8802990e2661c3d4cc0259d00d1a1286fd5b5687b96d47cc0e6afea35dbf16a9

Analysis

max time kernel
102s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79ce06ddc9e6a498c51878172cc969d0N.exe
Size

1.9MB
MD5

79ce06ddc9e6a498c51878172cc969d0
SHA1

cc270ba4f78adeaf7b9bfae45b90a530d20f8567
SHA256

8802990e2661c3d4cc0259d00d1a1286fd5b5687b96d47cc0e6afea35dbf16a9
SHA512

d843c500e3dccd1f5d0b0e63e544a708fe3e285f605523ddc23b01fcf5aef6f9fe43fa36959733b5b081dd2c4a072c27ad78edd3b7b8ee90603c36a1b619133e
SSDEEP

24576:IoNIVyeNIVy2jUChONIVyeNIVy2jU6Y+uoHXNIVyeNIVy2jUChONIVyeNIVy2jUO:IHyjbByjA+SyjbByjH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcpclbfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifefimom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	79ce06ddc9e6a498c51878172cc969d0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe

Executes dropped EXE 64 IoCs

pid	Process
772	Hfifmnij.exe
440	Hcpclbfa.exe
5024	Hecmijim.exe
3700	Hmjdjgjo.exe
3892	Ifefimom.exe
2928	Iicbehnq.exe
2036	Imakkfdg.exe
4076	Ibcmom32.exe
4280	Jlkagbej.exe
3820	Jefbfgig.exe
3984	Jmmjgejj.exe
1740	Jbjcolha.exe
5084	Jpnchp32.exe
3196	Jeklag32.exe
4308	Klgqcqkl.exe
4072	Kfmepi32.exe
4632	Kpgfooop.exe
4856	Kfankifm.exe
3204	Kdeoemeg.exe
1132	Lpcfkm32.exe
2348	Lgmngglp.exe
3992	Lljfpnjg.exe
4224	Lingibiq.exe
4348	Lphoelqn.exe
4772	Mgagbf32.exe
1520	Mlopkm32.exe
4548	Mckemg32.exe
1208	Mdmnlj32.exe
2228	Miifeq32.exe
564	Ncbknfed.exe
3768	Nnneknob.exe
4844	Nggjdc32.exe
2368	Olcbmj32.exe
4712	Ocnjidkf.exe
4360	Ojgbfocc.exe
3260	Opdghh32.exe
4624	Ocbddc32.exe
5004	Ojllan32.exe
4048	Oqfdnhfk.exe
4976	Ofcmfodb.exe
4328	Oddmdf32.exe
4320	Ojaelm32.exe
3460	Pqknig32.exe
3096	Pgefeajb.exe
572	Pnonbk32.exe
1568	Pqmjog32.exe
1252	Pggbkagp.exe
2244	Pjeoglgc.exe
2324	Pcncpbmd.exe
1592	Pjhlml32.exe
3264	Pqbdjfln.exe
1948	Pgllfp32.exe
536	Pjjhbl32.exe
1196	Pmidog32.exe
3488	Qnhahj32.exe
460	Qqfmde32.exe
2484	Qgqeappe.exe
3140	Qjoankoi.exe
4728	Qnjnnj32.exe
420	Qddfkd32.exe
652	Ajanck32.exe
1932	Ampkof32.exe
3720	Acjclpcf.exe
4368	Afhohlbj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Jefbfgig.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Lejfpelg.dll	79ce06ddc9e6a498c51878172cc969d0N.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcmom32.exe	Imakkfdg.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Hjakkfbf.dll	Iicbehnq.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jeklag32.exe	Jpnchp32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Hecmijim.exe	Hcpclbfa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5680	5176	WerFault.exe	214

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79ce06ddc9e6a498c51878172cc969d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifefimom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejfpelg.dll"	79ce06ddc9e6a498c51878172cc969d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Hcpclbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 772	4184	79ce06ddc9e6a498c51878172cc969d0N.exe	84
PID 4184 wrote to memory of 772	4184	79ce06ddc9e6a498c51878172cc969d0N.exe	84
PID 4184 wrote to memory of 772	4184	79ce06ddc9e6a498c51878172cc969d0N.exe	84
PID 772 wrote to memory of 440	772	Hfifmnij.exe	85
PID 772 wrote to memory of 440	772	Hfifmnij.exe	85
PID 772 wrote to memory of 440	772	Hfifmnij.exe	85
PID 440 wrote to memory of 5024	440	Hcpclbfa.exe	86
PID 440 wrote to memory of 5024	440	Hcpclbfa.exe	86
PID 440 wrote to memory of 5024	440	Hcpclbfa.exe	86
PID 5024 wrote to memory of 3700	5024	Hecmijim.exe	87
PID 5024 wrote to memory of 3700	5024	Hecmijim.exe	87
PID 5024 wrote to memory of 3700	5024	Hecmijim.exe	87
PID 3700 wrote to memory of 3892	3700	Hmjdjgjo.exe	88
PID 3700 wrote to memory of 3892	3700	Hmjdjgjo.exe	88
PID 3700 wrote to memory of 3892	3700	Hmjdjgjo.exe	88
PID 3892 wrote to memory of 2928	3892	Ifefimom.exe	90
PID 3892 wrote to memory of 2928	3892	Ifefimom.exe	90
PID 3892 wrote to memory of 2928	3892	Ifefimom.exe	90
PID 2928 wrote to memory of 2036	2928	Iicbehnq.exe	91
PID 2928 wrote to memory of 2036	2928	Iicbehnq.exe	91
PID 2928 wrote to memory of 2036	2928	Iicbehnq.exe	91
PID 2036 wrote to memory of 4076	2036	Imakkfdg.exe	93
PID 2036 wrote to memory of 4076	2036	Imakkfdg.exe	93
PID 2036 wrote to memory of 4076	2036	Imakkfdg.exe	93
PID 4076 wrote to memory of 4280	4076	Ibcmom32.exe	95
PID 4076 wrote to memory of 4280	4076	Ibcmom32.exe	95
PID 4076 wrote to memory of 4280	4076	Ibcmom32.exe	95
PID 4280 wrote to memory of 3820	4280	Jlkagbej.exe	96
PID 4280 wrote to memory of 3820	4280	Jlkagbej.exe	96
PID 4280 wrote to memory of 3820	4280	Jlkagbej.exe	96
PID 3820 wrote to memory of 3984	3820	Jefbfgig.exe	97
PID 3820 wrote to memory of 3984	3820	Jefbfgig.exe	97
PID 3820 wrote to memory of 3984	3820	Jefbfgig.exe	97
PID 3984 wrote to memory of 1740	3984	Jmmjgejj.exe	98
PID 3984 wrote to memory of 1740	3984	Jmmjgejj.exe	98
PID 3984 wrote to memory of 1740	3984	Jmmjgejj.exe	98
PID 1740 wrote to memory of 5084	1740	Jbjcolha.exe	99
PID 1740 wrote to memory of 5084	1740	Jbjcolha.exe	99
PID 1740 wrote to memory of 5084	1740	Jbjcolha.exe	99
PID 5084 wrote to memory of 3196	5084	Jpnchp32.exe	100
PID 5084 wrote to memory of 3196	5084	Jpnchp32.exe	100
PID 5084 wrote to memory of 3196	5084	Jpnchp32.exe	100
PID 3196 wrote to memory of 4308	3196	Jeklag32.exe	101
PID 3196 wrote to memory of 4308	3196	Jeklag32.exe	101
PID 3196 wrote to memory of 4308	3196	Jeklag32.exe	101
PID 4308 wrote to memory of 4072	4308	Klgqcqkl.exe	102
PID 4308 wrote to memory of 4072	4308	Klgqcqkl.exe	102
PID 4308 wrote to memory of 4072	4308	Klgqcqkl.exe	102
PID 4072 wrote to memory of 4632	4072	Kfmepi32.exe	103
PID 4072 wrote to memory of 4632	4072	Kfmepi32.exe	103
PID 4072 wrote to memory of 4632	4072	Kfmepi32.exe	103
PID 4632 wrote to memory of 4856	4632	Kpgfooop.exe	104
PID 4632 wrote to memory of 4856	4632	Kpgfooop.exe	104
PID 4632 wrote to memory of 4856	4632	Kpgfooop.exe	104
PID 4856 wrote to memory of 3204	4856	Kfankifm.exe	105
PID 4856 wrote to memory of 3204	4856	Kfankifm.exe	105
PID 4856 wrote to memory of 3204	4856	Kfankifm.exe	105
PID 3204 wrote to memory of 1132	3204	Kdeoemeg.exe	106
PID 3204 wrote to memory of 1132	3204	Kdeoemeg.exe	106
PID 3204 wrote to memory of 1132	3204	Kdeoemeg.exe	106
PID 1132 wrote to memory of 2348	1132	Lpcfkm32.exe	107
PID 1132 wrote to memory of 2348	1132	Lpcfkm32.exe	107
PID 1132 wrote to memory of 2348	1132	Lpcfkm32.exe	107
PID 2348 wrote to memory of 3992	2348	Lgmngglp.exe	108

C:\Users\Admin\AppData\Local\Temp\79ce06ddc9e6a498c51878172cc969d0N.exe
"C:\Users\Admin\AppData\Local\Temp\79ce06ddc9e6a498c51878172cc969d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\Hfifmnij.exe
  C:\Windows\system32\Hfifmnij.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\Hcpclbfa.exe
    C:\Windows\system32\Hcpclbfa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\SysWOW64\Hecmijim.exe
      C:\Windows\system32\Hecmijim.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        24⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        33⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        48⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        52⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        61⤵
        Executes dropped EXE
        
        PID:420
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        64⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        71⤵
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        80⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        87⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        89⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        94⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        98⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        99⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        119⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        122⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        128⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 216
        130⤵
        Program crash
        
        PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5176 -ip 5176
1⤵
PID:5616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
1.9MB

MD5
6862c531569327badab55a2cfdd3c6a1

SHA1
ba9e854c65dee021b875330ca4696b10b128909e

SHA256
cf9e2eab11cc24b7f7a40b21fd56f5cc89ef7f4b9119825650b7c661acacf694

SHA512
b339963041fc76276efdd99c8b7fb0475a672893e20e009fb0e862fcf59797a5d7af69878f890f376ef9f29b2e8fdb5523aa19acba93c816441daca4ada4060c

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
1.9MB

MD5
d2845d4177360acaab3a8dce00e4eda1

SHA1
bd2277439dbdc597c3ab02ccc461d6ba3560358f

SHA256
819107e2b34cb3be3cf31f4cd00a5a9c606ad9607472f3245d960b8ab1d2251a

SHA512
175616d5f0d8f612b7d5ef035fb73c192869ba364866d04fcf191be2d26383ec190a6909ce98ab1945d49573ed53814ffa7538c8d8021e11cb575bed1dc04211

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
1.9MB

MD5
22b0a0c235f346f0bd11515e1318a5af

SHA1
33535537ea826c603168ba7757a93474984aaa62

SHA256
b2f1f5d7e1df54ae4f65a7f55d4d1f3a39099a3b81d3c7993d5f845ed48606d4

SHA512
94e6cc65379addfa5ad46d1afe4d7350b29c22cd600a1c8a24670b71fbf0da3dbd0cd9c216f158eec2593c31aa1fc4cd2a23e18352c47ae9ff7b2f2ce29dfa72

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
1.9MB

MD5
d5ec9761c8ed70652cb963f6c6f131b9

SHA1
7247b6e44a0c1c17e72ceb1900fbe47f79f30143

SHA256
d3513b490c414b0dbdc04390b9ade36d122dd7badf1b84840c1fcd3eebdba766

SHA512
38ddd440ecf9ef520edf3abff4aaca7d922a31ab4a6c6b2ae4311b1fa42f84e8870b78c6f20ac6803e5ec112446c1d46b4ec26965578081a0eb55a4a66a74f1b

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
1.9MB

MD5
7c05faee981b18f204f0ced81693ee70

SHA1
8b8e3509ff5f82c68c9060a1afc9fa3a855abc11

SHA256
ae5a4f94a602622cb547942d6db7cd926eb1562a175843472dcb393f03950432

SHA512
f347d00aa9851d1645970bb0bd638ca11561504ff440e12c782d7de36806103be2fb4ec351f75edb724b468cf2f82d158fcebae70d864ec927c1f08f292f0379

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
1.9MB

MD5
64cba074f03b1300f3f141049077cbc6

SHA1
ec743f1c158c062d5abbf7c03631e80fcefffb12

SHA256
55946acd7631928228d5c4cd75fb2143cae7d0a57d15a6933292ba6458d647ff

SHA512
ee85b2add76a7d22bb9d81bd4bb2899468137d03467fad956f697ef2d8fc3d41880f5c0479c97cf0ab366c759e6dede7e109e1bdaee828e52cd8308b2f78c0d3

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
1.9MB

MD5
96b726e11e1a3924c881510464864d63

SHA1
306434d0d2250a2c314412106f9f801c2e318103

SHA256
2526f8c8434bfcb1da6809d55de771bb09c999a940a7cba32206a62c4d8c9073

SHA512
b873864d5dd0d9a65c2dae89719ee51ee26c057eb3147b8993ac641aa046bd4b0331d282d7bd35628c8534a87fe556dc72c7d61973e446c3b98fdccef12fa8c8

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
1.9MB

MD5
349949db8746f9b5a88a203b9f4ae0ce

SHA1
037a8068f724ac535b3adc3e2dd7a9a69cf8f2eb

SHA256
97e46847e7ca64ebfef627c28a4eabf3e87ffd8a8c9c407407aca84b8e3bd371

SHA512
7a3c3176dc211d52053751c349d9ac4ff8d8aa17dc4c46f1f23014d8817b0ac238c29826e5fc7b7b5c0ad20b2532137b774da35c86948d2789ed05963e31a1bc

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
1.9MB

MD5
394f59ac2d0c29ae48e5f4de997b0d85

SHA1
cdae472d60d02a4dc059b3ca753c127355576f15

SHA256
ecce4b333fbd5422fe906fae6b3eb91056b24f73f45138afb55151a37f94e245

SHA512
6e371ca4b1c7db0fb76a844e31f9e1cec0c71c9f1a27dc2d0206b1138f61ed743df2fea24aa711928a24564b58768d81831cb23778ce24131f6ad222aedc015d

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
1.9MB

MD5
97145fe43deb5e3ded077a221b86a946

SHA1
ce85c31244fa140b6e77038d90b2d7f7df2ce7b5

SHA256
014ebd1275fd60233c34cc7af5b7010aa1910bba06b317605eb5039474b24b0b

SHA512
25fca96cc95f36ffe8502dc41ee6203f3de63904c74a055d894f595f7c0cfcd22b7261c5b3f3e0cf9707ae3d2c8eb8dcd12a7e918f9696e55740034d491f3a40

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
1.9MB

MD5
53958de05607405045b8d3f81e74cafd

SHA1
d61ba335d26fe9e5fbd1a34bf96b08ad2481f65d

SHA256
ca8115cce06527689a62131c148eb83f36060eae464b36616e2f76dda3173bad

SHA512
e693909cb05c147a009f489aa9903f25cedb86d9db0f5238f174a4131d658ed6f27e757da95da033cc867f94eff3dbbf8a6204b52a1e3e28e7944503cfea38b5

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
1.9MB

MD5
02b3e9403db79dd02af2b8a1f1d2be4c

SHA1
4fd06469f537094d6b5f5bbce9dd84a6231191d9

SHA256
0a71f0312990b4746a792c11a1a399a933e6eb6e070f05e00d6a7a0ee5a6ad75

SHA512
64f1973ffca6def3b4d8a998dc0944e52b300a3f6016384c8ee0cafec11f49f05af0fbe02e62e77e48d18dfcdc888d2291db7cfa52ff1de23e661bbe39abba92

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
1.9MB

MD5
6c867987fbc7bc4b77767dc0f929345f

SHA1
f26db1422fadb2574f489e02b195c0afd53d4288

SHA256
19c8abbf8cb9219869af368a5386755c07aa436c6bb21d106da9a1cde7b28509

SHA512
1223ba2f66a126963c8ad21ee37039e1a15296af909d1609b8ae48d7667e49c808fbbb2612f7b473f547fc8f6f7f20c8dd7557d4ef27a7ee09cf589d656cea44

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
1.9MB

MD5
5b57fefb6998befe8ef335ec037a7088

SHA1
0f058139d04e134d61aa4d595499c6b10f00d4e4

SHA256
e9f905fc7bd78e3569c0cfe7d28eb6025bc48ceec4817bb6c10494fed36cc770

SHA512
420332a627817b36bcd7e2a571734a723e29b36d6744cf2ab1cc140d14aae7c02f4e6ab16c195a2ecdb25ea88c2d7ca330430546627e55d4b0e49698d1db8925

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
1.9MB

MD5
0d547a6f0bdfa5f2135e2abd218616d1

SHA1
8161bd144acefc7231ea0df820f895aaa8df22f7

SHA256
f26b947eb60d8587e6ecdfa52a5d42ce46f06b15a2801f491e60648ed2df9f7e

SHA512
92cab4ee37a90bc241738e06c13fde5c1fd34f83f92e2fbc5bdd770c16d4d29e76b330b5c8836dd48d217274845e9f610a7f5b18bf5acbeacbfefd6ef93a83f2

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
1.9MB

MD5
d4706dba55157988e6186893bac7536c

SHA1
16ddc5eef053b677c89f0d3377486d696ee9beac

SHA256
bc8bff569c60551e16a58a1fa4d45d0fa41d634766d32a331df9e4d812f54a3a

SHA512
f46753a6d005484c474e147087e679333a1f7a6d8b7cb979633de181da3c14cd03cac59c5a0a1d63341e6ab3093073a059b063c30be726fa6c4c785ffd4d87ac

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
1.9MB

MD5
57be9050368d69cedac345e882bf8f15

SHA1
9d08f5080e1f9197d3dab2e493151594a683b2e1

SHA256
c1d4c4d63e19afca06e27e0a9af764a79d316d060271c26e0feb7c8024eee8ad

SHA512
2171ca82a0bb925d14e0073e5454ab20a626faf184a6f05a7f099463ac6e574b669c4be6fc342abd640c1b3915426205730b207f4aaa01c4932155d4ddd7c37e

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
1.9MB

MD5
85202fde1dba4d5c06965de7a7f9f2bf

SHA1
96e298d6410fcbeba0b5ab557cb92889cc3a0576

SHA256
6195271630c3abee777f6246a78235d6685854d1aeaa814f7187ca00d4d4dc1c

SHA512
ea821a00a2dc81307d76ecaf752acb4e82fae92f9946a68bad54b3e93867fb104e1c1c3313ae8a36766ae2a6a288329a0b95867b2671537bdcd6bb0cdefa157f

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
1.9MB

MD5
ae3e9dd6121bd40c366765c6b0866874

SHA1
f32a3679249de2bf8d01a4705dec11253977ebe4

SHA256
1ef34f700b68a1ccb58c94e0a3330e5d3a092dcc9019904bc0ebbaa94fd9119e

SHA512
20c6c6fd6c49f28bc293dfe5363c813c37daf388c751cd845e12904d22bf75c08b2e804de3c84b11450fa4bc7d2de16c01e602a4b59993a9ee78e8ffd51baf14

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
1.9MB

MD5
3be2036c9a24547b44d18f87a6132394

SHA1
1a44962ecce177f684ac3fa9d389dc192c97d438

SHA256
099a62ec2ee3b0f085adf25b111bfefda5feced33dd8d5c84ae413993ef913a5

SHA512
76076b58f9b617160eaffbd03b2eefa69dee09815405bc104072108c017d8f804d87b1cbf606debf56764fdd3c2564d285db43082fc66ff3dd0daab8453f0d29

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
1.9MB

MD5
2642c7edcd7ecce2a45ba0f2956d1b66

SHA1
12dbfa209331cbad8138281c6569879b59bfa39a

SHA256
3ccf3b087ca5b949c536557a069208e3c31dfd4c335d3c39c6e8c26a81ec4d62

SHA512
3f279038955190584621659ffa9419c0dc8e55a70a24f08581051d9bbea1343703c16844d86825802fc99ad62a91ad5759baeded7a44ebddcd120940630e36a7

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
1.9MB

MD5
2bb4c24f4fc87e0b076bbc20b7eeb127

SHA1
78f77b7a71ecbda5cdd66417fe6cb81534fe5701

SHA256
616c6e6b89fb8448ffecfc797223e352ba6b6710ff497d4d1a71c747000d52f6

SHA512
cb9eb6e7158693e172ce6c0c9d6f1167cd3dd9639c61937a8c74dbfb11ea85207dfbe5d7ce61c47d5c3ed44f5e4e393997eb18f8a22140bc266fdafd8239c5fc

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
1.9MB

MD5
eef721f01da77e3968df9a8eaa5c87d4

SHA1
790474924e28a2ca47f1b97832d5e790725940ef

SHA256
83117da85f6e0bec3f0d45ea83386dbc05a7059aa1221550f108ec99d41aa7ea

SHA512
244270affb94372554836b0e6773b6d53d33d8992acda5e569afb1a1f05011265e6de3a57ffcaf7876bcb0f664303acc07f18dd9a0b37c9a887fde490ce33a5e

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
1.9MB

MD5
4b582b6c9993d9652b4983967c828163

SHA1
c389902f9500eb444904d9aaee6b979bd3ac90e3

SHA256
c06ef5f7ea456fbae5db86f6b1c74f129b7cad37c8d9fa2b62b131647b1e87a8

SHA512
4aedf63e127397da10c477262f328048a9867d6d24ec63c4348e7b2249da6b7112bf38a930d2c38df075e6369e12ee1cef28e18cbeaa78d1487e23fbafdc9adf

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
1.9MB

MD5
414b6c2c9915db25eaffce53fc3cc57f

SHA1
02a9694612ccfadfe2b156cd52877acf8c65d927

SHA256
bd88cb138031ccd20aa91e4da3ac5ca000badb2bedf3b9af78af0b32111f51d4

SHA512
afd3e7a3b4376455ad561e5346505a2b5d410be634fc6fd39666f4ab23fecbe5c10df78c0d92b447d30b9dde9744f85c3dbb151627dd337d5d214e0c548cd1ca

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
1.9MB

MD5
92abb19f4a298b6d42de059eb395808b

SHA1
d4cb44353e92867c93f29538084124537b5713b2

SHA256
a803984716d96d1106ac52bba3ad48ede99dd4ec053fb747047979f1170709bc

SHA512
0c39124dae3490a219e8f9b48e1dd535f38bd9f89291e46193577f6753eb209ea18ba4c791b78d6e68b922716ef1d12b38c03517eca6b01b7b6fd35f49af5a47

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
1.9MB

MD5
6862bd06dac026ddf7b35397266e6691

SHA1
ff1a972d5cdd715cbc27d70e8a1a9f07440462c9

SHA256
acebbbb5e4e20fb252c3fa69c14b9614f9228b59ad7608d6ace508f2e075d213

SHA512
76b7c32344c06bfa5accf6c179fdb3970ec41c7af1f64fd16e395f89f52f74dc8d621c01e0598034776b66cd9b2d7fdd945c8c97abc6c7264b7b542a73b6ae46

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
1.9MB

MD5
dc3378b9f5fa9f65f6dbb33c8f10f50c

SHA1
00840bb8383fe2e6a7ef5d1a9d21289f81041d29

SHA256
019e0a83a228024900ca203d67ecdc38c193e62d4c8ec7aa0f9a078d6d93e740

SHA512
d49b46f6f04acb09cd1fbc94b228580c8260e2ec8137d471ad68f31402bc38d7ac0e53d651559ec6976c273bb2c82eed593504d509d8d47c68bf370644c61abd

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
1.9MB

MD5
c3d134bea04eefeb9e29407252ba918d

SHA1
52001f09afc202c48efeda25d72d758098685677

SHA256
53a049a3f2bad98afc5faea9e5b2dd21993a0e76fea9589c21b823f1c6fdb6a1

SHA512
ff48bec361f07add8e7b18c750d3e774102ade45d4bb0888a06a2c880617f10d778e7b7437a7ae24b0f2a819d6ff600231ab7a8f8a8ff54eed5dc8b1d094ca6e

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
1.9MB

MD5
031b23d775067eda100202f22fcaf769

SHA1
ec2856f7f592e4821e784b475a918addf53204bc

SHA256
47032903507ed28c0ba73d9ca9c84dca1bf2007bc4cf30b4bfb0c9691f66321d

SHA512
26164a45b78d4cf5d9459e5386f124febbe276ea451c742be8bd82637bee837b32a247ac799f66efb5745705c83ba6e8e3aed9774c993c6b10b186b52710c188

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
1.9MB

MD5
108d3b4f5f6d91d06073538707c0faaa

SHA1
128657b5557de82156b94431af88d962795f2d6c

SHA256
781b49e0e724927f6dd1738d9d21ef9c3dd6c2d992b78faa90c7ac9604341a91

SHA512
747a1c1f37416fa1d03eff62674727e8d54df5bc84b4d4813e9094dbd1cc394ebe277624a7c47dbc2c010bc1c9369c073388ea69a59f1ac0618fe0d072380966

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
1.9MB

MD5
fd6743d40b4024390996096205d26b00

SHA1
7440c0a745dabcc772e7801cfe8d591454aef730

SHA256
6873a5424f01a22e6dfcdbf74b61085e4690eeec28ffca0a9fdb21454c42da72

SHA512
8edad356235893dfc8fed98fe5fc41d0f5ad58f85e1e7476eb8c1eb68fa8eba57c48f72ee90c45ba34d1f6c4c912c78d3767110fc8cc4067d04c2e9c752293c4

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
1.9MB

MD5
4c8ca53e89d4828ef02e7d136b22911b

SHA1
ec8b4fc4bd5fcd24f908f490bd6f1572fda29c0d

SHA256
6a921ab668e36e2dbeb294ab181e29eb8f5f2d8568ded0bd361aa183c04c2f94

SHA512
b0f6e040e19fb67aefdfb5068935003ed922d7284b56f86f97b63f44fbaa2b8ed622908e31e7162345d7f8ba81f5d6c171ca94fa4e64e38070e530abc9620b3f

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
1.9MB

MD5
87fdbe5fc9c0c66c5d74c85b6348c1bd

SHA1
04810091e3136046a0199b0d95001236efc752df

SHA256
8e10f7e419feb8dfdd23e32f95c4cefec62847e356afb622ffa2dc34d0386974

SHA512
8d97f755015ce8049da0dc0dd1dd69c35367b71e94b3167542f7d3132df120eb53fa754321de7882524917a794e5e76ad4453a742dc0a50cbf5d29a036cccbe5

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
1.9MB

MD5
69a0249a3c2b6fcca98560533d69b436

SHA1
24a38103b17c10029b89623d84b90427aea46553

SHA256
c9dbc62228c6a89bcfcc80c9801fbfe3f93a4838a10b9a448c0bb08e3ad5efb5

SHA512
96c05db14d6cf36e8b0abc6f870fc8c1a6424c3517801038f3d21eb74f3a3dd254e9b9d97185cf7d78af353d86e95424b5d34c324e29fa282fb1edcb3de19d25

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
1.9MB

MD5
98061e14e2a473bb7a1a6be82b191c8f

SHA1
90dcdc18cb772c7df423701edb3ff137036b06ab

SHA256
9f5ab966c84ef7a6588d7e359dcdb2f7ec0e66330a848253fc36e8af4c9c697a

SHA512
3b2ceb485869735337c719e7c3f86052e50c9fee36969c3d99a19fbd6dd8f17cac8bd459876510e7993971b5d56bc2d1dc20feee82002cab4867a537d15b0a94

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
1.9MB

MD5
54125583764c87207847706ac8a59bb8

SHA1
33dfa556db74e917784b5d5054c257aab6683071

SHA256
7a0c37b1049058070de079ad1100ea8dc83a6c8de4ab26f63871000dd33bdce1

SHA512
65cf8b726342c1d2952ab735f3d13789582678abc1fded0e784a9bccbce824ef69eef3e7bcd3ab352938f0bccdb4d5922eb9d6e0dac96894f084370bff96e349

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
1.9MB

MD5
6afd018cfc02f508ea24396d73c8fd6d

SHA1
9be5da918b71a2978ac57e5bf76b5fee5125614e

SHA256
faf0a6e40fc00bccf18eb031bbe26282592d8c5d0842b29e0b6204688401cfae

SHA512
48bf05988656483d0d2f956553f56ce2c0483518b5b6fde7f7e504e9c15087c93f351d4d0208e05785c6336c100a8b4c504444e54405dbfd328ab6574d100f4a

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
1.9MB

MD5
9625f19368bdd45baad39fb5a2886157

SHA1
532223eb286939b35d4f16ff44a3ab8109fed151

SHA256
43d736170be6beeb47edcc0cc7aca0d0ce5deaae0cc89307b7bff6eba7732e74

SHA512
af3d8b485652df8916194ba29868d14c8517751366e9ccfbc1cf29ed1815383a73ea6a1383370720ee8058c7c72f3cdb74dff43b9c1e61cca1f8cb45350676e6

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
1.9MB

MD5
885dc170990d9efc5ab3a3ddc38d55d3

SHA1
5cac114868871f0cae5d74c6b6d8389f6fc9b092

SHA256
004faf83ab8f5a5793ae412f6bb6fe1be283513247667d93a394e09ab27dfafb

SHA512
61ce6ba10d270ecffa9b2dde15ab409e67e75b5194eb9e1769b001439fb1b5cf758f742c26469c077b2b28ecd6f42569e569060dc89ed3c56b4be30a5cd9db10

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
1.9MB

MD5
d1c7451e599a18cc696b798ff69bc0f4

SHA1
85570bbab574df952bb78ca38b76d5ece34a0c4c

SHA256
265b474ff5274e51c4cc95b99ff5987b8c7af5c265805b21f8828b5fc89d45d0

SHA512
e1f2388bbf4f1e6d2c867e83fdaae5d011a4bc6c7bdd7c03bf9daaa7daf42ade05507ba2c63521e59fe2622e4907b03552b563b95fb3752e3002413899dc1af5

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
1.9MB

MD5
e94e9a46f52fc6c02a9e97c6b0f3432d

SHA1
b0739300df7b5083a21da707bcfd5e0a649e31bf

SHA256
d0d85a8616677a57d7bf0720cad4b95446ca89333e44ac59ee1f34158d884ff9

SHA512
2c91d81dca95098058d4d0e0a5df9d20cb1cc3fa39995bb3ad383ab7deadf2c01c34d0808c976d5010a980cfd5f4d26b532102ddf1562cba4e81bf4ea7f4830c

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
1.9MB

MD5
68df9584019de27eeddf86e5033f4a3c

SHA1
7b3404dc87dcf3ed016995b097d12c1d8e44fb18

SHA256
38b70865eb7183a7f0abdcbc7d95635f3951113d3836ff492ba6343d6f653e97

SHA512
fc7c875fe6a4f06770ca8cfa576206985602f752089cbb56ba6b14868e28515482676184743cf2dd6c3e40cf00cf89f0ce1340971a5b593a64843fa7dbe618c4

Download Submit
memory/420-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4184-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5228-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5228-984-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5348-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5392-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5432-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5440-908-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5476-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5520-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5564-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5652-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5836-900-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads