efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe
Size

60KB
MD5

ba23f0ebdb9b10bd25ffeaff2e377188
SHA1

20d8a61085be40ccc3a2a6e633b634fc823045f4
SHA256

efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432
SHA512

40cf1302836924aa4fcea42adefb9edf5697683d15a9e236d7d7c408421b999403d11649a87ab21250b3642f43f0eb90512a0ca110bc996a74f7d6a4983619b3
SSDEEP

1536:D2RHb74MBX55IvVjhFc2fYkG3uGU/DgVGB86l1rs:0pb5I9jhFJBUVGB86l1rs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdlkiepd.exe

Executes dropped EXE 64 IoCs

pid	Process
2752	Oancnfoe.exe
2916	Ohhkjp32.exe
2656	Okfgfl32.exe
2040	Oappcfmb.exe
476	Ocalkn32.exe
852	Pkidlk32.exe
2068	Pmjqcc32.exe
2420	Pcdipnqn.exe
2804	Pfbelipa.exe
1248	Pnimnfpc.exe
2300	Pokieo32.exe
2584	Pfdabino.exe
1780	Pqjfoa32.exe
1928	Pcibkm32.exe
620	Piekcd32.exe
1532	Pkdgpo32.exe
2356	Pbnoliap.exe
1364	Pdlkiepd.exe
1776	Poapfn32.exe
1576	Pndpajgd.exe
1688	Qflhbhgg.exe
1724	Qijdocfj.exe
1732	Qkhpkoen.exe
992	Qodlkm32.exe
1184	Qodlkm32.exe
1708	Qngmgjeb.exe
2160	Qiladcdh.exe
2676	Aniimjbo.exe
2204	Aaheie32.exe
1096	Aganeoip.exe
1844	Anlfbi32.exe
2324	Aajbne32.exe
2788	Agdjkogm.exe
2836	Afgkfl32.exe
1936	Ajbggjfq.exe
2704	Aaloddnn.exe
1036	Apoooa32.exe
1320	Agfgqo32.exe
3032	Ajecmj32.exe
2136	Amcpie32.exe
2152	Acmhepko.exe
2012	Afkdakjb.exe
1128	Aijpnfif.exe
1520	Abbeflpf.exe
2084	Bilmcf32.exe
1284	Blkioa32.exe
844	Bpfeppop.exe
1112	Bbdallnd.exe
1480	Blmfea32.exe
2168	Bnkbam32.exe
2940	Bajomhbl.exe
2776	Biafnecn.exe
2660	Biafnecn.exe
2632	Blobjaba.exe
572	Bjbcfn32.exe
988	Bbikgk32.exe
2140	Balkchpi.exe
1768	Behgcf32.exe
2992	Bhfcpb32.exe
1304	Bjdplm32.exe
1692	Bmclhi32.exe
112	Baohhgnf.exe
2488	Bdmddc32.exe
2492	Bfkpqn32.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe
2884	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe
2752	Oancnfoe.exe
2752	Oancnfoe.exe
2916	Ohhkjp32.exe
2916	Ohhkjp32.exe
2656	Okfgfl32.exe
2656	Okfgfl32.exe
2040	Oappcfmb.exe
2040	Oappcfmb.exe
476	Ocalkn32.exe
476	Ocalkn32.exe
852	Pkidlk32.exe
852	Pkidlk32.exe
2068	Pmjqcc32.exe
2068	Pmjqcc32.exe
2420	Pcdipnqn.exe
2420	Pcdipnqn.exe
2804	Pfbelipa.exe
2804	Pfbelipa.exe
1248	Pnimnfpc.exe
1248	Pnimnfpc.exe
2300	Pokieo32.exe
2300	Pokieo32.exe
2584	Pfdabino.exe
2584	Pfdabino.exe
1780	Pqjfoa32.exe
1780	Pqjfoa32.exe
1928	Pcibkm32.exe
1928	Pcibkm32.exe
620	Piekcd32.exe
620	Piekcd32.exe
1532	Pkdgpo32.exe
1532	Pkdgpo32.exe
2356	Pbnoliap.exe
2356	Pbnoliap.exe
1364	Pdlkiepd.exe
1364	Pdlkiepd.exe
1776	Poapfn32.exe
1776	Poapfn32.exe
1576	Pndpajgd.exe
1576	Pndpajgd.exe
1688	Qflhbhgg.exe
1688	Qflhbhgg.exe
1724	Qijdocfj.exe
1724	Qijdocfj.exe
1732	Qkhpkoen.exe
1732	Qkhpkoen.exe
992	Qodlkm32.exe
992	Qodlkm32.exe
1184	Qodlkm32.exe
1184	Qodlkm32.exe
1708	Qngmgjeb.exe
1708	Qngmgjeb.exe
2160	Qiladcdh.exe
2160	Qiladcdh.exe
2676	Aniimjbo.exe
2676	Aniimjbo.exe
2204	Aaheie32.exe
2204	Aaheie32.exe
1096	Aganeoip.exe
1096	Aganeoip.exe
1844	Anlfbi32.exe
1844	Anlfbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pqjfoa32.exe	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Acmhepko.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Aohjlnjk.dll	Ohhkjp32.exe
File created	C:\Windows\SysWOW64\Hmomkh32.dll	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Ocdneocc.dll	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Pkidlk32.exe	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Ikhkppkn.dll	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	Pfbelipa.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qiladcdh.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Pfbelipa.exe	Pcdipnqn.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Agdjkogm.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Nacehmno.dll	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Aaheie32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1592	2008	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blmfea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll"	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll"	Qngmgjeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2752	2884	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe	30
PID 2884 wrote to memory of 2752	2884	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe	30
PID 2884 wrote to memory of 2752	2884	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe	30
PID 2884 wrote to memory of 2752	2884	efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe	30
PID 2752 wrote to memory of 2916	2752	Oancnfoe.exe	31
PID 2752 wrote to memory of 2916	2752	Oancnfoe.exe	31
PID 2752 wrote to memory of 2916	2752	Oancnfoe.exe	31
PID 2752 wrote to memory of 2916	2752	Oancnfoe.exe	31
PID 2916 wrote to memory of 2656	2916	Ohhkjp32.exe	32
PID 2916 wrote to memory of 2656	2916	Ohhkjp32.exe	32
PID 2916 wrote to memory of 2656	2916	Ohhkjp32.exe	32
PID 2916 wrote to memory of 2656	2916	Ohhkjp32.exe	32
PID 2656 wrote to memory of 2040	2656	Okfgfl32.exe	33
PID 2656 wrote to memory of 2040	2656	Okfgfl32.exe	33
PID 2656 wrote to memory of 2040	2656	Okfgfl32.exe	33
PID 2656 wrote to memory of 2040	2656	Okfgfl32.exe	33
PID 2040 wrote to memory of 476	2040	Oappcfmb.exe	34
PID 2040 wrote to memory of 476	2040	Oappcfmb.exe	34
PID 2040 wrote to memory of 476	2040	Oappcfmb.exe	34
PID 2040 wrote to memory of 476	2040	Oappcfmb.exe	34
PID 476 wrote to memory of 852	476	Ocalkn32.exe	35
PID 476 wrote to memory of 852	476	Ocalkn32.exe	35
PID 476 wrote to memory of 852	476	Ocalkn32.exe	35
PID 476 wrote to memory of 852	476	Ocalkn32.exe	35
PID 852 wrote to memory of 2068	852	Pkidlk32.exe	36
PID 852 wrote to memory of 2068	852	Pkidlk32.exe	36
PID 852 wrote to memory of 2068	852	Pkidlk32.exe	36
PID 852 wrote to memory of 2068	852	Pkidlk32.exe	36
PID 2068 wrote to memory of 2420	2068	Pmjqcc32.exe	37
PID 2068 wrote to memory of 2420	2068	Pmjqcc32.exe	37
PID 2068 wrote to memory of 2420	2068	Pmjqcc32.exe	37
PID 2068 wrote to memory of 2420	2068	Pmjqcc32.exe	37
PID 2420 wrote to memory of 2804	2420	Pcdipnqn.exe	38
PID 2420 wrote to memory of 2804	2420	Pcdipnqn.exe	38
PID 2420 wrote to memory of 2804	2420	Pcdipnqn.exe	38
PID 2420 wrote to memory of 2804	2420	Pcdipnqn.exe	38
PID 2804 wrote to memory of 1248	2804	Pfbelipa.exe	39
PID 2804 wrote to memory of 1248	2804	Pfbelipa.exe	39
PID 2804 wrote to memory of 1248	2804	Pfbelipa.exe	39
PID 2804 wrote to memory of 1248	2804	Pfbelipa.exe	39
PID 1248 wrote to memory of 2300	1248	Pnimnfpc.exe	40
PID 1248 wrote to memory of 2300	1248	Pnimnfpc.exe	40
PID 1248 wrote to memory of 2300	1248	Pnimnfpc.exe	40
PID 1248 wrote to memory of 2300	1248	Pnimnfpc.exe	40
PID 2300 wrote to memory of 2584	2300	Pokieo32.exe	41
PID 2300 wrote to memory of 2584	2300	Pokieo32.exe	41
PID 2300 wrote to memory of 2584	2300	Pokieo32.exe	41
PID 2300 wrote to memory of 2584	2300	Pokieo32.exe	41
PID 2584 wrote to memory of 1780	2584	Pfdabino.exe	42
PID 2584 wrote to memory of 1780	2584	Pfdabino.exe	42
PID 2584 wrote to memory of 1780	2584	Pfdabino.exe	42
PID 2584 wrote to memory of 1780	2584	Pfdabino.exe	42
PID 1780 wrote to memory of 1928	1780	Pqjfoa32.exe	43
PID 1780 wrote to memory of 1928	1780	Pqjfoa32.exe	43
PID 1780 wrote to memory of 1928	1780	Pqjfoa32.exe	43
PID 1780 wrote to memory of 1928	1780	Pqjfoa32.exe	43
PID 1928 wrote to memory of 620	1928	Pcibkm32.exe	44
PID 1928 wrote to memory of 620	1928	Pcibkm32.exe	44
PID 1928 wrote to memory of 620	1928	Pcibkm32.exe	44
PID 1928 wrote to memory of 620	1928	Pcibkm32.exe	44
PID 620 wrote to memory of 1532	620	Piekcd32.exe	45
PID 620 wrote to memory of 1532	620	Piekcd32.exe	45
PID 620 wrote to memory of 1532	620	Piekcd32.exe	45
PID 620 wrote to memory of 1532	620	Piekcd32.exe	45

C:\Users\Admin\AppData\Local\Temp\efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe
"C:\Users\Admin\AppData\Local\Temp\efb8ad0225b2295a210d39d18f750e6e1068dfc51c0f6b4f31f0a45c3b9a8432.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Oancnfoe.exe
  C:\Windows\system32\Oancnfoe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Ohhkjp32.exe
    C:\Windows\system32\Ohhkjp32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Okfgfl32.exe
      C:\Windows\system32\Okfgfl32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1688
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 140
        74⤵
        Program crash
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
60KB

MD5
04f1bab867b11e37b7742d39d21d5158

SHA1
38c8ba574ddb19779700f2d0ff7c746e66a87fe0

SHA256
0d5dba50fa5b15cc6f6d6c1f6e2066a8678cdb869aab10a5f024d2d35fcef1c7

SHA512
317edd29697fb6b77687c5a406f0ebebd85bff3ea0b7c0dfedf7a86883ed9323fc4ad12c3af4a691cd2935f3feb2e1aa3582983b0454affa3005ae692ecb8b38

Download Submit
C:\Windows\SysWOW64\Aajbne32.exe

Filesize
60KB

MD5
0ba4bfddfba3b96770da6def9f3cb3e6

SHA1
a803f4be3e3afc2b1e6b5f1512f72d8c489a6226

SHA256
4a130a48a80976585f299bf2943c1db62008a444718ea803dcfff49f6a7dd388

SHA512
a2ff5571c8651090a1e62e74f5e62d6f7b5d313434fac363e1f833788e50ed727fe8c7f34bbe76df03c547268a8170646db2a10e9ce14d91881e065be044b663

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
60KB

MD5
f3e96cb82c3362c535992c9cfb959c8e

SHA1
2f55ce2f4a6285d84c994b0eb339ca6ee910849e

SHA256
c6ebe18aeec58b91dedcd9a3d9c4f0d6b4a21da9ea63d277dc941f133c0ad858

SHA512
3dde4e8fcb441aa651798a4bd648b10b954fbce5404955c9a5a5606f25b8f8e0ef68287da93051861665cb2ee8790833e478249553f062a0760654978148acec

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
60KB

MD5
0ab814c3f0966c823176c5b5dc127882

SHA1
f839eef5a676a4493340cdae2b90ad7a3d37cbdd

SHA256
a14902c9477cee61382cd30b521ad1797a471e6a05855d8d84b2be03c36f2f8a

SHA512
bfb8388c49af92529fc2035bc5b62957a66d271b00839ef99be2e8aec7f049c9ad41b5d35c59335d563b3441a8de786b0ff6f183ad298113230c8a9c6bdab5fb

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
60KB

MD5
dcd64bc0084ff4261b8e90ad960571c1

SHA1
672ed2706fb950ce4f7dd62842b19127e01c8d91

SHA256
9734128d8aec6ea87fed63f0a07ebdb78f4813829ea810985c3e5cc89c1eac5c

SHA512
8cad263d657b035e2f91929ce9d6ce2101fc2cbe5d66ed7153fd360cb6104336ef39f7f4f149f90d1b193c39a1790da782cb548c277eaa876d149b76df545778

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
60KB

MD5
e09e00833e878b5945944647f739c60a

SHA1
c8a8121eed77345672d35ebb7ece9a68fe0838b0

SHA256
4dde2eb3e2581c55019a8565e66d278b9b145661f1e683a7940eb39dd7cb6666

SHA512
02cd4573424b1c0b9cd19926544bbac6c4190c0269bfc900bf0762ca3a9e8fcaa0612682e986589c0d9acede9de09bce72d26b3bfb6924f31da996be6b2843f6

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
60KB

MD5
7c76bdd21773a696ee38b076e204aef3

SHA1
2e703c72dfa2e987b9e16ea60ed2aef4567725da

SHA256
e0519b1a62faf959c64911d06a943439eaa637ddf69e1dc4900c089706f28179

SHA512
e4cdf97a523c0de182cc5f7f36db0f16532d3d51ad23acd37c6a108268024ea305996a9f5331d3249b1190a51dbc786874f2b86c8e89d81c7f13edda05117826

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
60KB

MD5
93019f5cfb979a024339346171c58f89

SHA1
db78eb692af0297d9bce2908e8eda6f593e789bf

SHA256
08432e5300cc282fe8e6939c759ceae8b3651d9de25129c8551dcc3720f069ca

SHA512
1b8a0c157af7d60147757af2f38bad892e8f7350b4dab617afcfd49c698bdd6b8e7265f34c29958eaf9680786e6d30752da5293a952a24a0b2a6c3d6e9528acb

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
60KB

MD5
6bdab0f4d0f5a7bc01a81c303a0ae7c4

SHA1
384ec1596919e23ec932efdf403dc7e01ddf0a9b

SHA256
d679a066736ab4ad379a75d024a6c420f254026fa5e47ecd0b6d1f34ea43eb67

SHA512
abaaa86fafb36fe426dba3bd084685a59e7c730c63d4feb923b099941732218e8f87f85ba050ce9c693e79b455b6ef263b7f5fcf16f867b382411989f79fecb7

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
60KB

MD5
87acc7fad78afa17e75a9518e0d18d78

SHA1
78b58414cb22c55d59d0006d535b081d566ba5ad

SHA256
90fc1727a0af546f5025a077e43ae3aab26a77326fbdeb271d82adcb4a64838f

SHA512
95c57e4938e2bb2a05aebee4f67e835a9bd155a6b9a89c0ee812c9f3d2463a6a96bdf06b3d0fc423c64578181c265e604b3028d8b7e27b1a2e83cc6f2e7057f4

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
60KB

MD5
046fd31ee747bd537d3c9aa02b87b53f

SHA1
316a8603ea807a06d7926c73bbff1fb3b9c23d61

SHA256
0ab9f0c602b54f30ce9f479e647093ef1d97beee29a48aa71bbbb6eb0a523ccf

SHA512
bc3454b6e727cabcd27832421b61bddc1ca4e79fe267a55c400f67f0640ae258a4e35b92501337ce437ff7b956ddef032ee11e25c207ecb04c6ba153c8327a33

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
60KB

MD5
a1b53518b9b8881f5fb53fe257df23ae

SHA1
c893151e6e4201959a73a3a3649438a9f0270755

SHA256
06029994acc0d287821bd3e3e257eb03b0316bad0b56952c1e7a36c80a566e7e

SHA512
2335df9d237d9aab2e02631049845102d278de70da7066af8224492d207ea295df78307d027c63f1b904bf22555ac288b54c8f615b89b955831b1e809bf01815

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
60KB

MD5
3abe129ee4daec33d33b7f8073b6835f

SHA1
51a5254c2906e63e4ca244022a261e271bb10eec

SHA256
220d506e33c5b9624e9cb57692716f01da661be2e5390197bede2786a519e2d5

SHA512
dedd0317216869b25319a95a8fe468dad1dd64b4751d98c179d71f83bc2105f1df9e1fa0a99e213f186a0eb4bec49f911c54ddfbbc9ee67b05dab41fbcb9632d

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
60KB

MD5
a399152d6bc8cbea8b5b294e39d1ac7f

SHA1
7a486691dd948b2ee05feda4d342e0296e6606af

SHA256
3c4a3bc2a48a7d5666a76e05ced881da5d75a3840a77543c65639d73331a87b4

SHA512
eef486cda7c75e97fc3df3d52d0f329b9b26770fa55af7511dff9fd7c492cc206e8b2914923aeae6cf5c9c572bd5a9c5fce6d96d69738ad033877b78e317aacd

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
60KB

MD5
05559f12e706603a8c483d907b0e8719

SHA1
049b84befbb6733717b3d7b507c4c6ae12c1c37f

SHA256
b8fa284c7fcd776fde0bcf8431ad1c35da28c8278e04e9435f4caa947db5c458

SHA512
50adf82446a6f8d8bb79ed89a3942bdb2866832b05299ea06a2234653709e4a2b444eee0bcb2f64d0813c5d37a82b1ac5487dad560901e738f24890c8f8cb7c8

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
60KB

MD5
497c4bf47f8f3f429d8deabf0f48f3a8

SHA1
c993dc21ac1cb4a52536270b255b8676557d52b4

SHA256
d5260defc63d1432e1ebd17e342e1e38620ba1728ab61cabbdb7524d5a96975f

SHA512
a330e27d43a605da64e40541635ca98f8118826da36aaa6a1f1116bc533a794f47808517a815355e7bc9f6a9e299d4b72e74ded5bac3875964292de04991875f

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
60KB

MD5
25267f09032be6db7fcefc5960bed93a

SHA1
816fbc8ac8d74fd82ce78094434812dfe742feec

SHA256
0e564bd1662bd3809503a58b4ec70d6eaf45995633d046e8f32fe8e33b4698ef

SHA512
f22701dc6bcfbe2e0032b02f0f28eb3b69bdbefdf3c7690973c598e6a31f9361bfe3430a5b6e5deddba489bf9b145fbdae2fb2a9113513ae948e714eb45e0a15

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
60KB

MD5
ab293b052b3bcaca11d50aa9e84a6349

SHA1
8811c6291ded26eef6d3fdc41b85e88aea327b2f

SHA256
cdd1ef3deb17bcdb1c076b5a75042d1f0af2fdd9ee9121ebbb218e01d06ecd41

SHA512
d580d13703366fbe628ce46b750984eca8662c1255f19ff0e0a880ff73625a916f9bfa18de16e7c40d4396dad1d3f3ccc2981e4358337aa11a28953de6b7a055

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
60KB

MD5
a6a78d266911c14f3e319b5215b7325d

SHA1
ad1ca5ddf6f2c9926362f3fe6abcef917b6b1107

SHA256
d57242a89381893e4561ff6d24f7444837d667645a4ffd12317775c9d6c10ba0

SHA512
2d3ced117d96a48ea284fd1d47b7f813b385bb6c1ee1c5ec2de3501cbe32e8135d59ba5a88675b9850c7e565aee1724b7587800cc57e30282de0282f3b8af294

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
60KB

MD5
023ea19ac10e0023d637b14650954381

SHA1
34e1754cd74e894d54ca80e34b2bca8121d3a897

SHA256
7d98b4b63d768522fff260e256aea60b42befbf5327b5a4e387c7c460a5bd800

SHA512
ac5ee6c28965e0c2c09ed237d5d9c2ffe5883a555c417d673a071723537fedc3d180f5e93db4221821d939325fada12a2f81d2007ed231cab3c105bfef3c032e

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
60KB

MD5
fee93e97114cd345de6d629567b7c519

SHA1
81f595828bc772a894de61ea83783f1add0574ff

SHA256
c042b48db78c90a09b39e206a31f8c0f08f918e751eb1a566a53b9f8a52011c1

SHA512
4d158271be947f706750a9f0acf77d00d6f2178c1a3094fb5a74d2cdcb81873c1e07670a28050ce438d27be5072321edd9e764676a05b548dda74c56b4374c9a

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
60KB

MD5
40ecd243845bc43703ba611369bb1ba3

SHA1
ea777ceafded198a94bf42f0866f33b0399fba4c

SHA256
fc254fcada099b5487ed40d5f902d6574cb56fb15742b691b768c93cfa3ba694

SHA512
deffeb3672e8d5e1c9f04222f3ca9452b09f72f525ef890cbc9456fcb6d3cb389b6c82d382336528eeefbb795ed0d5dacad9abfd0ff741db9bdfc6af09c2494e

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
60KB

MD5
513dd8ff1595ab66cfc12f9e643cffcb

SHA1
fcd8c3af7319e202cb836737b10cf6c19ca73dbf

SHA256
bbd1a19402aff35d3f1e7cc7cf2854f07420218d66e4457a81a6f0322260baf6

SHA512
578363fac14a8a3bd0d5f214d98456d6234e8fbd0f4f33398f9c3b49893e79a44705184356fd5dfcfaf7eaccfba91dbece270eb112dd39182641144f7cb6574d

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
60KB

MD5
59ee45948c05f32d5194bdd9c407975b

SHA1
fc5ad34bffa6024706b0988cd33326252b34fe51

SHA256
7a46f86c07a084cfb74c717fa9641af4c838adc8763e5c7401b292f2a9576741

SHA512
cf2b7b6425ccc02b8ac90024511567d730f38225120fa01da8da585bd92cdf8ed330a88ecdcd1c2dc4be1d68421e4b8573a2344ffbbaea0af9fe370f67ff3871

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
60KB

MD5
0d960845a32d39ea5f39987af17cdbc6

SHA1
5e6e598ab87faebdaff8cdc8a413951b9a559017

SHA256
c3caa671ed9aec6a37d5cab405e3845c492ee7d5a7c4f9163dd74f19e0edaa04

SHA512
cd3035a6e7c51ca3971da9b6433d966be6dbe02dacd6f3a20d64ffd2c3f0359afbfea69590a6d6b44016da48e7f32baf23c26d0bba78a4a4267d871bcaae2b6d

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
60KB

MD5
c2db575021ef86e55fc36b708501c3a8

SHA1
281c02dbe50598b372fcb98f2c9b93711cc43fef

SHA256
53aad97caa1a52bc4587890c0f2a1bfa6abaadd022f855b3c71d4cdaf30f41d9

SHA512
65c8ed06f893d80253aa274e27597c24a1041ace5e69815b34520c3657775577083eeaf1ef2abc95f12a6993175c8733c8585a0653908843220261889baae0e8

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
60KB

MD5
e3038989d48341cafd1aadc201e282eb

SHA1
174e95506b6ce44399ee18ec7d4e448bb67b9269

SHA256
f07c1148d12665cc9947a67152edfde0d148b92e6d4011fbd0e369cc61626af3

SHA512
ab55147ba0ff33331f4c199bb331a8b1e0a7c2bb8f9f247d4f2bcc4f09a18b2bc8b37fc12ef3c832a66ce0057d798c3fee0310daf33eb8248f2e76da527d75ff

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
60KB

MD5
1effb2b69beb8460e236ffdd013c5262

SHA1
1bdb00bab339b92c8571f2b860d4f59d93a7eb5a

SHA256
ab3cdb7571c880dd61eea93f08258f13b0f8dc21fda535c8654d465cb4743034

SHA512
1bbbf2aff92af4b19eaa1de27548728a8bb273a2a84abb6e9db4e474fb12df40e5a0932b2f4795c9e1b1306322b0790f35f17201a58c2265ae131a1c3f3f21f8

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
60KB

MD5
8ea3116a0e8eb4e7f1f89089b1ce776c

SHA1
63707dcd4f84c4bb6fae108f695612ecea411d4b

SHA256
4ceb50c3882a0d846b4d9a0ad63e0b283f88efe9926ac7e2f6b8469531419b67

SHA512
61931b7b895a060c2c134dcae2c2ea91789194edc2f49f4ac0de84cbb99da591b327eb4aa514d61f4c504307997f466f2cc2ff02f37ab897ce3d627b546bdd21

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
60KB

MD5
9ca849cefcd64150a156d196d3cc3baa

SHA1
dd6984633217f219b46cdcae8e0b106baa174ba3

SHA256
404fc11e544cc6f47a3550e8b3c48e0ce943c23f0355713ec895dbd362cbb840

SHA512
79151fe38e42dfb65a5d7511445d5e2a9e7788d61d3842abc1d6749af4c826d400f4c302e65045a0f13deeee148372153d59775090c96fbd87b5cff48f516264

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
60KB

MD5
4b2df2525335c16292f88b32b9706bf9

SHA1
0ca72b7e4bc75cadd2db9e6de969b1332bb4654d

SHA256
18854aacaebcbaf874e8efd9bc124bc27344d58098ad852c7480952e8b805732

SHA512
f20f6b0b7b46bead75fada1eef6608a40ca5933d19460b5fa898a5461ae5a7936f7dd36e1bda43aa2fd70ceb9128bc3db6c949f396df2019ddd08d7d6c4fa2a5

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
60KB

MD5
a09112720b3224e7e16b8306ad27ca70

SHA1
fd64f5d99c64b2855d891901931fa9fc8c7085bf

SHA256
d51a5dfaafd0591a325e2b7bf6a15806c43510dd2f71f3cffa73125b7f89a269

SHA512
24710e63e5195e2466857d8489baf295f6fe3687328497c4d2352e7cfd68d117f098cf0a8bd26f163fade7a4b85ceab1ddc85f50efbfe47a827b7c13a08dc783

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
60KB

MD5
3e835ec4665b75d94c39ed33c5edbb09

SHA1
22233742a6335ebf3b7276ba43ed811418caf834

SHA256
bc9bffc70f56bb073eec4c8cb4035978cc55ec62090813795e72a95b87312b22

SHA512
b7f76109dbefa035638093f623c6755373e791192cedf56bebea723c2c277061a8c5c65cfafc2e8a1743ebf83a709d19616420556bad2daf46f5c0ec98f96121

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
60KB

MD5
53fafdae2bb363de2794a344ba4e9a18

SHA1
a42313b4ef1ee72c15c2cf9831f3764a73ec720c

SHA256
86d6ef5ed8b9a775e8e27fe2ac202e08599e565c91f9f9c7369ff435d7e386c2

SHA512
f0b6c6d16a7d974364020a29b0f60f5d2a0fb23079db4612cf27388091f18acfd657e9a4244319d0a0c28a063daec49f19474ab6667b242ec15ba51eee489037

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
60KB

MD5
a8e0db48a1b5ca5d19feeea7400b6638

SHA1
1ab2a3a4f21e8491af94bbf7bf516781a68b00bf

SHA256
ae91dec6814579e26196ea82ad9fadbb1241717e89d8aa9bb1263cc9a4e24692

SHA512
39ff2a11d7ba8eab0894c895c453cc227fee6b9f9ccd6ba6b70d07b381e4abfb7d58399b7a8bfc6d05d9744901ebb5887cc8825fd981bf4016459332f68ac39f

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
60KB

MD5
a097422625695284da72b7952b9335f0

SHA1
e48f5806322193f5090a0f17424b3f04739dc5ac

SHA256
4802bf0b01ed70951a79a1e2a7cb7cd7a8b7378782a1604c9768cb224ec5018b

SHA512
9845032f10a1563fa43e7d93123b14253fcb9e76bee7fb51b18cc6e68871424840ab578b102581216ac2eb90c5c14e0921532b6096c9b8e0ad670bbff981ec44

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
60KB

MD5
1d4d1f35b130f7c856adacbc03e7c217

SHA1
e109d29ba35c8df431e96795d31724ee3b35650a

SHA256
f87f5dedce02a2dc0d98ff0896136f905dd96a680468ac966183b0b6c90681d1

SHA512
024e0e73a311d870c83e104827eec59a658076b66a70f4acbbdc85acebec66204c13759be280ec528e00c1d317c87228e6122ed8b66c8e7f4479948992ae1c9a

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
60KB

MD5
903102e61e8a5bb2a173bb4f491703ba

SHA1
d657e1139a9f944ff1e45eee9ffceda006f9424d

SHA256
cda9a98325ab0eaeca06f0b27b695c11fcf370e3e8d3f58ef0c8e6bf8b4f4789

SHA512
62796a961908cecf3bcfb505e4927d851c15162fce40f2222ea52d5787e56d5667979620b182c87172ea99822bc5bb2316db12833c91419e3d96412f3829ac5b

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
60KB

MD5
b7ccb97f946131e16df4389411fdf0df

SHA1
cdae6ab42fe1b9081f68544ad40c2ccf35f310b5

SHA256
8a6edde016075aa9c476e32e8db4a0fcfddd3eb618c8a9359f8e86e8c260ec9c

SHA512
bea350393a03191e4d8e62be483ee6cd777916c113d4c11675ce600497ddc06665f38b0b8e7c288a224bafd854a23f0d77bf870b1f7d51fcbba9a84aa638b626

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
60KB

MD5
fb843c8880ddf89ab2454f11166625a0

SHA1
686e19bd2495596108772a61a8d6508da7a51456

SHA256
9d725e099d76ac08ad5176dd6b9e5cc387bd3c02a36d2b27b9f581d747187cbf

SHA512
89fcb4d84181870a97a11acdfa272704c8c18aee72516b9be06c6c85447117634af92ffd3e7af396b6ef85cd8c96e23ef5b547e5a9fda7f5769a6e0b6199eebc

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
60KB

MD5
e645abd757e56ef8f9b98eb4dda37e47

SHA1
6755f7d0700091fda924e07eb26f5c0909513c14

SHA256
e8a6c21d7d4164b9e1310b5ca127359d5a04e86270d8a90962dbce310876138d

SHA512
7b9777955d76a011d4df9195c79d39ef403ad1fa056b4d63cbd7c8d58991e2eb56ea5db38552556302e0ffd8223eea44021d077d84116ee510d7b70acc7091ff

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
60KB

MD5
1719d2de3b516bd2162a76d913714326

SHA1
6769495a9a59331c52857d19e0ba949d99ecc469

SHA256
1681538ba874e17e44e45f7944ad89456195ad047bc007e50f2d59bd5b1e0a11

SHA512
51efae5019666a4807bef6ed54841431bb79f3725d488812567c56723914971c32e5bb079859d929546db257625eb21898438d51daf03d17b0c3d7527996b6c8

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
60KB

MD5
06d84578536736de451364921dff1323

SHA1
21a02b273e25b86f012d2f845e8788380b9b98b3

SHA256
23d40aa59604c3fec6f12da55178e30c90a5fab2bce1873a76b6618a0f52530c

SHA512
e069a5673698060666f4898f510e82c18540b71a2a8060ba69457ec7af0e9e7c8a754cff5ea39da21167008415412885a68d43565257a24802ea9bd9d6851f85

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
60KB

MD5
a9f7d29f18f745c2ef35663097e0fa1d

SHA1
5a0d572b14ba888a1602bae54fc9463476793ac6

SHA256
6b1ebcc9c39fc6c4c05f35db125ca8b165eab2da50aab1ebd4baf94cb4b71d79

SHA512
69e1343ff6d39b72890080b1a1a4b168087a85e678bc6a1443784f12ed27964065e1e477de5fea33b0d6924d5a5e0bfebb29ce71228cbf00e1f6d4c14f07229c

Download Submit
C:\Windows\SysWOW64\Oancnfoe.exe

Filesize
60KB

MD5
f67ce951b4382a070c9ea289c9afa61a

SHA1
ae941a22d7fd9c8aee0cbf42dd8b9136374f8987

SHA256
539f9dfea4e7c79380b6534796367eb7a2b8304481f457d1eb640b3bf0269f9b

SHA512
41fe2150c8a19474894bc960e5e19cc1fca1ccef7bf03a3d2dca6b9c0b54d09c438b2b9aca025ebaf9c5e0de6b92261a2cf8ca46ea430444e724502d05c5310b

Download Submit
C:\Windows\SysWOW64\Ohhkjp32.exe

Filesize
60KB

MD5
60f06fb3b7001b3c179b835e12a89fd8

SHA1
41cf86453b320816e1bfeb02687f867c6ae0ba08

SHA256
240b7cc858a43ca0b525f09cbf9a601cbbc9d038e4a8d57e2a2ab44284912d7f

SHA512
db268be784383dc9d6a969d98b8e801f90b4d0990fe5667ed058009eb02823be2eaf8236d6f8502dfebac5bad08f621ec01adce0f5fc6063295374a806e86696

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
60KB

MD5
6c447b3010b7e951613be997cca241fe

SHA1
a1b9d1cdd7638489de6e0d7107c67cae2030b4f7

SHA256
822aad89b202ebda4948a6b6dd3a7c23e91648d7495cba564a2eda884a4d7909

SHA512
0c61a0b73187346f43ba4e0ee1c454b9734de832fd8ae22e960ef5afbb8fa7c6002450ee297f660375002e4eabbd96fb6d5740ec39ef69e85ec78aef25283bf7

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
60KB

MD5
a9290e15a97cf703f678db1ab3c8e8d4

SHA1
6b1722c4a6631d9f403d5121003dd54f143d6821

SHA256
884de44927e34697db1d5227900b12429620c8ea12e9f19986be7ba3635eebc0

SHA512
003b2c235a5f1e06665913f1e03416a088c30e01c0390d7ef25f7b62d2ec3b2cd71377cdb510361344c8fee90e536842b98924019e5d362db0dd54ff94882be5

Download Submit
C:\Windows\SysWOW64\Pfdabino.exe

Filesize
60KB

MD5
dae070f641599c0e52f6c64f233a19c2

SHA1
195a38ad0ffe069ebb11de50df6c00e89a277ece

SHA256
173f05312d18b59f6e7701a12276f669dabeb214b6a7171683c78bc576641d17

SHA512
8defd920085975088d103a0b3239c66ae736b3fd9395e684e9cd0bb497b17d68891fbf61bfab9011b5bb174c549bdac4aa4139150f569dd40f1e62d10fd727b9

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
60KB

MD5
8d37a9ec0ca2c6c14f29045bb4681d4e

SHA1
d333a9ee329bbc869ab2bc31fac88dc116a7a1cf

SHA256
c1f73e87547fb0eb787850a77575d570e6489399c3e2ec84f2b49980b1afcb09

SHA512
7771eebad9882cfcf68c0e338e499c5f71efe33b50c0633b76384aa653017924ee960f1aa4ad11c981a973c37e8456410c02755248d5b8bbf678bb2d4fd0bedf

Download Submit
C:\Windows\SysWOW64\Pnimnfpc.exe

Filesize
60KB

MD5
293afa2413a704b3aa94ccc97e096109

SHA1
b776f236e0406ccb81179024651c91db69ef84dd

SHA256
1215372ab801c6b279fa82e5d31c80f3229f8db7cb8cd85ecdb0368cb71216fb

SHA512
4f0f846c9ee30e488be95d8c59b73e0c9c422cd5a39a98b7b04a378470a5b7018d4246af3a09f48227d0e8251e9f8cc243262f67948922ba77f16f41bcaac6da

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
60KB

MD5
811ccfd1a30a3026ad3009422fb5a040

SHA1
f33fcf6aa9c117ea0b8f0f741c8e95abc17b43b3

SHA256
8486124471bdf092a1c3e989f805f0bed897b1d16ace5500e6be984cc71d38ef

SHA512
69cdd5450a9146c968f757bc9792f4b8e5a99642f979aab119240c8cb89abff1e44da78b71912c3b7de5ff66655201859fdc4dc30b17d2b72a08dde852cfe111

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
60KB

MD5
86b9642907a7e4d084b357bf08e907a9

SHA1
e20edc451fc567f2d58d38b0309df29e94f4f5a2

SHA256
31d07f933fcd9b5c0a0c97c44749b34ac6ac1ce160b58eb423f56d74c7505d56

SHA512
60b7b20ab2a21b998095e6b4634c5ab9788e057de4c985dafc6c5a40ae6680b6910b091cb07589009a70f4697f5b8f2094ff0b664f0722903459934be781140f

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
60KB

MD5
82376200a0f32013e75a1538bc796d95

SHA1
df1511684090103061fd322bddbfb288b0c99f7b

SHA256
cbccf4e8db00c9c5aefc94d6b0fe30f6b85c5ee47942f5b103dd72b9681b5c91

SHA512
2d862a0c4c1271596d286d8dc7b397baba314c42f5576d811ba03945524967b69d06a803b0d0607ef95bcea178f4cf5e42d8f2519328c2551296f85f57fa7f70

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
60KB

MD5
f28632448352e05f76d9314b15b8f797

SHA1
f391d2f233459204603ee9afa27bf2679dd6fffa

SHA256
c375c9804eeb81d7a77777b201d55812011189762734bd614c78dcb8351e327b

SHA512
19e5a8bad0b6eb2aa55b7597f40fe708ce4ae1577daa834b2e281d29634b55a45a492be72f9217245333814f9a97454439a6bbbb0a415d2ed6e9f5b36938c970

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
60KB

MD5
6c9ff0caed3196c55f27f428afb73fca

SHA1
6d8f5e3628573548c49c9dde477cbd06a0566479

SHA256
4f2319e99eb4ada5a8e0fa59f3b0020d13bc912d9d5faff6e9147e32807329a1

SHA512
adeea465b43dcae54e590d46b0e56be195c31dff8eee9e9a70bb7f83ca94d573b368b5e8dfbfb9ccb03db29d510019977b076a91416ea32caac425db7d072fb4

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
60KB

MD5
8d1d698165562d5b9e86b142109e6d02

SHA1
34ce170e2f425769acfcd5c09dc3b2ff28d6df3e

SHA256
291ca63b9ce86d6b0717f87eb33d641d94a4ee9b4dd919690c2e5ba52d6533ad

SHA512
d7db0fb320d9d3f14548e7c8a2a95e7ffe990bb61ed77ec425a51b2f2d1b60de25225e75fed3e4de53010f452579e4a80250f889dd107696bcee198f22adf4c5

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
60KB

MD5
6a4056ebfbcaad9b84a20d0d8e972805

SHA1
ef90d326f51db2312d2a6fa8bac58cd5ad97260e

SHA256
7130b4ea8ae8314f2d00a2352fe1593b206ca7861c0df8569b026ffd1b7b666b

SHA512
720c75301631af801d40facc041bffa79b68a3e85306141f23903c08c69deb56480c61a347d1a0005e5fe3c5595f4e1144a7d299cf650484b4887fff75830b4b

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
60KB

MD5
0c24fdd0bad8a8b51776e05d3524a615

SHA1
a0009e5702b6bf622335f1980f6690741037393a

SHA256
4916b241325aa10bdc6144a12e80b64359e3f1301f94fa3c7c2cb0a2715f32b9

SHA512
434be573664e430c588748f895561fda5806474b787f685d19da6f2e5472b6d6a0e3626dec6fdd727cf6eaea7bcd4b1ec2e26c63a553b1e5eff49ed96f886837

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
60KB

MD5
8a630ee38ec88f6a9719c7d87befafac

SHA1
a70de462bd427593cdc45c91197e51809723d864

SHA256
a4202749fbb7d9904541c22752b8bde5ae05469449022eae9bf880575de3fc73

SHA512
36f9a128660345fe3bd26731e0a6b4c8dc05ec42f5ec86583268aa8e3553ddd3651da3c50e1102447f4ff29b18c60770e3b6cb676ac1b6f049f27ccd905c6401

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
60KB

MD5
d4c45873c1f72aedfae760a56a46c68a

SHA1
3e1ec30e374138b572f9ebd2cb5325b66e2df4d9

SHA256
77226b554a895b0afe47d5c9ecea577a72d7eba5f305a2c8badeee3c3c13c452

SHA512
939977df4fcb424c9d9d2d41ed34bbffeee1e916f402aec2ac1fd9619a9827a0608b7cff870f95bbf2e8c45a654bc3c2b89ebc826bc6d84f6ecbdd16c6968408

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
60KB

MD5
2e802cf4f2064388757731be8d51ebcf

SHA1
06d8db1287695e4adda27987540f5010075403c1

SHA256
93ea6debc2aefa8c13cbcf8fc0a00c9e9df86a265776f462d8a1cdf3a26e5b8e

SHA512
54d0fbf5fc4326b64cc61b5ca95ba7e5080a107d54c5a00973331abe1bcd6f0e4d08c9e239c4c20e98ec73ca353bdf51db596563e2ec246ab45237dcc199477a

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
60KB

MD5
b2e51652ecba87e9fc829a7ec1d5f96d

SHA1
13c3da3f56880a692caea682ea11c7a4f1a54942

SHA256
10b13ddbf885f78e85822eada3c55a457a3e73bbb1e24502072563636097afa9

SHA512
5667717b288d467310f6e69160204b2c889e41d9a00f3e36a8833a114c4c51fb0aa7f6727652d2e8bfedf23ea3aa4f9de21cb5375a323f35c0168bf2b62255e2

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
60KB

MD5
143e085380d92041ab93f64626684665

SHA1
38c8493280e5976ffac65426cb1c59f27c492637

SHA256
09921d6084538a131b8926d5f5c9f0e850843af7bd6ff5abce510bd4721af970

SHA512
91e9dea1292efb905440c9d793eff66f15ef423a9942e67d83261d1207a7d5a909086f91b91616b8d7b62089fce7fc23e5c0be17201b52ccb3b788dd70b501be

Download Submit
\Windows\SysWOW64\Piekcd32.exe

Filesize
60KB

MD5
f1c7b54bb4bbf348b262676f340580a8

SHA1
e76d523b495341dcfe1c6aab73096063af83e88a

SHA256
d0bf95b5d81f8c8d48fcd3a9bb26825a787ed15f1bb7f6a7d46a42352d2dca71

SHA512
847d67fb8307f9331b08342173a97d191755b9cba5d55c728e3d68ac9060ad7ae57fc3fe2a68bff64db0f8ccf5990120e0861bf5a6303405eceea4c02d4e1fa8

Download Submit
\Windows\SysWOW64\Pkdgpo32.exe

Filesize
60KB

MD5
00e9f6c7f1da28b8bf969f2d784c97e0

SHA1
d7eb260f7149566424712b26a0b0ad8935433c08

SHA256
bba36f134448b15e0cd26a64c8c4a8f57fa51a2ac147b94b95ddc9de1011fd43

SHA512
14573f234348c50c38325f5a4798d09d7fd1abdeae23edf071d785812e7420b27fd7fbcbefa6ae9159bfff463ccfb906fc7012cb566f4ceaea56d5bde9c4e5a4

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
60KB

MD5
8c06c3a4cc0d69a01cd40f7436b76292

SHA1
aa413ffc0da1d12265d4d99a545d78f48b90c6a8

SHA256
ccf119b1ce015964154eb5a3af7e982641699b0b52a8c5d9d69727ad124cb45b

SHA512
d755ce7ebb8698a20011fefa896ee3095ef6c232fa0882a2d5799cd3cc59abea74664715fb1a7f96d1a3e0c5068960c001d5a68cfd955bcde9eaa6bff2065d42

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
60KB

MD5
2036448c25855f05062b360de64ee6e2

SHA1
859c523176148f2b68d0dc1bb4ef84971fb3a061

SHA256
c735630ce09b97e79c5c132f1b0659bb0c7dca1d7bbcaccea92d1880c04e0a8b

SHA512
7a8b0d16d5269d856c67c9a19123d0254e8d37c80158bebcb1f7d113806289418c5e2dad2e81c2711b5b154ec2fa5afe152a5e05e409968657b5d197860170c2

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
60KB

MD5
9b9a2563c4eb69cb8821b7ed5085f478

SHA1
8976036610e8d85742b90e7d961960f0c5287b94

SHA256
690af32285ba70d95dd81abe02b5a1a1dc85e5b74f873c92e382a7ed19cf2dcc

SHA512
9f939c18b38a272bb00e57a55c9630f18365941b0277b817a29d88244fb50f2407b02e64b78e7b9a09d1de95113b47f390faf97f0439efcc0bcefd05415aca77

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
60KB

MD5
6855e9ab082d58351bcedd3bac576ff0

SHA1
b59586e201660ad1c4b9316e12dc82a493586a77

SHA256
b302b24e8995363ecc6e407eb060e4db07e2c66e88d3698203846ee895fbc419

SHA512
23cf744a8f5a613a0f915dc61be4d870cef0e52b5fc7c9a5e31690c95400982e27ea2f7580b6cc8bbf9871650420899cbcb050387a57abbeabcd4843b8bb75ee

Download Submit
memory/476-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/620-301-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/620-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-531-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/844-529-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/852-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/992-349-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/992-306-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/992-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1036-431-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1036-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-369-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1112-540-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/1128-493-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1128-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1184-315-0x0000000001F30000-0x0000000001F66000-memory.dmp

Filesize
216KB

Download
memory/1248-144-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1248-244-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1248-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-155-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1248-232-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1284-528-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1320-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1320-445-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1364-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1520-497-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-305-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1532-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-236-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1532-238-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1576-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1576-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-319-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1688-281-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1708-370-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1708-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-324-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1724-291-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1724-292-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1732-302-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/1732-345-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/1732-337-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/1776-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1776-313-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1780-193-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1780-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1780-188-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1856-964-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-408-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2012-477-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2012-483-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2040-66-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2040-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2040-136-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2068-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-462-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2136-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2152-476-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2168-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-399-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-164-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2300-165-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2300-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2324-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2356-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-109-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-271-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2584-179-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2584-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-53-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2676-394-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2676-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-348-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2704-428-0x0000000001F30000-0x0000000001F66000-memory.dmp

Filesize
216KB

Download
memory/2704-474-0x0000000001F30000-0x0000000001F66000-memory.dmp

Filesize
216KB

Download
memory/2752-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-441-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2788-450-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2788-395-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2788-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-208-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2884-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-11-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2916-134-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2916-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-39-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/3032-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads