4f79668ebf75ed1c4481a98d740315f0298eed2f278515a7a2d3e4aa31d2c44e

Analysis

max time kernel
107s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

566b50ed03c4647e7d872614c1d9de80N.exe
Size

96KB
MD5

566b50ed03c4647e7d872614c1d9de80
SHA1

d7580c253bc62687a8090be006dd946133a81593
SHA256

4f79668ebf75ed1c4481a98d740315f0298eed2f278515a7a2d3e4aa31d2c44e
SHA512

5a818a5321e99baa4c7db56cb93fa5575f1eff49e8334e006049b0cb1734a8a9412c32aef98d15c6236afb3fb54e47d9c9ba4d8e7d2963ef8649a7a6cf35680d
SSDEEP

1536:kjECBcxzsCUIB33D5Lh+tswAvilEK4NCBYajUABmkP6Mq7rllqUOcyoh/NR4+G:muxzRNB33D5dX9ieKFBxjUSmkCMQ/9hO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe

Executes dropped EXE 64 IoCs

pid	Process
3020	Lmdina32.exe
3688	Ldoaklml.exe
2336	Lepncd32.exe
1448	Lmgfda32.exe
5028	Ldanqkki.exe
824	Lebkhc32.exe
2152	Lllcen32.exe
4960	Mbfkbhpa.exe
2308	Mipcob32.exe
2520	Mlopkm32.exe
1220	Mdehlk32.exe
3320	Mibpda32.exe
448	Mlampmdo.exe
4612	Mckemg32.exe
2120	Miemjaci.exe
2796	Mpoefk32.exe
4280	Mgimcebb.exe
4224	Migjoaaf.exe
2304	Mlefklpj.exe
3260	Mcpnhfhf.exe
3476	Miifeq32.exe
3756	Ndokbi32.exe
1588	Ngmgne32.exe
4484	Nngokoej.exe
5016	Npfkgjdn.exe
3696	Ngpccdlj.exe
1428	Nlmllkja.exe
2228	Ndcdmikd.exe
1700	Njqmepik.exe
3504	Npjebj32.exe
1316	Ngdmod32.exe
3972	Nlaegk32.exe
768	Nckndeni.exe
5008	Nggjdc32.exe
3312	Njefqo32.exe
4760	Olcbmj32.exe
3024	Odkjng32.exe
4492	Ocnjidkf.exe
392	Ojgbfocc.exe
3112	Olfobjbg.exe
2800	Odmgcgbi.exe
1048	Ogkcpbam.exe
4300	Ojjolnaq.exe
4324	Olhlhjpd.exe
2944	Opdghh32.exe
5024	Ocbddc32.exe
5116	Ojllan32.exe
1908	Onhhamgg.exe
2416	Odapnf32.exe
3396	Ogpmjb32.exe
3964	Ojoign32.exe
984	Onjegled.exe
4864	Oddmdf32.exe
1560	Ofeilobp.exe
1612	Pnlaml32.exe
1620	Pqknig32.exe
2880	Pgefeajb.exe
4736	Pfhfan32.exe
2312	Pnonbk32.exe
3848	Pdifoehl.exe
1092	Pjeoglgc.exe
4500	Pmdkch32.exe
4256	Pqpgdfnp.exe
5052	Pcncpbmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	566b50ed03c4647e7d872614c1d9de80N.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	566b50ed03c4647e7d872614c1d9de80N.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7020	6928	WerFault.exe	244

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	566b50ed03c4647e7d872614c1d9de80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3020	1508	566b50ed03c4647e7d872614c1d9de80N.exe	84
PID 1508 wrote to memory of 3020	1508	566b50ed03c4647e7d872614c1d9de80N.exe	84
PID 1508 wrote to memory of 3020	1508	566b50ed03c4647e7d872614c1d9de80N.exe	84
PID 3020 wrote to memory of 3688	3020	Lmdina32.exe	85
PID 3020 wrote to memory of 3688	3020	Lmdina32.exe	85
PID 3020 wrote to memory of 3688	3020	Lmdina32.exe	85
PID 3688 wrote to memory of 2336	3688	Ldoaklml.exe	86
PID 3688 wrote to memory of 2336	3688	Ldoaklml.exe	86
PID 3688 wrote to memory of 2336	3688	Ldoaklml.exe	86
PID 2336 wrote to memory of 1448	2336	Lepncd32.exe	87
PID 2336 wrote to memory of 1448	2336	Lepncd32.exe	87
PID 2336 wrote to memory of 1448	2336	Lepncd32.exe	87
PID 1448 wrote to memory of 5028	1448	Lmgfda32.exe	88
PID 1448 wrote to memory of 5028	1448	Lmgfda32.exe	88
PID 1448 wrote to memory of 5028	1448	Lmgfda32.exe	88
PID 5028 wrote to memory of 824	5028	Ldanqkki.exe	89
PID 5028 wrote to memory of 824	5028	Ldanqkki.exe	89
PID 5028 wrote to memory of 824	5028	Ldanqkki.exe	89
PID 824 wrote to memory of 2152	824	Lebkhc32.exe	90
PID 824 wrote to memory of 2152	824	Lebkhc32.exe	90
PID 824 wrote to memory of 2152	824	Lebkhc32.exe	90
PID 2152 wrote to memory of 4960	2152	Lllcen32.exe	91
PID 2152 wrote to memory of 4960	2152	Lllcen32.exe	91
PID 2152 wrote to memory of 4960	2152	Lllcen32.exe	91
PID 4960 wrote to memory of 2308	4960	Mbfkbhpa.exe	92
PID 4960 wrote to memory of 2308	4960	Mbfkbhpa.exe	92
PID 4960 wrote to memory of 2308	4960	Mbfkbhpa.exe	92
PID 2308 wrote to memory of 2520	2308	Mipcob32.exe	93
PID 2308 wrote to memory of 2520	2308	Mipcob32.exe	93
PID 2308 wrote to memory of 2520	2308	Mipcob32.exe	93
PID 2520 wrote to memory of 1220	2520	Mlopkm32.exe	94
PID 2520 wrote to memory of 1220	2520	Mlopkm32.exe	94
PID 2520 wrote to memory of 1220	2520	Mlopkm32.exe	94
PID 1220 wrote to memory of 3320	1220	Mdehlk32.exe	95
PID 1220 wrote to memory of 3320	1220	Mdehlk32.exe	95
PID 1220 wrote to memory of 3320	1220	Mdehlk32.exe	95
PID 3320 wrote to memory of 448	3320	Mibpda32.exe	96
PID 3320 wrote to memory of 448	3320	Mibpda32.exe	96
PID 3320 wrote to memory of 448	3320	Mibpda32.exe	96
PID 448 wrote to memory of 4612	448	Mlampmdo.exe	97
PID 448 wrote to memory of 4612	448	Mlampmdo.exe	97
PID 448 wrote to memory of 4612	448	Mlampmdo.exe	97
PID 4612 wrote to memory of 2120	4612	Mckemg32.exe	98
PID 4612 wrote to memory of 2120	4612	Mckemg32.exe	98
PID 4612 wrote to memory of 2120	4612	Mckemg32.exe	98
PID 2120 wrote to memory of 2796	2120	Miemjaci.exe	99
PID 2120 wrote to memory of 2796	2120	Miemjaci.exe	99
PID 2120 wrote to memory of 2796	2120	Miemjaci.exe	99
PID 2796 wrote to memory of 4280	2796	Mpoefk32.exe	100
PID 2796 wrote to memory of 4280	2796	Mpoefk32.exe	100
PID 2796 wrote to memory of 4280	2796	Mpoefk32.exe	100
PID 4280 wrote to memory of 4224	4280	Mgimcebb.exe	102
PID 4280 wrote to memory of 4224	4280	Mgimcebb.exe	102
PID 4280 wrote to memory of 4224	4280	Mgimcebb.exe	102
PID 4224 wrote to memory of 2304	4224	Migjoaaf.exe	103
PID 4224 wrote to memory of 2304	4224	Migjoaaf.exe	103
PID 4224 wrote to memory of 2304	4224	Migjoaaf.exe	103
PID 2304 wrote to memory of 3260	2304	Mlefklpj.exe	104
PID 2304 wrote to memory of 3260	2304	Mlefklpj.exe	104
PID 2304 wrote to memory of 3260	2304	Mlefklpj.exe	104
PID 3260 wrote to memory of 3476	3260	Mcpnhfhf.exe	105
PID 3260 wrote to memory of 3476	3260	Mcpnhfhf.exe	105
PID 3260 wrote to memory of 3476	3260	Mcpnhfhf.exe	105
PID 3476 wrote to memory of 3756	3476	Miifeq32.exe	106

C:\Users\Admin\AppData\Local\Temp\566b50ed03c4647e7d872614c1d9de80N.exe
"C:\Users\Admin\AppData\Local\Temp\566b50ed03c4647e7d872614c1d9de80N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\Lmdina32.exe
  C:\Windows\system32\Lmdina32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Ldoaklml.exe
    C:\Windows\system32\Ldoaklml.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\SysWOW64\Lepncd32.exe
      C:\Windows\system32\Lepncd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        23⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        36⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        45⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        48⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        56⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        62⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        67⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        68⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        79⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4708
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        88⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        89⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        94⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        95⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        104⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        105⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        106⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        109⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        111⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        115⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        116⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        121⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        124⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        129⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        132⤵
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        133⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        136⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6264
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        143⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        146⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        147⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        150⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6752
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        154⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        155⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 396
        156⤵
        Program crash
        
        PID:7020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6928 -ip 6928
1⤵
PID:6996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
a12ff8c140b2e6ed7e4aaf07ba654216

SHA1
5ba82f5b18454ab3893126a80ae24eb787ff693a

SHA256
cbd634b03d5339cd32f66ad991ed21c2b585847018e53e0e1b89720e471daf89

SHA512
c8ac7b7fbe9a2b916eb6c53e154a9ee07f3736a1b458a6a26b87f142ae9e2bc57cc83cb32ecd6f4e08c0374f7d977506c67fc356fb33467a86513bab8bed3957

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
96KB

MD5
ad89a875637dc3ffb870dd1bde371802

SHA1
d93d6b7fae0cbd680323d4c09ceec78cd00d2f5b

SHA256
15d1cb9b5bf35f70b77e57ae304e2f47ed0f791bff95f544b145eef1f9bf10f3

SHA512
849ae9843d6f9067bd7dde56453b83bd3695af88edb12b1dbda2ae1cbce7d4b438c4fa95ff5811a84da3b81967dbba47c7b360201d642429a73f0433ee476f5b

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
0952cc0cb031840dd8ca56b810946a7f

SHA1
d190f867c1ef8d0114600693e93cb5cefe72bd14

SHA256
72cad9d33cebbeec7dd753edc889097e26c735cd9f17be49ec7a70f5b5efbd85

SHA512
3a55f5af41a834bcb2ba61212e9e5d1296fc96c5398c7bc9ea5f02d71dd42fd5f8ec386808f6845aec914539e0e6a3105b03c4eed03b7feba598bffa24cb225f

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
64KB

MD5
14a9a623be5224744f874c265eff91df

SHA1
9c7991ffa8f9672c06c6218daceb5421dd4d8961

SHA256
f524751e547f158bc2b744653a6136ef3126bea8e1ad5880361ba99a02867508

SHA512
a33b00f0d92d313bbfe3d5b6c5269967865964960b79d1f9f59fff12b31841b0a1c1ae99eccc1f3927fb127a6a7a21dd97e5fd51fdf095218b838e6e6437248c

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
dd03ee043ed84091416aa65dce08383a

SHA1
0f80f7648e4e5b19fc3608390b168cc07ec8b89f

SHA256
494393ef544e01a9bd7a6d12a65c25317884dfa6571c7828e9db7c546f86880f

SHA512
3268c9b9198ff08fa14ae8de3beeaad6c69e8bb50e7de6da9c2d06063c12d4e830196889814f42260277ed159bd3b0e22e3cc4beaf2d07f43d34ef836611417b

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
a669ab33eb718c63e2c3f5b301ad720b

SHA1
38d764866e752b7049df712514c67e0482513745

SHA256
130b5917db8418eb8e3103787af1f2b9a3a3cfd7cada93bef3e915d1a6ea7021

SHA512
cc84c960ed0ac48937f15364a4768cf5b83ed85a627a62f5e9a9499e907739269c088670a3a166a4276a9f0b248c0805d3e5d81a6b2f214f3e5eed9665fb5d73

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
0ee614e82541a86b13bed41cece53613

SHA1
f887e7f447c7b1e9c5ebb125ea361972561f7467

SHA256
4be28505aca7cd32f2a4981f8ec69c74363fd68d6863d354cda3be2bd374b6dc

SHA512
9b9c26692f03dba501c8ec96b633a6869da7fe3300ab4daa57a0fd74514f0dc4fc814856bef6e875bd358a770b145743d117728ba3cc18732370153757503cd7

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
b50bd7b3953fab83543939fabf798a87

SHA1
1d8b37b8d0a8cef45354297e8c5cb606c5d68b19

SHA256
c1403e831d3412a2ebdb52ee6adeb25984aa2379ceec2b2083c4bc48eb08619d

SHA512
e8838f17ce339b1a49683d6f579d723690f4f62fad1daad69b44e13cd4b2a81bf1896e28e12e95ad8c60df3a12a23c34ab94e20dc229a752a38c7bc3cde6af9a

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
3cf081eebfa3001698c91b29f1bd3c4c

SHA1
0282ea259d3ad40979623d1ed01e759791ccb200

SHA256
bf2e2394e24dfe8a4c2ed3f74dd4ed9875fae0a002c551654d286c70408e197c

SHA512
9586f4d7c80a42468545aa129e37352ac7052332720eb2ecee835628f6084301428f00335a0b5e951b52e5d2513bcc002728e23e146e494d4d965cee6a6ecfac

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
96KB

MD5
3994c953dcb36cc48ca4cd0a19357069

SHA1
bc33cd926f9ee346ac8b88d3a816b947fe5590e7

SHA256
faf3d2634acd4dd5b122d39e36bcbcd891a0fa0655b8f3a0064b28853f5cf64c

SHA512
367b407c607782d911c596d1b01853e180cf3df35604bb0aa2980c91facd05c879bfa90531558b3347d2c22a83c43436ec02164f22735f16597d51db7d162293

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
5dd94071b55efafa735a82ba30293769

SHA1
1c7a0fa66d456e876d38d3f84f27a75c59bf0582

SHA256
9cb450bff31160832b238f706a9a5adbbec9382c54ad1916f765a400daed1bd8

SHA512
f16c9e001083863ecfd743bff8b6a6c35cfc2ee3ad0fef0cf9b85f47d7a053ea1443828b3c9d269c6c1fe8b2c189baf4f08054c247b23b47a3a1162ed6a47a9a

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
a44d0b7289b2beb4f2eec76caa5d7970

SHA1
dc662e3642e319a5c26e1a454939713a59fe9b3c

SHA256
a012a59b7b4de4686ca971ddb57c5972ee1193e895519009ab904cfdda094d52

SHA512
ad6f1dab4a06f439c935614fc6c9fc19adca27c6e0f807064a867c307bdab82d313d7b3d91c0564187223b1e3f9251cc4baf1db42788de9a34fc2f7c0d6f3111

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
27804d6949664fd35c16facfc07425d8

SHA1
c0a0ed6ca81b55703e4edf3ebb9521ca2684551e

SHA256
5c1f824b4a5e3712f2366dc6d46f3b2205a6f18dc432c426a3fdde222dc4ebda

SHA512
dc5669ce6b40c5e2a0da0a8b3682038fda637aac75e67e04b51e61c43174501cda77ecb38bdcc26a94c064b4fbec05105da0201212e3d4de5fe308a1252f173e

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
96KB

MD5
ab874b67763ec29ee69f3bc722a391fb

SHA1
3e7309a55830fd2a2c28542428bc167167ea9dae

SHA256
7300a1a5551935d256245dc17a4ce66659218a1cc2d36819472bd4ac16296a59

SHA512
22a403dc0b70327b45619e1c5cef1034f131d74401e33223454c2de551638c9c790a1bda5180e994bafd2ef0537930c73d35e561c2fe46c55f1e08bf3422ac52

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
7fcc85ab5562df273b5d9bf86479db32

SHA1
aceb1c8ff0563744fb6ace2a5cab5d85baf46f56

SHA256
2ddcfa7c1da7b48a769149a51ff9fa3e525d41628e58ee03415eab0dd513429e

SHA512
c232f36ea1ca9d4a415dd8635e5176eeff011bb45e58652712068d2c706fdc1fc0169dc83b79c130bd35ff2cf1bc9f650220392a44c2a81276186f995265e609

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
b21a2434bedc43a95b499cf1d1f8c340

SHA1
edf5f5b7ed23991c558b5b63fd055776b22631d1

SHA256
50d3d4022a25c3d26a0f829972e5c9b34f26a50e8d23325d77b18ab9d1fe0862

SHA512
2e036da5ed5e454286fd29808e4721067b64b8928080a103fba37965f942c68e66d4d9cd9abaea3aaf145ceb67f42f62cfd6bd16aa3f45dfee3aee3ae17ae834

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
1868977be2c1301a5b9bc9e3fd316df3

SHA1
d4cdd0e5a82fd9612e3579686a4c9f5558cd2dea

SHA256
cb8be4652dac0168696b0afcdfed111b6c935f036819e993b2d0bcd4755b0dc9

SHA512
9df9f182f53cab4c9217013824c46b282a391dc4aa92fbd1cb7dedea0efdc66041aa54a0d0d19b486de8f2d723718c776c33d935e3d3fbfecd4823848b2ab6c4

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
c464dee47d490728f1979c18a6b18d8d

SHA1
e33566bafa3838fcba0bd50c16589219b858afd5

SHA256
a98f289d634548001cdacb49ec0a60e7be02333d4e6e57f03f620b99f7b927e9

SHA512
dc92b9d6baf6beec6b87a69ce08911110d4a546f18ca5ccd4430030bf331dfb32151c2af61e8706c65c2e0d8f1d9b3fe432e1d31b4922a0c5ddb6a3c90fb66a2

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
6639af420412a5be73d873197f981827

SHA1
d000280724bb203e8fffeba274eda541429f3499

SHA256
7d3798a35838ad6984185b0d18ffe5820c5ae3b658d7cf8527bf856c6fb50fb6

SHA512
0e9c473dcdc599119fc851b6100c3fb8eff5f34c56e5f93717ac8b522257ba84937b758e4b05734833e6291408dbea0a56cdc5543695399bcadbc3a5f1ffa918

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
abffd212bc49d64545c94f78489f1728

SHA1
95199ed75b0e923d9931ba201e80d31be6090569

SHA256
383bc838fd1d55089f288c44d87edbd6bff9c90b85b0865efd0b6834d92f4cab

SHA512
25ac88056feb38847ad2545651633390662acf2aa5b54878f4ef8903bfa2f354ea63720c57c2741c52967bb35701deda4d49f1e4a52bf9bbabcb0ef1aba91ad7

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
b0345e77168af130025bc99b6ba63ad0

SHA1
7fa2f313eeb70351770fc96201680eba2bc37f24

SHA256
e0c1af407c6e2dd630122175c7e215503c562e390dc614219d27648e4bd80109

SHA512
9f70755cae64e344d07b4bf2950ba810b61a7611af603eea2dd892029ea6a565725add89a6d6ecbfa2835007dd9afc60891c058809a255d497b2f75fa0620676

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
96KB

MD5
6b1c9ed6898bd05fad85b80144358c9d

SHA1
bab42a9da977c24d918874cdeff92353fdc92166

SHA256
956844295c7d59723766bdf7ba5ab86d94b31d0b2744eb9f9371ba2be5da137b

SHA512
18187393f55c47e9e4b5e715b9bfa75f428aa97f5e23ffacec99f80e705bef733f5b0f5aeab88d3273d98a0cee8882c95d8f61bca18bb650ba60ddd4dddbe873

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
6da68612bc639b4ef832334000042d22

SHA1
e28685f16a7869f3671d9784e388616c6f8876e2

SHA256
a698ee9117cc90e952bcb21232233b97d8bad06daf599542af04b26bc9331737

SHA512
87a5f10ea33635e8bf7daa344f7e146ef3e8c3aa0c1181f3025ab077948c0d4900425ae33fd457d27539d8313d930559680486eb8cfd37a65da5e8d1514770f0

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
2962b991345c5b66114eb89993f10123

SHA1
10e5bb3b007d94f69f9a9212df10282621a4d7d8

SHA256
f0e84abc3bf48607b092035965ba2790c9496c893d0476a08245feff361730d4

SHA512
82942cf566e5f3d9c6b2a6b1ebab18ff86c60fbf9193e7b89620e9aee0ba176560c157f22000a9b8bc83aad57c0f3cb9ef88c69e678cb2b59b95ce8483a136f9

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
0ead1494a34be2a61c9877d255b0c257

SHA1
4de7e431abb50063bf4dd373aff6ef5bf350972b

SHA256
30b1dc99f582dc5294d94b26655af0406b46227889d398ba420580e717c04770

SHA512
9c574d98dc54b53f2a0a5314cd1c20741d441c08520202870bbd20e54cfdbfc319d256b08d46e12eac6b6ad9d76aa96323e5b9b36f6563b04cf410673e5b10d1

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
25400ecffdbbb8834a65229760367751

SHA1
a2ba6451b97e9eff72893e79e107067fa5139428

SHA256
30ae940905682e5c20edea109291e5f1f1bd5d6724f0493cac4a496382440bca

SHA512
2e2477a0d662e5ad7b09f8da5760de3a29545e79f2bc566561a4ad7c8d70a2eb1a7d541d1f003912c805b4deffc13a7095c142b4267b81aba9ab7a60b316af8e

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
83f833dc8f61bac07f64fba2a6103b81

SHA1
dfa601c550d8e45b423677aa218b42b5249d89a5

SHA256
94e2de06426fb2ec23cdf54980e0aaca3b3bc2347d5526fc0e9574bf395c4073

SHA512
7d3bd341ab0f301bfa1347616f6bd672e1cb875c5e4f43eb5c388703ff3545de5dcaf456d7a61de956caf115fa4f586cffff792686c174633ea7ad2d29b1ecff

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
f373d1f3df51785c78281963fb9ef090

SHA1
68386958045beb3a3017459340da7faf53039bec

SHA256
74bc883da7ad50b3a6c8bb47ad5ee402b89cb058f83d39f328ebcf12ed1bd162

SHA512
7043c765a48326f58c87aba4fcf40c6a999d9f4865d6fae7984a42e806118bcdab296873828b0e4036241f70af9b88e53a3b2d7c28bc2813017c653e577feaba

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
f3a1976c59a7b8e993ad5d37b74da9f4

SHA1
eb766431c200d14da341b3e45e935245eff56010

SHA256
5fdc7a08776920d553a702be8539224018d0383a9d8717f539e870dba6acd011

SHA512
564de840ba929072ce672fad47a3047235d75fec84079692cc1c0362071d907d5265e7f6bdd46f5992bc27bd23d56a8245fb42309af3e55f6aeffc3d0dbca08f

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
96KB

MD5
98bafacea312d60a43462d522b7a2853

SHA1
53794e104fe01e20bdb2feb1f272202312e4ccf4

SHA256
e0cc405531fdaefdcf59b8ee587876cdca9b304c73eb8436ca267edc60cd04ab

SHA512
67a10e376aadf8a4d9ea3f7f4ecd214efed1724fd32a9e3021ed3769ee872ff7b8456eabaa65f8e09343c036985b8331fc0535ab706ddaf9c0f0dc79fef2ba26

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
28cb2530f8f2d86e05b1afc30b5df203

SHA1
99accf6800d0ee50044a8acfc86171226e851d7a

SHA256
912cda0148432e7c13135d52da8448b836e2192994298330ae6f38c22edba148

SHA512
30225891093c0fd11841d9e9e7c9557ae9e193ccad4b9ebc27dc0447c022f93bddb099e0d6ce4bfd1c29d2277dbe3223cec00ac9af51b29df41725da3d0da865

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
96KB

MD5
9a310846178051879b937369756b804d

SHA1
afb381561886f0c178c7f3b79b24c1852d3f841a

SHA256
f6524073f7b52326dcaca52a6ac644881d6a30f6e151dcd95535f830091aed07

SHA512
771e523e845ca5217bec5e6fee16943d9d2354bd21080f645d1809ddf94ab07681ac2064ecfa2dfdba2bf40cc2b3eb2e7f3b94592e241a945371c03609a0ac36

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
f9eaeaf1d766e47b80c8e4b09a8df89a

SHA1
2b44c28ab34b1e39d030e35c64df0a6426479f6c

SHA256
4786923bb1a5f200235f870ee19b569198aa4a9a033edb41ca94b90eae9aa44e

SHA512
d7af885ee5e86cbf9658b2ae950c0fdb4b70d0142fec39ea126016549597f46674d91bc24916976ce16d86936958c23c858d8d7f17fd0192cd85bde9f0214491

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
68b50215e98d5474367d2964173c99a7

SHA1
6b1c07731d8ce565b5ac5cc2a4eeb04ecd948cdf

SHA256
6d2ccc83939feb25ceb7e3d8ffdb2d986c8b7a78dd12abfa8bc07ae50f0012cb

SHA512
c8dd4456664e094c49759884b90aeaa115947935fd2faf96e09caad4833941b73fa648d27640f6676f8e023aa180658527bff9d7afcc913be5440d15d2558623

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
d2b91cc79911dda99b6c5869fb16c713

SHA1
f5853be0048a736faaba84a96bf67024abcd2e04

SHA256
af756341fb281b940e66686a6512bfe8a1b9888c31990743e1e98261b043e4c4

SHA512
840c2cf4a98faac37b0e9e4c34fc65e682fe4a0dca64cdcaec813d9354edcc59a3a8b062ae2481391596744f13995a711268fe4ba7a794d0ba0172d3f8166b9a

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
3dee84f044ea194cab11188b21970f1b

SHA1
a1ee4e58ef2151d10ffff85f199426cb14f3c416

SHA256
49b72c3d45db6a172c99333786c820ffbea1613cee083270a2bbf4346ebe96df

SHA512
2b43605e8a2003421c2fe5661845fc743bd9c4851212608cf8216a59930b7d2315ad07bff78b21016293de7cf6370c5e34f4cc9256daf31566d5cbe752f31e23

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
6813b1f84f3e9b557c22d31e172476bc

SHA1
e60c5ce2b4812a442b9eeeb3e3bed7d1233d5e7a

SHA256
f235c197ca8343cacee5a0bdf1f4e207a9886620e98efcd4b1fdd4015c94b3be

SHA512
12d62ff8fb1098fe9cd27bac9464bd6bd3a3ea33962323f44334146b06b0ee15d99450cb2a1c483d5971145cc4f586f9a1d3dfd839fe2fd67398679decd9cd21

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
6fe3ca8475a6868967ad60b7b8a1ef55

SHA1
bdaeb4f6a9d83eaedfaf3ae964516d42979a99e2

SHA256
31edb39dffe601f841825463d81032f3291566f124e7044341016e5567e9a076

SHA512
dd3e741c24cdbb8d26f3e54852d7e5166cf00d6dcb2975f3b99995cd7e976034f2cb2d4f2a211063c3372cb3f4f732813f19d0607a83951274ab979bd778915e

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
60ff52f20a3ac119fb3b507803a9fe0e

SHA1
0eac508601362257aece81c46dedecd10900fe3e

SHA256
472e2aafec52f88d2b8dcb69e278ea553254c5e3b918af55bc3f9a0414bf68c1

SHA512
ad0531c3a492ecd0cd8693eaf1c8d8b2ea87e5a6b83d67ecc68090372ac66d1d7c29076120fdd16f89bc05f05cb6011c171dac65b422174a13374b3e35be731c

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
5aa4c63576695c2975e123190524d33b

SHA1
d2e1ba37cc4bfaa3e4f9d10f51c89a7eac94e909

SHA256
9e67a1230013e9b20002a79b028256b34ca8fbb1c3b52115e01b583ec80f5325

SHA512
065dc935e5a4d0998f9f5e757dbfb710636ba38272b3adad1e037c600d458eba6783766ad2bfbdb5c775d43a04223f1274d9943b7f04c614cea137c5ac7d4dc6

Download Submit
memory/392-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1560-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-1171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5728-1122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5732-1170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6752-1068-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads