2a31f5dcb32a51f859a707cb6eaa4faa333b8d8dba41b7ca133da54fa3a577d7

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa2638fa415572d2fdfeb7c2eac139d0N.exe
Size

93KB
MD5

aa2638fa415572d2fdfeb7c2eac139d0
SHA1

84aab1d11ade4feeae8d01aa5dcb52cb9d1c4ecd
SHA256

2a31f5dcb32a51f859a707cb6eaa4faa333b8d8dba41b7ca133da54fa3a577d7
SHA512

965700c9a7a2b3f5deeffb2d18e0129844041e07ac5eaf4e9e06cba141c4c270b2dae1c9f5ab92788abb471523b903935ad7a8a239dbf6c9915939e438d80e73
SSDEEP

1536:r/EuFwZKPMNJ1l5uvH4X/Xlowb/ahagdrXqgV8WOFSzsRQtRkRLJzeLD9N0iQGR4:bbpENqfWPywb41bOXetSJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	aa2638fa415572d2fdfeb7c2eac139d0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Executes dropped EXE 64 IoCs

pid	Process
3832	Kefkme32.exe
3108	Kmncnb32.exe
4164	Kdgljmcd.exe
5064	Lffhfh32.exe
2944	Liddbc32.exe
3332	Lpnlpnih.exe
1588	Lfhdlh32.exe
4832	Ligqhc32.exe
2804	Llemdo32.exe
1892	Lboeaifi.exe
4236	Lenamdem.exe
2832	Lpcfkm32.exe
2684	Ldoaklml.exe
4864	Lgmngglp.exe
532	Lljfpnjg.exe
1476	Ldanqkki.exe
2484	Lebkhc32.exe
3020	Lphoelqn.exe
4052	Mgagbf32.exe
3828	Mlopkm32.exe
2712	Mchhggno.exe
4368	Megdccmb.exe
872	Mmnldp32.exe
1912	Mplhql32.exe
1908	Mgfqmfde.exe
208	Mmpijp32.exe
1632	Mpoefk32.exe
4884	Mgimcebb.exe
3188	Mlefklpj.exe
3924	Mpablkhc.exe
2936	Miifeq32.exe
4288	Npcoakfp.exe
2244	Ngmgne32.exe
376	Nngokoej.exe
2904	Npfkgjdn.exe
4724	Ngpccdlj.exe
3732	Njnpppkn.exe
3204	Nnjlpo32.exe
5072	Nphhmj32.exe
4836	Ncfdie32.exe
2672	Neeqea32.exe
2736	Nnlhfn32.exe
4244	Npjebj32.exe
3808	Ncianepl.exe
4464	Nfgmjqop.exe
2608	Nlaegk32.exe
1952	Npmagine.exe
4892	Nckndeni.exe
3560	Nggjdc32.exe
5024	Nnqbanmo.exe
3444	Ocnjidkf.exe
2856	Ojgbfocc.exe
4696	Olfobjbg.exe
2112	Ocpgod32.exe
4692	Ogkcpbam.exe
4148	Ofnckp32.exe
3384	Oneklm32.exe
4528	Opdghh32.exe
432	Odocigqg.exe
4156	Ocbddc32.exe
4536	Ofqpqo32.exe
1556	Onhhamgg.exe
2432	Olkhmi32.exe
4344	Odapnf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	aa2638fa415572d2fdfeb7c2eac139d0N.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Lffhfh32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bmemac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6440	6300	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakipgan.dll"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3832	1444	aa2638fa415572d2fdfeb7c2eac139d0N.exe	84
PID 1444 wrote to memory of 3832	1444	aa2638fa415572d2fdfeb7c2eac139d0N.exe	84
PID 1444 wrote to memory of 3832	1444	aa2638fa415572d2fdfeb7c2eac139d0N.exe	84
PID 3832 wrote to memory of 3108	3832	Kefkme32.exe	85
PID 3832 wrote to memory of 3108	3832	Kefkme32.exe	85
PID 3832 wrote to memory of 3108	3832	Kefkme32.exe	85
PID 3108 wrote to memory of 4164	3108	Kmncnb32.exe	86
PID 3108 wrote to memory of 4164	3108	Kmncnb32.exe	86
PID 3108 wrote to memory of 4164	3108	Kmncnb32.exe	86
PID 4164 wrote to memory of 5064	4164	Kdgljmcd.exe	87
PID 4164 wrote to memory of 5064	4164	Kdgljmcd.exe	87
PID 4164 wrote to memory of 5064	4164	Kdgljmcd.exe	87
PID 5064 wrote to memory of 2944	5064	Lffhfh32.exe	88
PID 5064 wrote to memory of 2944	5064	Lffhfh32.exe	88
PID 5064 wrote to memory of 2944	5064	Lffhfh32.exe	88
PID 2944 wrote to memory of 3332	2944	Liddbc32.exe	89
PID 2944 wrote to memory of 3332	2944	Liddbc32.exe	89
PID 2944 wrote to memory of 3332	2944	Liddbc32.exe	89
PID 3332 wrote to memory of 1588	3332	Lpnlpnih.exe	90
PID 3332 wrote to memory of 1588	3332	Lpnlpnih.exe	90
PID 3332 wrote to memory of 1588	3332	Lpnlpnih.exe	90
PID 1588 wrote to memory of 4832	1588	Lfhdlh32.exe	91
PID 1588 wrote to memory of 4832	1588	Lfhdlh32.exe	91
PID 1588 wrote to memory of 4832	1588	Lfhdlh32.exe	91
PID 4832 wrote to memory of 2804	4832	Ligqhc32.exe	92
PID 4832 wrote to memory of 2804	4832	Ligqhc32.exe	92
PID 4832 wrote to memory of 2804	4832	Ligqhc32.exe	92
PID 2804 wrote to memory of 1892	2804	Llemdo32.exe	93
PID 2804 wrote to memory of 1892	2804	Llemdo32.exe	93
PID 2804 wrote to memory of 1892	2804	Llemdo32.exe	93
PID 1892 wrote to memory of 4236	1892	Lboeaifi.exe	94
PID 1892 wrote to memory of 4236	1892	Lboeaifi.exe	94
PID 1892 wrote to memory of 4236	1892	Lboeaifi.exe	94
PID 4236 wrote to memory of 2832	4236	Lenamdem.exe	95
PID 4236 wrote to memory of 2832	4236	Lenamdem.exe	95
PID 4236 wrote to memory of 2832	4236	Lenamdem.exe	95
PID 2832 wrote to memory of 2684	2832	Lpcfkm32.exe	96
PID 2832 wrote to memory of 2684	2832	Lpcfkm32.exe	96
PID 2832 wrote to memory of 2684	2832	Lpcfkm32.exe	96
PID 2684 wrote to memory of 4864	2684	Ldoaklml.exe	97
PID 2684 wrote to memory of 4864	2684	Ldoaklml.exe	97
PID 2684 wrote to memory of 4864	2684	Ldoaklml.exe	97
PID 4864 wrote to memory of 532	4864	Lgmngglp.exe	98
PID 4864 wrote to memory of 532	4864	Lgmngglp.exe	98
PID 4864 wrote to memory of 532	4864	Lgmngglp.exe	98
PID 532 wrote to memory of 1476	532	Lljfpnjg.exe	99
PID 532 wrote to memory of 1476	532	Lljfpnjg.exe	99
PID 532 wrote to memory of 1476	532	Lljfpnjg.exe	99
PID 1476 wrote to memory of 2484	1476	Ldanqkki.exe	100
PID 1476 wrote to memory of 2484	1476	Ldanqkki.exe	100
PID 1476 wrote to memory of 2484	1476	Ldanqkki.exe	100
PID 2484 wrote to memory of 3020	2484	Lebkhc32.exe	102
PID 2484 wrote to memory of 3020	2484	Lebkhc32.exe	102
PID 2484 wrote to memory of 3020	2484	Lebkhc32.exe	102
PID 3020 wrote to memory of 4052	3020	Lphoelqn.exe	103
PID 3020 wrote to memory of 4052	3020	Lphoelqn.exe	103
PID 3020 wrote to memory of 4052	3020	Lphoelqn.exe	103
PID 4052 wrote to memory of 3828	4052	Mgagbf32.exe	105
PID 4052 wrote to memory of 3828	4052	Mgagbf32.exe	105
PID 4052 wrote to memory of 3828	4052	Mgagbf32.exe	105
PID 3828 wrote to memory of 2712	3828	Mlopkm32.exe	106
PID 3828 wrote to memory of 2712	3828	Mlopkm32.exe	106
PID 3828 wrote to memory of 2712	3828	Mlopkm32.exe	106
PID 2712 wrote to memory of 4368	2712	Mchhggno.exe	107

C:\Users\Admin\AppData\Local\Temp\aa2638fa415572d2fdfeb7c2eac139d0N.exe
"C:\Users\Admin\AppData\Local\Temp\aa2638fa415572d2fdfeb7c2eac139d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\Kefkme32.exe
  C:\Windows\system32\Kefkme32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\SysWOW64\Kmncnb32.exe
    C:\Windows\system32\Kmncnb32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\SysWOW64\Kdgljmcd.exe
      C:\Windows\system32\Kdgljmcd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        24⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        27⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        29⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        35⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        36⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        37⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        45⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        46⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        64⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1876
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        75⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        76⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        77⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1584
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        79⤵
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        81⤵
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3044
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5116
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        84⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        88⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        93⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        95⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        96⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        105⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        110⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        111⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        113⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        116⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        117⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        124⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        125⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        128⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        130⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        131⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        134⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6228
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        138⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        140⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        141⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        145⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6860
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        155⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 220
        160⤵
        Program crash
        
        PID:6440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 6300 -ip 6300
1⤵
PID:6400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
93KB

MD5
a62bdc4d9fbf62abca272889822bb98c

SHA1
1dae9bca8d8cd8da4f1a334d79308cda797dd7be

SHA256
5a9b787bd62c82142dd9cf4a50ebe48250f11f6564d4ae2811c305814aa33f62

SHA512
265a1f27380e44c056caa4495787cd4a386dbcbb0a43875c950d8d46a55b2ba8be855008e80ea8d8f1742b25283730a8394b441bcf1c18102b32b29ca634e1f7

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
93KB

MD5
2660931f5e9b3eae5ac8f8edc34a6e32

SHA1
2b63c36f6bf0baf8bcf37f95dd632daab9b72169

SHA256
2e3c6faac1bc54d910ac101b640e76b8f4106efb62165c367722122d6d7387a8

SHA512
f6ed060547ba5bee1217ae38e943079a0a058e457994a4fcca6e00099cd252cabf1f6682e22b34db3d027437630b84677168bbd110e9a8ceca8615d2435fa813

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
93KB

MD5
2927aad33e3f365973473211c770d5f1

SHA1
e1203ffa6fdc98eafacf75bec80f67ebf5d60e26

SHA256
b113434c904566c21e519c0fc9101cf8928e3e9904929435c955d06fe15caf13

SHA512
cca51c72a4e180c4c5f4e92253bd46b18cfba71377d4c6535f8005e7e528f7a12d38bfe6b60eac8d5c2abc4fc59ef8373b5189ea44c95f8736251b9e87c5b0c5

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
93KB

MD5
75c7d0f62881f635c4ed3017cf1e1914

SHA1
b145f800cfb68fd56f264415fb67254ea886b98c

SHA256
931291f8a16dfef9a081825a526e604a9f15fe9b66962674f512dae9800c5442

SHA512
d78ba4e07c35868ff8c350609e9eab98b87f0faaae89d38868dffa782087a05174ff094d46fef598671c21b1c414fa1ddaa6697cb7eba0f449b7d6ebb9ecc624

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
93KB

MD5
181252352b1f398f83ebc3222ebf9295

SHA1
2087eaea21f36ea8d237430e9faa36082fa65fd6

SHA256
1a178775c89fba64f88afd17cccac39bd4c3669e32cf6fe113640104d872933a

SHA512
e5d86ed0c316bf034a66c0bc2a7dc8a592e9692e1698b901a5a9221c56dec0ccfeb50665d78e3e6ba16117119afa190872d54cce2839668dd75d7243aff7852c

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
93KB

MD5
8695f588d476571ecdd1b7f8b33985c0

SHA1
d4d48c3f3d20583f3ce9580844eb85f929d56ef8

SHA256
f3d32cf9dcf2c74c05272cc4590b372befd6d6e935a51b1857ded5a7453d9492

SHA512
6463f2362816f43ea4e233bd9b5709c0c3755612d318459394924d0e6e131ec0b1f75204f89e2e0b640a21b0486eab21c2b1866ac6fb309e0297a765d1c51ac6

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
93KB

MD5
703bdfbcdceab0cab8ff4044ea50aeb0

SHA1
306ebf6bb66a994990e379e84205c140b8bf042e

SHA256
ab2aa8f05895d5b61292d6bc18dbd862817bbb9a76cc469733b324b04fd4b24c

SHA512
a01c4396cfde2a8e093d0a11ba548df708d0ba284629031f78da097d893ce6490e5fb2e04aac87d49f2d2a0d44b206409dc440504cd176b9d159251cd088d7ac

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
ace8f8d246e11c84e6e579d513c896a5

SHA1
288fcc5364b7b3157ed7fc336a80593b37bfc45d

SHA256
a9b876c7b3ef2b5d9092cf720b77219d0cd11dcd246d025c3776fb880bbdde66

SHA512
0286e658bb62bd05c3dfcfd002d49e35e29abc4de2ad91e632d164b0d85a07297487cfb29a6d6f390f571ddf814368b1abb43461e87095f4b1fb659d7a190459

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
30f79f9f598cafb3a7955345d3be6031

SHA1
3f4fb40da826e126d070d880e4956832d1f421ba

SHA256
78a6807f41b0b6eee8bed519fbb2b665f7609dee8a0e4db217007171e4afdb2d

SHA512
0d06796202ea9cb1c1617c206245a71a681f58151bb0c104f60a2cd612f08a0824d309ebac9217ef56089e3394daae740115bb1642d3546c6b46cc8014b16ec7

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
93KB

MD5
720d0abbbc47bb238a324a317db9bc46

SHA1
289641832f457916dd2562e1bf7035c94a626b9f

SHA256
a98a88466179b08550f7280614559f0b588ef04628aba4e4ca972a0422a30feb

SHA512
d5ee21058ffdb4d878906d861e80d298e7b644bbfc4d2fbb7d1735a9eff5a4f0e7e0e604a674d91de704900ddd6ee24190c5d9262abd75bbd6d8549347ac3862

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
93KB

MD5
d75c575c1cb0531fd980e4f20e56e0b0

SHA1
6248efede7a7c009a5ab62b66f8b860ce2671b17

SHA256
3c6c22eb2795f50260dd6f54ec7c8b928ed2ac77e8fda114e0901aaa9ae61d88

SHA512
2ed94791701c1cd7f938fb620de8ae18716eedd883b5721940fa0a67c47a5699a7aa700dcf21ea6dd4065f76b092ae16c0cc2f85601d0c815b0591c742ae800a

Download Submit
C:\Windows\SysWOW64\Jlgbon32.dll

Filesize
7KB

MD5
7d1987d180de97939e63ddb931a19785

SHA1
edbb71bdedab9ce97105264d38356d51d529f6ee

SHA256
5b8fad9db1b540e5e5b7d4d7c475c33a3990777728cdabf7ef77c17bda986b87

SHA512
b15368eb772c5c29c7e58da2ce4627eb60a961f63c5f47010027a2e4df7e28ae8980b6388cf9539b5952fa83b22831cf2ad917a00527ea7071484519b55c485b

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
93KB

MD5
3ba9daf28a19e6a81d4b38abf283d992

SHA1
6eba860cd45d6642a49bab999b4e8ae52ab544ed

SHA256
2f25ad2ad8d348cb0359cf1f2afa6b4f4a618bc267aaeb3ea491cd98ddd9eb58

SHA512
bab5a8397e30aefdb05679099b9cbc76b80c5f6f9ee26fa9a366a533eeb0dab38c64999e79a3c802287eee5ef09fa41b4282e1eb228afc6b61704ba3d6c490b0

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
93KB

MD5
825d4205524fa082f7c44c1e9c7b5c2a

SHA1
9a4be241ddce851a9ecc891db5a0a0f802ee36be

SHA256
f2c47283642b4d882de9e6c2b4133bb2f32bf9e84ea8957ae49b8fea96d6bdb4

SHA512
c2643f9b0b5c0030110c581970329180583d208377b9ab4f00b6955a779bb2b02dcd2ac5ba35c2e4594a37b6c24d8539ef0071ec87a615c93d1e9e75911466dc

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
93KB

MD5
837078073922175c60b86a603faebb7b

SHA1
ef821dad2b1124f0d08ad7d6d47a7846e1383079

SHA256
e8c9b20d3505845f0aa6def5206dc55a8d635c8783e056ba4ee7bc614ffa9998

SHA512
ee2d15cbdb01b2ff26880cae493c5bcb5f7cc1b7a0f0091a385bec4a5f14de5bf53c4e20f88436a77c54711c4cd9195dd795df9a3fa0861230bf897764d19b24

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
93KB

MD5
60c81f8756daa67a6aad02140222db9f

SHA1
aaf176b7f463d284d91843e1a773308ea1c6f81f

SHA256
33b8d65b0d0e751d57d770b0439d517283c1031f024f5e1465439e85a4121578

SHA512
823cdc126aa9a188fb73af84a966e39f3186961e0d8a6604718a400050aca979afc8f3b3310aae1be00353705806b747f7e70629eb1af76aee207061b745bb72

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
93KB

MD5
70bff7ec8d353169ab30b9eda369801d

SHA1
bee58385df9e2ec002d703c18d1c9d3ebe40162d

SHA256
0de0a68638418c0078854c87fa753eb0549d4524052c6aa0e7b3cfe2f56899ef

SHA512
8986c737a5378992492f9822147e21eafdc6614a6f7eccb6720d65a3ab65838e0b3c0fa1b8288feb3c9aad9b9365886caff5d6c665b8bf052d5d1f8dc29ed753

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
93KB

MD5
7d7b3481b85cf4933d36e70eedeb6586

SHA1
1e016c35f80ddcd1710196520e53252f553fbe00

SHA256
5e7439ae61e6d3f0da42477c88ea3a834d14b98d1be1d9af1ebec275f9c49651

SHA512
92d0c18619ed39eb2cc23ae0b7dd1691c3f97c7b6af21c18f45bf90cde2d2fe4fb8705d85a4e7b5e885e5855b3f64be59126f868aac65124ccc5d857562df84b

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
93KB

MD5
361823ffa1978bf75a215a9fe5d22ef7

SHA1
6a307d0de2e651c97f15e2ae35161e12a495289d

SHA256
0e397d293768db90522de182816755d42df32513dec0dbd6f51462bb4a3ba12c

SHA512
03b576acfa9c6d45a7af1a12149ed366af7fcb12363cfe951bd9c56a71078a632e6060693558de7f9aaf15a7096279dd1d14d25b73dcb7441429a2b3c11433f4

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
93KB

MD5
4dbd19a96aa91eb89c8514aac8320ae9

SHA1
7a0357e15d5a2d2fc84a3212a92eb1a93616fa19

SHA256
e8059fa889411032507f0b7b3141d3b712875d22f0a2e7319f1c700bd951be82

SHA512
16d6fe6ebf6a09bfb737994053738f9dd4de66f13d91a72c764492a8712c9deac5abdbf65e78979de24050b0a33fa40f82c427238226e78758437d5ebb1dfdf2

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
93KB

MD5
ce6cfe168890a4f069ccf78fc9e38c22

SHA1
af86a85c0fefd426d3b1edf68ba9ad39b7631fe1

SHA256
e3bd9e035eb1392df88f7632fafd9c53df3b3c22ab06ef51dcf8dbbb4aa8baa5

SHA512
4cc7396da67561e233ecec15db9b533497988c3b9ba5a7fd189e77c15448734cb65e96f193b9951662ba2e31077faad3e6afbcb86391070ebbde8065d041cd1c

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
93KB

MD5
e0cb82d826d32301db4d771d901b5b47

SHA1
6f4ce594fbcd883d9378b807137e80eceb73b995

SHA256
8cad58e3774f5cb7a14878861939ac7ffa06714b794aa2162ea378c9c242542a

SHA512
4cd839bb4474b2b1ca2d231c140160f5e851a6c20f4c4ecad04410366eeb82dadec735866a3f8f07055770f93898a27ae5bc1a8d7837d81130d3121ecf6d9a2a

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
93KB

MD5
1fbac6a4325b07b95cc358494e879f63

SHA1
7d8c6e179dddc1be3a084d9c7486fb33a5815293

SHA256
c693b7423908c4e9593b4a89257bcc621d3aab46d2ecac1245d6402f12ae1dea

SHA512
b1e0054e0e2fb2b93ddb3fd67c75d02dffcaebe9c30713673fd07237f382274b33993d757519135a321a860c1109d14f711bbc502f252855bf5c29931de27238

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
93KB

MD5
b3bc776ed4d11c4460493109d13638c8

SHA1
24ffe07782a5a2995d4f0dc6b55aca7b6744307a

SHA256
419948bd6c441e1c42f0255355ba81563b03aeac344986911e86a5c08860f20f

SHA512
e4b5eee52df537d65f1464538205dfae812bde764b07ef003c4a2308003e321b3b58c30ea749fd49d388df69a1a35284e263042430b7b5ce6379b685a9dbe573

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
93KB

MD5
27bbd662feb534e120461c0fa0ee9a1a

SHA1
1f620be56ea1458b729183f6dcca81b9fc27a92d

SHA256
667c07b23ce012506f969ad147ebadd6e0da869ff9c2424dc0ac814bbe9d6eca

SHA512
3024f4104b7895ca8df8a5fda16fc79db7f39b7ed25ffba31fa380ab54ecad5f3da12065aeb32313dce23305bb8ac3b2c840d260218e038efb3848c1d1e56c1e

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
93KB

MD5
1329a3cf2b5051dbf3cfa8d7cb06794d

SHA1
220b55d8f87841e11d4520d85b6da39cde61121d

SHA256
fc8fe3e47b02712cfc6c61a59a00935f54ba8cd64951510f150741eae9befab1

SHA512
f132c570d9ad288294ed329aa615e646adc6cc04ce2e91b0d52bdb089b835764427cf891711057c1fc1b5e768fd0d17959d1e0c1aa176ccb853fa46d1e20e821

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
93KB

MD5
2fb85b0fa3dea46e85ed32bfb4726b20

SHA1
849324f3b82fd86e567a3f1616b251c751582def

SHA256
91ea8f192c5fae55f9256d3fbab0bf3f75d2a0f9b01a004e0c07089e3a9ae3f5

SHA512
be6a33a9e9d9dd5b781ef01596954e06ed98651af25f07a2d0566bcf05555c9af31aeff5582bd8a714d94d8b5a0c2914b9ea8a1e0eaa1e991fd34ee2621b92e5

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
93KB

MD5
62c7308935a8ecd6f10173cb149889a2

SHA1
cadc92e2666a70cd21f8e36e7d89eb150b0220fc

SHA256
46363607ff3546fbe7f24d4c375bae343b0ea68a7b1ff41cecee543ac992dee1

SHA512
2494dc88c84d4481f7d2ea233649647c2839cc145d672eb9857bbdd203b37c543ccdefd906c96ac3ae1aa7b991d83cfdb04ff2dad5bdac8dc021fc26ebfa85bc

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
93KB

MD5
fd20cb02e16c02dbd1ba4055048e78de

SHA1
d8183f8dba65434f27e9a50a611f87f24d4098f0

SHA256
ba213986393dc525bf98884200f125871eeff1956e99d0e4081208bd6da1a080

SHA512
0770ed621269a8aa9b252b1e6a7c7d89fe8a7038bca3eb6098078953bd478cea2757b21c56854a78579cd8053ce5304a676adda49fb808052aed3cf5038023d7

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
93KB

MD5
242cb873c7a82d7b29be8dd4b42d1f4e

SHA1
38048f5bb7fe6e285a6d534e84f6835dee9ce212

SHA256
8cc189f2c66d23d78ab7727299dbb9a9f6ee3f6f4c251c4e6b1da3a82b197cfa

SHA512
28258dc98b3dd823e8af39a93cc1c280965544ad39730dda10c49d58b5941542d95f0d8b19941e01e8395265b0ad344aa72e10e07891cbacd2ce7164d8f17d66

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
93KB

MD5
4b7fc0728bcf66eaae0ae1fd01cae2f7

SHA1
f19e35614b803c38335e6b68beabf3268c65f90f

SHA256
e751308e03dffd403f8dc1d3a5777d51d9a89e6c30d3c1c641eef313018ae1dd

SHA512
5141b84b27aa8a2f7ca6e9e619707b4297c2a43c833b75c4d6be521a4b0b889616933b93da66a172a8709b5c16c574935c30d3e81976ba7ce8361913b55d0ffb

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
93KB

MD5
0a5b91cd14af8bf92afdc1f1c998e885

SHA1
fc7c62a24bccf4f6c97b63a72d75f45dbf57dc6b

SHA256
b4c882bc7932d2209fe1a525fffe09e0dccf014da7d324f9b9d00eef0524792b

SHA512
2377760b5ab25345f630172a7616173565bd7caa3574987dc9dbe3974d096fea741aa69decfeef2ca5cfe778b338e575a9b02ea32c3374edc7b74cdd1c0f81db

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
93KB

MD5
cb5d95bd94ee3302ea1133274e3f221b

SHA1
d269212e83edb390a3444e7bb1f7f6d2653910de

SHA256
54ea02a59cd64a95c2a87c73a2c5eb3bdee1b4cb522653ea26c6f2550386f7d2

SHA512
db7c586add410d5fe1fc16eded6a5aa858ff07752224758e2aa7c482d493068da8a7aae79a45e2abfdca623d74d5dc23b2966af6dbeeb0d22ebb5174b59014de

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
93KB

MD5
786e0719cabebc93daa4cf4ff93f7d30

SHA1
32302208294f6d76be435433e12673b5b7324710

SHA256
75f59f101ea15eae6dea271427773d95ce44937b42f9ba8999a30a6275c00cd8

SHA512
4f74949fdf10244417abd9884ff8f47ca7460534fd541e63ee9e5e54138cb80bf4344312cbce2cbfb11d66408a12d093d22d9b5acf397dc02882fbea7f35b9fc

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
93KB

MD5
3232ed7ced3f2b9211a711ab32483672

SHA1
f4829653712a395d300e637885902f7473661b4e

SHA256
ef4b1ddb8b69beeb9ea3842b32c775a39776679bd6e7f6226bf98731f06fbba6

SHA512
428e8556fc1669ecb858ecd7f2d04b11818d2dc877a0ec94e32985992ae207d51eec6e5a36011e3460b4c9e67de2f4ea23ce92e39cc5439bccb9f40c832a8141

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
0ad2f05e9233e89e0c3a45f4fdcfcf62

SHA1
e4813f238f7c0cc8156f4d095ddb94cd7f524d80

SHA256
8658fb961a47f4f8919c4356de58e3b2d131d3f85e48edc425ecffd9d99aab7a

SHA512
ea3eac28a7cceadfeaf9a632cac05055da4d7d6750dd446c95589a881b12fdcd81a2c14297ba26a4c6fafaa5e3272a15ff2a5983a9f31c0be05aa94a792f10b6

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
93KB

MD5
5cc16b6b87edc7f29891082ae33c0916

SHA1
332f8a2742a19ea3bb890d93ab7edb65d538f798

SHA256
b02ade13da0bcec50f15b06e5a5c476e789401d5e26dbb4672ded1978d1d3361

SHA512
a44fe1879f253c15978dbea396d8fd6c3fd3e8499550e0608ef6604eb24d6fbd8a7390384cedee0faf0c87e4d37a43eed8baedaa2378ab89c201cf06c935e4b7

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
93KB

MD5
33e45fc61698d0f89bd9e5f5043e6fbd

SHA1
06d5be7c0bebfaa0b431389cb264c47d47c089fa

SHA256
a31cf060b87ca5c2937391014db888fd3fee35d008b3b13b4de71674c564af3b

SHA512
8aa2627b49dc6ddd5c8fad6de6cc24bd9a1ff9f3fa0e1ad4320b55f32bc419fffe0b0ee0c75059f5a19f2b3e465c9ee0ed7471ddc3d889865a111a1f6ac7f0fc

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
93KB

MD5
86841523644931a711c3a97b9289a4f0

SHA1
1280a39fb587e441aeb413adfcb980e5f80f55cb

SHA256
720917d0bc49d2a60b6687ed21641a5093b06ebe6717eca79076edae6f57847e

SHA512
545a5489b5f78d9d315ad500c320f3b08c45710854d6cdeff26235cb80a685529785970909465206a7f50816a95148f891bce26d9708eab8ae17cc37c0df565f

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
93KB

MD5
48ff370d029ca853722b7601d693ceef

SHA1
cc97d5d23b81690807b8ddd6cf6df27de62f6236

SHA256
81696f0d68b9d00e16185eacf92832dd055c7bcd752fe44c4724c2e30ad1747e

SHA512
32ba9f3112a101b385618ab7854582647d82e7d027a48a8f4707a974df394484fdac95ec54546a34261a2d3d77cf41ff31d6814f7357850974c349bbbde16aba

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
93KB

MD5
f886f848cc612720838c1c44a603ea0c

SHA1
323e4d011fe3dcf1999da0ebaee6dca4345b0864

SHA256
7086020b0b4fa57c77499f559af370c470533f0ef2284ef2fb043c448fc2488c

SHA512
bdb4adf4ee352d51c3350ea35b1ba0d759c450692d966e15355d6a796e7897721583c8c0f2d498a78a32195b73d9f4c23d02845c0a092cf300a44d3ca6ad7304

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
93KB

MD5
d7485fba62212825efa1a664c26eef5f

SHA1
53259f7f24c3679abe50ad19c20bbe1b86adde96

SHA256
b45d72a2e59949b9ec39a7e994f632ac4a0b7a8c6b45d08fa4e4ae04816799ae

SHA512
bd91c0d9b76e2a994056813e65708b941d9b1ac498bb6399ecb4893b632b04c009474491a582cfd91434b417ee6ff5cc1d2f091fbfa5647adc78cb0efb7d51ac

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
93KB

MD5
daff233d0e1e71d0e2ba46e6a9bcfc9e

SHA1
a04b21b2d53c851744122d7b2f6451475e2d79b4

SHA256
c4af1dd30efbe2570d064fab251417067d6339495dab3e85e084ce0582671442

SHA512
aef58474fce6ba97a76cbafaa1ffc5e6e2e026a2e389f38db4aa9ab9608c5dc7a9950c341288d92ef0372cace443c0639ccf2eb310737c02938dd684c30d3b75

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
93KB

MD5
49211c75e64d1f3b1a15cc2fef5a9924

SHA1
c7c82dace1125d210521c65973a798aea7b7c6f2

SHA256
9b65dc3bda94d7bed1f54d979809b7c3915fd83abf3bce6e2944f38740890559

SHA512
455af1f05856788ee6951385ebc2b6ea4e4e85fb958da3427000244f417ef6c3435edd6c826e0e15016fe541eff2d21d49a15135eede05e27cb341ff68baf6e5

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
93KB

MD5
926e573f789a5fe85ac4f83b13d51849

SHA1
c76c0347939184c3c446145423b5c2d51d7f2cf3

SHA256
64c9ad964bbf4516b6aa42595af8035857b4d641c0d203c9663ca2582bb3c310

SHA512
3b8781d149e86d3cb505b895b433d37617e1c56dc6689ca8ab47507900eb65cab81d8b129cd7152c5dc20e3479ee0fdea8f16374e1a159bd12771cf3aedfc5bb

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
677f8fe1c636fc39bfa7f388cc9cc6c2

SHA1
3024771aa68d30a141fcab1770560a0a166f2a3e

SHA256
5badf9f87d4ef00841a92d0689c364f9b7175944c207e237942d5f806f6ffb19

SHA512
634764d2fe8abf56927bf613f14d4681d069ec559ddf74948832941b6eaca12a1bef345cc989a6fcbf3726293ea6e016f0d5017becbe8bb0049c536bd9a98a9d

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
93KB

MD5
9b8613c0c7a41a8830bf4100f155b749

SHA1
e105f3b67d9fac9c4fb9d02d1cc3acd08929b5d3

SHA256
28005408e3c729e6acc99193e074625015d39b248e1d7e3f8abed085d746e21b

SHA512
f68af243459b79866c8470f9c3f7fff5dca95ea21209325c296e6e5c5bc27628555630db372b6757767ccf8555ca225b787da24ab4d6b233c26923ba596378b2

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
3d60642b6f52b3e240e455787fc05c85

SHA1
21af4567da4825bc2dc7ac0a327bcc7316728248

SHA256
0cb2c163aa946bd826f8481f36e82fdd74568e501f0b98e222c9cceb42b81dba

SHA512
207e982b5a4275632edf2a289d37be6877e6bbcfa02d39ed88a8d16310a4dac19591678175bdd6ed62f1cd84c0172f9d2e1c29f73a762d99543248d20f61fb0d

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
93KB

MD5
16432d56ba4dbbe9f6fb69b62b0ae926

SHA1
c6ff578b45ba2ed14b98fb3df4997be8aed39c7a

SHA256
804fa9207f530fbb8efc8d3bd31433fd55fc0e223e12c02fcfa6227f539a6ac7

SHA512
196eaeaadc41a347e5fd59c3c4fce029ee9a5733afd7a5037863d0cb3e3e561b38563324033a907be3259f12b6f7ba26c473bdb1e3ce67a42ce0d1f775ae0e35

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
93KB

MD5
643696aef644f6f0104fb1a5dcd3b7de

SHA1
ce73f070c770ea393bcba41ab4f0e80edfcd1548

SHA256
4475635cd82d6ca126da743bfe23e5a5916d1fb5e600e0c2cd08d74da0c83eac

SHA512
27d3627761c769f33cfb5788d6d99f547fcad28051ed1ba7137c67c5905e8572f9b3e25150ccc75594c1ded223bc1cfc966d2bbf2c6867bdd1fed5c11aa98d20

Download Submit
memory/208-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads