18ca3aa64e86b8532c0ad55af0bb6b19c4d36626ed60ec76964e6fc62600c195

Analysis

max time kernel
106s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

edc256dba4cde0523675b9c1cf349a60N.exe
Size

1.4MB
MD5

edc256dba4cde0523675b9c1cf349a60
SHA1

8f52489922954cdb84428e10a931f3d6769bba8f
SHA256

18ca3aa64e86b8532c0ad55af0bb6b19c4d36626ed60ec76964e6fc62600c195
SHA512

48c4e8c9bb332b39d402a7d9ee6ac540b31a38f87a6a9817ea243b9963588aad052c32ab362be8f9913ce97b2fbdf9cafece72c342038fef023a0a2c28860cc6
SSDEEP

24576:0q5h3q5htaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARmaH1aUu:iaSHFaZRBEYyqmS2DiHPKQgmZUu

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe

Executes dropped EXE 64 IoCs

pid	Process
1888	Hkdbpe32.exe
2896	Hkfoeega.exe
4988	Hflcbngh.exe
4572	Hkkhqd32.exe
1908	Hoiafcic.exe
3916	Hbgmcnhf.exe
3264	Icgjmapi.exe
4148	Iblfnn32.exe
4456	Iemppiab.exe
3516	Ilidbbgl.exe
1760	Jimekgff.exe
1336	Jpgmha32.exe
544	Jioaqfcc.exe
2712	Jcefno32.exe
904	Jfcbjk32.exe
3828	Jianff32.exe
756	Jlpkba32.exe
4716	Jcioiood.exe
4292	Jfhlejnh.exe
1628	Jifhaenk.exe
4536	Jlednamo.exe
3152	Kboljk32.exe
2528	Kemhff32.exe
2484	Kiidgeki.exe
1940	Klgqcqkl.exe
4828	Kdnidn32.exe
1220	Kfmepi32.exe
1688	Kikame32.exe
4924	Klimip32.exe
2796	Kdqejn32.exe
3924	Kfoafi32.exe
2820	Kimnbd32.exe
4000	Klljnp32.exe
3020	Kdcbom32.exe
3876	Kfankifm.exe
2472	Kipkhdeq.exe
1368	Klngdpdd.exe
1956	Kpjcdn32.exe
4652	Kbhoqj32.exe
872	Kefkme32.exe
3032	Kmncnb32.exe
3912	Kplpjn32.exe
4812	Lbjlfi32.exe
1588	Liddbc32.exe
4476	Llcpoo32.exe
2200	Ldjhpl32.exe
3816	Lfhdlh32.exe
1244	Ligqhc32.exe
5048	Llemdo32.exe
4588	Ldleel32.exe
4964	Lfkaag32.exe
3676	Liimncmf.exe
2668	Llgjjnlj.exe
3492	Ldoaklml.exe
4352	Lgmngglp.exe
388	Likjcbkc.exe
4936	Lljfpnjg.exe
4900	Ldanqkki.exe
4908	Lgokmgjm.exe
4180	Lmiciaaj.exe
1568	Lphoelqn.exe
3872	Mbfkbhpa.exe
2924	Medgncoe.exe
208	Mmlpoqpg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Iblfnn32.exe	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Jifhaenk.exe	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Mpnaemnl.dll	Hoiafcic.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Klljnp32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Kjqkei32.dll	Icgjmapi.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Klljnp32.exe	Kimnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Iedoeq32.dll	edc256dba4cde0523675b9c1cf349a60N.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lljfpnjg.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kikame32.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Jianff32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hoiafcic.exe	Hkkhqd32.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kfmepi32.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kdqejn32.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Llcpoo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6180	7104	WerFault.exe	249

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iblfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hflcbngh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoiafcic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilidbbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgjmapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgpfak.dll"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnaemnl.dll"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhmqf32.dll"	Hflcbngh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll"	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 1888	4024	edc256dba4cde0523675b9c1cf349a60N.exe	84
PID 4024 wrote to memory of 1888	4024	edc256dba4cde0523675b9c1cf349a60N.exe	84
PID 4024 wrote to memory of 1888	4024	edc256dba4cde0523675b9c1cf349a60N.exe	84
PID 1888 wrote to memory of 2896	1888	Hkdbpe32.exe	85
PID 1888 wrote to memory of 2896	1888	Hkdbpe32.exe	85
PID 1888 wrote to memory of 2896	1888	Hkdbpe32.exe	85
PID 2896 wrote to memory of 4988	2896	Hkfoeega.exe	86
PID 2896 wrote to memory of 4988	2896	Hkfoeega.exe	86
PID 2896 wrote to memory of 4988	2896	Hkfoeega.exe	86
PID 4988 wrote to memory of 4572	4988	Hflcbngh.exe	87
PID 4988 wrote to memory of 4572	4988	Hflcbngh.exe	87
PID 4988 wrote to memory of 4572	4988	Hflcbngh.exe	87
PID 4572 wrote to memory of 1908	4572	Hkkhqd32.exe	88
PID 4572 wrote to memory of 1908	4572	Hkkhqd32.exe	88
PID 4572 wrote to memory of 1908	4572	Hkkhqd32.exe	88
PID 1908 wrote to memory of 3916	1908	Hoiafcic.exe	89
PID 1908 wrote to memory of 3916	1908	Hoiafcic.exe	89
PID 1908 wrote to memory of 3916	1908	Hoiafcic.exe	89
PID 3916 wrote to memory of 3264	3916	Hbgmcnhf.exe	91
PID 3916 wrote to memory of 3264	3916	Hbgmcnhf.exe	91
PID 3916 wrote to memory of 3264	3916	Hbgmcnhf.exe	91
PID 3264 wrote to memory of 4148	3264	Icgjmapi.exe	93
PID 3264 wrote to memory of 4148	3264	Icgjmapi.exe	93
PID 3264 wrote to memory of 4148	3264	Icgjmapi.exe	93
PID 4148 wrote to memory of 4456	4148	Iblfnn32.exe	94
PID 4148 wrote to memory of 4456	4148	Iblfnn32.exe	94
PID 4148 wrote to memory of 4456	4148	Iblfnn32.exe	94
PID 4456 wrote to memory of 3516	4456	Iemppiab.exe	96
PID 4456 wrote to memory of 3516	4456	Iemppiab.exe	96
PID 4456 wrote to memory of 3516	4456	Iemppiab.exe	96
PID 3516 wrote to memory of 1760	3516	Ilidbbgl.exe	97
PID 3516 wrote to memory of 1760	3516	Ilidbbgl.exe	97
PID 3516 wrote to memory of 1760	3516	Ilidbbgl.exe	97
PID 1760 wrote to memory of 1336	1760	Jimekgff.exe	98
PID 1760 wrote to memory of 1336	1760	Jimekgff.exe	98
PID 1760 wrote to memory of 1336	1760	Jimekgff.exe	98
PID 1336 wrote to memory of 544	1336	Jpgmha32.exe	99
PID 1336 wrote to memory of 544	1336	Jpgmha32.exe	99
PID 1336 wrote to memory of 544	1336	Jpgmha32.exe	99
PID 544 wrote to memory of 2712	544	Jioaqfcc.exe	100
PID 544 wrote to memory of 2712	544	Jioaqfcc.exe	100
PID 544 wrote to memory of 2712	544	Jioaqfcc.exe	100
PID 2712 wrote to memory of 904	2712	Jcefno32.exe	101
PID 2712 wrote to memory of 904	2712	Jcefno32.exe	101
PID 2712 wrote to memory of 904	2712	Jcefno32.exe	101
PID 904 wrote to memory of 3828	904	Jfcbjk32.exe	102
PID 904 wrote to memory of 3828	904	Jfcbjk32.exe	102
PID 904 wrote to memory of 3828	904	Jfcbjk32.exe	102
PID 3828 wrote to memory of 756	3828	Jianff32.exe	103
PID 3828 wrote to memory of 756	3828	Jianff32.exe	103
PID 3828 wrote to memory of 756	3828	Jianff32.exe	103
PID 756 wrote to memory of 4716	756	Jlpkba32.exe	104
PID 756 wrote to memory of 4716	756	Jlpkba32.exe	104
PID 756 wrote to memory of 4716	756	Jlpkba32.exe	104
PID 4716 wrote to memory of 4292	4716	Jcioiood.exe	105
PID 4716 wrote to memory of 4292	4716	Jcioiood.exe	105
PID 4716 wrote to memory of 4292	4716	Jcioiood.exe	105
PID 4292 wrote to memory of 1628	4292	Jfhlejnh.exe	106
PID 4292 wrote to memory of 1628	4292	Jfhlejnh.exe	106
PID 4292 wrote to memory of 1628	4292	Jfhlejnh.exe	106
PID 1628 wrote to memory of 4536	1628	Jifhaenk.exe	107
PID 1628 wrote to memory of 4536	1628	Jifhaenk.exe	107
PID 1628 wrote to memory of 4536	1628	Jifhaenk.exe	107
PID 4536 wrote to memory of 3152	4536	Jlednamo.exe	108

C:\Users\Admin\AppData\Local\Temp\edc256dba4cde0523675b9c1cf349a60N.exe
"C:\Users\Admin\AppData\Local\Temp\edc256dba4cde0523675b9c1cf349a60N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\Hkdbpe32.exe
  C:\Windows\system32\Hkdbpe32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Hkfoeega.exe
    C:\Windows\system32\Hkfoeega.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Hflcbngh.exe
      C:\Windows\system32\Hflcbngh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        32⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        42⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        54⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3052
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        71⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        72⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        77⤵
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        82⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        83⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        84⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5044
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        86⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        89⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        94⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        96⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        100⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        101⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        106⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        115⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        117⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        123⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        125⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        127⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        128⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        129⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        130⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        135⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        136⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        143⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        148⤵
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        149⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        154⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        158⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        159⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 404
        161⤵
        Program crash
        
        PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7104 -ip 7104
1⤵
PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
1.4MB

MD5
aa2d496bca6e77292911f5cd19d98db7

SHA1
cfdc1e580d3645882797449561a744efd5c07ac9

SHA256
4fd3bb0ce26563806775ca1e8df699cf40709d6e27cd68aacff61a13d674bafe

SHA512
685d13f4c9aebfc5189900396ac9bfb1bfcc9bea69d045d3121912cf0f66147d2a8b324893dd91d01fdde0b0ad64b2d3fd35a23b9bdc2a06a2ad837e491f188e

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
1.4MB

MD5
b19ef8fc99b540bc27c04a6eac9d6bbc

SHA1
25ed07a67eccf954cc23ca2d54fd639b6f74a0b9

SHA256
ce8a719d2e1fa58e65b1dea9b68c42846b9c29a7d7128f1de51da9c0f7595bfb

SHA512
29489f097bb668dcd6e8bce734f5bbb0d7b395193ae1ea2bc426531407356a643a37aa6454c87b194dbff1ecfb1f3239142b7ca2688b6d85e2ea07c5949c35b2

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
1.4MB

MD5
cc94c87213977f533996d49b79de450b

SHA1
cc761e265eac2d52b9362de30b9b681282767c66

SHA256
6e05d5f8af35edd8bd372c5630c6dad0c50d895da4120c13a67d63fd8d799753

SHA512
033e0151fc43ec2eb6743befdbb1e451b40f94f68d298ac2ce52177fb9d1d414f562decccab793b29ddabd14940906107ccf47774662d7645feea019c5c2ae0e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
1.4MB

MD5
9f712b16cc8a2a95471d630ec9a46cf9

SHA1
c73413337c8bf06bbb963f829e7f17548f174a78

SHA256
1788e8ecd3b2188064265136718894a0ef7c5a0987ccd1282aa0a81024c339b9

SHA512
77fd2063bdda6f5581b1b6b65d6bfede3dc1baea9971fd40d6ba65c8c5a95e5406253837202e2349895e645b33d90c4832fc4701f681517112784e7c0fe662d2

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
1.4MB

MD5
00926a29c7391d84dbd1fcb40dee4d05

SHA1
0ec6b0e160c3b6f724f2155cb3f47c37d833c3ff

SHA256
9b17d31556836287eb36760bf5c9b6b61c4617dee815b65789da3beecf0de8c4

SHA512
6a5af4cfd09ae93c89c8e6bb6b20c2e4899f76d5aa2b426bd6bdebf02608fc5ecda581ad7f26e709aa97aaf453edfeca2de3501064ce03de82383baff24646e6

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
1.4MB

MD5
cb405731d1a4864b878455fcc71471eb

SHA1
4e5103676a08707bc5ce7fa29b10a435d013e25b

SHA256
14a2228a0c07c1d1a2d5aba51bc1da20cdc945100daa250d9f2b92365970ef99

SHA512
0ddce504544c0f0322cc37122987323d2ac88daa52aec7779de375310f304b7ace41bb63e9a8e2c1da93b0c8b4e94f1341c05f9ec38552ab9b1589a61847c7cf

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
1.4MB

MD5
0d90c2e9cdbba0b9e7f2a085339e697e

SHA1
74ef244acb3f5dff65aee3086cb349c0ee7f0d26

SHA256
272ee3893a5dca259319c8a9693226a6d73c8df723fe9e52107c612e5b7e7be3

SHA512
6a82ec342984102581c7ea9c033a46f43caa1e869301389541486d92b3c9c682209d41e7ec9df7f3ce05650d2800952ad9e89663290ad62130bd9bfacca7e176

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
1.4MB

MD5
f05ecf3edd1d82962475eb2ac58ae693

SHA1
b08eb9896056fb37e7ea554e299066710e801517

SHA256
a3ec2c0e958373efb3b61ec769f00f34f2dafcbdadf4f74bab3b9ade6a2259a9

SHA512
022d5797db77528508f4f0d069783528aee6448f23594093733af5d2fd6a05d036aa16bad369a7a14cadca070cbc7bfc6fb4f14440ba40d564548aa29e780a4a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.4MB

MD5
3d4ee1ae7aa7787bd6071e7d0f01550b

SHA1
4fc872bd5e84b660ba99b58bcdd1ff09f3e9db84

SHA256
4dd908e3059f0a96d6fa3d14bc6c8893b7d26c5bcd766cc5a5be84513f5c88c0

SHA512
67c5563252ad87121820ddbb6ae55388e5af5152f340b048c4063f473ef5d82c54797c0c61bd169dcf2371bee9e28b56d2369923de43dbd3fb1d64d2a446416c

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
1.4MB

MD5
84b7d2dfc52a95bfdef89e820910421f

SHA1
623da256105733adc3b244c15f43966ac949e587

SHA256
f1bb9ef62d7547583bb06e17dd0d2fc4425027e8ae5496c91162f31945b6e424

SHA512
c0544d31e7f48212a06acaee268144ad5f1ccbc972487819a1e8f24e2f12536294d076d479c7d5910296a10e9a6dbb71623a71cc222dea1331e77c171a46269a

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
1.4MB

MD5
9b0ee879a4d97a3607b6d2e2eb982ec4

SHA1
51511a3f5b47248b3cdbce45c6f27c235f33d4bc

SHA256
6d952350521791a7adb389a7a5a6a598b1ca7b7094e4c7bc7973aa66e3834380

SHA512
534048b8b663d8abd93e5d0dc8209e60f3be1ca881db151402112c7b8f3a3120d5d4aabe03d7edeb91c7f3e6bed1851f62c8cbf4b03795a68e10e811061d4a52

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
1.4MB

MD5
d426bf10db835eac9c6db441d75eef11

SHA1
f470b6ab21105bfb60d1776d002b4bdc1a5d10a9

SHA256
89449964e2dda4c277bba23049e9df79b4efae215929f40d5c487c073b9a96f5

SHA512
ee208b7ce88b029f4127e7fe3539363c108a53725696230e1a995b938d49024ac32e96519e3fe9bc57f06645267690b33e456f3d7925ea175db7e4fce9e51e6d

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
1.4MB

MD5
a076ef01952deca514f072659b30afa6

SHA1
a8c4e4c5e0ce1d7228f4e21a7526a8d47d580e46

SHA256
f38032a17cd908cca5e6d6d6545ad0616a859bc4780b212a5e422f11ca87ab8f

SHA512
87541d80beb305fe670a6eebc0b8704eae0591f290298e5be9a3ccc59733ced5c8d8194b65c26d7a6240de3085040090571d7c688e5813eb932158aae6f3fe21

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
1.4MB

MD5
ebf9e0bf0fbe8b82f649c0b570dc2ef7

SHA1
6534e4c1f67ef49b9f9e32cd7f33c6ff985fc2a7

SHA256
50a806f3c1dd921090ea9aeec7d35049a88f08928a098afaf19d6e48f3b6b896

SHA512
b82b0cc01075f8c5c26125acad1b3a52653f7fe01218d72a1ec5e89c58345cb05e4dd0be42eb260ab90a597384050b617c31f212db7cf5fd19b4c01bbc6566b4

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
1.4MB

MD5
2be07ebb5809812e9d3a80fa0c6611ce

SHA1
07160d59b55c534dc0d7d6c3899de3551279a188

SHA256
758e02aa3bcc1ae51ae77125c554b1110bd2786ff1a98017f522297a6769a021

SHA512
9eafdfc4ae144ea63c6d413c03f41d52446a3fbfa1ff672077c7d04e5b8c5b7660737daefbc02736a68c52b4d5df07e3c9c2cc27a84b803bd15ad4eeeaa219f5

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
1.4MB

MD5
fa018f5da3beb76f0da3f2b17b0fff68

SHA1
3298b4e53ac1073a3009207bb83269cb050790f3

SHA256
a52407c185d9c66f14064a857f9dcb756d3e9907a1978fa961ab04b16532d1b3

SHA512
bcc07e26d273526c78e15c1779938e27d00dd9b9bfe53141413b8cf78017397bc073926a452f333dc39c4aad122e8ddb5607e735968462d9837879affdc357f7

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
1.4MB

MD5
70cfa87a7c766109b6ecf05ea1f6866d

SHA1
019eb28ab966b808894b29e957153544ab54a50b

SHA256
b8469f07ca83f2412029445d4c80c6cc2db00028ce245f21d4a84255986456f6

SHA512
0c0eece84356eedf450e96a481571084359b9c5d0343614c62cc4509e49096a6659afbf185605ec34288e11b75f360a522ce956dbf8929107c68c3624d663442

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
1.4MB

MD5
a422b2ab5807e6dcabdaac89f363e086

SHA1
fe5688341312a11dd8da36a17cd558c555c7a661

SHA256
ab24f7ae5824e25572a30a5e8daccfc662bf9624e747af0f926da9bdd0d7b56d

SHA512
0b3f8c3946399a4d98d2e3a13be4a91b36e1fa78c6b01775168a49a34c679e95ed84deea1c5dfa1c27d1fb1f944c382815cdcf428c26b2f94b6f1f1264b2c3c8

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
1.4MB

MD5
1ea50bfe7caa9ef8261b792b585330e8

SHA1
df48af9c22529059a03bc37bbf3f9123ead9dd33

SHA256
ab79e00e995b24c369bdcbd293184cc810d1d67bf9cddae850b3632f98a5aba7

SHA512
aa9b80ae2f94851aae9deec05912e1721b22c4b835f82cab776040c6508af864ffba028117487effd1800e77b9fe9f90959a84cf5ceaf580bd0e67e9078a5f25

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
1.4MB

MD5
abe3f26edcf84bbe5ba3e2aefe1ca62f

SHA1
872760a513a0353fa3223c7bdbf0f27129ffef01

SHA256
b35d248586da6c473872d9608021fa76c4466c9ccd1f6cdbaedc8f6a0c55cc24

SHA512
74b1e9c3023ddcbb893a96e07d2c369e46e13e4b0b024b389b3a25947874cd3cf2646b41cceaa9eefdc74c3cdb60d783c3f064a439ea3e914f087328bc041439

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
1.4MB

MD5
e7f37a0e9265a6155da5a17e4caa2de1

SHA1
16beb4a0603d3f18901abe2d751475f600c4fa8f

SHA256
866d860d7e15ef417cc91517e731ac0ac6bfeb4dba2919e761cbeba1c0b41d99

SHA512
81f0bc5f55bda8beb41b9a78cb76aa0610c48e85771b4d71c7b1b0fd047c3d24918166d6901aa78bdbdf2bed5f098d83423d77c025d8391d300759fffc1ec8f4

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
1.4MB

MD5
f45e4aa33430477c2830b837c12da181

SHA1
f19cde1fa6b283362d3afdc560cac8219af1191d

SHA256
b54f42674e7ff9776175a382cc2317755e982225d9f53cc4bbb48fe6781864e2

SHA512
de2d6cba6a5c906186e77f1131c21d526af0c5edbe1eddb376dfa0c8c0c7254baa85634a1c152880b607621943855d7ffa0fc6fdd5d788ed0f673728a14b1164

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
1.4MB

MD5
3379877fae120e34cdb168f4d63e4440

SHA1
43a1fcf2e6078a773db9235087d1916af70fa159

SHA256
74446f05e746f314cf06904c26e3770e7978da1730830390516153410b6de67f

SHA512
efd734bf700d553b5335163c524dd02dbbed90d9fd9c8b0ef209a0f4a6e5af4679d6757692f3e454bad78f050ccf124ea5823811abcafcecd5d037fbaf7cd44c

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
1.4MB

MD5
4eaa4d9e0873a6ba30b74271f350774c

SHA1
5e46a2accb941e0957c70a80daffbb6fa8ae84a6

SHA256
3cda19d10a287042ae822ce86e00e2cbf8c208e11288eca981d3b9855d319add

SHA512
8d288fe0a18dda8185c777ff8dcab6554ab989d5f7b0e934f561d167a61a6c2cbf353d3254a4eb60fcb3c9d3c034827650e91905f571dde09b5ffcbb54cbd602

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
1.4MB

MD5
ef940df4345057e82acc0813b817dda5

SHA1
b2ade5065da24b20bb9130d3dbd2a1e64785423c

SHA256
87ba5a0d9cba2f4d4fd4ddc13b28a893049a9b9357f4e7744fba1d7cf1a26769

SHA512
f43f59ff9b23e42dbdf3ddc8b07c38f23205780aecfe36c225bb0a20041f2b9bb5d03cd04b2ea3cadd27ea758133b7b0e7d7e3a110a1c8c965bb4200795f41f2

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
1.4MB

MD5
b0020c807307eb387dfe43592a7ded2d

SHA1
7529b2811283c7ec30f40c58fcd445cc20e221fd

SHA256
70e8479e2af217d6da2c7f870363bfa1e7d5ce849a38d73fbb2547b3387b46cc

SHA512
96dc2a1bcc5bd1cdd2cd86c0f2c5b58fc0611887ee4992b9fd81847821fa645a9df84e4334f2131b1280cf51a9c1812ca911361daedb9b1b1f8248b300b947f8

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
1.4MB

MD5
2cb79678b12814f81ca20ee6ef2aa37b

SHA1
6ba59479939c2a80ac00fa25045c2ce27f95dbba

SHA256
7635df4443fba72c3f852166303f1537ccd1d3ecb9b9f6668c9abc4a2c009dca

SHA512
799222490842b7fe54365f5203464413328a8702ec27712a43096224a171165ddaea546200c09669ab9ddad18d27505e3e2550b1cff63ce45d724af7fc90a140

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
1.4MB

MD5
3a7b42e533e9a0aece88d99c4cf8a931

SHA1
253d3cdb3e623be9b72d0c5d2d1769730b4d5a6e

SHA256
a97136c057160cae1d88c2b6b9b337f7a55cdd8288e6d197e59324d8d4c2f06d

SHA512
e415b93f36097129826ec3f0f7ff708e5fe7a8b827b31eb19530a679a21e6c4cdfa368310c653d2ded440a54d173f50ac967c8d338956cbdf0838abb783883e7

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
1.4MB

MD5
a239e3e9d8cfc6758eb10cfe666a208e

SHA1
d36b80c89fddc65828d84fcbcab7a87fe1335a67

SHA256
0b1f957d9a9655fa4a09400e9d94271f22f8ff2d6803a1cbd4611d749dd78c36

SHA512
7d34f476ecc720a351548c3ad9344b70659f88e753c0039ed9ad7e618ce2c11422319d9ed86ad810d09ac307fd063f81a207367ff081aa9d008d27ec593c2c7c

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
1.4MB

MD5
047a94650ac4e7b9d523ef3577184464

SHA1
7d0ab6af7c979eafa5f30a1ddb1237e98e32bcb2

SHA256
60ea63334d819d7684f7fa94335722ed2645b9a5d7a0d1b51464e7c3ec8b4ada

SHA512
d9f3aa20c4df4817298d1ac11add235d944dd7d2addd943c77cabcc52b3cd8fa0a446f8edd7585bda4a24132c38b6c5b3f8930ee7172b56ea378f44f12a38b0d

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
1.4MB

MD5
b918f3f33cf1b038492031974cca7965

SHA1
320ea948582e7cdb88171a4ab8ed25d97a3fb23f

SHA256
57fe1622d405b4415ba89d494cffd35f4ed97f2bc0f68231d9e790836dce0253

SHA512
936765c356a8eb91a5b7b9fa5dd5f700cd521866b5445da8029d1dd75a7b3b5616755723faf91bbaf19dd7e3833d8af95d37411ef951be5c84f27abfbc495402

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
1.4MB

MD5
1ff7c11ee5631fd621e018a6eb565b93

SHA1
875501a787ed456c11dd71fc197dcb796f31b4ca

SHA256
892738886df8d6952c1e9ad65278eaab5dbfe12ef987abf18999091c19bc290d

SHA512
a64482261bfadf91bc1e91429d872c82b7ef3dbc764b1a806ee5f8e70f60c64ec482bea73b6d7891b892d0879d6e524e65ea1f490ed8468d619020c489fa8bf2

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
1.4MB

MD5
8f9b6384cac5be56c7aef71642ce0f44

SHA1
115809ecd61d870755c7076c043ef97de82d6d52

SHA256
8837b81917f79923e866558e307574a1aee26c330633067e50822fad9c414775

SHA512
a4822562701fff850a04739f31cf3db099111f7f71c49368d28e773601d6eb5aba773039864bfcc2d890cb5295a67d567de4938a572513b7d0e8758f343a9e58

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
1.4MB

MD5
30e1a7cbb8b964ebe20f99689cf56c4f

SHA1
d4116f8694d46be99bf5c584c6f8e84c09f72e9d

SHA256
ee8575324e40d7524affb47d02e50d1b5926f85d3d5c516ab3c2e5381db559b1

SHA512
e12fe77be49e0afb7099477ebaece8757dd03ff2ab8b13224b75b03714a214579ca7bfb832dcfe2f7973848164a6146e0ad1d4854aa60816f95fa1cd68dbc3e8

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
1.4MB

MD5
8c8ee73920c272f7393abf1ad8d83aa1

SHA1
4d6a82342e888c11854761bdd2338d65693b8d15

SHA256
9e85675731d593c726d724a97d8e57c313a0c2209fcde3829990b13bb371c9f8

SHA512
2af5a99ccd8b595134b6412f35a6f915cb6483ad0c4bf901db3eb9411294b903fea1034d731ec7c6a4b80928fc1bf30f054e427da787e8fdb4c8b7cbb3f6ca68

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
1.4MB

MD5
fb16eabc4e8bf2a1b3c2b9d595eb773a

SHA1
a59bf483af620f233e6a5e371e0324730c73fe89

SHA256
dd439f73a0086fa6d4ea47ebff03ca85daa6ec3d36dcfd0e5939ebda7e7eb827

SHA512
31207fdd33eb505c4f24f9b5c67a4f9f7a174155c82fa10afddc2de5538953e2fe193a94c0ef158cab401371c67794ad75c169d32dedfae67aa0c322169ef577

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
1.4MB

MD5
a852aeb5f711173692fab2f6fd680728

SHA1
15eb17439d7e6177e0555e875c18b029cf7a0580

SHA256
69dfeb4fa434438fae7c4a903a09d9f92f2be7d413d7be84bd51936d35fdb17f

SHA512
08da3c6a60a3bc5a8c5927680eaf12e5055cea0c6a5e9ebca08a8389671c5c8d1826bebdc88d4169e1435e9ddaff3b7f196772e6f5c35c2910cc5e6593b59491

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
1.4MB

MD5
f7f4fd10c29a162199575eba5afa0826

SHA1
eea689ffe6325fc5783219fb8585c5c6e97d2c85

SHA256
39c7d4075467843645a6a51eb8586c9901fde11c91309892ddf746be4776e960

SHA512
df68504ce8733bc9b09eb82be3bdb2bfc8887b7e1a28f767f6b7793579bacf393042122b818bf9125f5b1cf67a66ec8cd52de8039bf0ad22d949a0f40f92099c

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
1.4MB

MD5
828c4358f990403dee09f24a91268866

SHA1
28e608b43e6ebd35c2307e54db81d11550dffdb4

SHA256
cccc23b4dd20289099e682c22cf3473b232aeebe098826cf8113e14c5caa3184

SHA512
bc97f36fe7c42b50a76f22d5f600fd52b5bece7fd3166737d5013a89f9929cb4a75bd9258dec0376db821ec2d5559df5ceecc436c095f91a368c4c17fdcd84da

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
1.4MB

MD5
e083b38dcb9bf6d74d0384f79764bc10

SHA1
4b1e51523bd03c5b91d6a1cc69e903c2dfcce853

SHA256
53fbf7cded5e3e7a0b0476901e870bdd8b8eb0b62d65b8715c83e9bce9c13e8b

SHA512
f5d120e27d45447a95104a53cc3c522281fd6ca5de92fba7e36282c0f084928c9bf2e934ac48e8b61b02b068c810076d40255ee986927be62159398755795c25

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
1.4MB

MD5
83e0b875a45ad1f72c3fad10e4339b49

SHA1
c391b404506f73c1333a6e9668c82e8a55cc016b

SHA256
608e3b58be623026256a354e27b8ab71e651b75264dddf05d66e0e772c15dbf9

SHA512
3bbcb772f837730ec887d2f67cbf4cb36039d09bd7b6e71320ba738144df181c3a1b4b7bbbe14b02023047eab6300016b93124c529cc12b8eb222b57e4c2f4ea

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
1.4MB

MD5
3b16b1deaa45654646c8a3e479e0f777

SHA1
3d303baee456d52790ba3bcadc816f70a1895541

SHA256
96a8db4aedab0d1147b0b16fa2f2435260728e79294a009aeb20884e4d94c2fd

SHA512
6d2f5a100721274d0e39669ffdfabd2768a513ea6a4246074981de71183cb8e908431fa1546bba4d875d47589991635f65316d64f1b9d55e56a805401768e46c

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
1.4MB

MD5
bdc5397f7395d98c6e2fc4932225b8a8

SHA1
84995e29a8d6b6a423de11551274fbd525f0b724

SHA256
abf5e7ba2506c4d6ced9459b7acd1f7523f36f6c40c482ef4c3f9a8df3123d33

SHA512
50672f6ed9712e930649f03da3fa1b16f5428982e287b16a504249fbbb0822db153f49f65c3a093867ecb2e6b5b8e55686cfabe2a7ed7398c2cb74b6999c7f15

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
1.4MB

MD5
cde1ec0a6cfa0dbf2877b909c6d6ebbb

SHA1
7570c921055b448330f741af4dac3eae24c048c4

SHA256
c754f69e177bbcec9dc57d778b005fde7528321c3c08198af5aad25aed984c9c

SHA512
7589d0f7c51a329fd765194ef6497e9aa18f73ce30db71d72132017ad43ba5806ad491b4806e98d62ed2123eac16d9feb34657208ea0b654e11a8dc7ccd68325

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
1.4MB

MD5
fe6e1945a875059b006f05fe248e7386

SHA1
5696a8eef3db0a5afdbe172ee4d7de91cb0cb71a

SHA256
b2224cc15be76815dc84d0b793e0d17b5a75ade7b95770aa455704c6b37b1e10

SHA512
fcbf8ecc327056e7ef508d3f6f357fbe40b75a845e3ad6989658a05bea0b60d51154724b6308ec8622863c40147cfa0ffe30018d0c0032f78ae354b75648ca5e

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
1.4MB

MD5
da333e30386feb09ec809248e94982b7

SHA1
cd9b3dac3b4af3aaa34f29e6e08ce441a067816c

SHA256
69dc26312b631d062cac6ba13d9a74d850a8cac7422b9e6ad76c90988e7c7afd

SHA512
ca2b6fb299826a353dd444955b06bfc0948b3d0f40078606154f41553577c134380a4105b7683789e731fe9369bb036aefccc1f69d23fd27855f75d43971b46a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
1.4MB

MD5
f9ca1a28bd863d71aff8e2683cf54dce

SHA1
96bfb69cc5c37353f784a7a2b4f004b1b735c940

SHA256
fb42873cabbe781daef61f95ef5c3c79919895a8e6406ab75743163f43b76de4

SHA512
630df4bc6b43d47e2bd4de909b82eac2585375ac3f93304b3de74c090a16380049e248fd4ecc34c83afdfaad98582d98a309f3eb066d010badf712907b8b2bea

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
1.4MB

MD5
3ddd10fbd79625ef95b92386a2b53a93

SHA1
ae8ef9a40cb944e9f4a1ee0c32ce9f8d6964f7dd

SHA256
3522da6e37b16c09081ec167d28dfa1f678034f87f65a83d5e2d06769f2c8212

SHA512
b0529ef45cf7e55897921e7f371baa2d7d01cb18548261556a2996e6dcd0a5cc6303aafb45e62f85d4d23843b93f265966d99c40588e97dcd804b8380f9a1a24

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
1.4MB

MD5
6528781d8e2b4400fdc6b0c061ab4c61

SHA1
87771246e453a070ce8edfdd66edb0acc8234747

SHA256
679f0cb6b69ed265c55cb10522ed00a7953cee16f584f153ff471c1dc13d4fe5

SHA512
3aa794a427d4828e732ea213948b175f0b04b57e4afd74d04215a77bff6b8a6e25f8310b28d2075b1880c2bba2e23db8fba5d225f811e2a9fddf812943f077de

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
1.4MB

MD5
5db6bdd895af26201787be61f1cc2045

SHA1
1cb992f8e7f250cf2484ec923aaae6f782057dad

SHA256
6759032514aeb7baf3f3076521c03e3a501b4e2df85a5d9902268df8985b3451

SHA512
993cfbd502c201856dbccb7a808778f6338491a39ee29c75727d03b51a09cd187699aca27eafea5d1c97094dc38f82007e8ba2e1062e4f038f3a5955b00be808

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
1.4MB

MD5
622373b60c9eb13f8be6489dbee96c33

SHA1
6e230ea4546398e382d21c8d541aea85e6a76cf3

SHA256
3183e3a75196d1f31be7f938e555ebd41e0372da1f00e575afa066d60744e390

SHA512
3dc8ad41a84eea0ab1e494ac81d208cd8ae587638b20f2f6bc1c61db233f31a04aeb344d8e0fa2295b3c15cd767bbd44f19637cb4be8605d1dc04d3d580b1a45

Download Submit
memory/208-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4024-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5544-1132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5604-1170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-1110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads