3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe
Size

96KB
MD5

36ec4e1a18dec6245b189df704edaeef
SHA1

428497782b38c43ba5b7191ed0bf3afbc4b0ca22
SHA256

3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc
SHA512

45bacbb4d47a06b465de7daded085fd199f2ec1ac486ea1e0b9d04d7c4c3831edce374300664c959835d09071b64d7cb7a8a57f32c30eaea2c5e5bb92bc5ff8c
SSDEEP

1536:/6gZFlxwBKWcx0XKhLr402Lk1ePXuhiTMuZXGTIVefVDkryyAyqX:/fKbXK+aePXuhuXGQmVDeCyqX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe

Executes dropped EXE 64 IoCs

pid	Process
1936	Kiidgeki.exe
4520	Kfankifm.exe
892	Klngdpdd.exe
4908	Kbhoqj32.exe
924	Kibgmdcn.exe
404	Klqcioba.exe
4852	Kdgljmcd.exe
1620	Liddbc32.exe
4568	Lpnlpnih.exe
2752	Lbmhlihl.exe
1320	Lmbmibhb.exe
2096	Lboeaifi.exe
3680	Lenamdem.exe
2208	Lpcfkm32.exe
4984	Lbabgh32.exe
1408	Lepncd32.exe
4300	Lljfpnjg.exe
2304	Ldanqkki.exe
4324	Lebkhc32.exe
3476	Lmiciaaj.exe
3756	Mdckfk32.exe
3908	Mgagbf32.exe
4640	Mlopkm32.exe
4732	Mdehlk32.exe
1908	Megdccmb.exe
2428	Mlampmdo.exe
1912	Mdhdajea.exe
3780	Meiaib32.exe
2552	Mlcifmbl.exe
4140	Melnob32.exe
2652	Mdmnlj32.exe
4428	Mcpnhfhf.exe
4188	Ndokbi32.exe
3212	Nepgjaeg.exe
2236	Nngokoej.exe
4492	Ngpccdlj.exe
1348	Nlmllkja.exe
3412	Ngbpidjh.exe
3668	Neeqea32.exe
5072	Nnlhfn32.exe
4032	Npjebj32.exe
4352	Nfgmjqop.exe
3256	Nnneknob.exe
3124	Olcbmj32.exe
2804	Odkjng32.exe
2264	Oncofm32.exe
4808	Ogkcpbam.exe
844	Olhlhjpd.exe
5020	Opdghh32.exe
5012	Ocbddc32.exe
3616	Ojllan32.exe
3944	Onhhamgg.exe
3880	Oqfdnhfk.exe
320	Ogpmjb32.exe
3428	Ojoign32.exe
2004	Olmeci32.exe
1328	Oddmdf32.exe
772	Ogbipa32.exe
2224	Ojaelm32.exe
1112	Pmoahijl.exe
4796	Pcijeb32.exe
4524	Pgefeajb.exe
2568	Pnonbk32.exe
3700	Pqmjog32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Klqcioba.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6572	6480	WerFault.exe	238

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1936	3456	3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe	84
PID 3456 wrote to memory of 1936	3456	3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe	84
PID 3456 wrote to memory of 1936	3456	3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe	84
PID 1936 wrote to memory of 4520	1936	Kiidgeki.exe	85
PID 1936 wrote to memory of 4520	1936	Kiidgeki.exe	85
PID 1936 wrote to memory of 4520	1936	Kiidgeki.exe	85
PID 4520 wrote to memory of 892	4520	Kfankifm.exe	86
PID 4520 wrote to memory of 892	4520	Kfankifm.exe	86
PID 4520 wrote to memory of 892	4520	Kfankifm.exe	86
PID 892 wrote to memory of 4908	892	Klngdpdd.exe	87
PID 892 wrote to memory of 4908	892	Klngdpdd.exe	87
PID 892 wrote to memory of 4908	892	Klngdpdd.exe	87
PID 4908 wrote to memory of 924	4908	Kbhoqj32.exe	88
PID 4908 wrote to memory of 924	4908	Kbhoqj32.exe	88
PID 4908 wrote to memory of 924	4908	Kbhoqj32.exe	88
PID 924 wrote to memory of 404	924	Kibgmdcn.exe	89
PID 924 wrote to memory of 404	924	Kibgmdcn.exe	89
PID 924 wrote to memory of 404	924	Kibgmdcn.exe	89
PID 404 wrote to memory of 4852	404	Klqcioba.exe	90
PID 404 wrote to memory of 4852	404	Klqcioba.exe	90
PID 404 wrote to memory of 4852	404	Klqcioba.exe	90
PID 4852 wrote to memory of 1620	4852	Kdgljmcd.exe	91
PID 4852 wrote to memory of 1620	4852	Kdgljmcd.exe	91
PID 4852 wrote to memory of 1620	4852	Kdgljmcd.exe	91
PID 1620 wrote to memory of 4568	1620	Liddbc32.exe	92
PID 1620 wrote to memory of 4568	1620	Liddbc32.exe	92
PID 1620 wrote to memory of 4568	1620	Liddbc32.exe	92
PID 4568 wrote to memory of 2752	4568	Lpnlpnih.exe	94
PID 4568 wrote to memory of 2752	4568	Lpnlpnih.exe	94
PID 4568 wrote to memory of 2752	4568	Lpnlpnih.exe	94
PID 2752 wrote to memory of 1320	2752	Lbmhlihl.exe	95
PID 2752 wrote to memory of 1320	2752	Lbmhlihl.exe	95
PID 2752 wrote to memory of 1320	2752	Lbmhlihl.exe	95
PID 1320 wrote to memory of 2096	1320	Lmbmibhb.exe	97
PID 1320 wrote to memory of 2096	1320	Lmbmibhb.exe	97
PID 1320 wrote to memory of 2096	1320	Lmbmibhb.exe	97
PID 2096 wrote to memory of 3680	2096	Lboeaifi.exe	98
PID 2096 wrote to memory of 3680	2096	Lboeaifi.exe	98
PID 2096 wrote to memory of 3680	2096	Lboeaifi.exe	98
PID 3680 wrote to memory of 2208	3680	Lenamdem.exe	99
PID 3680 wrote to memory of 2208	3680	Lenamdem.exe	99
PID 3680 wrote to memory of 2208	3680	Lenamdem.exe	99
PID 2208 wrote to memory of 4984	2208	Lpcfkm32.exe	101
PID 2208 wrote to memory of 4984	2208	Lpcfkm32.exe	101
PID 2208 wrote to memory of 4984	2208	Lpcfkm32.exe	101
PID 4984 wrote to memory of 1408	4984	Lbabgh32.exe	102
PID 4984 wrote to memory of 1408	4984	Lbabgh32.exe	102
PID 4984 wrote to memory of 1408	4984	Lbabgh32.exe	102
PID 1408 wrote to memory of 4300	1408	Lepncd32.exe	103
PID 1408 wrote to memory of 4300	1408	Lepncd32.exe	103
PID 1408 wrote to memory of 4300	1408	Lepncd32.exe	103
PID 4300 wrote to memory of 2304	4300	Lljfpnjg.exe	104
PID 4300 wrote to memory of 2304	4300	Lljfpnjg.exe	104
PID 4300 wrote to memory of 2304	4300	Lljfpnjg.exe	104
PID 2304 wrote to memory of 4324	2304	Ldanqkki.exe	105
PID 2304 wrote to memory of 4324	2304	Ldanqkki.exe	105
PID 2304 wrote to memory of 4324	2304	Ldanqkki.exe	105
PID 4324 wrote to memory of 3476	4324	Lebkhc32.exe	106
PID 4324 wrote to memory of 3476	4324	Lebkhc32.exe	106
PID 4324 wrote to memory of 3476	4324	Lebkhc32.exe	106
PID 3476 wrote to memory of 3756	3476	Lmiciaaj.exe	107
PID 3476 wrote to memory of 3756	3476	Lmiciaaj.exe	107
PID 3476 wrote to memory of 3756	3476	Lmiciaaj.exe	107
PID 3756 wrote to memory of 3908	3756	Mdckfk32.exe	108

C:\Users\Admin\AppData\Local\Temp\3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe
"C:\Users\Admin\AppData\Local\Temp\3ef8938c1078a899b3ca4827c7c8d5b3769a353728fbdcaa92399b45b7a991bc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\Kiidgeki.exe
  C:\Windows\system32\Kiidgeki.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\Kfankifm.exe
    C:\Windows\system32\Kfankifm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\Klngdpdd.exe
      C:\Windows\system32\Klngdpdd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        23⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        28⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        31⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        33⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        37⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        42⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        43⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        52⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        53⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        67⤵
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        71⤵
        
        PID:876
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        72⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        73⤵
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        76⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        79⤵
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1540
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        87⤵
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        88⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        89⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        91⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        104⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        109⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        112⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        113⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        119⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        120⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        121⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        122⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        123⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        130⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        133⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        137⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        139⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        142⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6236
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        146⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        147⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        149⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 396
        150⤵
        Program crash
        
        PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6480 -ip 6480
1⤵
PID:6548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
9fcc6b95a33e16cfc0e55e2e3be2af3b

SHA1
7884d8799c10c46c3a7a8437f574962c0f0d16a7

SHA256
69df78627837ed58d83fe51d288aa972d6a32fffcb2acb8c573289bbb0fdca10

SHA512
c67972668ad422db435b6a5180eb402f26e131a64796a84e0d6dea454e994c3bf5af2ef01a859992c5c277b8f6ab38132e5c6682525e1106f5db144c9bf8801b

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
7568efb167868642a39fa041313969f0

SHA1
89c0df3eab3e10334f544ef0d6747fb8376bcda5

SHA256
d001cb8be01f53c297d0ba5ea69a568475e480dfbf17f71fd61ed5dbb9f26db4

SHA512
851cdcbd21c96d982ce49f9dce260241ade9e53595ca12866cf1c37339b104e9169e6159690b4d2713c7fce18f54605a6449c1de514abf15545c32f721e67906

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
72e178ad87c3aa3379e06203ff895a93

SHA1
f81baeaea286c91d90a2f76a2237c663cd4b8e0c

SHA256
ce6384bf5c6c87b2518dfec6108138d7214ca333f3fa7ae6c333539ffd896be7

SHA512
05599b88e0c28f42b7fca94a1b7504ea101ab44f37559edbc55cd55452c8849f62af377ef068357bcbdad346f0e4bed476509fbbee0d3ebc764f2dd317f43414

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
6d31a95c88616448e66bf92169437edf

SHA1
2933e47ac4a8d69afa2a2d08b33a94c05d29e0e2

SHA256
486eab952291dd3223a083590bb3dbec092b07c1b6dcdd6c13601528e94b2dda

SHA512
deb43c3cd63a13623d516752c4647b768c3c136e98ceb9ff12a95b376aa4e43f448f90f76440e2c943e20227c41a591c9d422c29f0fdd9fae0c651bfeb68abb3

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
a5447b4ebd80f8370eb45200b5a0d2d1

SHA1
e722bc05efc9db98e606e6c242fe466551ffedbe

SHA256
7b62b24dba20b24c9d51ee23726d6da4cf070998d20a16f3d5b27f796cd34b3e

SHA512
da06380712189d5cfd26cc498885c5985cc284f86fecb3a823f6f5c85ad5469d574bcfa55f1933694cd084cb3335ad7c86bf01d8d64fc2e14e998eaf60065b9a

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
48860291dbfa59730580450e78faa11d

SHA1
407ddc08b13f942c799c3970c1360ed487736417

SHA256
9243477904c524973b96ef2d5160025d5efe412294e4fbaed27e3e33dcca94ec

SHA512
01f1ab4c22b7db7a2af9b0219713f33753f5eb79e829853006e5144a837cdef1d397241b45d9718690c5340a5feba2113e6a12b39c57848f6fda48c204558ff1

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
b8c02482cd79632a7878d76461374fad

SHA1
a5c186c2c956209d8acf38edc22f0b83019e3377

SHA256
5686307a38b63c4379fd71a3f586c85fc1e44a763eb5856a7e91802073eccfb6

SHA512
6c629517bc7d6b4d2acee073a55161c63c5d6a7a77d141525ab38d1bad38f51fda6354faa897239b959e87ef5c0d6d7a9df8cca465bb7451f7745b826cb63466

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
96KB

MD5
a50cc6cc05f288efb6b23449ee886396

SHA1
47ddb881fb1eb2acae1a88daa4ea51311b89fa7a

SHA256
d7f17dc5d2d46729f237ccf6dc44c4425f4da35c031d391fa294928fc40dbf39

SHA512
c544b18e48bde92bd6841c1d2abea97d6dab3496dd7df09aaaf1a74591d333f853aba8deb48295bcf5fc495bee8fd1f02376b7db059d1e618f7f1fd080bb45d3

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
96KB

MD5
d387e70e4603284909375beb53ef79ae

SHA1
e8b4cfe579bdd7a014b2c86e283abe81cf9771c0

SHA256
0bf8ed61ce9a5a9316a7352877cef5876e65349445a2c03d43cfa56396e89e32

SHA512
186bccb533220cd3bf02adbcee1890d6135a4c9041ee3e9e3130560f1883faff92b995e8c926de7d2315941858f412b936426e6e51655f12f4fcc8f48eefced6

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
96KB

MD5
25110bd1e89cd56416164d734de2bd25

SHA1
b3b99d286af1a78aa807bfb16a08c33e0f1b9471

SHA256
d216a0822b99ff61d318e54cfcd763597ceaa375314b9fafd8a2992e5a00b607

SHA512
d3f96b597424281f925b4b2e3837207a5615e062e1de1b2b847c6b9ee93e6cb95d29651dd5c259a98f9af5db0b00b5e55e79af21768425141826761a73d7345d

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
96KB

MD5
5b3e1a7565dbc24359a98c4b8df8bf58

SHA1
b5ba9faaafe250656c88f8ed1f1076f4fa1833b1

SHA256
d16edb3a9baa70014d5d5bfcc5ba588f1e30ba3d3d76ac2e28bf300cf422c33c

SHA512
239e3dc8beea31576d7f2fd4cf9fd01ebb816f0e52dca7e6a32ba2555330219fd5fab6caa97572b4ba4f8cbc6f9919f0245a33e4ea31c4f282009a7feb9d342f

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
96KB

MD5
28aa2a3ef7832fffff000143cde25ea6

SHA1
e0e1e5921606836ffdb26c43ebebe822149a0691

SHA256
d3534d743ddaae6050e7d93ecab7ec8d14cdbaf89960a7c25661e1bbf9c96680

SHA512
312b9e202c89e973395ceb22de25b8237ee28428928153320412d6b47524e034e913dc538505083bc9e1492683d2ed1c28e71b09c013e6a52fbe96990c740f36

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
96KB

MD5
9f9261a3a1d3d73370300a76b81f7f78

SHA1
3229eabd7991ecd31804bc913dda1cb867f89dfb

SHA256
49c50295a2caac4d0630022f0bf8275d3fda1a65f0e248dd272e131b7bcf435b

SHA512
d048085b14d21debd1b372498007232d2f4638d8c7e19ada083d343821bf7cbc877082e2754144c8ec3961d3bd18991e3946e2fcb3c5d43be8d4bb6ab5643395

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
96KB

MD5
5577f7eeef283ec6394b0839933e6407

SHA1
523c8d4b8cd49808195d436a08a07b4738ddf326

SHA256
b35fcb785ba9d81b37a8f088dbf432d4964ae3d91be66c7a3b8a2ab4197c4de2

SHA512
ef96e8621e10a8e800a213749a5c17f08424f486edc0242bf1fca180d2ebfbcef8dc695c9f6e710e0d5117850b3e31fda571aa8b2cebefc033eba4f6f8c0a9d5

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
6cb854eb6940ff250a26460d658af249

SHA1
e75ad756b195af94e8d39cf8290904e4e384d0b1

SHA256
ba18d7c5fe20ad80f9777a37c4fa78cfa05cce23943d6ca5b483287be63c5871

SHA512
462392ddb9f62425b6be2ba1588da9646780136a0438ea247cbf63a10b22851a6fc48849e4d69817cdd0b458ef6929dbbf5600988e9b74d03673b644c963ff94

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
24f19007c291886f31f467cf2e17615f

SHA1
46a941c1cf618914811439afc986237bca8b4c24

SHA256
dfe6e4dddb156a87b923fb0e2b23602120e7c00358a1ab1558db012b3412b9f7

SHA512
f1c7e540162d99cf19025a8b4d8e4f39d12bc7892388750b1431d3dae510b69e9f7b18883b935413b3e3b0e3570c090d97cea5d50cfab53dae3be86feebd0836

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
96KB

MD5
e1287c2af8b818bb76533a592347424a

SHA1
7fffa1d43065abf0b1cbdb6dfd8294c9c2da8850

SHA256
e4c3c7fd0f45abb5df82fc1f29cdf572e3503385accfe6442468a75994ed484a

SHA512
725e65784580a06305beab1f35984c65226058fdeb7ec5bcdd5e4f597af3e28dbc36e20ff106997c11f8ce0facf1615edad155060120aba3039f9cf3701165af

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
4b9cd5c0c234aa01cbc6449db8e69440

SHA1
cff702d02eb923e69c1e84ccb44aa2ab3e86666b

SHA256
dc8891af22d65afc0cf98dea0679938d00dc2ab11939013be6c8de596b39b90c

SHA512
08ec99bb9919629e71beee6c0d2d828ca4bc6db0722b9417e72fa404edd109d1cb3d9b578f2a337d7b0ff49b7a9d35d43f9ca3a429f85c45e4e72b5509cc693a

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
0057a0f80a331a7d8b8fc9de65837b55

SHA1
d47257fb97f34dba1bb602fb6096a93f4681d3cb

SHA256
c391f3de93621c133ad34c00c5038569b0c46d0894eb273ddb81662e34070da4

SHA512
7f49e4bf01f5f1748dbf6d969ba371ddb6c0f77528874080ecb4789c2665c878311e387ead702162ea6078957022e958d3d00c43c21f45eefc35629474f25cfa

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
3840d58e1806c9c7c7ae2d28385a5942

SHA1
6b6a59814cb348af3f22bc1bd7c8ce3bf9fb84a2

SHA256
8373e3f147a7eefcd9426d4cdd28ba35df2f4083042ff8d82d69551efce1fb7f

SHA512
85ba6b9086172ba78afda59519ebfe25e020d3cedfa36dea83dcb7f81d27dc2d9437d204282919d9e90425392e778d8a21ea9a5c2543dc57d0975a7bfd72be80

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
8ee68983ba7797dfdb12ff2849738b8f

SHA1
cfb1826281e22f3b332de8bd36d26eaa6b39b8c2

SHA256
90866afe71370b2a327b8645fc7a7d1706bc62fe450719d73147f499d5d1c907

SHA512
0ce1daf24407e27e1abb862b7f1468f97da2fe4bef3046f5c40b7eec3a187efe84f555ae7eb7167f99f502631ef436a93ef4aff855a9ad59a5d324336ec4552a

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
9169a8f0b0f70cb96c8f4fa666b7e941

SHA1
4dd68945c809420f53ef53ac68386868a0758fdd

SHA256
c0f411f4039281fa914f7b04ea21e0256c39f6698260dd7f68ee3cf3af29ee04

SHA512
8e24d974c16453d1cf6bbf88ac3fb7679c651f152c474af0457cafe4ffe3a03d9dcf73b1ff539fd94b1f3bda887a38e0a617608c03cd361ce806a6de64a043ed

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
96KB

MD5
06c9819c722addebdf23315bbe7b50f2

SHA1
a6ad9f59ca4661a439533fd64b47649809d1643a

SHA256
4e6b78a5a1fba6e6cff2d16bddfcdafaf7418a8336fede7ed9e87cf711c52d6b

SHA512
6a89d4f3a16be12ca190caab3625194a6beaadd9311414d408432f04c5c8f9bf30d2ab39bf65cab50c482d9ce6cccafe899034fc08e7e5779de4eeed71e89e8b

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
c6bdb1d1bf1f0c303f54138b884d8b4a

SHA1
4595fbffb165db484bfdaa3ea024bee0350296ff

SHA256
079f650364301d2e62e3c8744adefc5a662c49a44ae36b980abe5a0d20851095

SHA512
752d3510ad2e51da57a4bd48fed2889dcdf9ca0b3a093173550db2fa7eda86f18863a83809a7fcbab1094c6f822ae408fd9359f0cb4ff9c111e9ed243fb7199e

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
264c009411d2f640435cea6b9ea24b81

SHA1
b3ce7a4c74aa3310c2c6d70d250db51cde0b3b2c

SHA256
8bdc51697b5d73d665993528603e5d987c53eed62cce607bdee18865066e556e

SHA512
bdc99ac06c725be72275984e1da299dd3419fd881d2456997360ac3fccc4fea218a28d7acfbc00fade38c4c9636e815cb46c51ba9ec18f5ef704d662a9c68d2b

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
a564a45f36e00eb030e11f6c203503a5

SHA1
d7449b6d98e03d0f08ccfb4a36075895ae8a6cd8

SHA256
f41600ac541489b7a552f469c40174ad0e9c2894968b2b548379cf2b1a01a8ce

SHA512
c64ce21f0e4dfc1b67599b653e345a1b8a2d8ea964200e438c179c8b843e44173b60a11f5f9a9bba33a3ca3ed6eb7f98d8f8a185a5139963a45f68a7651b061d

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
96KB

MD5
f4121d1d802c790bfd7f6035b928ee2c

SHA1
885d5ace1205593a20d4dc21abcfdb3f239a6ae1

SHA256
478c5e395b0a5c14c45ff12ec800d55b557646ff9444919799e9431e5baf6340

SHA512
946d009e36ebde2dcf3075147d834988c505f42fe3140fb5c990422bd87fcafd0c3a601fa004d9f938cfa895eb31adfa304292fd6df9dc58233c00c88d9aad9a

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
46850f446de3aadf32a49f254652d9a4

SHA1
5befc585f8067410c7cb50654b8845a84e11815b

SHA256
04b34ce8410de6408b36d0423bf3305f5fb8bf208a8203cd4bff3f6462b61c0a

SHA512
6ec53b190b126fa3169128c8c4bb3090639cdbdd41d0527ea4345cfcabc44200828abf803eb02e1d616a66ab2726b614dd3be45703553d3d822e18d60386b75c

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
05dcec41c4e5a9954407d024b34bd2e9

SHA1
08730952657b05e87424622aafb6858b56ce56fa

SHA256
dbc937c01ea759790b1a311b9c4326b0f1c2b9130fc2023e417ca48708b4506a

SHA512
f485e91564fa25847cd45e41431381ff01dcefefec197274e33404f9d90e284b48f36cbe2265cc6c313d8709a7aaf45893b82a4f358c6ad30c02670d960868d7

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
1caa379b57c8714306c470bd9d3873c1

SHA1
d26867f24dad691442031af152105aa0032fde16

SHA256
89e40f73fbbd4577c6b8de9abd9bcee7972b0b2ea50b902995f9195a0025348a

SHA512
c2fe4b934802869e6f7537311d99559a4b693e662be59738c4f96ee6079da6b33a29bec9f1428b5d3a49bc21c3ad86746ee24b78c82b788690005000088bc3f5

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
96KB

MD5
7ad120be87c1ec429ad39f9b41b6b4bd

SHA1
599072f33ad94d10cff6dd7f5a5bc5ed9b1fe0b3

SHA256
e1fc665da7f8bbc538c0890d077048d901bc2790bd0b1cb3128c195a5bb7d206

SHA512
2b2d7262dc669790814fc10e8d7cf29ed3d2d755c144cf671dc13d77f205410f3647010aaabdd9a6f6c4a8b46967836d2baee16e6b937766128dbe49b2843117

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
5f387979642f9c56a17d6a6777b0a3c3

SHA1
62585733d03e310af1e24822fedbf2ff639a23cd

SHA256
37ebf5c2eb48cabeb59dbf607368c173eca9405fe86b484f57ce1e5a8ddb458a

SHA512
d031c740f8ab19b456398bd303e308c34043ac37e55c93ada76306075df4dae2645093fa51342a4c0be8b5872a4d62ee0d69413253bf453db7f1322b0f6cce7b

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
96KB

MD5
34bcde81e8c25fc1dd794b44aae7d9a1

SHA1
7d87633feef56b834e373c616412c3defa951c14

SHA256
f07f207cff9a2c2ab0f80c0fdb4fdc859a5f5c433bc161dad8860a45cb0fb7b8

SHA512
d20dadebcc169f2d3a3f77b7f0bddc832f93844c7a73fe1f02e9db177d710b87cfb91f548119a304a84c5715fb71d4d278bb4b1a958dbc4c1380a465abf0f783

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
8a5807088b89e0c5ded6c80957139376

SHA1
b3a803d6288b7e3a9ddc48ab5ad534d7fc57dc9d

SHA256
b9cacc6d1288a26ee9b95598f8ba4a7e7704c4a79a3fbac802b0eb51b921b25a

SHA512
e6cda2de81a57f2b2416c29c10d1ec3b7c34f3ddaff787394a9a0a77c3c23ebb16eb93635711e007535ba7dc3be6751e2cb7018dabfdb2debb487a8d55a00962

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
474524676fc8d52b622c4e070570bb30

SHA1
3d16490611d48bb4db8f6d2a6a8e335782b5945b

SHA256
0062bf87c7c231ce07083d1bc54941fa66c7568c4b5f5eb6c6ab2edacabe66d9

SHA512
bfc7b0c21a7da63564324b853d124c750728843155f0c4d795eb7c4e1f9ddcbe587c7602e0e3e6ff287fbe60547bef401a839c46819e36c420f20d5ed8ef27da

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
e21e352f46cdf6e7f20e8bf94f0111c3

SHA1
db2da90d57e493789d7328d9e4d028208f80870d

SHA256
2bded6ea1fa25764bacff5ebe0ee032c2ef886b1985a21f486baf84c6e8f7794

SHA512
574cbf907929ffff30352996b1190fbf8a388c44a4e5303d3a403acb66d2cc0be1e1124f0f05c5d46549360659be494ea738f5e31136905701529112f5c37d88

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
8a630d7eec911d6f7ceed85f30a1d126

SHA1
8510b9b1692ca378317f2984f2d1ebbcb7118568

SHA256
2f61b76363e3d0ce1a597fbaf47f2486084e2eeee9b85a276c97d9e6d2064955

SHA512
6093b900bfb52a3c9d8e53f801091574e039daf312986cb1fa40db075f59d839a19db3f969454a126b8df4ebeb0f6e6c6cff7ffe9ca702cd0b6837fb959f9a66

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
c9b482a4da7f10a624e4f18cacf2c90c

SHA1
881568ed203878acbcc61cabc9202ea98e10f68f

SHA256
af342cd88266cce2104ae3db3c256afddc2219f9ada32a821cd9092ec5ae6c21

SHA512
d8f6dcbbe1d910e9f53c4299cc4ad9aade330362320f7e2924a796dd7bf6c0e9bae838252d20804eddcb3097cb54e340f3a1cbd0c01d2718faa8d911dd27d944

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
c5ead7d2ff04bc84bc30d7f2485a8675

SHA1
98fa5b99c6d28a329494ab24f0944f7bb6be7d9c

SHA256
7e4d21aed3560f1238609c732b3e7a11d86e2725c6ba3f8049a64eaacf1325a0

SHA512
a572186f39935d3eabf8ea1bb054a282b7124b6c73e5f63576b92a0fcc5df2947aee6a5697dfced4ffebbb72e64d0a311a5252f9344f395e718c39eca2cdb0a6

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
309ad0039598a6ec106220953c0aebac

SHA1
211aafa6796cdde9a9f730515fdb7d921fc9c077

SHA256
2c896a0bfd6a2fc9dd7662d036118f861a222001a760bcce8d0b4b73ace601e2

SHA512
c643aafaf3174f2ee662570a26cb7ee840405223bdcc3136c64296e5e88f8ad12a551b6288a3740553ef47d4d52b186a328ea7715581f216bf6d9900a5ec5f93

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
64KB

MD5
89b180d4a998869a34c99ffe832b2bff

SHA1
bf35d1c66121a363cd971c74fb2bb6b7115b4400

SHA256
4fa7f7e1a9952bf9a59cdfe5ab7a094cff51a486803c265c53dadc04024aa157

SHA512
9e48cc2ec1081e65e43d5a3f4de678d0faee9ffb317c080afcea0e5f6ca884abfd355bc320195f13472e69639094668c255bdb0e37d65b5800bea8a5cb2dd1d3

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
f40ccc0057dd1d6fbc698080f93eb49a

SHA1
42866602c136de8dfa7a1363fe7e67da95f33697

SHA256
b5149086ec712148cd31a050dd89741f42cf5e4605600c0c5da2f158c233efee

SHA512
053c3179e3821081690c1588a47d6a09a46caf155732ff44fea49e1f73998b0b5bef34c41645a4ed40d16bf1f1d7b4b736422c36bfcf11f918c62bf7b67a555d

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
eed5504825ccb8cd9701330739e1bc4d

SHA1
98e670716913e279acd11cd52c7bda115d9344bc

SHA256
c6880c2ffa4f6e09a27c702818127ceec43caadbdf2c698ed5d967ab9f7b9680

SHA512
6b2ea342fa19fd024ed81e19b12cb1aaeef6990c67f8fcd7029105993255278664d295410e6ad53757a85c38256c26e8314d5b0d08bc60c07d41fda814e635d7

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
48582be6753983023e5a9163155415db

SHA1
374d7fa8775072b7b0f089831884f6bd82308aed

SHA256
a28484d0970a1d63e4b18e96b5bfb9fb8945586eff4fa99fdd301e0b6485a343

SHA512
3da0a13a03c82b91ab3a3515d43e48a442da975e832c1d4f8cbb9374b88f4e2e3edd4bf29d19bc6b3718202878817e4ee49346d4b98ce2576fec8cdcd36260e3

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
a72a9ff3091b26aff0bad059f06ce46e

SHA1
5e0c0e9d754ce12bbd34678ace61c096b95ce442

SHA256
c979eee9c28ea2f8dfb41717cd9af6814e4674de905a82b7fb3426429ea0a630

SHA512
4a1a48d6887c93ac96ef35aeffa42eb305e7cfa3f3c115ca09d9f8f6f998bd079cb4d4a374b009568a6b7760145e3fd533d0e279794c3b54237ca3c518ef50a6

Download Submit
memory/320-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/844-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/976-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1348-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-562-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3476-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3756-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4140-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4720-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads