4ad6f3ee32113bd5e6732a66979ecdeeff3ccebf99da10f7905cef06d55433ac

Analysis

max time kernel
33s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57d9b7d3fd6e7493780a44e9215b0480N.exe
Size

94KB
MD5

57d9b7d3fd6e7493780a44e9215b0480
SHA1

a47b17cfd8116e3b3934f8599492f6bd308ce3f2
SHA256

4ad6f3ee32113bd5e6732a66979ecdeeff3ccebf99da10f7905cef06d55433ac
SHA512

b495e9608654899dd06c5b34f62a05aeb104e57ee72703feb0c23342687a6224fdfa7e9ea4f4f8b340dd777ef29ee7092db857f83a3c2d25354803bb6238cacb
SSDEEP

1536:8MdQJA3DMfSv9zFVFaXU0j+90l7Vl2L0S5DUHRbPa9b6i+sImo71+jqx:J2A3DMfSv93F4K0W0S5DSCopsIm81+jE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57d9b7d3fd6e7493780a44e9215b0480N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	57d9b7d3fd6e7493780a44e9215b0480N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe

Executes dropped EXE 64 IoCs

pid	Process
2088	Pkmlmbcd.exe
1808	Pafdjmkq.exe
2760	Pdeqfhjd.exe
2772	Pplaki32.exe
2852	Pkaehb32.exe
536	Pmpbdm32.exe
2988	Pcljmdmj.exe
1748	Pkcbnanl.exe
1472	Pleofj32.exe
2360	Qdlggg32.exe
1404	Qkfocaki.exe
1228	Qlgkki32.exe
1720	Qeppdo32.exe
2880	Alihaioe.exe
2196	Aohdmdoh.exe
408	Aebmjo32.exe
972	Allefimb.exe
1176	Aojabdlf.exe
912	Afdiondb.exe
940	Alnalh32.exe
1500	Achjibcl.exe
2264	Afffenbp.exe
664	Aoojnc32.exe
1444	Abmgjo32.exe
1464	Adlcfjgh.exe
2324	Agjobffl.exe
2704	Andgop32.exe
2732	Bgllgedi.exe
2728	Bkhhhd32.exe
2724	Bnfddp32.exe
1964	Bdqlajbb.exe
1512	Bgoime32.exe
1612	Bqgmfkhg.exe
2520	Bceibfgj.exe
1688	Bfdenafn.exe
1952	Bjpaop32.exe
2840	Bmnnkl32.exe
968	Bqijljfd.exe
2964	Bqlfaj32.exe
2532	Bcjcme32.exe
2188	Bjdkjpkb.exe
2000	Bmbgfkje.exe
1648	Bkegah32.exe
2368	Ciihklpj.exe
824	Cmedlk32.exe
876	Cocphf32.exe
2488	Cocphf32.exe
2896	Cnfqccna.exe
2692	Cepipm32.exe
2428	Cgoelh32.exe
2664	Ckjamgmk.exe
2608	Cpfmmf32.exe
2372	Cbdiia32.exe
2448	Cebeem32.exe
1884	Cinafkkd.exe
1780	Cgaaah32.exe
1480	Cjonncab.exe
1520	Cbffoabe.exe
2928	Caifjn32.exe
2860	Ceebklai.exe
1812	Cgcnghpl.exe
2388	Clojhf32.exe
2348	Cnmfdb32.exe
1460	Cegoqlof.exe

Loads dropped DLL 64 IoCs

pid	Process
3008	57d9b7d3fd6e7493780a44e9215b0480N.exe
3008	57d9b7d3fd6e7493780a44e9215b0480N.exe
2088	Pkmlmbcd.exe
2088	Pkmlmbcd.exe
1808	Pafdjmkq.exe
1808	Pafdjmkq.exe
2760	Pdeqfhjd.exe
2760	Pdeqfhjd.exe
2772	Pplaki32.exe
2772	Pplaki32.exe
2852	Pkaehb32.exe
2852	Pkaehb32.exe
536	Pmpbdm32.exe
536	Pmpbdm32.exe
2988	Pcljmdmj.exe
2988	Pcljmdmj.exe
1748	Pkcbnanl.exe
1748	Pkcbnanl.exe
1472	Pleofj32.exe
1472	Pleofj32.exe
2360	Qdlggg32.exe
2360	Qdlggg32.exe
1404	Qkfocaki.exe
1404	Qkfocaki.exe
1228	Qlgkki32.exe
1228	Qlgkki32.exe
1720	Qeppdo32.exe
1720	Qeppdo32.exe
2880	Alihaioe.exe
2880	Alihaioe.exe
2196	Aohdmdoh.exe
2196	Aohdmdoh.exe
408	Aebmjo32.exe
408	Aebmjo32.exe
972	Allefimb.exe
972	Allefimb.exe
1176	Aojabdlf.exe
1176	Aojabdlf.exe
912	Afdiondb.exe
912	Afdiondb.exe
940	Alnalh32.exe
940	Alnalh32.exe
1500	Achjibcl.exe
1500	Achjibcl.exe
2264	Afffenbp.exe
2264	Afffenbp.exe
664	Aoojnc32.exe
664	Aoojnc32.exe
1444	Abmgjo32.exe
1444	Abmgjo32.exe
1464	Adlcfjgh.exe
1464	Adlcfjgh.exe
2324	Agjobffl.exe
2324	Agjobffl.exe
2704	Andgop32.exe
2704	Andgop32.exe
2732	Bgllgedi.exe
2732	Bgllgedi.exe
2728	Bkhhhd32.exe
2728	Bkhhhd32.exe
2724	Bnfddp32.exe
2724	Bnfddp32.exe
1964	Bdqlajbb.exe
1964	Bdqlajbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Aebmjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pdeqfhjd.exe	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Alnalh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Kblikadd.dll	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Pafdjmkq.exe	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Gmoloenf.dll	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Pmpbdm32.exe	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpbdm32.exe	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Imafcg32.dll	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	1664	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdeqfhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57d9b7d3fd6e7493780a44e9215b0480N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pafdjmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	57d9b7d3fd6e7493780a44e9215b0480N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	57d9b7d3fd6e7493780a44e9215b0480N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	57d9b7d3fd6e7493780a44e9215b0480N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bqlfaj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2088	3008	57d9b7d3fd6e7493780a44e9215b0480N.exe	31
PID 3008 wrote to memory of 2088	3008	57d9b7d3fd6e7493780a44e9215b0480N.exe	31
PID 3008 wrote to memory of 2088	3008	57d9b7d3fd6e7493780a44e9215b0480N.exe	31
PID 3008 wrote to memory of 2088	3008	57d9b7d3fd6e7493780a44e9215b0480N.exe	31
PID 2088 wrote to memory of 1808	2088	Pkmlmbcd.exe	32
PID 2088 wrote to memory of 1808	2088	Pkmlmbcd.exe	32
PID 2088 wrote to memory of 1808	2088	Pkmlmbcd.exe	32
PID 2088 wrote to memory of 1808	2088	Pkmlmbcd.exe	32
PID 1808 wrote to memory of 2760	1808	Pafdjmkq.exe	33
PID 1808 wrote to memory of 2760	1808	Pafdjmkq.exe	33
PID 1808 wrote to memory of 2760	1808	Pafdjmkq.exe	33
PID 1808 wrote to memory of 2760	1808	Pafdjmkq.exe	33
PID 2760 wrote to memory of 2772	2760	Pdeqfhjd.exe	34
PID 2760 wrote to memory of 2772	2760	Pdeqfhjd.exe	34
PID 2760 wrote to memory of 2772	2760	Pdeqfhjd.exe	34
PID 2760 wrote to memory of 2772	2760	Pdeqfhjd.exe	34
PID 2772 wrote to memory of 2852	2772	Pplaki32.exe	35
PID 2772 wrote to memory of 2852	2772	Pplaki32.exe	35
PID 2772 wrote to memory of 2852	2772	Pplaki32.exe	35
PID 2772 wrote to memory of 2852	2772	Pplaki32.exe	35
PID 2852 wrote to memory of 536	2852	Pkaehb32.exe	36
PID 2852 wrote to memory of 536	2852	Pkaehb32.exe	36
PID 2852 wrote to memory of 536	2852	Pkaehb32.exe	36
PID 2852 wrote to memory of 536	2852	Pkaehb32.exe	36
PID 536 wrote to memory of 2988	536	Pmpbdm32.exe	37
PID 536 wrote to memory of 2988	536	Pmpbdm32.exe	37
PID 536 wrote to memory of 2988	536	Pmpbdm32.exe	37
PID 536 wrote to memory of 2988	536	Pmpbdm32.exe	37
PID 2988 wrote to memory of 1748	2988	Pcljmdmj.exe	38
PID 2988 wrote to memory of 1748	2988	Pcljmdmj.exe	38
PID 2988 wrote to memory of 1748	2988	Pcljmdmj.exe	38
PID 2988 wrote to memory of 1748	2988	Pcljmdmj.exe	38
PID 1748 wrote to memory of 1472	1748	Pkcbnanl.exe	39
PID 1748 wrote to memory of 1472	1748	Pkcbnanl.exe	39
PID 1748 wrote to memory of 1472	1748	Pkcbnanl.exe	39
PID 1748 wrote to memory of 1472	1748	Pkcbnanl.exe	39
PID 1472 wrote to memory of 2360	1472	Pleofj32.exe	40
PID 1472 wrote to memory of 2360	1472	Pleofj32.exe	40
PID 1472 wrote to memory of 2360	1472	Pleofj32.exe	40
PID 1472 wrote to memory of 2360	1472	Pleofj32.exe	40
PID 2360 wrote to memory of 1404	2360	Qdlggg32.exe	41
PID 2360 wrote to memory of 1404	2360	Qdlggg32.exe	41
PID 2360 wrote to memory of 1404	2360	Qdlggg32.exe	41
PID 2360 wrote to memory of 1404	2360	Qdlggg32.exe	41
PID 1404 wrote to memory of 1228	1404	Qkfocaki.exe	42
PID 1404 wrote to memory of 1228	1404	Qkfocaki.exe	42
PID 1404 wrote to memory of 1228	1404	Qkfocaki.exe	42
PID 1404 wrote to memory of 1228	1404	Qkfocaki.exe	42
PID 1228 wrote to memory of 1720	1228	Qlgkki32.exe	43
PID 1228 wrote to memory of 1720	1228	Qlgkki32.exe	43
PID 1228 wrote to memory of 1720	1228	Qlgkki32.exe	43
PID 1228 wrote to memory of 1720	1228	Qlgkki32.exe	43
PID 1720 wrote to memory of 2880	1720	Qeppdo32.exe	44
PID 1720 wrote to memory of 2880	1720	Qeppdo32.exe	44
PID 1720 wrote to memory of 2880	1720	Qeppdo32.exe	44
PID 1720 wrote to memory of 2880	1720	Qeppdo32.exe	44
PID 2880 wrote to memory of 2196	2880	Alihaioe.exe	45
PID 2880 wrote to memory of 2196	2880	Alihaioe.exe	45
PID 2880 wrote to memory of 2196	2880	Alihaioe.exe	45
PID 2880 wrote to memory of 2196	2880	Alihaioe.exe	45
PID 2196 wrote to memory of 408	2196	Aohdmdoh.exe	46
PID 2196 wrote to memory of 408	2196	Aohdmdoh.exe	46
PID 2196 wrote to memory of 408	2196	Aohdmdoh.exe	46
PID 2196 wrote to memory of 408	2196	Aohdmdoh.exe	46

C:\Users\Admin\AppData\Local\Temp\57d9b7d3fd6e7493780a44e9215b0480N.exe
"C:\Users\Admin\AppData\Local\Temp\57d9b7d3fd6e7493780a44e9215b0480N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\Pkmlmbcd.exe
  C:\Windows\system32\Pkmlmbcd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Pafdjmkq.exe
    C:\Windows\system32\Pafdjmkq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\Pdeqfhjd.exe
      C:\Windows\system32\Pdeqfhjd.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2224
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        68⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 144
        71⤵
        Program crash
        
        PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
94KB

MD5
f53d4b5bf43f7c4ea2f9f6ea7af40ba4

SHA1
ac94d0c91f7f7b1e35ec2d087a05d4efb0dc43db

SHA256
4a8ddfdc80b16a029a11869e10547c3503aa5d4c97914e62c85ff50928e3f45b

SHA512
4e6bdd2bc7dcf7adb31cd736740d3187ab1197b8f1a370616d73175bc81b4e0d7cc2600ffbbb9d5fa625ddf85769cf706757425ce06ab64d09dbc3b6e7352e9d

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
94KB

MD5
8531c28fc3ee728f49da790a6439e76c

SHA1
2e15a4eee4fe332411280ff87ac979d152e834e3

SHA256
952d45a47c85ee40cd331f49765dd766f71f2c162319b3d70656dddb780a880c

SHA512
62152c18079c9854b5b240bcf1990b442c0c71dbb83f551779deebcf6359197db30246efe5614317a062853d6241f1f48e348e3edfc3e13e965c47b4836527d4

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
94KB

MD5
b95ca1c4c79a55b35413810623e70cd0

SHA1
6eed669bb2ea192ba115733db87ae9229a80e339

SHA256
af8773efe75bf1c8d324b2991251589c6149fbeb57c17a105fb0676093c3f8c6

SHA512
6f6e52b78f7c68110532dc497602b6753079a36e59ff1a24ee20d7123a4933a9a57c3017ce3c65878d1328ec2c75686ebe2f9af98335ced77179e0292653236c

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
94KB

MD5
ee213e6c0f2eda092c378ddba8009cc7

SHA1
90724dc19bcb3a91879a1746d990af72265eefcd

SHA256
d3bc56c3262605b8363aa0affc46de1046bab5991e6a7ec5cb18907d7a5ea65a

SHA512
b45b9bbcb1227fc5e085f6f7ca8de0b7855735bef829cc02fcd3aaf983fd05f160e219b9574a44b3c638fe4b59200bd9ad235977ff6f814c98f1c00ddece479b

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
94KB

MD5
11e4c9067cf362f23a0417cae50d6193

SHA1
6ccd141d4e7e5964b11084941fdd0fbbdfb2d42a

SHA256
b975595352273d1f312a8c42b1787309234e27e6c607d0044adcb4a92dae9ee8

SHA512
0e3788d9b2cda7efcdb7e50a0651ea655d15c63a797553b7ebaad381a4f54bb4ba37974c01c35c9f0af27f3ac988befb102ba549355e9c5c2aa7e510b9bd3043

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
94KB

MD5
ad73db40e09df76b72b425881c1c4a71

SHA1
27fa8243d9dbd06aa6e8d989b1e94003f026f1c2

SHA256
697831e605b56b3cff2e6b4348e75087fb5811db8daadce5db88ae33175d7cdf

SHA512
d33981f59782adcc213cdecd39307541e49eb15d8fea05953c87f37dadfddef37a899f72219c6d6a97eb40874908b4fe305b00a52a55190c9ffdf4cf42af8fa6

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
94KB

MD5
1312e0a7ed22474c39198bb59f9e4c1c

SHA1
1936023bcbd426c010a88edc228d7187024b1585

SHA256
7be3f680d90ff39ae4f069420d973fc5f735325ca632bdfff4611058c32a2a74

SHA512
2189b43d22f6fdea6cacaa784c9ffa8cb7404c3b78c0c6ac57edcc843b2a9743fbe488e92236523f0637a81efc40a348b0ef26cfc56e5227d6c1384c24296c75

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
94KB

MD5
3084f1e18d7129d1d7e0d12698584b34

SHA1
5d67ef918a9e6b631f831e8d482460247d28e8a8

SHA256
ad57cff829f743ecf146a0e6d2d7a6d114774746ce065667e376b7b001bcc6f7

SHA512
a0d95e6cf6b6694dc27260f986294170298ba61f594b24697b524f6abf74c3fd8f3fa437a9ec2e88c041cebd99af94e0043bf27ab351910dc8fd2961653255b4

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
94KB

MD5
931bdd21e173a15359930a67077ce6d1

SHA1
69a934b1c2b5bf566b67654647f322864f541076

SHA256
c6fea1cdcb6e56930bf948587b87bf34dcf93d0d2d8b75c49fef6c7288ef9d65

SHA512
b963c998ab4fae291b5245b0ec8e77a06bee856619f2bbddf338286d8c91444d3b16df72e585d24b9c07a3d34d8e4e3cbb4009752dfcee8c3295a60c1df1ee6c

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
94KB

MD5
ccc7c24bea10316a3425b74739954962

SHA1
7b2a397ac3e8267d0d4187584536c77362de6f33

SHA256
bcc3b759fa30d690e11baa493e97c1e9709052799e3fe2d0e113b57d86756dcd

SHA512
e4198ef102ed1a3ff88026ef11b96613f678d24f9a4c788473ed1bd4089d790d5039a4fbe9dd26f63347e8d78c49bef3afc48a800c8173fce93c2e5f85000c50

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
94KB

MD5
55542a1f48c6c25cfadd0e9ef32dcb80

SHA1
2bb0a0fb4d33edd55165522bb7468534a25d495c

SHA256
71469d5a58c3cd281fb8a0d2dddd4a84afeec229e1911b084dd26f201047ada9

SHA512
0d782b7f813926591616a0c44aee403c146cc8e3e18e9975751085fa1666237fb144a9529066383d379f524360620065a9a2f80e62db444ebb32421dfd6965b9

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
94KB

MD5
73297b417c5b6db77db8696cbcd86401

SHA1
609979326a5fe48fed86c4092067c3250db87633

SHA256
5a01321140795340375a8688eea595119778ee0bd8e701413130e93a248d4955

SHA512
d4066b77d072d2fc193e0aa8976e7085554054b1d0af8f3ffd4d4145b7b8d980c8f68eb0fce1cf780e28cd3d6cba69b66526780f594aabe94003d8c96279def9

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
94KB

MD5
9733abc917a72cd5b50d0ee7a3b8622a

SHA1
7ac46fdd1995a11a6af23d63d3ab1e3c0574c7e5

SHA256
bcf483cc32692f9be903a5aff2d95d5003743ab9163b79786c20ad911bb1d4c9

SHA512
6cf0b965b4289ce922ddaa7e07915abec6df746275d8ae0da2425b603a92fde8848412be4bb4d75fff0f9ae678eb9cd2fb99bf5cd61c48c24257a65eabd5ec82

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
94KB

MD5
8975ffca66c6c215b1245c5a3e210342

SHA1
7ae0716f4819febb174acc2706445fea082a5d46

SHA256
aff12d10181686b91896e9947f0aa0c2c8e6ab8b256796d7faf7eaf8b8b4a67f

SHA512
b2deb1912c1517b9207c1fa4d6d113f9eb7ee04acee958eb3d660f9df8fbc2112c5a612bfa6041627b1102981f5b9cdefab09b977cc91b4db03945d5cfca1fd1

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
94KB

MD5
1469ced3e666394033e76a0c4e426af8

SHA1
1d9d1ecf614153bae47c9f69df3629333720fb1a

SHA256
e5aa1e98de1279e05fbec82a690fc204f0c5a999ec9b3bc1d220f846ab6bf77e

SHA512
d82a24f1187329ae03c0e49626096607f2095b159e31e5935e8074b100720a5f58fea1ff8da4c6f664de689441add63f4c83184a762e0ca0db6433c715ff5503

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
94KB

MD5
f88ae4672327665a7ab1bdb5346b9d9f

SHA1
860aad4b8a11ef06af0a114ef17cf21fca0a08f0

SHA256
50e07078c58ef835620265cce894819e86bf8c3dc88a9d1a260b9b08ca5c098b

SHA512
4bb858600a8b7ab315fba687f4bc808630b06e223c7846ca37898b1198395d7776051d53d60352fbe7451323015cb2a9ec3b25adcf59e7fec388399ea4336efc

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
94KB

MD5
5e157e7325ff92e2d54d864c99c00d14

SHA1
a57539c93a59ca2792bda208cf6db10d81ee913f

SHA256
a1a5727c2d07a04b827c4f225b57caef8ee555904a52aca47e11cf43b0aed79a

SHA512
27df7c17720268d798b961fdf34436698e13a487582d7fe1aa0bc57581a69459cec22b38886d00910149961d2043e9fa0207accee219b91cdf126b4f3ead4076

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
94KB

MD5
9465eaf5e2fdb91cbac914e196ee826c

SHA1
8ad73b909f8b1940aaf0549de2a309a4aafe6993

SHA256
80e75351e69f3e72b854dd7ecf57a27ace5d11fafd320bf0b7e7d1f994f73dc2

SHA512
0d90c46f88f9d55355d6eb64fcd3184ceb8c0e9e7b7360fb45974052cb338d77e8dd560374f1968ef3574c062de123088e4eca1b7dfafeaebb595456996bdf70

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
94KB

MD5
2047b51735abc293f155be09cc8dc034

SHA1
8eeb91d9ab3ec83061aa2c9d6989701aacda23b8

SHA256
d9717f7ae6ba836ae24b5387a0620522ec3dec2175f9de3ef758e340bf965138

SHA512
33b4d921e70a98e89353bd34e7d4a96e3627d51b6022598abd6171f64342104d66c0a0067a06c94573960c811e9585141313b32d8c69453037577a4b0e84c120

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
94KB

MD5
62fa0727ce81ffeb049862307330df43

SHA1
a254823e0405654773e2fe40e84f60c6f9eee6af

SHA256
1424d91d2d8c9524709bfc146b878748ce171656be9e20e0e3e098ca900837d3

SHA512
e616ca73df34f7f7b8d18333cb4e76142f2f0a960409b2929711b0b761fc8756c719ea3883883f41962af120e30e8cddf49c06594cf78d60024525c861a939c1

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
94KB

MD5
84a8c8670160370b7c140db4b82c30d4

SHA1
7ef2eab122c5744489077418f2df583b263763ca

SHA256
5f9151dddb728bfdf90c99fcb0af20b3455be7221693cac22640bbdef25201b5

SHA512
57b15e56cdaec5c3a27f4d7807d9b5f8b868e42a8f90412827da38a38345b2fda8559c6d201a639ff0f7435bf0f12b909396d1eef23286491ac2435940fe5f7c

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
94KB

MD5
e88f28a33793697bf7aa421281647c08

SHA1
31fd31c3abd6e75486903c729faf7ac06b6686f4

SHA256
9ada35eb8dfddeae0f0db12bb8e1b409711d7e9a843a84e27fd6535f0e3ddec1

SHA512
364a60cfca8d057243f0737c8939f232c1ad666b074cadb1359c88ee8f3036cb9deaef72e457fcb6c74e385c40ecbb449ff295c0741df836b84c2ac73d213fa7

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
94KB

MD5
e6f9fdf9fb8037519426a7a8b3ea1022

SHA1
fec7c7df385124ea96f71510834159c075fa4a1a

SHA256
f95f8b0507b280b346c72c2e248daa40c14bc57dbbd4f3081f1e2173bfc94d75

SHA512
cff52370af84c19c229a512e11e3362825dbed291b963f881f95d6bdb58d6c78a0dd9d2798dbdad78968e3aee3867fd6a5e809093e281b1faf289c66f6dd6652

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
94KB

MD5
85074ebedb5bcb38546f5c6a67b0721b

SHA1
f05e4b273c217efad7669b140472ad20bef28a1f

SHA256
e9e3b87fd77505d1e0d4319af65c04a250ac3d6a708fe4cef1bbf08dd2398dab

SHA512
d31e98779e84afa878648f1e169eea7dfdad4c828c3ca0fb7e316a441765f1f8f6770a4c31ebb23eb535af50299a819f090b20c2eaf412a46d3c01dddf17d23f

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
94KB

MD5
c5d97422b46f886842e5aa3a3352ea52

SHA1
a6137f0e48b30b6c899a44a94c5e3a68568bfb15

SHA256
09c185bb3bae9eb8bcd7a101bc24ea80d89f9056646fa23fe07b13a600acbd9c

SHA512
57e2c81be7aebd51e0d8d3a4c154bf1201147b2c528dd2434219ca8fba59acbf7420792fc464bc4c3d62f89d4e93d58019dfec20fab811f247fb7569ab2451b5

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
94KB

MD5
6943130479c8a29e959932120cf741ee

SHA1
ef131320f84463e6c0ab6fe8e7bdec3fbaf2d9ba

SHA256
99eb46bb736209170b2f2a3ed3622657ac4348fcf5874d1dfc3a1ada198e1cc5

SHA512
62ea0c40d36304a8367810db219cdc8abdc77ff44751cbd1b4b8ee4597c00795c922d012d9673f092ec50c85cb47bcdd4e31e1c0350ac98e39ff0600041f43be

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
94KB

MD5
185c26e04fe91ec9a0e62b2fb51e3500

SHA1
e099d5bc6b0e76f5c6094bb45345c7cb8af9f87a

SHA256
ab6ee63213f65cb87ad2666b86749bb9f60fd77ca59c3417918cfaedcd6e4604

SHA512
b1b50d02cd8fe076dac9906692f695712204a15e7d21d50f79a8f46c5def6c8eac3a5749e24668a513253becec1d2db9bb06dca80a363e90fe72b115dd229a39

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
94KB

MD5
48b46a32a3d56b6e39b455a03eb14ca8

SHA1
b3f191a970fde1cab4d93cc0d24f5c37f8a6433d

SHA256
8c5c66160490564c733d4883fe68192eb96f26241cc0bd1e1e1f4f24395926f5

SHA512
051f7cc179435ae2b9d43784d8efec09ca654340bc195ab85308f93360b353c58ffcd60bd437bfd73cdb7e7925914c716567c382434ad678fba28f1a3587f36b

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
94KB

MD5
8f666333cda17a099a836ba03cab50ee

SHA1
40ecd2b30399941200a54cad46db1a79920c8b28

SHA256
dc16eb4e6bcad274aa3d70197e19e09d9005d1763c8779139a28ea92e44f72c2

SHA512
d8f7335c59f787fe2380838cc6faa8ad5e7909eb598c2744de32d695633e3b8146d37132b6b523da6030910447b1d33228d3b50b3ac79936b14fc15304ee1142

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
94KB

MD5
0b8ea65c425c2773d7ca986a2dbd2188

SHA1
5ccc431f8b7f97540ab5af31910058fd6adb278b

SHA256
26d6432d8e7a641f9a51c6238909c632315b42a6ba05d59ea5c05fb88ce48b61

SHA512
0d766c573e94e46bc05bb9779000ab1dd249fb778e254ee0ea013e2f579369127f2520bc04dca63c71bb01dab701ff8f0ea021fd43bf5a7a6c7995aca2d295c5

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
94KB

MD5
7d6b1402edbf91deabd2870dde3284ee

SHA1
0c780fe5fe2b2ce80c2c441854752813c35f49e6

SHA256
389ec130b84e5d6a34e328231aa8e7c997e3e0543fe3c0e7cdd8f89fa8da3b14

SHA512
c22c8c781c867c452d144ea37b8470f3a1de57193667e9984574ff0ae34e2aa7c29b918479e4fbdfc0a6387d0aabaa551e10dc83533d6e7e09e6f2829f3409e4

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
94KB

MD5
e312cc263387fc02fa4f682af982feca

SHA1
78ea2465263df12189a9bffc0554981270e3d316

SHA256
7c191911de147a7e94c30e1c838f6b63ec553d32433fd683fd0e401c94b31553

SHA512
86fd6fe00df87a5e1e2970cbf242d920ed74443e8e92c7efda99735bb2a85b3a3f57084023339fc04a16e939c1ddccff9cd21b5cfae2cf25e30637958b9ebdc2

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
94KB

MD5
bb6382cbd022ab2e0f5cecaa209d052d

SHA1
9b109bbd24ad314a0d2c2770dcb9a8f53f33da88

SHA256
bac20cf93c54855f838cd3afd7d051acc275e623c66c6de631d0cb336daed296

SHA512
2345e83dd54653e836fbb448ae20f9fcbab24ed3a79dfd46ba7a6e7bf6bc39de96ace3e7701774b398702c270517bfcb92feaaf369d18da3043d36d9e24ea694

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
94KB

MD5
2213d377913388e6cf417e9ecfff1657

SHA1
c7523179fb1c40b5aa0fb0a85b2e66beaa4b8138

SHA256
2a0f9cb222d36baca52ddf63375a395d0830ffa0a747a4a58ecec1f93bc3a348

SHA512
1b20f775d312ad67eb770bd84c3d94da1e9ec1adac645f6656c93d9d91fe42ebec2109d82a94e9bbd5b6efe554e955b61a1ff9391f2be3267377edc546687e23

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
94KB

MD5
d399eae2d463f2c285553ea6f92ad99c

SHA1
92fd9faf08cf4593c530578d8fedd9ac0eaa0182

SHA256
2eb4c0549d2037f56c94a35a3c7b861b9dac5b33c3f7edc8b5ddb31543df44ee

SHA512
c4e7221e67276021bff02e95856b4413e2a85ac4c0d82b41f16ec0087a7ca28934b31fb3a0148dde3351fe64e19c6562ebf56e055a20024c6f2b51ce04c328bf

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
94KB

MD5
a570be12a671ce6c7e97d67962372271

SHA1
fe4edefb327c0284577482c8c7ecdaa0598ac52d

SHA256
408a3c7ac0cae9b96dfecb71ba9655cd4baaafb2a7035885871b1a002d66d22f

SHA512
2b26917cde7a5cca78f983f9f6f4142aa6d9cd1fbacc2b10113ec7f3c8d0e7a96d492e58d422be15781a9ef18581ae18795e0b5ac196c1e7e1e64f4f8a6d8a8b

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
94KB

MD5
2228b6c1978cffd9b53a3c11f8e8ea4c

SHA1
8825645cf6879db2df81632a9cc4745d699d8499

SHA256
5312cdc61b4455b44a31bc9885c56fb0b3d7e4bc2a597864afa196a2e9e61bbe

SHA512
4660c4666bc4f3978dacb8503329da71ac4c26e9f4d0600c9aafdbb92663aff8052db52054373eb939888125afc53ae6a0aaab165ab4adb959e0c84fbcb9ff9d

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
94KB

MD5
506ecd726a37590452a13d27f387c3ef

SHA1
0fce5f25a7cf4610159861b95c063f828788f47f

SHA256
428a0b061e05978a2a035e1e9ad0fbbdf26c49bff209ab407deb3053db49478b

SHA512
961ae0107512374fd4422c68645fc0b30bf59f64ca2e629c6979495392953e0ae89e11a479b2ac904271db66967fcc2f6eca391655ec551e41c7e5ffc94fce81

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
94KB

MD5
ccba3ddd571bcb2cd0183fab06a329ec

SHA1
142491a7d7edcf8a18e85dfd9bb48b0afe1b4740

SHA256
91927e30f8f6908ad0779680193cae93a246a0428ce9cb7768aa086c557efe2e

SHA512
9f6fd27fdf60f61e49755cb7aad8a08cf836a6be9ac30e9340525ec815d6bc61fc80549590bff6f7f6c6031d8b1866de371eff48ce782b6596ad916bb5092979

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
94KB

MD5
4aec9917dedafb877629306e4394b8d6

SHA1
b2f165484f45f50b42b631134a2be5f5128f4a15

SHA256
8372549704345c6b1b222313275527e8e586fab4984356ac1d7955e763fb704f

SHA512
3a0834d0015b138ef919d5ee2ee2b8eec241f3fe94c67cf16b49e183779e6ff2f698dcff09218f99986d35277e9b8aa1a7ea01ee7d13921ba94907607feaf565

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
94KB

MD5
89c76a9d4b381a586e456b320147bfc4

SHA1
712cfad1f454e78a159fd201ff1c8a4f943f159f

SHA256
582f0a565d3cf1c02edf61147a7fdb73130671c754c09aff107dcdc6b6d77623

SHA512
be9e871bf428c162af990e424d8bfc649c4deb462118a03058539915df9fabe107fcde2756a0a5826d2be1fdccad77cbdf1d8116e4e9a2ad6674b697e0e31904

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
94KB

MD5
b13835e1c8676d367991b8945a82541e

SHA1
c7098510ea1c946a5e5a32edb96e175c574d75ce

SHA256
ff23da7de9aca762658b4c9c12448745fa1699ef8e8165e3188597acaeaefac6

SHA512
7c2e087b20beafd617536d5de48c53e574bb25e02178d03a72c01af304ec28a380c32ee82a7e7c841bf7db5c5f673823070cd4d5036c504d74cab54b1bf25b49

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
94KB

MD5
333b82b015a2ff643d3832b45b67dd93

SHA1
4b9b82564b8bef5627dfff8e7523b714b500fd54

SHA256
5f89dc8c10ccaffbe2d2b907e1f005ec42a5a66aef2af4aef9e324f15ccaeade

SHA512
a6e6c1f764a83d457dbf5aaad70a91bcdc71f3ed3c68d2019731dcaa5d45c4c4bba917ec77d6588549d8391458c1747c873b5587463bd9c4573711af7914ee57

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
94KB

MD5
d5be8068ff8ffac84fa8c1bc1cc4eade

SHA1
76073bb91e356d3b5885e71478aa1fd56417015a

SHA256
c971d7c2cbaf47827d27403949272613a1479f82fe3b741bc870dc66a15cc7bf

SHA512
b1af5173855f526bdc7efc06c2d5c59b92173330fbf9fadcbe276b59a6ad278a46932e46300bec137070ba423920253304838066d1cb54910a3d6e55eb512dfe

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
94KB

MD5
9383e4c1aafcdd4498b7f064250bb053

SHA1
93df7e1504acd6c699d6465e44e804b837a6cc7a

SHA256
82cc8751e92a5b23e6d450e6d2df174a28496128fb666e3394e1ac6214540530

SHA512
e46a7ba5307b658743385e6d2604abb341fa10b417784c23f4015f12a229cf4f3aebea12eb63004e0a1670b48b80a79a4cab54c41b4f03bd0a25b4ef1d4519d2

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
94KB

MD5
33d503be144735248b783c8390765aea

SHA1
7360a34287e045e468f408d4ca8a62f0ef55f3f7

SHA256
afb2dd430a49dd813cb6196af547ac235dfefdbccffb2490aa86acee0aad8a12

SHA512
965a07cfaeaf467c59436bbbfe72ba98ae908a7c2cfde5a9dd7db098f87035977e50085f4e7da34ae710b4c2974a42e50e49c6c14ab2439ef5feefc47640bc7c

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
94KB

MD5
a373fbf1ddfef1e975856566aafd3015

SHA1
ec957b52f3070c9178ad08c0b533c8761464cbd2

SHA256
a08620143f0f2e118cec98473d4c33587bb1311df81348d35886c378eb6c1523

SHA512
2ced19330ad9face5562edc6027c21e906999592ed23ebdf4a4a0b114e3f796d6d596ae3ff630ccf187047b904f3b5a0148892b26938a2d6dfd53c4e73953ad8

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
94KB

MD5
7d77aadd44a1baca12dbe0d0e490925b

SHA1
0ab9abcb7c004f1e64a3585505ab02ccc85a4e02

SHA256
ca997f49c61697a8a3c195b558d6db0694245e21a3327065de7a208f4398a5e7

SHA512
6f8b41d6f5eb16c24bd1a5913a22fc855a9d2ca619f9ebb9891b0dccb3395919baa551e905e7cdc56537645f2ee9bdbd4230bf037971fd9022a6635abc9b1976

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
94KB

MD5
f9b9fd0f113a554881e23f1441833581

SHA1
1f90b83ead6114591eaedc680a9fcb2859a39667

SHA256
ea335e64205d78c7a0b6361ea300c1e5bfec79625af0d6d5b1aa12386c952915

SHA512
120c2f09132642550e1ef71875da5ef6dc6fcd2734da2c46101fafa78ebb7d0acf9ef246fa1de028392d16635bd474ec3490fe90a1b0f4cd3afd56a083992db1

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
94KB

MD5
ff97441044ef56c24cb3bdc58bfe7147

SHA1
ba30cac0098fdabf25c2fe023e681cf7df54c385

SHA256
865c324840de24d4f8024e10fe8b42c8a58328dba05adf4125a1c92ec1ca4327

SHA512
dc64644181c444e1cd9a2a4c5efcc07dff69390b7316bde8824349f3c5f8664789473b418a07beb0dd32d8a6dde10722118089482208f2227f92fc2918c6ff66

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
94KB

MD5
73232a63420cd04bf646842d5bc7aa49

SHA1
d952544748ad2f8f4d817b3431b1e61fb7211a01

SHA256
b9c7b88c6780802b150ca78183a6a623515b5399cd437ef8cd602e0702faa849

SHA512
e9ffdba3e27700b479964978fe1d2bb9f1f3e0a5b05ee80f4d8cc2448e8c24f4b6fd4760235f2e2500329c20b73657b306909859030f5c9087bea2c375d3ac52

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
94KB

MD5
fd8ad46e8e9cce3e14518c5c82921664

SHA1
a9f03b821ce432274a8bc520586ab458e94b4724

SHA256
1f1380cdbe7c8b7676b30fb146eef8172bedd0a5cd2ea90694f6397c838cdbd1

SHA512
80b670f3c0bcb2ea5395469cfcbcaf67cb52f561cc49961c8ac198e45424d7070284231e4a018f1ba04ae3d8024195d2e588007c52bbf89f7f28565761b8a430

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
e334891d326db17cd68e478beb75f2d1

SHA1
a11be2d737f4df750cb0ba24d830263db50fb689

SHA256
e354bb1917b2663ed45038f7d5ba4bdb3dca6feebc60346c0a0ea254b9e38d04

SHA512
584161fc1a03783e49161c88f106530aee22ad48a69d48793b84dc121e2a20a010772db3652bfb42d5738b25509cafa8987547e0a2d174aa26d15d1d5f8c4407

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
94KB

MD5
66badbd4a3fa0b7d922e83a91a28a0fa

SHA1
28357fdd7d7a3c7511146ed20fead38d4253454b

SHA256
704d4beaee393a3bf8d779d88ec357fa57247b810a0a7a821525572dc7e4a025

SHA512
80992ab2d89a5381416f041c4adbe4d90f5e4c3160da0a8006f1cc908027fcb338f9facf2dc1b9362a188d99a94bf7a19274dd06754c94172fac9631695a8741

Download Submit
C:\Windows\SysWOW64\Pmpbdm32.exe

Filesize
94KB

MD5
c60441ec884a64a9bbaf3fc7239e61ef

SHA1
aeee08e9aafe3d7ee755056b9702bcc219ec77ae

SHA256
6ed8892540f43e2854162f76cd46ebbf0a3b6b946ab114ba1f2e06887cdd5c35

SHA512
ee448b74a520a53d4055d85c933ade2bde25fc007ab65fd37d78977c15b5d5fb4c5383cb18dfc40fdef6706ed72fd91ddb2f6080b622e026da315d105d0d5ad2

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
94KB

MD5
c7b4752affca1534ef09d4f514b88c4c

SHA1
57f1933263e84d304f50acecd605cc895091e87b

SHA256
48dde28039a1495583e63e6986029a134f6190204fdbb0f0d8a9b9a3bfc93b01

SHA512
11e178eec293619fafca9330dda492be32011905ea936a2e7b3732a4823bf318b89532d1c80668493410d7004ba8727d67c9d4b27e4bdc76fa2c64e0ce0bdc5e

Download Submit
\Windows\SysWOW64\Aebmjo32.exe

Filesize
94KB

MD5
ff6cd117d2aaa7956ef76cb376aef08f

SHA1
0fde027822cc725ff693d1185f4df45ba65c3ab4

SHA256
f0002ddb8eaca2efba34b075f4951dd8079e35e0f7dd6c13cf5a273608d6b496

SHA512
e76cf93e7d8350383592a7cb1613485618063ea22d98a137ad7d395e8f561a09ac3037dffd2bffb319d45157620e14dd83e9604c4705bc7fc1e26554954cc3d3

Download Submit
\Windows\SysWOW64\Aohdmdoh.exe

Filesize
94KB

MD5
5ea1425c5cc0f0b6c8f1013c041db3f5

SHA1
1512ac6358565fc61a314dddb62393dc3b851c83

SHA256
2305818882590e09af9e68ccb8bafa49addf557058f10d420684c1ff8db72911

SHA512
73b2de176c62a1f499ef26747feb8e6f5ee1d2cb64698a86667e4c22a8dc4c71a0e979c21655804f3ec63fc6006ae5ad552e757fd395cad4b2fe5d0d8fbf30a9

Download Submit
\Windows\SysWOW64\Pafdjmkq.exe

Filesize
94KB

MD5
513072528ace436d84234a2c16aa1ae4

SHA1
490cfccd43b25ea8f7d3070eaf170228a09fd49b

SHA256
b4a2c1e1498e3e9df0c823aaa09a1c0c90b898e07413dd072c7167a684603d34

SHA512
60ed7bd8205a9e9943fad110905ca2244f4908d0bd7fa3466d1933f55927cd2167fe6fae4923e331de783081328ea74c63745a99d252a26a67f60e7de49657ad

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
94KB

MD5
bc22f8d8b606a7a91432d4dc71ef5408

SHA1
f428b7698e8ee57e3aa9cfd391b971e9dca370dd

SHA256
5dd35011cd7f6535be1f0a4702a57f392f892c789cc00cc7110509e3b8d3e3a0

SHA512
b8a0e2c63f05975426a4a0873bca5f37611ccf90b1921452b0758a763a155d8b8e989e606aeae30175fd6f22672e84423664f70cf623172cd87cc678fbf4b04d

Download Submit
\Windows\SysWOW64\Pdeqfhjd.exe

Filesize
94KB

MD5
b702f62a1ea9aaa847b84e9d70d93261

SHA1
a8fcf871f51f207fa0e27d374d6c03a33498fef0

SHA256
245b2d5fdf14a4d641c18d0714dda05dcadf182e707bdde2ded17fc244f97af7

SHA512
6ae1c6ba5421f6d8c7ada520f392e19ce60ad7b810eb54f7d4ba28a0b00eb455563f3a2a401284365dd87ddca2903d7b3767040cccf3edcbf65d2b78f50edaa7

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
94KB

MD5
2e3a965192d4a3d7afc7cd68c202028d

SHA1
408f4724fa5503ceaf20521f7b6e7f555f1ce88c

SHA256
90f24c6f1c421d02986a0252c55cbd386efb20c700c9fe040821f9afa3c927b9

SHA512
f4c8623866cfb663432bdb0ab009567e650f4f1cd5bc61c12efc8bc63da5fa520aa121e7e356158de48a9d37d624218c7d3d484ec91434f57a79d609fb20bc6e

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
94KB

MD5
8490f4006a222e5fe3e1c7886c94b1aa

SHA1
deed1a2e6099b78144f77feb320c93b6ebed9bd3

SHA256
c9841f9a33e6b2934a0ae6c39fb94566211a3852b971a2f853094451820dae96

SHA512
990c101fb8d8810f91ec662ccce0bf0d3b192946146f56770ca631b6f4f3a589c83d50b9af7e603839e2cf7b2297c9732bfcb08dbd5d8bf05762adcb267f68c0

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
94KB

MD5
bfa660d6f0b072731b90753813f78de1

SHA1
a7500024f0e0f7de090fce48bc8061d5d296c339

SHA256
85aea9997683260445b0ca0d700757c67b4f72448dd0e94fe9a216dbdf781b3d

SHA512
9b210eb8e14199b3a5d04cc423bbdde874140ed1f339aa493728110bb576f89144967d604358be72f7710198dffb12f06a48bfc5b1e0fc4119f3d4690fd2fbda

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
94KB

MD5
69cb419104c1c62162c825bf00dcb90a

SHA1
075a2c3d6596db620161fa9b8f86d6e78e7003a9

SHA256
cfed715eea53639622e8031c2097d6fa27366f052c9508fdc395243e59d8dc82

SHA512
353a4d4c039009796d9b0dd86edb71ce6ce977fc1cb87637d673acc12389ebb39a231b265554c2d2a19702bb692294d3e7805ebcca31b1de69f19695bc40e3c0

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
94KB

MD5
8e8747bab07aa243da253198a322bb1a

SHA1
0744e2c1875cde017deeebb2238967f9fad10592

SHA256
9933c5ecf6cf3001e9653e62316395ab96885bdb97c6b5668bf5bff8e59638e6

SHA512
e2df05593ffbe5f61b98cc99938457d87be108d64e9e74b75f68a0eb06985b21f5fd52c040bf7799796b4b2cfacd9f969affa00ffb15b56e6493e86ea9c2ccf4

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
94KB

MD5
36f9fa099b1593f78d15ae74ee6491b4

SHA1
0efc88da22e978bf9d3acda44c71dc78dec35a9b

SHA256
2f1deb4bbb0300b59c80ef2f6147318fbfa9a143f46710ece85bd4868ae41426

SHA512
0829bf68848b8dd7aba59e4a736d271b69a64f47344fafef973dbdc5a2071729ca3c51e2146083a175383f3b60000821e518a847c5dd3c557b90de22a9504ccf

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
94KB

MD5
d3539e1a3fb36a74916de59fdb0d18e3

SHA1
2a2b0f8995bd4dd2ae3b8c6fa04ba521710167b9

SHA256
10e326160eb7f5532becb0d9687cc072104b61934b66ed202b2e3b00a59c5bd7

SHA512
e3be6e9e0c2141bec963187b9163368b51cfea19751ce57d874183febf01fc13b799a25cf7a910c84cd155185c8af546512fbcf64c4444d306aa41f952708171

Download Submit
memory/408-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/408-220-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/536-88-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/536-444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/664-295-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/664-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-252-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/912-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-253-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/940-264-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/940-260-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/940-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-458-0x0000000001F70000-0x0000000001FAE000-memory.dmp

Filesize
248KB

Download
memory/968-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-460-0x0000000001F70000-0x0000000001FAE000-memory.dmp

Filesize
248KB

Download
memory/972-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-239-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1176-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-306-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1444-305-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1444-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-316-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1464-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-317-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1472-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1500-273-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/1500-274-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/1512-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-424-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1688-422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-423-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1720-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-477-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-114-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1808-35-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1808-394-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1808-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-437-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1952-433-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1952-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-383-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1964-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-494-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2188-489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-285-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2264-281-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2324-327-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2324-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-141-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2520-404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-482-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2532-483-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2532-475-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2704-341-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2704-343-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2724-371-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2724-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2724-367-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2728-359-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2728-365-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2728-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-349-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2732-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-348-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2760-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-60-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2840-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-445-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2852-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-194-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2880-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-473-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2964-476-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2988-459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-379-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3008-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-18-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3008-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-17-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads