f084b75e06e18547fcd01828f54e71581c0b5e6b2f9f3fc3f45f614e26d7e174

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8b07d69522247037f714fd521053970N.exe
Size

98KB
MD5

d8b07d69522247037f714fd521053970
SHA1

200d37fdae7efa9cc1dd7e98f022664a6d9226bc
SHA256

f084b75e06e18547fcd01828f54e71581c0b5e6b2f9f3fc3f45f614e26d7e174
SHA512

5f3da6660a1acf2a706633b98294d0f33ad451c9a50c7212a89321d0e6ac3b2955a4b418ab99429a974339e95c8fbcb2a0a37bf82638dd84d88337ec5b6e5e9c
SSDEEP

3072:qli/jj7lmY5NWtZ4oVLPF0ZlCPuhrKaGbgEbeFKPD375lHzpa1P:Yi/n7lFkn4+0ZlCPWVEbeYr75lHzpaF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe

Executes dropped EXE 64 IoCs

pid	Process
1820	Jblpek32.exe
3956	Jeklag32.exe
944	Jlednamo.exe
2448	Jpppnp32.exe
884	Kfjhkjle.exe
4752	Kmdqgd32.exe
1424	Klljnp32.exe
3312	Kpgfooop.exe
1948	Kfankifm.exe
2584	Kedoge32.exe
3296	Klngdpdd.exe
3216	Kdeoemeg.exe
4468	Kefkme32.exe
3112	Klqcioba.exe
2120	Kdgljmcd.exe
4032	Leihbeib.exe
4676	Llcpoo32.exe
2304	Lbmhlihl.exe
4324	Lekehdgp.exe
4564	Llemdo32.exe
2832	Ldleel32.exe
3940	Lenamdem.exe
4256	Llgjjnlj.exe
1944	Lbabgh32.exe
5052	Likjcbkc.exe
2068	Lpebpm32.exe
3396	Lgokmgjm.exe
1700	Lebkhc32.exe
4376	Lphoelqn.exe
4520	Mbfkbhpa.exe
224	Mlopkm32.exe
2016	Mdehlk32.exe
3636	Mgddhf32.exe
1788	Mibpda32.exe
4760	Mlampmdo.exe
928	Mdhdajea.exe
4556	Mgfqmfde.exe
1636	Miemjaci.exe
2208	Mlcifmbl.exe
4984	Mdjagjco.exe
4404	Mcmabg32.exe
4444	Melnob32.exe
2796	Mmbfpp32.exe
3548	Mpablkhc.exe
3756	Mcpnhfhf.exe
5024	Menjdbgj.exe
4484	Miifeq32.exe
3824	Mlhbal32.exe
2036	Npcoakfp.exe
2388	Ngmgne32.exe
4648	Nilcjp32.exe
1992	Npfkgjdn.exe
2336	Ncdgcf32.exe
3836	Njnpppkn.exe
3212	Nlmllkja.exe
5064	Ncfdie32.exe
1332	Njqmepik.exe
5072	Nnlhfn32.exe
2708	Npjebj32.exe
1092	Ngdmod32.exe
1676	Nnneknob.exe
4236	Npmagine.exe
4328	Nckndeni.exe
1812	Nfjjppmm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jeklag32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Hledan32.dll	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Lnhjmp32.dll	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7080	6864	WerFault.exe	269

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ojoign32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1820	2740	d8b07d69522247037f714fd521053970N.exe	84
PID 2740 wrote to memory of 1820	2740	d8b07d69522247037f714fd521053970N.exe	84
PID 2740 wrote to memory of 1820	2740	d8b07d69522247037f714fd521053970N.exe	84
PID 1820 wrote to memory of 3956	1820	Jblpek32.exe	85
PID 1820 wrote to memory of 3956	1820	Jblpek32.exe	85
PID 1820 wrote to memory of 3956	1820	Jblpek32.exe	85
PID 3956 wrote to memory of 944	3956	Jeklag32.exe	86
PID 3956 wrote to memory of 944	3956	Jeklag32.exe	86
PID 3956 wrote to memory of 944	3956	Jeklag32.exe	86
PID 944 wrote to memory of 2448	944	Jlednamo.exe	87
PID 944 wrote to memory of 2448	944	Jlednamo.exe	87
PID 944 wrote to memory of 2448	944	Jlednamo.exe	87
PID 2448 wrote to memory of 884	2448	Jpppnp32.exe	88
PID 2448 wrote to memory of 884	2448	Jpppnp32.exe	88
PID 2448 wrote to memory of 884	2448	Jpppnp32.exe	88
PID 884 wrote to memory of 4752	884	Kfjhkjle.exe	89
PID 884 wrote to memory of 4752	884	Kfjhkjle.exe	89
PID 884 wrote to memory of 4752	884	Kfjhkjle.exe	89
PID 4752 wrote to memory of 1424	4752	Kmdqgd32.exe	90
PID 4752 wrote to memory of 1424	4752	Kmdqgd32.exe	90
PID 4752 wrote to memory of 1424	4752	Kmdqgd32.exe	90
PID 1424 wrote to memory of 3312	1424	Klljnp32.exe	91
PID 1424 wrote to memory of 3312	1424	Klljnp32.exe	91
PID 1424 wrote to memory of 3312	1424	Klljnp32.exe	91
PID 3312 wrote to memory of 1948	3312	Kpgfooop.exe	92
PID 3312 wrote to memory of 1948	3312	Kpgfooop.exe	92
PID 3312 wrote to memory of 1948	3312	Kpgfooop.exe	92
PID 1948 wrote to memory of 2584	1948	Kfankifm.exe	93
PID 1948 wrote to memory of 2584	1948	Kfankifm.exe	93
PID 1948 wrote to memory of 2584	1948	Kfankifm.exe	93
PID 2584 wrote to memory of 3296	2584	Kedoge32.exe	94
PID 2584 wrote to memory of 3296	2584	Kedoge32.exe	94
PID 2584 wrote to memory of 3296	2584	Kedoge32.exe	94
PID 3296 wrote to memory of 3216	3296	Klngdpdd.exe	95
PID 3296 wrote to memory of 3216	3296	Klngdpdd.exe	95
PID 3296 wrote to memory of 3216	3296	Klngdpdd.exe	95
PID 3216 wrote to memory of 4468	3216	Kdeoemeg.exe	96
PID 3216 wrote to memory of 4468	3216	Kdeoemeg.exe	96
PID 3216 wrote to memory of 4468	3216	Kdeoemeg.exe	96
PID 4468 wrote to memory of 3112	4468	Kefkme32.exe	97
PID 4468 wrote to memory of 3112	4468	Kefkme32.exe	97
PID 4468 wrote to memory of 3112	4468	Kefkme32.exe	97
PID 3112 wrote to memory of 2120	3112	Klqcioba.exe	98
PID 3112 wrote to memory of 2120	3112	Klqcioba.exe	98
PID 3112 wrote to memory of 2120	3112	Klqcioba.exe	98
PID 2120 wrote to memory of 4032	2120	Kdgljmcd.exe	100
PID 2120 wrote to memory of 4032	2120	Kdgljmcd.exe	100
PID 2120 wrote to memory of 4032	2120	Kdgljmcd.exe	100
PID 4032 wrote to memory of 4676	4032	Leihbeib.exe	102
PID 4032 wrote to memory of 4676	4032	Leihbeib.exe	102
PID 4032 wrote to memory of 4676	4032	Leihbeib.exe	102
PID 4676 wrote to memory of 2304	4676	Llcpoo32.exe	103
PID 4676 wrote to memory of 2304	4676	Llcpoo32.exe	103
PID 4676 wrote to memory of 2304	4676	Llcpoo32.exe	103
PID 2304 wrote to memory of 4324	2304	Lbmhlihl.exe	104
PID 2304 wrote to memory of 4324	2304	Lbmhlihl.exe	104
PID 2304 wrote to memory of 4324	2304	Lbmhlihl.exe	104
PID 4324 wrote to memory of 4564	4324	Lekehdgp.exe	106
PID 4324 wrote to memory of 4564	4324	Lekehdgp.exe	106
PID 4324 wrote to memory of 4564	4324	Lekehdgp.exe	106
PID 4564 wrote to memory of 2832	4564	Llemdo32.exe	107
PID 4564 wrote to memory of 2832	4564	Llemdo32.exe	107
PID 4564 wrote to memory of 2832	4564	Llemdo32.exe	107
PID 2832 wrote to memory of 3940	2832	Ldleel32.exe	108

C:\Users\Admin\AppData\Local\Temp\d8b07d69522247037f714fd521053970N.exe
"C:\Users\Admin\AppData\Local\Temp\d8b07d69522247037f714fd521053970N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\Jblpek32.exe
  C:\Windows\system32\Jblpek32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\Jeklag32.exe
    C:\Windows\system32\Jeklag32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\Jlednamo.exe
      C:\Windows\system32\Jlednamo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        28⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        33⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        36⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        39⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        40⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        47⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        48⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        56⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        61⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        66⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4812
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        70⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        72⤵
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        74⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        75⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        76⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        78⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        81⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        82⤵
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        84⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        87⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        88⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        90⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        92⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        93⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        97⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        99⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        103⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        110⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        116⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        117⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        118⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        120⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        123⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        125⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        132⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        135⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        138⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        142⤵
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        143⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        146⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6648
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        148⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        151⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6912
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        154⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        157⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        159⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        160⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        161⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        162⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6412
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6552
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        167⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7032
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        173⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6168
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6416
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        179⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        180⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6864 -s 408
        181⤵
        Program crash
        
        PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6864 -ip 6864
1⤵
PID:7040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
98KB

MD5
9b65aba7293d113193e3a4471f08d79d

SHA1
7b70e3dda63c67aa771f4121fa127503b0790a2f

SHA256
e64f00133d365fa07ef1288bc9f3c9e2cb7d6ee8eca9f7fb2f4ea0c3d561e7bb

SHA512
d7de1873aa3952c6446baa1e7d6733ea04deea06901055a6adc0c7e9578daf21ed0bc41c3b9ecc3aa72daf76739db01788591588797596a665e1c9fdb4bf28a4

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
98KB

MD5
1362ecd5e21db00221fa8419b3d6f3a6

SHA1
e238a86f5dd7a15e78a6139869aec5cf4475d03f

SHA256
d2a36e4b7a40866e0dfc96b7712bf7053b142141181b56784e208648d8bcab45

SHA512
e911873383f01a383d480ab4b80d39204ece3e98e618ec80f8fb4759a3db94ee140da716f11f97550e85de7247ced09fff8142def8e5e4718c315ff43d25fbd7

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
98KB

MD5
96545872951d04b683b0fb9ee7c68853

SHA1
b740d20e23bcad4288d2f5fbf3616c3955e1d940

SHA256
37c73e01ee69dfe51d72e8f34fc8522981aa29e386baff6bd34a025cef7d43af

SHA512
d4ed4c757eae02d715fc5df937bba3bbfbdaf69b3ee25c200a3683b2c262f7e1678368cbd0ce0837b3efaf34e53489b2e4e890d5908a283e3dc54b099c14ea92

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
98KB

MD5
e410888251ad215726c1684a4013a5e6

SHA1
e4eed025d692b40bdf3cfe1347c3d701265ea5ab

SHA256
fad052384105030c61eb0cf993b9c02c8ba30e3348f6c81e137fbdfd87132db7

SHA512
dbeb1debe3d915ea7acffe4e4642e9949776976a56616454ad4761d2a11e18ca6e496e33dec4e600240cd799b791a198ba0c6878e88176209cb870ac0ceb19ea

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
98KB

MD5
2e4b73d9c3c68b484e875ca11559e606

SHA1
366b54e3781dcc1b24ac7be4db027c63d7494237

SHA256
b822a48735b240227e58074381b9a532918ee63c54dec3c65ab0e1a724985749

SHA512
42b3715da15d8ddf687ad1d7060f6cec4476d2677e9cbe318a9f237ed4ede187391fdc34e4467b96c1ba70f38438509848ed281a0b0baae6bffb0ebbce12eff9

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
98KB

MD5
0bcac2ed80dddab25b66532c902c5d47

SHA1
0e393e37cc4017fa7836b5fba654a536b94f1d17

SHA256
5413d44245bd3c3c976f68ec64934ec614f2d69af6d9081e107762e935f188c8

SHA512
989d1cf1d96b946073bbd104b84666991580d554d56f8a449bd7d9b261c242d52d49344f2e4d9177f0d1e5c1b4e02a7047058b6cbbf9681e63f192a516526e28

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
98KB

MD5
c82310c3afee42d7388878a484331de6

SHA1
fe12b1128959a5c76e373e17869bca435ae8f3e4

SHA256
dbabbec82a6a72ed7345f77aed804365197d0067555bc556d1ae508b58b1ec7d

SHA512
05bae08d015927705823615785e22e811cfe6eb247053ab0f4991f870462ece578f44105f1253eba901d6de7a21f388ebb87e2fbcfd1526175f9217ad85d8fc8

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
98KB

MD5
f36ec8ec9b2e73caff298bcfd29b9efc

SHA1
5ceb6b930704765ee2bd0d197e684979c647b1d5

SHA256
268966d62c2fd11bb9e53718a3dffd7aad713cfbedb7258ce99988309711141a

SHA512
122aaef7e1a38acd90985a9d19cb8f66d17d5ddc3068f4abf5a43a1c2534be644e7af8b694783ae6e18f3198d1dabf16503ddd51e7dffe3ce109f1da82728d54

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
98KB

MD5
788210fc26b471355fdea55d3bdab453

SHA1
bf0da0b8169213f9cec7558f080a738c8293d0e7

SHA256
f505f268905a621218f67c3ece907222d0c05f978d2da6d7f362d4ec07c3e6bd

SHA512
c347f509d7430eacfacce094c1fcb4f209dcb98fb442546e1efc6d25e2549684baa1d3a8da8d886ee89a26c2ccb1de181de190b6bcf6a30bee2869ef7fd10eef

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
98KB

MD5
b96a68f991333b11a13527c89d5cf452

SHA1
d01a8e52e18fafc23308c21239901c30c52c55fe

SHA256
de08fd88d5aac3b9f52741030e4bca8304e7a299f696b073e5ca59ac053a16df

SHA512
bc7094f91357b612d1cd6e0d50e0308a98b5e3d0acf20000f33db8e8e2b264b4831e08573e0150d8ba693192a28c644213b20b5fee801e98f7146493a70eac0d

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
98KB

MD5
ac49d6f94b71152d15abdac318da973d

SHA1
b404b1d16c6f10e5596d8bbcb693b25760ee9375

SHA256
fb7b488890dc70594c3977a02f006b075284b7ae2939982f80361ada642b4091

SHA512
dc08a52a5fb5c830d700c952fd30c0f7c34ed04ad9278472b9e6c23daabd37f896c47afcca30a9e820a0ca5344fa6a32b48dcaa4303ba18887224cde46717f2e

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
98KB

MD5
e6aec55757cd256a6dff426e05883b87

SHA1
d7332e5861faf626d2c3b0ba8ff314152d7dfc01

SHA256
8acb9afe7018e0b815a84fdf705c4069a18edcf1c5dd972bd98fbf0ea1527db2

SHA512
cde319576a932861a05fed91760b5e5c57f5119180295294fb41a84802227f92dcd177431e2a064d22e5911a015705cc02ddd0d69c3d6ff556c4a880e93f2c4b

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
98KB

MD5
c5161e3efdefe76805e79fe034fb1283

SHA1
a1363c19e0a57ce66247207f230d241351f3928b

SHA256
a2bd4c9ddb2034032a43a3055bf8957d8467804c8ca85fc6b7c22b55520557c5

SHA512
34cd882523fa1600ef7eba0a92593000c3dd57f9953b8a19e35970ea792cc703aab2a7ba07d2b246656984d56be40eb4a3e380dbfb4d4385c77868342b6cb516

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
98KB

MD5
e81fbdcc9e0d120f6d87b3ab55e17e81

SHA1
e6ec97419267a51ae88c72f3ebcbdc8148fbcf8e

SHA256
aeeba81b636f5b41fc8548eb0b0434b0bf774e716bd8a67680ca0274ce20fb3d

SHA512
d654444af91cb6201439be6504f569c5ba0141cbd80d436a91d8aa01b7f5bab134675b2eae53b74737493c98a3682dbe33b635999dc9e31893e08fc47c1c0259

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
98KB

MD5
25164736cd4c4859070facccb4ce08de

SHA1
bc4844a3d26b0d1a61d897ee432c8b1cc41c7929

SHA256
07984fa11016e814ba76d8e958e7dcfe2437c1f54829a022a685490547d2f262

SHA512
6a00298cbfa22224cf8728d40731e7e3b972c2785aa56e3769ebd47f10f11c89cb4c5a37c934578419c9f92ca32059e309adea7f600c0d00607a12edc1cf0f61

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
98KB

MD5
e03ef4cbfe77fcfafa1447663c876ea3

SHA1
f96bdfd4633373203ef20f89f82296df25b72dad

SHA256
0379ebe71f54358856dd583857bbce743ee95e32ca7fee063111c195dc05044f

SHA512
c4897ecefc2776561d1101cfdddaf3d77d8c841117cebaa681a3792ac31a788562bdf825ff43a53ac778e55360b28827bf5e9467e79b5e370fbc789a67a5d91b

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
98KB

MD5
c7bdf526a9496338312c09eb7ce39318

SHA1
290657527aaeae38d511a1a9f8aca4388d2f8e8a

SHA256
636b04cc470fc8614ed8545f4202bd809bc2381f40f4a7564dd81a9d1a6bd469

SHA512
813f970a39f5f771fae128d89d6acd3c149b50c045adf9e46eb64188297f7c211ec0f57826393a7b4f51eecddcf060a1ec7516f034ee7efc24fef31dd86f965e

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
98KB

MD5
b54dcf107839bc954828457fa6e38022

SHA1
94bff4152258adb6c59762b2719e97b7a67cc1bb

SHA256
90ecae3796d2cf799e914c4f2002a54c3df5bc0faca7d701b41ea8532d2d4085

SHA512
b3053b0aef17d4fef372fc8ec58626e09750671f252371a830cd34c093a50ee773b18da08c6e4d769e58f7462c59df134995e6569148148cec50ccbe48e5e418

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
98KB

MD5
57d6886a3d693c08caa5dab2dc5f5ca2

SHA1
449b640c16e737d48462b9e468630c7df60f97a7

SHA256
755d39998383824925de54bd3a7773297e4d1a2b576cd763df524c26735088d3

SHA512
1924da270003fb53b92e6151341916af0ad4145e8fe842017a0a835f2f4bb03a5c1ead1752e4c85d50f7584595e477ee3db61e39118c37ec85400cc78592605d

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
98KB

MD5
3e1dc9086c24f70b5073f3ff061252c2

SHA1
7214cd78656c0651e861f62b9b235faac8c85a0b

SHA256
38c8e0f1b852c63ada0abb1448fb0ff407d869e8810fcc0f7ef977a0e5045f1b

SHA512
a87674102d70d29a34b022346a57e14208deeb7d8a0e1789de043dfc028cb42ca981474e45fa66179044bc22dfda723da9a6239fd0f7a7e1b8e012e9bfd8957e

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
98KB

MD5
cabe9d19847c8e27e796654b93608746

SHA1
150e71c723bf05b8a3419a931140d3d65833bc27

SHA256
5c204dd4446b1004d7f33e231f86dbeab57182db99cb1869704042c1117f14c3

SHA512
ae2bbfc88ee646b7516aaeee911f376e6a4d1323a100e0d36c0b4e8a29fef01da28a9dec81d307a9d21351215f905b330eddec1b46519de70993276bb9c2a7d3

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
98KB

MD5
a3cebc7c6f4253ba36422aa95dbcd3ad

SHA1
5ab016b5f1fd71e9c467b385c1b0375f8ee36f2f

SHA256
0a5731b296318c61d017abc1a0647bbe5c4141c38659647b19ace7a881d85451

SHA512
d6a6069c6054d9c3cbc49c7c1647afba9dc9afc7cbe17fd90cbf455f180e0825dd185e7298695813fd314639868d2014d88473a22b94cc6a7149d25a5e87a383

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
98KB

MD5
b37a625af721a39059669a05df4b66b4

SHA1
2606aaec17d1ce0b05bba7c5dfbdb2ef0d2dd1f9

SHA256
1e08c11b2e83bc577a87953b2eb952c01316cbeade0d40d0c24e37140fa47936

SHA512
99a752a756b2ed3bf590681843e6b3809158e6bfd4e009595d0e0b8810194a6a273e2291ad67f55ec46998e7818f4e70e5ad2a1d0c7fe2a2465a15ba11451472

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
98KB

MD5
6a2e7cbe09f75c9de2e2a6e78aecda63

SHA1
50249714953fa1f6ec56774f5fd9b72755d7e477

SHA256
dd5c9c8c63a887ad634996f56f8fb5466b71c915253b5d15562e58a91fe5cd48

SHA512
4d723a36c40f70a81e05308ef2271833dc4365775a59b0032abb0918240b3a4bd8e3c5b59d612347550cc0ec365758c02bb985ee241a9f96ce4dc41e8e6cefc3

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
98KB

MD5
9fee5fbe3dea4af760300f24f8b57507

SHA1
dea66e13a0ef7dd054e4a174928f7cdb0ecbb1f4

SHA256
8a1f70b16f75469e564af91e0c34228a5c4edcd5939ff277f2a8171b143a29db

SHA512
3ec0936d24ade431c03225b0aa6dfe171049bda8ef345b713fe119433163108f1f9bbf3079531a7b73578a492aa2880ebb0178611b204e85924e6e500b27d1ef

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
98KB

MD5
ff1c0ec620fe07afbaba6ea9ed4e63ee

SHA1
73a5d6bac6d5c1926033b553b06014642e370142

SHA256
90f3b1374f72a7de7b536304de7e601135f2cab6f62c6bbda4f6c495fa86cdfb

SHA512
d4135f8974b58524b8c3856c58fe26f4382ec7b63b8de10db6f6813127b3189649be77a5bd4017b885cc4c5805ad72b15997f3bb32c6e81e43009e207b11dd55

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
98KB

MD5
ecfec1824fe8cae18d05ed1987d5ff60

SHA1
148e51bba3fa692c22b10623f8f0adf8f075d119

SHA256
cb7e3a038a73915323f80446b7848ff81eb41d226df4412eef802c0f7fa98336

SHA512
981f63c8d204e6831a5054dd8cc860d051a3659c7a56d01a7ee8e182b2bace911cd1d28be8bb1609b7733dac81a2757099565dbb822956cca60374f569d65780

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
98KB

MD5
744b912b0b65cd4beb79ba9d31482bbd

SHA1
1927fc009495bff3103f7523c3ea8274464e0aa5

SHA256
16ebf6957d8399a9a7666bed7d55f8bc2d3154554d18e7c2a177734a99d66b28

SHA512
3f75746458ea29dcf2f2e6112bd591dec279f97b0b6484954550778eeb71615587415600a9be16eeaed11a474f8e738df0de281ad9c50e2690872101bd1e8751

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
98KB

MD5
eb4f5933ff5b68ed3419f7c755aadc60

SHA1
d935a230e8e300cf8cdea21f1fa39227ccb87224

SHA256
42f779aa72de48ac39a502269e8b91954d8af430b1301f56af87e4f81d73aa79

SHA512
e2d6e707dec8f76ce66194096f5dcd543a04caa3a1674a58000dd2145b5f46a12b50e3666e9ac7124f3a0a78db8e0be636d211edb273f155a2c1dd61e4cdbbd3

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
98KB

MD5
6071edd3b2207add0d7c914257ebc8f3

SHA1
0e47ba9b7b76773c713ee15a1bc62934da99aae2

SHA256
796f593b6ec04edf57d17866e00eb9e8633be14ebb25deca69289d2c18fee140

SHA512
0abf14a97d867e23402bb916b8b07aeae89a3986aba49eed42f15286a40b6ff0c61b78f24155cb61d7f6fc2a1af5aea9a50ac7d8e939b63ae7c1408582aff7c6

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
98KB

MD5
e3b0a188d8cbc2e7e9ec0f48ddcfb5eb

SHA1
dab659c230b69fbe9f312cd49ac3d7db4e30bfb3

SHA256
38bc2cbb7f000c4f6bcc6015edcf8c06c5b5cb4e4112ded9f0394f0f95fc4089

SHA512
08ebffb4cc06424445276a2da8caa9f0c4e30c96f2d09a617f0e3887217d362209a146455d895473ced919e5a9c37030bb7dead77479df9d289b3f5c2ae30da7

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
98KB

MD5
a7f12d74a8330c5a832cf1602e392de0

SHA1
e5a180bc1f62853e4e0bbfee9daeee5bfb95f89f

SHA256
f78d8edc41b552e0713b6bb015d19c1013de40a3848e496c8dab7c9b71ec2fc4

SHA512
94f504c8cb1f90cc0ef9a6cb496d88a1e11d00bfe1fdfaa8da1ccfd09ca4622008b49599a88b8560162a7a39df5cba925fd5a97004d20f4845bbaeaf08720238

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
98KB

MD5
5c9b4f9af86dabc40ed5d66d937a057a

SHA1
27dc5968a9c797f31528e4d9385583498039478d

SHA256
2c24148624febb5e93826d2825f19837d6a72997d156f7e4bf9a6a20af7b7f41

SHA512
d640ea07f1d47b814faa206c9907b2d593d40405d6370817ecbb0cbebed88e6c82bcabaaa618c6d042225170fdfaf6c609cee8ed48ad15ba67d8a32a752b8569

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
98KB

MD5
e4446027794a3bd691a49014d774b78e

SHA1
0bc75e0f42f8522425bb476fcade91f3347e0241

SHA256
341fe39cfd512baa3bf8c4b3426dc19c1c9a0b6e78c1d12d9cc035e9334a04cd

SHA512
b2555f219953aa720186548ddd8c6802631659252a2b0006e541ff9f4b38a287fda336652e5ced517e435ad54a28dfec66220667ebaf966700b2879088b755de

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
98KB

MD5
35418d22716505132a86685e147f57ef

SHA1
0457fce2cd6b8f3adad00bc61bd5c58cf2d68b48

SHA256
1fe943743365d1a7edf7319c47ff5a6a5da79d287337c368a21ce9efbcbcb97e

SHA512
8e7876f70a66e7b6841f40a80b653c2da207dab6123ed43c2974c3fe96d8a13d8e4662dfdaea58abdeeffcf87369399acc03e26a064bb3d6441900859c4f833b

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
98KB

MD5
02c7b1c1a2b40a73bd186bff521dd9c3

SHA1
265147c93c28b4d19d1dbc27fa65b61c1caaf037

SHA256
3dd2589b83a2a85eed50a673e4ff895a8232b0b05a93aaacfdc83f037b431cea

SHA512
c77941500557b2367517f164316c4f60b299d8e7a9477283830aa36d09562c614270723926d2e7d3f3ccd43844fa1c9794d8faa0408ecc6057f18641339e7819

Download Submit
C:\Windows\SysWOW64\Lnhjmp32.dll

Filesize
7KB

MD5
55c38088df9684c41a575347139e944f

SHA1
2d78ad2ce3a1848c78250140fd391be5a896a426

SHA256
417f3f64645fd96424476b92e65a90f0c88556e522f0e82f0c210278583a7e5f

SHA512
4fb1cc7a84d4eac1740e5be7f8ef47373569939008fcf7846133ad173154d23bccc76e00a0c1e8d4ddb790e8ab4b40769cfef67ef7660a43d43ddf2ce45facd6

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
98KB

MD5
5d807309a2e3565d47dd0c0b09087715

SHA1
e521089a7d0797fdf81f709e4658341b0cf4ae39

SHA256
85a7fd779b6d5d0087ac322d936b8576c7df323ced796df308b5121e762dda47

SHA512
15a973afc04ebed2df31172221c77fab8d76ff3246a33c30817c97e28446cd8d5840adf040f7b7804a580c3c4d21ba24f40d38a08912b77c9d9e6f2c5d9f20f3

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
98KB

MD5
cf4e16fab71b000019a4fb228c8c4d8c

SHA1
52a6bc6f096457d9e3b06ab5f5bef1564863d9ef

SHA256
3a3ac823de09072b3b64251166cb75a71c646143a4609168bc0099006a5ec0eb

SHA512
0fcd29a120c47d8549d2a8b29e20829413dfa64444638e73830e8ed39a6fc270906338de35c398ecc66dc224afd8670d417d018285ea16e0a8059b69cfcfd108

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
98KB

MD5
2b44e53f15e3a45d3f0c8e72a878d9ad

SHA1
eb513cb5e9e1c21822f76389ca20b8f9e168fac2

SHA256
33439f20e2e8b915fc3329495093bec8b94766b8200b5b5963e3cc4a7f0f5fe2

SHA512
92be9527af7d7902992cdd096b796372a6bf239989dd71c9fa1e0d0890c4ea1911253ab723ee0d7f72cb462fc6aa2446e2deda9c0a83a51e8cb6b79f342ab897

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
98KB

MD5
6916a8f4c2e1cd91493113b3e0793942

SHA1
0bcf33f48b5e34a4d954b4ef93f922ac1ab98858

SHA256
ee8604a3060768fc7d2a4638700fc6ecb6716103d7f9db0742049602a1ac5a20

SHA512
0e91010200f1499584665b87dafc55654b910fc2bfcb7067e1cd362565066709617794a5e5387910e14eb4b868f25f6482f0ce8141e06799e8d0593ebab93b1e

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
98KB

MD5
a1cfc0e397a580e7e917d3be15907b0a

SHA1
82765a0fe1fb07f47740efe71933cac5fd2e16f0

SHA256
2975dabb8d9eaa52907cd75e726c5c84f9d915632517917fcc4528ccfc938cf5

SHA512
9a651953c2f3dcedbd8f626578c4851e3053ccdcaa7e0e667ea0cb1d158e222c451cb8eb7072fa478ab35d02e8e6707230216809fa6b0f76c3549aa86a4b0dbd

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
98KB

MD5
9b18d3e85a5d040890f939e3b5a80fb3

SHA1
f8fcc80dc1481aef35042dee21416b5265521df0

SHA256
4e6293e64ebf39256848687c888693e4c7f51187e46c889fb7bfeb54434fb00b

SHA512
2e657ba632f7ab3775bbe4d781c257bcba30c277d638426b599d185e52523bc27fa6e137eaaaff30ecf790c94a0e25912fe06955b2dccd473b80391627cbc44e

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
98KB

MD5
78c82bc5bd5745f1ddc9f5d1ecf79a4e

SHA1
9ef5b513086e21d3ee6f7ea20a0a1a92078da368

SHA256
c50b498e92a28e37199ead15b370884fa47fe3eff6e20eb6d0ba0f3110a4024b

SHA512
b3f76b577332be5c1ceaf49b02f24417e9dda1fd5e6e3298c3482a514475faa43eb7276c4b57ba58c2dea5bbaee239a9f0e055f2072275c510639111be1804ce

Download Submit
memory/224-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/928-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/944-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/944-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1184-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1328-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1332-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1424-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1424-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-542-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1676-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2068-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2120-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2832-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3112-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3212-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3312-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3396-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3548-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3552-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3780-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3824-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3836-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4236-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4256-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4324-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4648-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5136-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5196-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5264-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads