6c2aa36052a867973aeb157e2d6d9beab78979d9455bf051f57124e8d44c75ce

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eccebc81560c709079f1a327be4f9730N.exe
Size

192KB
MD5

eccebc81560c709079f1a327be4f9730
SHA1

ac29ac17438d1595c2acefd88bb5eae993dad3f7
SHA256

6c2aa36052a867973aeb157e2d6d9beab78979d9455bf051f57124e8d44c75ce
SHA512

1ac1762c49158ba35c55de9d0f52819ddd5654348b1c4a27afea715c2ae52316f9f80e3422db4821e542bf50334c37bd5a71e8faf5618c664152bad3f296d9ac
SSDEEP

3072:Q2YA6Sz6ORAAm9hVh1meRF2qOQpq3HNr5GnV54c4NthaeKU3d5vEiLqsC6vxfdwC:nMSz6OR3mPVh19RkqO+uNk54t3haeTF1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe

Executes dropped EXE 64 IoCs

pid	Process
3496	Kbhoqj32.exe
536	Kefkme32.exe
4628	Kplpjn32.exe
4736	Kdgljmcd.exe
4944	Leihbeib.exe
2904	Lpnlpnih.exe
1388	Lbmhlihl.exe
4892	Lekehdgp.exe
2264	Lpqiemge.exe
1364	Lfkaag32.exe
3920	Lmdina32.exe
3092	Llgjjnlj.exe
3452	Ldoaklml.exe
664	Lbabgh32.exe
2244	Lgmngglp.exe
992	Lepncd32.exe
4060	Likjcbkc.exe
2068	Lljfpnjg.exe
892	Lpebpm32.exe
3468	Ldanqkki.exe
1676	Mpjlklok.exe
1460	Mchhggno.exe
1224	Mlampmdo.exe
4672	Mckemg32.exe
836	Mgfqmfde.exe
2176	Mlcifmbl.exe
3832	Mcmabg32.exe
3188	Migjoaaf.exe
5064	Mpablkhc.exe
2376	Mgkjhe32.exe
1380	Miifeq32.exe
4124	Npcoakfp.exe
4256	Nepgjaeg.exe
3364	Npfkgjdn.exe
4692	Ndaggimg.exe
1808	Nebdoa32.exe
5104	Njnpppkn.exe
904	Ndcdmikd.exe
4640	Ncfdie32.exe
872	Neeqea32.exe
2464	Nloiakho.exe
3360	Npjebj32.exe
1632	Nfgmjqop.exe
3108	Nnneknob.exe
4608	Npmagine.exe
3344	Nckndeni.exe
1300	Nfjjppmm.exe
3044	Olcbmj32.exe
5024	Ocnjidkf.exe
3940	Oflgep32.exe
4236	Olfobjbg.exe
4400	Odmgcgbi.exe
4612	Ofnckp32.exe
4740	Olhlhjpd.exe
4336	Ocbddc32.exe
2236	Ofqpqo32.exe
2756	Olkhmi32.exe
4460	Ocdqjceo.exe
1384	Ofcmfodb.exe
2668	Onjegled.exe
2944	Oqhacgdh.exe
4344	Ocgmpccl.exe
4880	Ofeilobp.exe
4908	Ojaelm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6660	6516	WerFault.exe	251

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eccebc81560c709079f1a327be4f9730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	eccebc81560c709079f1a327be4f9730N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 3496	1776	eccebc81560c709079f1a327be4f9730N.exe	84
PID 1776 wrote to memory of 3496	1776	eccebc81560c709079f1a327be4f9730N.exe	84
PID 1776 wrote to memory of 3496	1776	eccebc81560c709079f1a327be4f9730N.exe	84
PID 3496 wrote to memory of 536	3496	Kbhoqj32.exe	85
PID 3496 wrote to memory of 536	3496	Kbhoqj32.exe	85
PID 3496 wrote to memory of 536	3496	Kbhoqj32.exe	85
PID 536 wrote to memory of 4628	536	Kefkme32.exe	86
PID 536 wrote to memory of 4628	536	Kefkme32.exe	86
PID 536 wrote to memory of 4628	536	Kefkme32.exe	86
PID 4628 wrote to memory of 4736	4628	Kplpjn32.exe	87
PID 4628 wrote to memory of 4736	4628	Kplpjn32.exe	87
PID 4628 wrote to memory of 4736	4628	Kplpjn32.exe	87
PID 4736 wrote to memory of 4944	4736	Kdgljmcd.exe	88
PID 4736 wrote to memory of 4944	4736	Kdgljmcd.exe	88
PID 4736 wrote to memory of 4944	4736	Kdgljmcd.exe	88
PID 4944 wrote to memory of 2904	4944	Leihbeib.exe	89
PID 4944 wrote to memory of 2904	4944	Leihbeib.exe	89
PID 4944 wrote to memory of 2904	4944	Leihbeib.exe	89
PID 2904 wrote to memory of 1388	2904	Lpnlpnih.exe	90
PID 2904 wrote to memory of 1388	2904	Lpnlpnih.exe	90
PID 2904 wrote to memory of 1388	2904	Lpnlpnih.exe	90
PID 1388 wrote to memory of 4892	1388	Lbmhlihl.exe	91
PID 1388 wrote to memory of 4892	1388	Lbmhlihl.exe	91
PID 1388 wrote to memory of 4892	1388	Lbmhlihl.exe	91
PID 4892 wrote to memory of 2264	4892	Lekehdgp.exe	92
PID 4892 wrote to memory of 2264	4892	Lekehdgp.exe	92
PID 4892 wrote to memory of 2264	4892	Lekehdgp.exe	92
PID 2264 wrote to memory of 1364	2264	Lpqiemge.exe	93
PID 2264 wrote to memory of 1364	2264	Lpqiemge.exe	93
PID 2264 wrote to memory of 1364	2264	Lpqiemge.exe	93
PID 1364 wrote to memory of 3920	1364	Lfkaag32.exe	94
PID 1364 wrote to memory of 3920	1364	Lfkaag32.exe	94
PID 1364 wrote to memory of 3920	1364	Lfkaag32.exe	94
PID 3920 wrote to memory of 3092	3920	Lmdina32.exe	95
PID 3920 wrote to memory of 3092	3920	Lmdina32.exe	95
PID 3920 wrote to memory of 3092	3920	Lmdina32.exe	95
PID 3092 wrote to memory of 3452	3092	Llgjjnlj.exe	96
PID 3092 wrote to memory of 3452	3092	Llgjjnlj.exe	96
PID 3092 wrote to memory of 3452	3092	Llgjjnlj.exe	96
PID 3452 wrote to memory of 664	3452	Ldoaklml.exe	98
PID 3452 wrote to memory of 664	3452	Ldoaklml.exe	98
PID 3452 wrote to memory of 664	3452	Ldoaklml.exe	98
PID 664 wrote to memory of 2244	664	Lbabgh32.exe	99
PID 664 wrote to memory of 2244	664	Lbabgh32.exe	99
PID 664 wrote to memory of 2244	664	Lbabgh32.exe	99
PID 2244 wrote to memory of 992	2244	Lgmngglp.exe	100
PID 2244 wrote to memory of 992	2244	Lgmngglp.exe	100
PID 2244 wrote to memory of 992	2244	Lgmngglp.exe	100
PID 992 wrote to memory of 4060	992	Lepncd32.exe	101
PID 992 wrote to memory of 4060	992	Lepncd32.exe	101
PID 992 wrote to memory of 4060	992	Lepncd32.exe	101
PID 4060 wrote to memory of 2068	4060	Likjcbkc.exe	102
PID 4060 wrote to memory of 2068	4060	Likjcbkc.exe	102
PID 4060 wrote to memory of 2068	4060	Likjcbkc.exe	102
PID 2068 wrote to memory of 892	2068	Lljfpnjg.exe	103
PID 2068 wrote to memory of 892	2068	Lljfpnjg.exe	103
PID 2068 wrote to memory of 892	2068	Lljfpnjg.exe	103
PID 892 wrote to memory of 3468	892	Lpebpm32.exe	106
PID 892 wrote to memory of 3468	892	Lpebpm32.exe	106
PID 892 wrote to memory of 3468	892	Lpebpm32.exe	106
PID 3468 wrote to memory of 1676	3468	Ldanqkki.exe	107
PID 3468 wrote to memory of 1676	3468	Ldanqkki.exe	107
PID 3468 wrote to memory of 1676	3468	Ldanqkki.exe	107
PID 1676 wrote to memory of 1460	1676	Mpjlklok.exe	108

C:\Users\Admin\AppData\Local\Temp\eccebc81560c709079f1a327be4f9730N.exe
"C:\Users\Admin\AppData\Local\Temp\eccebc81560c709079f1a327be4f9730N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\Kbhoqj32.exe
  C:\Windows\system32\Kbhoqj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\Kefkme32.exe
    C:\Windows\system32\Kefkme32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\Kplpjn32.exe
      C:\Windows\system32\Kplpjn32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4736
      - C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        25⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        29⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        41⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        50⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        55⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        58⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3460
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        72⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        73⤵
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        74⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        75⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:532
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        77⤵
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        78⤵
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        79⤵
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        80⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        81⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        86⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        89⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        90⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        100⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        101⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        103⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        105⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        107⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        113⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        115⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        116⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        117⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        119⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        120⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        123⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        125⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        130⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        131⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        132⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        134⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        139⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        140⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        141⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        142⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        143⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6776
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6820
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        150⤵
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        153⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        155⤵
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        156⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        159⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        162⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 420
        163⤵
        Program crash
        
        PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6516 -ip 6516
1⤵
PID:6632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
192KB

MD5
9fd4d724e01ac2dfaffc555fbd6e8cab

SHA1
3bdb3e8844520afac5ca2fcfd4ccff368a7dee8d

SHA256
e3d5a38d137229de74eda5c0b75f2c7ff53c92462eb3c4ffea6b949b0e760d63

SHA512
a032db9dc57a6781d7f4548356bc9ff0f95548d82bde8c178306f013e10642b8e1c1000e2d439df2bd33917bc95f7530cdadb1e7295518444162be1c1dbb74a9

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
192KB

MD5
a5cf4a280b6f08463e7bf76b2fc5a5ab

SHA1
982121fad898c93346244221207eefc056e29382

SHA256
c4a689aaaddd3e849e26ff6186edc6e880116b207eaf57e1bbf0d5804af02b0d

SHA512
578a60d3b2852299020df4f846825ff8f1b01bda71928b49aba5bcef82458104c53f8effa91f30643e82e01aa40ed0e792f048d113b7f76de34f2cea94be1c60

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
192KB

MD5
744821075816c5d526e76b0e04e25424

SHA1
b27728d2816995008908394259a43742a1f1c684

SHA256
8d11aed670de63e9c7af5900c697f7ae54d01fd57684bae1da6c7550c4828952

SHA512
63577f9621cc93aeb81b4228582a9fe7d3325823349caad41aa25c5e627dcd399eef82ef13adc251138c942e722f88c4832a627b14c261d9b2f47d94b69f9afb

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
192KB

MD5
69207025b907e9cca7fb31b8cb9fa9d1

SHA1
0cc70008fc12f289935470abefc1e96a87bbe12a

SHA256
1389796d207ae1f6f2eb7a4b5ff4e9bd9d8199e5cce1f687b87f42f0be70ca9c

SHA512
9732598cc5cc2f6d5763bc9144870dcbcce5e1c44e78afb9e544fcca0b035f17d56e65bc25163e245640cfe7dbe162de3f419297b3ae9db3a8340ea9347a5581

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
192KB

MD5
ce5030dc22ffb08b4a035c9ff113bfa4

SHA1
bde9f12f8c29d806f8986915d184d4bc65ad2949

SHA256
538c977e3c7730ffda0adc826048014e4ff9de6e635762211fdfb979132fa823

SHA512
f9240f1750d373a3da9ba47f380613db326864a241ab8c3772f0d6ad9db0262ae4d01d2d46af8610290272cda0bbe74bf8513d1fe9f46f0efaec922c473a81b7

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
192KB

MD5
386e62f8773751786f4ec9694de7b156

SHA1
c58cd1f810604820a60ee6fd8964a5f47687e208

SHA256
0e260022d8975038f23810eff605c3c171f88c8ed1e53b740d16a13d9a87e2dd

SHA512
a74bdc42d020e40a0c1cb9c06819c63433266a65a91f44cd242c6282113edc9b0265068abda3b85ce4c8340dcaffe90b9d92fc8fff0abf2cfa64503080894c1d

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
192KB

MD5
0e9e64f09ba0a8437260fb46a7c14f03

SHA1
978a630c23ffb5f08349e52de01ef83121cf94d4

SHA256
41af1f2dbcab44d80308302c4a277338467b29a1a0ab14d5ec9da65052b6c4f4

SHA512
13819d6f8191779e4245ba32a01213d66a8743c0362d6709ed6ee6ab2831ec6458cfe5260bec9d9de631f017cea29fe9b8e8f4c67fa0a38fb70957f2bc47c679

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
192KB

MD5
34bef3f6b4fa2cf6a65fb74d55e346f6

SHA1
4d7f40a196e0347d68851f6e812c67131cc324b2

SHA256
16a936bc5d2a94007a5575669a42185c1c5d7b2fd9beb7b58e2c395f41c463b7

SHA512
c6cb3f096e7c2bebfb7d109359f9ef7fc6494a221c4602286a933f84c04ef4d5a35eea70f3d2afeb7e412edfc947c32a91bd90bad9418136e1ee1dd5577f2733

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
192KB

MD5
22afc4ee4b1946ad5c38d62125cc1da9

SHA1
9fc44354fb73fb78ebfbd22e1a4f04cec2c7701c

SHA256
720119cc589d7f98b711f31fc96382157e465d02a15922deab0c075ea16678d7

SHA512
5644ad9fb34f1fc8f04458dce6772691a4174767d5d9517c4e542bad03111f2bf160e476cb6d41c1ce9a11934b784de767ffd19d6aa7ad8cfbf9a29669257737

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
192KB

MD5
d9f281665d0802044b1de661e0607def

SHA1
e6099a869d6cc84c42cdc446706d775d3a67c14a

SHA256
65e87f4bba55ed8f4626fef98fb6e66198a13914cd9902d44a6713c3daf22d26

SHA512
46d0bb193ff66696007ad17391f352377ad12bfa9e72fdea845989093f93925c365f3fd5cee50939caace834c48284880860e8efa44def30515c8bf829bca0aa

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
192KB

MD5
62e27c11e767c7fd62c3cb7796dca7dd

SHA1
7b5a70c679d991590476dbb4e2873ad9ae01bde3

SHA256
1ecd821f41b0be6a146f0d7e022738b0b9ba161c0f72c666a385598ad0d47175

SHA512
1edd55e3af8a92604489e0f014e688dee4aacd3e3a3884589c87df73e684fd07e9cd16bab6ecbcb915ff1e6c97440243e509084958b1cf34bcda6755a79ca428

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
192KB

MD5
83cffc2325d952e3dea7dab24ca107f7

SHA1
35cc7bc9f33dbb0d1b70d15007cf0a59b9f3e3ea

SHA256
c7af5baf4c20ab22969c6ef81a545103168da319c756ccbf6bc4b9e6ccc16ce4

SHA512
787d5d1bbd72a10433b979bb28c045e5d5a3b48affe2ed7471a133eaa955680f86521893f295948234a629f7648f10aee016b7438c3f1ec81284eb99537ba624

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
192KB

MD5
1e74316e14666c9fb7d03500119abedd

SHA1
83819321dc468f668fd8a1bf82927fb845eec12f

SHA256
1bf46cb6962c0a1605a1afd07dc7ab235b58ed76e720ae0c5d958ec153b1edb8

SHA512
a33063c123dc635f6972900362a53cb768d725bfbac052a263fad1a510fcf2806fc04114ba530846810618d6b7f51c6f289b412d583d17e492c87ec1196e0119

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
192KB

MD5
ac2e4a24a5e0e59af8f75a7ab583c95a

SHA1
4fe236bfc5a01cdd9cdf6a205c1a81348a13857b

SHA256
b4fba8b051aa7687eb85d634dcb3c0d93f3939352aba5614f0d4c2692a2d075c

SHA512
ffd97483c395c08089643035508dafe58560d1b814671b74b8cb639d99fb92488bd6de68c417ef96a23abd94e8c32bff6ba7a7a061f9c52b8a5d8c54c629cd99

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
192KB

MD5
007154928d56e7313ac56ea47bb96599

SHA1
dc6691c22d19786816e0bc608390636ca6aee2b7

SHA256
7020c223837226e4a93b83d029cf0f8bfb70da78472318800114215bfed19bbb

SHA512
56e8fecc8525bffa6efa843caaf696128449caa9e1f967a4272771a40c29b36277b31c9916d664a498f2e2304251fece83294dd776e08fd7fab2db527e516fc7

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
192KB

MD5
75f1bc68ca3f409593f6ba026f9c87d2

SHA1
67385c53f275c3d44ccb61f049e2ede1dedcd2c8

SHA256
c5c436ff08077275f00a5e776a7ea5ab95b680ca463164e3d9759f10455f093b

SHA512
376e0031f3bdfd049683c12893801d98bf3ae4551ecc36caa7c350cb02d19df032f1341cbbd14e906c15f29e1b11d1dc312ef7bbca56a286340b1ddf269fc766

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
192KB

MD5
2c412b7cc771111104c163800ebd1cc0

SHA1
9705acd73f227fe7c05215c479aede50ab9e7898

SHA256
5de8e033a41a10c4422ce50dc40836d0eb49c5da08609ca5530a70ff527e794d

SHA512
4123a20dd5f34e1efa6f4e37d2bca761e97dc9ee8898b266fc5f0029d64b90bfe308cf96e567829f9721c12959baed2750663ee361120783761cd70a78a80777

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
192KB

MD5
8642a3052b58ab069eab58b9458db864

SHA1
06ab78a773d21a903f7ebe10a8f130b7bb015bb2

SHA256
3130862d16b0e02c169b726b28f676b5c7f41f46c3a351ae4727e2194c2b619d

SHA512
17a1cc8ed11f3db501cda270ffe160652898900511e011c278192bdf87c59a9a747a921804dba823c58f8085c20acd7c2335bcc99a08fa4fa83b33d5c70799ee

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
192KB

MD5
deb804ba6a79380ecad6b6befd25f987

SHA1
c0d99670d7148e11dcc83968912fa36c4d567a14

SHA256
4456e6131e635e869f9aeb1ff773514f2d599e635500acf1f6b5f39bf3c46760

SHA512
0ca5cfd5f231348ba4a54f77b0338037c3534b6c81f33119e99441790a3293e29eae670628e12a12651c519ddf912b5e2aedd1561ae946ecf40d97281c0e2222

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
192KB

MD5
884b61f30619fb39f0e372537d230ca4

SHA1
b9f10ceae959daae893262cd098d1dbbaa7d66e3

SHA256
852bd2399a671f630bdd290aa53107d48cc460c28515e7d3173c5e9537aa9f09

SHA512
d78071b0af588451b6ca52e129c567916569ab94a63bcf8bb90a0b3d85bd44e678670f4bece02993f9d4f122b7cc72e59d8f4ec5a7157c8b927e55220c27d376

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
192KB

MD5
3511d4e831ad737b7ecffa3eecdd03a1

SHA1
949ee44083b565f80626d2f96c8be2122ee3fbc4

SHA256
afd193558552faf875441e1afed8a36188d925ec033ccc15e6ba6a5c4c5af4e1

SHA512
9b45e8c2f777df24cf045472c010c7eef0a2776635f04724ef2a8d395f819c2921c927e1ce6b9bdf6a60bd09bedef4feb1cc00f4758ff48dbfefa8a214afe0fc

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
192KB

MD5
79f9872a53ffa1fda7bdd65ed3e4a77e

SHA1
375db6f0492d171c5ce9f932488dba1a9ce2a0dc

SHA256
55aa72c264096076b664103ec96ad5e4b99bc0050314ad0d83eadfd59b458bc5

SHA512
80ec6595b4c9659c317aa12d9ccbd95cddd6a70b639eaa7859431ab5d247db2d369406d1a24c75f0731bb6e51584ee2ef81f9670de77b49fe2368855fe92dbf7

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
192KB

MD5
295865ca786e0511099fbec6c3abd38d

SHA1
748507a820fec619b690bf0df6d533deaa6a2d7e

SHA256
f3304271e8ce4b87e0c422eb68ddf86e8335d18222c016aa2253f59f649b7595

SHA512
5b46645308f3198f4f5dc5455d7b67f919f3b4988a9498c75e4768708370d9868bd390ae85b6ebce81ad70b5902243062b7bf6d2b749ef658558670c5517d4ca

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
192KB

MD5
d8114cacf95a8008dfab67b35f89ee33

SHA1
683cac0135db28ce94966022d992f7564f651d3e

SHA256
b08d4d3a4231e121a505bf0c348262c948d9db7a62346f183af7d25cb3da5cef

SHA512
8db3a41da8c713a2997641085aaff922222f0b93687558b3bf10176c7409350187b61ea5cb597d4ff45299cc96dd6e9a24b1fb1d2a57c19e8d4d2bbac0676a79

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
192KB

MD5
84f8b07f1f7a2eefd9b30e933d3d6131

SHA1
3189e425f157c4e11802cb930dcee4d4dacc70cf

SHA256
7a1d8953c738fe3fb982b673af38135b983a76bcad4faf9c8fae5dd7a59dc812

SHA512
d7fc5106ca2696d46b1442583eef3ca73cf90307228e4465b87751115ba62e79833bd2bc3af078d1d610cb2bfa92add5ec4eaad2b1fa0cf83b058f416c32ac11

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
192KB

MD5
d335cd091424056f85e92e8c75affcbe

SHA1
3b8337fe95aedba3f7a625a720194a5d26fbd81f

SHA256
073a4a561251c768edb44c293958df542dfc2258cfa79fc22806e5fc992d78d1

SHA512
9151f0affc75077b6947677672c4a7497b235bcdf0602bae5e9429546de50f907fe3e0fe9d4f1555fe5b1cedd6989ec48c6465e6cf113b28a263e7bcf51738a4

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
192KB

MD5
0831cd197aa32800fb6b2ea1656c1212

SHA1
a3df8b36f26e77a3fb2748f4374753a2aa19a1c9

SHA256
181ee543705837d7039d86159de99979484ed088b1142d6765721d78c3707ee6

SHA512
9c37e1031727e4d0007b0abe2557ad1fc9e71f55625a58417d18e56c41eddbc1986228415118d7dc4617bc9c6fc0ba1d9af18b6792c00dfc27410fac81098603

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
192KB

MD5
4ec9051559baf48559141ee716d2acb6

SHA1
85b2fe4b66c84b2d98c55fb522f6252520889f4c

SHA256
4e67ff227017705a61ae796c65f22a8e7149c718124cc6675f7dd8a5fe00723a

SHA512
f22881de4127315e3331f950634a313afab5ffaeec4b94ef96ecf23c7d2788350bf2241363bedd30471b487a007ec63397bc57a89bce1ab0a991b7e99ce2d10f

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
192KB

MD5
1b6799bd3196dd33a0af44080d350cfa

SHA1
36e443620a178407fe4b6b0db6d76bab591a4eef

SHA256
77fa1e4e41b6c9eff6de496a734609d258abd579338c740d1e5654f101d16ebd

SHA512
055dbcd004f0f2912e3a0a88c8fdf538db6bcc58375b66b7a5243bd55db30e993e0b797816da7a43c15a5158069b6e6bf8ffe5f4500724af0059fdb15ad2bff4

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
192KB

MD5
f251bce39223cc282eaddfda138fe708

SHA1
b399a44f293b4136448b0746af1523bbacfd862b

SHA256
d92863e8f0ebb405706949fb636c29dd44e30e4750651882dcb30b1ea3361b91

SHA512
a571e00613c95a517a54836af58a4ade6c320995d086e00482e200dcb211d400b8aa5ab36489fe8cf6638f8c31bd87e01ae07b93ef47eace1cc595d573ba2936

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
192KB

MD5
3e4a38c9c072209c212c3ba734af733c

SHA1
8fd935ba20eaab21ff39195660d85765e69164a5

SHA256
d048460fd7d1455d043753817cb5d7cd78a38efb74acd36b47f2ff443491a853

SHA512
aec98809fe950e8b4704dc45b93ba0c50e0ec1b2fceab13c38aa89d0822c2545f4ad809d64b510fb9dae5d6c89e443a62e0eb3a114cfbd7229fae98f6ebfef99

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
192KB

MD5
afeba92cfb2aa322b67eafb28f5e7b2d

SHA1
2f57e5088f92c90c159ad54278e561c5932b6776

SHA256
d44a9c13a30e9c4a5c38205058c6af71daa7f3e6caba3855275b045720d64bd9

SHA512
43e7c97810593c0722e31a32f1e3715ab9b5f171ddde05d640dd51c12eac95c8ca7982ca95be1b9e4b16b746cde22e38926981761d2be3652ab32751cd37cc60

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
192KB

MD5
cab0571654f7cae66164a67c7f84f311

SHA1
67042c19954e2f5d22a38afaf3fa36f7affee9da

SHA256
924a77c9bf1d6c2de5ae1bc669b3869e453b45c174b5683a25f30891ad9e5ea8

SHA512
0c897ac0b806a778140db15202bf5a3d82d2c773d82a1bf6a948c293476cd9a84666f9e32f8f15dfec766afebbb258d6f0d9d2754642185caf76893538655396

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
192KB

MD5
c0cbeab22244aadf628d11d649beabaa

SHA1
7df0934f7e267637dfff37fab0419d931b57b599

SHA256
76846925994a8d61c30d5217b62d0cc8afe4ffec271768d1f36e1d0cfb5bc101

SHA512
8ed1fb34b49bcaad7760a5c952bfeecbd56332b44aa327a75aa8ba4ad2889e2336dbbd316c6cf47d21fa062aebd3f06f0163220144d4b11dcf16c5d2b6406c30

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
192KB

MD5
b570cdc448a198613b647b792755e167

SHA1
ddfbaa416ee5799a7b84d6710f11e87b91e4d40b

SHA256
533a5b88113ba844b346c19f2aab2bcec9ddba365616e2532bcabe3dd7112a3b

SHA512
9ae04369a73f49ad4ee637bd8f4919814b9630eaf7175601b3232682a87616451e6157bc172c1a8b32de1fbd8e2eaa180e3d1cdc3f578bc9e9c0db7e916eb724

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
192KB

MD5
2fa47a4cbd6df7322194b9b053ac2213

SHA1
a2e636508695ed323bcf9daaafe3bb9c15672fea

SHA256
de6ebaac3d9540a987e8c69255419a9e19e30643a993d50d2f8f351077c0ba78

SHA512
36b7f6c106c43d998713bcd8126765f4f01a4e42defb15014dc1d2f5c6f7687f72ecd936a6c35ea262dcc8ba59840e10c011a4e1e3bcc5967da12b8a5cc91e9f

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
192KB

MD5
99311a77e621bef759a8a1806213d048

SHA1
c396b64cca2e93ea6b98af07f22c0491bf766e4f

SHA256
c4c99451bd67b53c5f7deb78419f51cc9c1f37af2cfd518db718bd5b8185fe23

SHA512
287c7bc4eda81cc365ba58377f90861afcbee8e2c1e5d5a15b8dbf8f47f07d48d6cb1641850dafbf57380aff82da46e151087100beb5d889eefd9c0ec7ba2ce7

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
192KB

MD5
640375025cb4277b15a1595b161a21de

SHA1
bbf7f650646313a379d5cf325d68ca70faeb32a4

SHA256
bb6b21620d5ff975a49623aec35432c91adf07ae859c5484f08ecfd9fdc9cccc

SHA512
3bf2c570bbfd240b5ece9335c7a78e4cb30538a5f82cae5c7efc668477ab0d22ac56f9adf6249ffb7c43d9e9ece1ba2702967f4b0482713526cb58cd5c5d1ec2

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
192KB

MD5
f335062ee994f076a2feac093df61ff3

SHA1
820f74af354716053beb9f55e8ab315f5716513a

SHA256
c9c077594df030ebd7799745603d69655764f28cdcf6c55da8f9045b224fdddf

SHA512
10cba91a07e8f376d8c8f81ced7c7963e8776e5ccdde836e8a05d11e8a71a4e68e1dd543ad8813a421186efacb352baca178ea28884783dc04f049cb9e06f25c

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
192KB

MD5
441df565750d7a49806470dff32ba475

SHA1
c2050754c54188aec1ca5248d7d4f1ee5a7f9735

SHA256
5007fc3a768f9dba6c6b33ec6d711688a6ff572b4e8416317ddac2718196cadf

SHA512
969ab906913291cf5d4e1438b6bb382396b115fb51f9120e9cfa5f4a7de55d2f36fcbcf8980677721ca10ab0b32bbc70c9e265964c6f4111da83a8c617646971

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
192KB

MD5
3eee4d03833f95856646c2fc25226ca6

SHA1
6ec60f20cee24d6db8ddcbb81755b962a7c0f217

SHA256
238c317ec1e92850869ae324b0ea93c91fd3f0f107a5107f7593d7632cbe25e3

SHA512
222ab484da7a1bf73db49f9ec2c550099fe7c5cb3d20a34cd3ecd735d7dca3616183e37d8503b5d94474777166432704e8e7016152fb0d96b6844f7ae38272ae

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
192KB

MD5
9c32b0ddeeba5fab10060b7dfff94a3e

SHA1
9bd581646b00e5670428d16f9bcff8b7bac2bbe4

SHA256
d1075e9f20e043c97e16cc3e79b1c9e1be17b4c01bc4ff049d08f2e6397136f2

SHA512
44e88701ea7fbb01ec5d0e601a7462ffb1c09d9fe9436650538609e554424c7e47bef02b7cbdaec4fe28964d9cf36b050cbf3eebbe1f69c9cc2be4a0dccfe5ee

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
192KB

MD5
f1c945eec7435a886f03a234f7c4cda6

SHA1
d833470dbeaa970ba7fd39adf9cdf4e08f18a338

SHA256
4d88f2520686b5675afe5d124988b3da439930c68c2faace61e999a87a6debe9

SHA512
68816c32ef30813675aef0b1838cb26f0e2c01ee89fe8dd749ae183877744d730bee56d41276aac97cfe9169506b79e0ab0a360b1f373f24efbd86826042f16d

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
192KB

MD5
5463176f8422d4dda35e58ef8288c63b

SHA1
2864d91ac1fdf275dcc29d48463d9e4dcbf2a757

SHA256
92705aaf6f849bf33135ce2907e33a9061282396e7180bedbbe6b51c1e9caf87

SHA512
10c0bfa9dc4567c607b35325225e3d534c2422f10ac529ebbac512af16a57b9bfc64716370d75d06de963f68fde7fa12dd0234b3de9ac5502a7dd65005c9021c

Download Submit
C:\Windows\SysWOW64\Ncmlocln.dll

Filesize
7KB

MD5
4db913bdd81850491fb3eac01ac73c32

SHA1
3d710aefabd1fd7b5a45837f1adab7692d6aaa51

SHA256
aed764d30e865840b0945bca125cacc791c0dd6273b35801a34681f4a308f360

SHA512
a3e012e85a50c5a9582af003f2adf8319ba43babbfb2d645744c6d58aafcdbf8967f2045ddc336c9742ea72299daffd99539904d1d5cd9f2d77b4e8983bc3b78

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
192KB

MD5
9a19ebd15fdd38b9edcb25905e5f3549

SHA1
eaeeb8d9fa38df77ed374a6dddc071efc7fff22b

SHA256
fec8f8d070a28e6566ffefa501a9ac5b70a4ec0fb2c3e9357d98be3cb2b88fbf

SHA512
3259dfcb2f0d385a20aaf5e1503dff5bb29f76576eb047fc9b81a189fccc3edbcf50108a13c9d0f23905f6610ebb217c4c699e1aa8ab55db38f65778aa25ccb0

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
192KB

MD5
c660f6d62f89e8665fa157be3d487523

SHA1
5ef992bd96a11677080850af85e0e38d5e261e1d

SHA256
8a84e78f8dcfaa05e7794991eb35332549a5a96cf66755817f9105940d95b782

SHA512
2deaa75805f06223c7b84b7f8344bdac24c77e33db2389469178a1903309c36190e3bffb34250458aba2511c30a512b6f1f93cf913774e7948477305a8661921

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
192KB

MD5
6c88989da327a6fffb632fc62f74c94a

SHA1
7672da90ac314dc60e94bc6d92984ddb7d057fdb

SHA256
48ed1a7d9f63906d89d664cc9b45dbb89ce93b69f54d7b209136645ff1b4918a

SHA512
a87f7551c89a4d9765c26d853432361d0a4a3e9ebb5460b3fe49d9f0c9b01a03169a5ea7fd79a7c5da9dceeca46262c9451fec041f4bf652041b5134f4b342bd

Download Submit
memory/536-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/536-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/664-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/664-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/892-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/904-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/904-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/992-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1224-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1224-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1300-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1388-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1388-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1676-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2068-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2756-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3044-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3108-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3108-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3188-237-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3188-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3344-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3344-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3360-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3360-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3364-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3452-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3452-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3940-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4060-148-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4124-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4124-271-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4256-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4256-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4612-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4628-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4628-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4640-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4640-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4692-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4692-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4740-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5024-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads