876f93f223e44a108cdded7d2b49e847

SHA256
bd77f4e69d607b6dc6bde81d0e7873f005cadf7d0c0eff4cd088208e2ece8af2

SHA512
6bd436ab4099504d41e5910b05590eb0ee8b8cf96b4634efaca84f048995f12f51425cde48f52cead869469a60c827c4508508d0f1a6b4bac6717425aea2453d

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
93KB

MD5
fa14442f4fe634bd34873d1d14bea59f

SHA1
c441434bc9c34d9c008abcaaea270ed0122c8fe2

SHA256
dd65b9aebd63877031f17bb03fd33f497b50a372e8967ca47c217f2b9694a2dd

SHA512
f3ada73fa99db113b26e4056b2c0c7d2e67b255cfbe902cdca1227ed839f693c17486f813c7f9769e50cd7a30b83efe549499a360143d05476949f5d23d9a2c9

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
93KB

MD5
628849c9f1c72b922fbf1c1efcf815a6

SHA1
3fc8162f7ab2669a5eeb51225a337e570eb17d51

SHA256
933e680408002416dec7cf8013f64077013277339c13b18b32721d60c2901966

SHA512
16d8fff984d9001f56727622311fc40a48f040c450a3a81e4f85d9865121978602051368a718fdf584a5c7e8ec205d21fb41f0d083db9fbcba509d7b12ac6f3b

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
93KB

MD5
a642690f709d4d37a36b26f9a9a241d3

SHA1
2d769fdcd96f0b6d03b2e43f115b7d5b9af4550f

SHA256
bac330582207c288c0b4b9334e8f3e61eb72fcd329c3aec5bf583d62e0b31291

SHA512
5576c3036e502a5e143cdcd404fba1bfa40222ecf7c4af163c8164c42470ece7ba9ddb10cf8bdd6eb847a75a433d731a72d7fa57e72b082e750c9d69f8becbe0

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
b42f22714de264e3d5d7f5cab39d0eda

SHA1
107401f217f6e8f1fb5653e44b78c52fcf0dfcbc

SHA256
fae0a13c778c201bd558f2d085edff9dacde7fc9f414c35561fba0da83c820b2

SHA512
a210a338adeb574d065422cda54cc32a87693a10026c223eaed9c13be9c19ae4dc2b77fd815de2623e835c093435e015b067365f381c0b53d21720b8ef87564d

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
93KB

MD5
52e9008510996c9358d442975f209683

SHA1
88b050c115d3243038ce3ac381d71fc7106fa598

SHA256
5ca97bbe1cd1b6b7f06dfdb0c66acee050708e52fea28a042b685181d6ef29ed

SHA512
fd65c09845478ae179b3184d36f54a62e67ca73ea4aee3a77e63d8dba93a8ab7a659f2a42dc26a5b8766d69307c8f006cf03a21ef30fe086e45cea24eef46afe

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
93KB

MD5
7535e675398b3eefb71aa177e8c1b792

SHA1
7e880153ea9d781f203eb5d0640bcb1698ca14df

SHA256
e8e0f8ceaf8ee413c178ce80367178384790ada0bed4a29c15f45e7171c9786d

SHA512
dcd9347e3355d5e5b865d3e04cb34f58607b2077f457737f637a3def921fb072b5101af6da4bc5993bcc4d06866ebc4f4b805295a7e572fc6d093ff365b09caf

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
93KB

MD5
00e3e58e26a7265fcebe38608f68b1ce

SHA1
ba32c6ce1b0b2e28053edc46e6e2ef894a80605c

SHA256
c101fd744c1c52266e97971cda943925f5028dcf98dfe94007ed195e956782ba

SHA512
30128d84fb5a37c4de46e3f304c991c515f320764117510d108273ab43a5d2732a173a52e20525ee1d6cedb9d1b4a84c776eba3a0b501507b8f17d901b796baf

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
402bcdda7b322fc09ee924e931445ed1

SHA1
4cd526d6be7cb306a4b6cd9fe21c5f817e886edf

SHA256
ea75482de2d5b7aa87d60f58a92d213ece9ac53d11f9a4d28af8b6ef414a930e

SHA512
d410b788e701a9ad6f7fc42eab32c218c88b03c08b1b655f38f44485b805b5ff380fc12ad5e28ed308aad7e104017f0af3075e5e5dfb0ac6fbfc01e8f1d00488

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
93KB

MD5
5d38d7bf49524fb90a17ba344a740aef

SHA1
915774bcc131ba94608051a88764633f10db4b5f

SHA256
194e60ac376047057b7a96362b2ba70d96f0bd5d8388d3c6c2032afcad7a3192

SHA512
e0e1c2d034056db6cde3b075d56948afb90d86647c0b6e0d597575b58e766d06fbc4de48202ee44237862c6896f0c29b275ce329ad3f5258e6fd2b7551a325c2

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
93KB

MD5
696b773b487f3328a6761c161c341be5

SHA1
28e5295afae37137cda23825335ea731dfdabdcd

SHA256
1d058e8502eb12a1596f72b3b844246ec08f771a227a7094ed21f86c967e1fcb

SHA512
09083cca7013fac68ce7962f407e5a33f5d1ca2bcf888d4faf79163168dbfa9c99fe1f6a625e903aa0326d41c218e8298b2a25f173bafeccfd73d42a10f31bed

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
93KB

MD5
cec1c58c0462553bcd7978403b7b9523

SHA1
f85751512019390ceabfb44e4ce3b52afb46a7b5

SHA256
026bb01dc2a0e118c1816ec996fc0f5b14446dfc187ced78fc65651c33cbb7f2

SHA512
3d23b2807dc3b784f91dd8e2b49b70abf49fb790218ceadbefcb47d82fb50adadeeddc5748bf082f13bb76d3b88789e7244d4cf7e70257145df5431c397a771b

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
93KB

MD5
62b8e346adb316c541148fd9a7c8ad49

SHA1
83a81db31f054a87867b029ebebb5ec0cb915fd3

SHA256
db4e79b98b9e96084d0eb14f2719ae9555cc5794f2388d59c27c1b1721bdbf56

SHA512
fc0d751ac3167312bba4aa3ea6db8ad486fa57b21108ad88ece5ce42c3bc0358861b2eb5c7dd0b649f07a7d32d670a5ad3f2dfb7bdc1c76cfb3a4b1723cffbcf

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
93KB

MD5
fc717e3ea849793ff4b363dc8f72538f

SHA1
b7709d4f00a04f0823def4bce32bd54cb674eea7

SHA256
08d75cb5f411776732ba892e1e80fdba951ef59d3e4ffdd06b768cb4765ad274

SHA512
ec62b67a154fa9316f5ebe63f45c66fe2e65b851a8e6da750b6ef0717e977e7a45e84dc9b6eb8505f4b48dcc29031de70e6b547aeb0a19cc39f258d0001a6ed0

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
93KB

MD5
63addf5bac548743b663352877281727

SHA1
a516f124cf9c44ff8a738451d45d89b3e91df9cf

SHA256
92adc599d26165ef9f6f843036979d1936de04a3433037f5fd3aec9e01464f30

SHA512
161915807754bcb3aa4ad5da4e75c0f4f8da3cbb07c406252f9fe21f26079fbdba7a686b2b882c0a85a5a15ba4ea2d942e209d680a52b5e50ab936116fb8148f

Download Submit
C:\Windows\SysWOW64\Padhdm32.exe

Filesize
93KB

MD5
2886f8ba9616d319c1d054baaa3bc88f

SHA1
876ab86971065c9a0eedd09f6d367b0c7425c811

SHA256
b49f68f768f891f282a3a67ccd80e52e328afd97709e432ccec4bdc709eb50ed

SHA512
ef59375ab1b95036250cc01f6019ec74a90cf7b0667688af8f56c0e9bd4e3293e77f5c2bf53198e17cb5adfa538955a804902b05e479cb77f3e07c1318df2d06

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
93KB

MD5
757037b30224464ccd2f7456260f3b9a

SHA1
75e8ae40b36575ef100a14c4e0e6460eacb88a36

SHA256
d0a343977d067b0499ec33cbd470c4f35b5b16ea54484caeffe98fa6719e20e1

SHA512
b7470d339c64904dc3bb0250c3d4b451860d41d33d6f8775c92ac5a82d20343ae87e1cefce019bb5eba796f6b389735f348a6c3c890703d9096e2f3ad7db6d1f

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
93KB

MD5
e1f57332110d742e47a28de3987228e1

SHA1
5d8e7122b26df4cbcd9f0f03d571716b3629211d

SHA256
dc5a74fffa7335619eafdcc696b56576a2af6174466e06292485d4b2578e6deb

SHA512
4616ac470e2c7610e1aff837567427b720476bd9fa9ab50883a0942ca5c5b86612aeae4cd1d1ff3534f80f3947d953b67c4f6ab368047b2c5125d0b9683e8759

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
93KB

MD5
792a1577b221cda16d9f317aea9c94db

SHA1
501d2e8721e1e16a84d2f1400c89b856ca4a7e87

SHA256
5263c1dda7cc9054b2cd29356c63eb20bc2c9074c7b8bb478ffa23677d644463

SHA512
60a1e0c212769f82b33e8c45d6a89b738c9e618c5be23abca3aba461a1bf8f306896e8794b07aadc9a7c4f8904e0503f08549cb612a20b6058c1414e60470c78

Download Submit
C:\Windows\SysWOW64\Pmmeon32.exe

Filesize
93KB

MD5
9cf578042033cedffb8052710caac96d

SHA1
81aaa7b40620d87b2183c957d74fffdd83150775

SHA256
aabb17e9895b33a6df5a29705d4b7bcbe3a6c8ddaaf6791ec7c6e27ba5eef3eb

SHA512
9bf1478073833a025152f7cb3ed35aa9853939fc8cf36c16b05c2d75afbe9dde3743770a32349ff19320b38f42e1e4c42a730885a9c18d86cafc926b36426b28

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
93KB

MD5
a6020730343159d220e444848b228847

SHA1
155b2f9f24f2f2612c30e2b5c624dded8313e0ed

SHA256
2928c0de5bee5eb88e6a9980e9e9cb8ed34b772dbaf7f32b792bcf2b13a1e6c3

SHA512
6d74b4e985244d84600b6833ddbf25d889d83e386ddbdd287ba8d1bc6e07fef96965a849291b7ff132bfb31480be8862a0261d063b2894d3df057ee536b269c3

Download Submit
\Windows\SysWOW64\Agolnbok.exe

Filesize
93KB

MD5
17e678f0d32c343b7b09fe790be27b33

SHA1
b153eab09fe70086de455ecbc30798f7bd2cb397

SHA256
400627377b45e47618459e3d88cdce07b310d4d80ca78e35edf3943b82c721a8

SHA512
5716f66677661aceb8d27c2b139d150d3bab26ccfd60c727e709bde2898cea003563b7a1bb7f4fef2cb4962e18a8bff1bcaa0e0ce69a6cf374cf5ac0e24f4cf2

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
93KB

MD5
a089c361b348c9359f6ceef7b0c46f43

SHA1
6f2082ae3a900b2cf6416741335cdca5cfad3cc9

SHA256
7f8727f2088358c1b6393e0ebaf8ade6b2a637af8ae69a4ee43ff2bc374d5ffc

SHA512
baa7f571340a9b44bb0a19b79aabced237d40ea18e2e5032fe6fd59030130bc49e3e3e3d85378a59a1c9020c2d6f56c53c048122c8a2be89a55e2ef9020e5981

Download Submit
\Windows\SysWOW64\Oemgplgo.exe

Filesize
93KB

MD5
97493e16ef02116c3c8190cb814dc063

SHA1
4b334b66aa35fb2d534c43937e71a9c6245e7052

SHA256
4429e6bfe82dc7964c105c3093bfbb3aa20b99809e3b5b4728bff5d0f8ed1325

SHA512
ae4e1541b5b19519068d72f80603b16764cb5e02bb77a0054d449ee760318441b48e64a43f8ae2fcdea1b695c6bd56c30db357e71be8e32830fc6b9f92d1a34e

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
93KB

MD5
44ef453af5a5d10198ef76b75b5d6041

SHA1
213d69f6a8390fb97e7168a88629938e03df4674

SHA256
6ad7b888a093039a78123d75a2279ebc07b7e7af70065a20498639f731b937ee

SHA512
5ce505a7e685f1e0187c165c533334583d5df127e56bfaf1c6be4775f35cea81c2baf63782d2a84528aa54850a7157c06444b66f731a697a92846560a1daa811

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
93KB

MD5
5e6ad67b4349367edbb4300cf07f703e

SHA1
dbf97cbc6b411fbdba3fe2febd76367be4f94a6c

SHA256
ad3f3386b53d0ac7602b8edb1308933db24c0996d5deb2d99a53fe7cd781a95a

SHA512
56a0ecff838618e9450f2b3fb52b63d704e73b1a875f3b0d88549f0dfe41af4be7b8fb20429ee92f5d2031f1bada4fc58dae09c6bce96344d3a09fedda504a3b

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
93KB

MD5
d3f68cc14cb526afb1f7029deb13ea2e

SHA1
70d15b8f320b20e0074b4549f67c81bc5f871dfd

SHA256
06e601d8b5856c25df8790ebc0c7e5358ad75af5248c4308cc5365fbd8242d36

SHA512
fc87834128daae5b1613b6060d7825f413e47b1da24900aa4ef7cb49b256dc8e9799fda2117633fe9cd8d5186ae32434203427514882ebc6b2c25e2bde4cf086

Download Submit
\Windows\SysWOW64\Pohhna32.exe

Filesize
93KB

MD5
c9cc5084283e3e640665acab958a5055

SHA1
013ca9d71955eee8a5e0895416c34359d39432cf

SHA256
4e06515b722198cb07245ca2efb34c9d52ab6da10116a4f4951498e8c66c359a

SHA512
822bcf7c653b915ad056a78db7a76528ada09ce0b80146498aae63f75357f232c02762fb2879a9b91118899c3b2a1212d9070b7e7dee783cc0899a254d29af90

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
93KB

MD5
a53caf6ab412416a3b25a83af77a30e9

SHA1
da3c0be04cf672504e27a93e370f19a967bcde71

SHA256
08a63707e207a30bd91ee425ca29333226e76d36f34446a50ec64cd152d5f910

SHA512
384da5592fcceb7bd4de4d3cb30e970e0cd5f612d6a5c2c3697241d5e8d565d5a1404793edab9363ac4e60ec59c9211acba60ebaecef3b011ea143af479a239e

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
93KB

MD5
1a1d2a2e36126c2936309f135557474a

SHA1
b281d488009d81bc6c207821518bab37232d948e

SHA256
df9c70aa4c3e9a2a6c62e461c2a30a8058bfd1976627786ed30cd91c92a71bc0

SHA512
e04f307c5da8fd3cf48fc5be0e935dc8651c29a51062921957a38f7d17225cef6250c46fb4b9c16446ead12e428a5a8ee7c2af85a775a68b27db4adf3db9b1bf

Download Submit
\Windows\SysWOW64\Qpbglhjq.exe

Filesize
93KB

MD5
3bd4814735343bc82f1b0a2bfebcaa51

SHA1
6c2037318b3dc2d27df6bfd4ac72c9592abf1ca1

SHA256
894ce2b2edebfd9f24b329247e393e35d56065fc587c2d3b3c2af89e2bf4328e

SHA512
c93d27b2856f4cfea0706802f0d202afc8fedd5c913c623d4e61642b37ec5984db1f17d9bee2e59db4dc3fa7020bf9918c21fd2775202e3a699d9147373ad7fb

Download Submit
memory/280-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/580-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/580-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-786-0x00000000779B0000-0x0000000077AAA000-memory.dmp

Filesize
1000KB

Download
memory/800-785-0x0000000077AB0000-0x0000000077BCF000-memory.dmp

Filesize
1.1MB

Download
memory/816-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-12-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/872-417-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/872-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-94-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1052-97-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1052-182-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1052-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-227-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/1484-127-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/1484-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-128-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/1508-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-336-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1508-401-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1508-323-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1508-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-266-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1588-191-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1692-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-321-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1800-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-267-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2084-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-289-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2100-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-310-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2100-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-274-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2128-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-300-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2164-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-410-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2296-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-405-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2296-344-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2296-343-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2324-278-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2324-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-218-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2340-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-244-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2440-246-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2440-154-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2440-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-190-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2624-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-371-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2748-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-48-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2748-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-38-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2840-103-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2840-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-169-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2860-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-444-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2912-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-152-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2912-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-136-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2976-113-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2976-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads