539b208e5fbf772f7d0c1c07d48ac13067b3b42f3f5c9ed62d2b735aa471c545

Analysis

max time kernel
110s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a45c533a9194d69a289c34b1d34c3b10N.exe
Size

448KB
MD5

a45c533a9194d69a289c34b1d34c3b10
SHA1

13aea8d9aa7418c6e59961bf2140f493d19b5ea3
SHA256

539b208e5fbf772f7d0c1c07d48ac13067b3b42f3f5c9ed62d2b735aa471c545
SHA512

cf2a43dd7af3b3037c8d76127b39a6c904519f8e1d960f02bf83fd814bafea5ce76381c5c63f1cf37458c3ccecf8bb20bc602d5dc10fcdbf2ed085818ff0ef58
SSDEEP

6144:R7ufMCOPH37aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:R0MlX7aOlxzr3cOK3TajRfXFMKNxC

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe

Executes dropped EXE 64 IoCs

pid	Process
4908	Kmncnb32.exe
1384	Leihbeib.exe
4660	Lmppcbjd.exe
3824	Lpnlpnih.exe
3532	Ldjhpl32.exe
2504	Lfhdlh32.exe
4636	Lekehdgp.exe
4844	Ligqhc32.exe
2972	Llemdo32.exe
5088	Lpqiemge.exe
1968	Ldleel32.exe
4628	Lboeaifi.exe
1252	Lenamdem.exe
1520	Liimncmf.exe
4332	Lmdina32.exe
4716	Llgjjnlj.exe
4268	Ldoaklml.exe
5056	Lbabgh32.exe
4184	Lgmngglp.exe
4440	Lepncd32.exe
2728	Lmgfda32.exe
748	Lljfpnjg.exe
2780	Lpebpm32.exe
1444	Lbdolh32.exe
4028	Lgokmgjm.exe
3224	Lingibiq.exe
2340	Lmiciaaj.exe
4416	Lphoelqn.exe
3708	Mdckfk32.exe
3788	Mgagbf32.exe
2276	Medgncoe.exe
8	Mmlpoqpg.exe
2232	Mlopkm32.exe
4472	Mdehlk32.exe
5052	Mgddhf32.exe
4944	Megdccmb.exe
4724	Mmnldp32.exe
4912	Mplhql32.exe
2044	Mckemg32.exe
3208	Meiaib32.exe
4520	Mmpijp32.exe
2864	Mlcifmbl.exe
4008	Mdjagjco.exe
1516	Mgimcebb.exe
5096	Mlefklpj.exe
1612	Mpablkhc.exe
2152	Mcpnhfhf.exe
4460	Menjdbgj.exe
452	Miifeq32.exe
5012	Mlhbal32.exe
3784	Ncbknfed.exe
920	Ngmgne32.exe
4264	Nngokoej.exe
1088	Nljofl32.exe
5092	Ndaggimg.exe
3876	Ngpccdlj.exe
4480	Njnpppkn.exe
3564	Nnjlpo32.exe
5144	Nphhmj32.exe
5180	Ncfdie32.exe
5224	Njqmepik.exe
5264	Nloiakho.exe
5304	Ndfqbhia.exe
5344	Ncianepl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	a45c533a9194d69a289c34b1d34c3b10N.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	a45c533a9194d69a289c34b1d34c3b10N.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6296	6276	WerFault.exe	283

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 4908	2648	a45c533a9194d69a289c34b1d34c3b10N.exe	84
PID 2648 wrote to memory of 4908	2648	a45c533a9194d69a289c34b1d34c3b10N.exe	84
PID 2648 wrote to memory of 4908	2648	a45c533a9194d69a289c34b1d34c3b10N.exe	84
PID 4908 wrote to memory of 1384	4908	Kmncnb32.exe	85
PID 4908 wrote to memory of 1384	4908	Kmncnb32.exe	85
PID 4908 wrote to memory of 1384	4908	Kmncnb32.exe	85
PID 1384 wrote to memory of 4660	1384	Leihbeib.exe	86
PID 1384 wrote to memory of 4660	1384	Leihbeib.exe	86
PID 1384 wrote to memory of 4660	1384	Leihbeib.exe	86
PID 4660 wrote to memory of 3824	4660	Lmppcbjd.exe	87
PID 4660 wrote to memory of 3824	4660	Lmppcbjd.exe	87
PID 4660 wrote to memory of 3824	4660	Lmppcbjd.exe	87
PID 3824 wrote to memory of 3532	3824	Lpnlpnih.exe	88
PID 3824 wrote to memory of 3532	3824	Lpnlpnih.exe	88
PID 3824 wrote to memory of 3532	3824	Lpnlpnih.exe	88
PID 3532 wrote to memory of 2504	3532	Ldjhpl32.exe	89
PID 3532 wrote to memory of 2504	3532	Ldjhpl32.exe	89
PID 3532 wrote to memory of 2504	3532	Ldjhpl32.exe	89
PID 2504 wrote to memory of 4636	2504	Lfhdlh32.exe	90
PID 2504 wrote to memory of 4636	2504	Lfhdlh32.exe	90
PID 2504 wrote to memory of 4636	2504	Lfhdlh32.exe	90
PID 4636 wrote to memory of 4844	4636	Lekehdgp.exe	91
PID 4636 wrote to memory of 4844	4636	Lekehdgp.exe	91
PID 4636 wrote to memory of 4844	4636	Lekehdgp.exe	91
PID 4844 wrote to memory of 2972	4844	Ligqhc32.exe	92
PID 4844 wrote to memory of 2972	4844	Ligqhc32.exe	92
PID 4844 wrote to memory of 2972	4844	Ligqhc32.exe	92
PID 2972 wrote to memory of 5088	2972	Llemdo32.exe	93
PID 2972 wrote to memory of 5088	2972	Llemdo32.exe	93
PID 2972 wrote to memory of 5088	2972	Llemdo32.exe	93
PID 5088 wrote to memory of 1968	5088	Lpqiemge.exe	94
PID 5088 wrote to memory of 1968	5088	Lpqiemge.exe	94
PID 5088 wrote to memory of 1968	5088	Lpqiemge.exe	94
PID 1968 wrote to memory of 4628	1968	Ldleel32.exe	95
PID 1968 wrote to memory of 4628	1968	Ldleel32.exe	95
PID 1968 wrote to memory of 4628	1968	Ldleel32.exe	95
PID 4628 wrote to memory of 1252	4628	Lboeaifi.exe	96
PID 4628 wrote to memory of 1252	4628	Lboeaifi.exe	96
PID 4628 wrote to memory of 1252	4628	Lboeaifi.exe	96
PID 1252 wrote to memory of 1520	1252	Lenamdem.exe	97
PID 1252 wrote to memory of 1520	1252	Lenamdem.exe	97
PID 1252 wrote to memory of 1520	1252	Lenamdem.exe	97
PID 1520 wrote to memory of 4332	1520	Liimncmf.exe	98
PID 1520 wrote to memory of 4332	1520	Liimncmf.exe	98
PID 1520 wrote to memory of 4332	1520	Liimncmf.exe	98
PID 4332 wrote to memory of 4716	4332	Lmdina32.exe	99
PID 4332 wrote to memory of 4716	4332	Lmdina32.exe	99
PID 4332 wrote to memory of 4716	4332	Lmdina32.exe	99
PID 4716 wrote to memory of 4268	4716	Llgjjnlj.exe	100
PID 4716 wrote to memory of 4268	4716	Llgjjnlj.exe	100
PID 4716 wrote to memory of 4268	4716	Llgjjnlj.exe	100
PID 4268 wrote to memory of 5056	4268	Ldoaklml.exe	101
PID 4268 wrote to memory of 5056	4268	Ldoaklml.exe	101
PID 4268 wrote to memory of 5056	4268	Ldoaklml.exe	101
PID 5056 wrote to memory of 4184	5056	Lbabgh32.exe	102
PID 5056 wrote to memory of 4184	5056	Lbabgh32.exe	102
PID 5056 wrote to memory of 4184	5056	Lbabgh32.exe	102
PID 4184 wrote to memory of 4440	4184	Lgmngglp.exe	103
PID 4184 wrote to memory of 4440	4184	Lgmngglp.exe	103
PID 4184 wrote to memory of 4440	4184	Lgmngglp.exe	103
PID 4440 wrote to memory of 2728	4440	Lepncd32.exe	104
PID 4440 wrote to memory of 2728	4440	Lepncd32.exe	104
PID 4440 wrote to memory of 2728	4440	Lepncd32.exe	104
PID 2728 wrote to memory of 748	2728	Lmgfda32.exe	105

C:\Users\Admin\AppData\Local\Temp\a45c533a9194d69a289c34b1d34c3b10N.exe
"C:\Users\Admin\AppData\Local\Temp\a45c533a9194d69a289c34b1d34c3b10N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Kmncnb32.exe
  C:\Windows\system32\Kmncnb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Leihbeib.exe
    C:\Windows\system32\Leihbeib.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\SysWOW64\Lmppcbjd.exe
      C:\Windows\system32\Lmppcbjd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        24⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        25⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        28⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        31⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        34⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        40⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        50⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        56⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5224
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        63⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        68⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        70⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        72⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        73⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        75⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        82⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        83⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        86⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        87⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1380
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        91⤵
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        93⤵
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        98⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        101⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        102⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        103⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        104⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        106⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        108⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        109⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        112⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        114⤵
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        117⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        118⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        119⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        120⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        121⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        123⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        125⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1736
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        127⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        128⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        133⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1092
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        137⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        139⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        142⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1500
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        144⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        147⤵
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        151⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        153⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        157⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        158⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        161⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6428
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        164⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        165⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6588
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        170⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        171⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        174⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        175⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        179⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        181⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        182⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        184⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6372
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        188⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        189⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        190⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        194⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:7160
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        197⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        198⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 228
        199⤵
        Program crash
        
        PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6276 -ip 6276
1⤵
PID:6448

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:7000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
448KB

MD5
4102722a488a9fdc2515745d2bcaa1bc

SHA1
4a48a61df135cd228edfb81c4903e2e79636fb09

SHA256
9a8f3a5ce84b9cad0bdf8c7d468df58d537e3b093fc428790b67901869e5d2aa

SHA512
2e5f0680f0bc2e584f801c989d1491ca2440effdd60005960af2bdd1df6e0c51984916db623853721f80e0c88730bab0d423c5a2031df915e68539d965d5e5a0

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
448KB

MD5
f3fd0a6e8ca907762485bb39f3199176

SHA1
17894baccb125b011fa05a27abbb0b931f1cfe37

SHA256
cb58e6907cface5ceeda4a633e216f5caf8014d541c40f3dd63e1491254f3c69

SHA512
3d9e00e352ea6413fe39e9177e713d481fb3b3405ff068b702b908a4b7d828fe03959943909b20956b3ef3993c08acd127965f8735fd28836f06e2e59f9a5c22

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
448KB

MD5
ca0a2fe11c7651c593fc78fc3baa5f94

SHA1
81d76e3679e491bba2e64c4d97c77da27b96cabb

SHA256
e93b82015b4c59f0c49863ca6d5a04f5b556302c381bc62e550ed5a94dedbc72

SHA512
948f6e005e7cd92f6ba606d1cac2ae326a47d44dd3903407ebf64af2e3bb9cdb04ab5772ff6e137507ae97ec70ea39420e18d838a9d96ff863c4ddc44b58006e

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
448KB

MD5
a5942bb352043d50c40c36f03055753a

SHA1
ff9730a035f2bf516586b55b7207150da703097b

SHA256
b36ec42353477a6a0fedb6cb9eb590059dfd2815ddd83d672546c9078d59cd4b

SHA512
dbf23360091cc10becec8d32a447a8750e32fd63b19dc3bc2d60d8044974caf8f0f0342c5c3c3489728381adba1c3148b963ff9b5176b000fc19e8b935999a16

Download Submit
C:\Windows\SysWOW64\Jlineehd.dll

Filesize
7KB

MD5
9e853aab904d19d5d4eb8e3628accb80

SHA1
e3c50341e6fc849d31289c999ce50ea48ae42d3e

SHA256
0cf748350eab83f44d92fd829335122116e622aca7b2a0eabe5507a1b1cc87b9

SHA512
979f1d340982fb533a8265ca93478d7a5c3e63a613745413a2382956419493bc2be7f7daf9023f162f9db71279d1f68fbfa15ad27c2cbfea7458a8ebfdbf58b8

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
448KB

MD5
9b436b8591e1a89a9bff2ef9f53bd57e

SHA1
2b32700518d875d964db2bef6a1b4836e119f48b

SHA256
0250685153394c73d72809a5546526387094537723c5c6a17248c9b316e30990

SHA512
0f4472162661dae1db5a5af5a243432b62bef9bb05b94591f620e01d2457252ff7870d4c8dbb3ad9a52a7844a05e99441be10c2bc3463432956ec3f4c99dbdb9

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
448KB

MD5
67f85b8ebc4f8de20879f7ff37ed5c24

SHA1
ead6feffcc476d46e7a2fbcdbcfacc89bcf18459

SHA256
72b5059ef040602749d0e13e67acb978c5f65f9f75765e1f9c01f2cda46e6d00

SHA512
1520df8bfb1a72ad066649617a01f99f6b7648e1b3b0cefe72607482d87d175c79e3ca64ed3d15cf3ed0475a56528c99e33e3bb43ea6cae19204d9a1e49098d0

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
448KB

MD5
cc9288411b7f0aa09339b9b2c76ce50c

SHA1
ec096ed1ab9d83066e9afb124883a6790cf019c1

SHA256
44e551d4a41c1347500704c87bf2e6429c8d9e82431f1844607d4eebfc9a9a21

SHA512
34c0275045f4d742c19930580c99701fe2c672c83af37e977444df55966c9f64ee6eb6d117d9e04675f4070a7cf75be6b1ecfe76908281dd5d7276cbb76f7124

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
448KB

MD5
04ccf07a68240f162fb497645cb153d1

SHA1
07242b95383a843ab95e578b9530ca7627fe81a6

SHA256
264601625911d3dd5d228796187c7e703abf231f175f5d6370feb2459dc831da

SHA512
7c574ede15b4d8433542a12f3e8b3ccb3df776cbf7b4301a2fe66151dbb80525a1c6e9687a697ab6a624224f5e624c131690f3b5f2178f796b5aff1be328f832

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
448KB

MD5
cfac6695be2a035ccab94eac9c95efe3

SHA1
5f5f7b5e00fb88911b487bfa30ebe8b282a907bb

SHA256
c7d2c9c6664a9332d7632d738eb3bcca3e1b6df228d4a0cd84be8221850f2710

SHA512
03a41b1f7924e76bdf49f93f780b9d9531bab3fdcb7d058ba49f572f7f456901725f224bb67697683985bd7bb98179e3baca2c932dd21bfecf4b1401228b3d45

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
448KB

MD5
a276b74fcc329555ca18f3bbbe3ec7dd

SHA1
cde0ed4cee47afaf0e7b641eba84ec1c670b3639

SHA256
9a5d3da67a62f9a4fc16c91c67abc4e3996bc3a85eaf2e33187afe7a5e24331b

SHA512
afaf2075b6eeaaf57428b608412dacb516dbb3473158739d0a998b401075da9f89d085806df6ff92999dac1d12b0e6826d9da77f10e8f0586b3ee7dc69c82aa2

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
448KB

MD5
75712e86241f00ae62c897427c8f4f23

SHA1
2d22038e364ec2c86b5c7a5e91de6b3a74f69937

SHA256
45c820a8089667579a21319e1a69048cbac95f669ddd212c90877a4574c6d1b3

SHA512
14c334fb47192615fe7b0d9a756e1274dce23f1aa9e7cc8cfe738a55ffc9ea7ea114db22f2e604eb1b71441f468a8dc17843149d2ea8d9822ba894c6f2bc0444

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
448KB

MD5
ec704b3482acd9440fec3c3e1018439e

SHA1
5eb6712dcfcd183869dcb3699ddd3ccd4246dd5f

SHA256
66c4340292ea304dd8f7dcf157397d58dce8853b88474a003b527e4b52eb0518

SHA512
4f481ef315c9b67e6258f6af6c76543db286b38770a8a132d401da6a603b44f45d6132944f27c5f4ee37a5ee4a6ef115d4caeeada50fac4b841cf3837e238eb2

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
448KB

MD5
10680ed15817dcee5ecd8b2a0994fafc

SHA1
39e590ee196b8e2a5963ddb2cda9e2fe1c0f8748

SHA256
d1c88996147f71bbe4c6aae1b06da156cd2b50354e7c0798ed18a57e264a890f

SHA512
ec82aba2ee39f7135da0c1c3e21cde1d6a5b855a483b142948ef914ba5071e6281d8325b93e855b1f9db70000742f4cbed16f6dac48f1cd00d59afa0e71f5b24

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
448KB

MD5
2a05ac4228e4c2d8a04dc9131a5f03e8

SHA1
3c77fdb03bd9815e9a1bbce6baf116aed4a5ab35

SHA256
3c19ba66ecd8705d3828c3359ca35379e01a8f49776367ef839371f72e7f898a

SHA512
8ee085eae5aab5fd8931b2c46947610eefa5d9b2b36a9a5c8cafdbba27cc6ac4f48580e300fed415ac811dc196e8008a3dae3d9b36fe9d262da45bd59ca948c7

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
448KB

MD5
b3cea0047728ed7a173dd5a8f4e5c6e4

SHA1
dd271ab2a59b52d8e48a5eb8193689c547c0b529

SHA256
13edda16fabbf3f2a468f6764760925229a5f43fd469116edbc2ced6cbe189fd

SHA512
90655228c67388bf5f83eef1c85ea2c2d075842419dd3782a7aaec7ad76110387daec4551ab5d6ff82f88fde07cd1741080457a6351f66dbbdd697af07356d50

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
448KB

MD5
e1478b646d00059e9291bd9436e62bf0

SHA1
82a0710aee84b8383ef9f24260fa2885c7c4db7e

SHA256
134a427f0168bc85d1181fde8301d21489e37eb7f549a61c93f970a1a2bc7fc0

SHA512
7065c2d1ae4f77e2fb01ad67befffd3e859e52d6ad7819385954175738836674a4822045691330b807a4d7517a210e4bddf94ea5b58a0517dcce779e4b59abd1

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
448KB

MD5
0bcba5caba4594ab4c608fd01e7ca4ad

SHA1
61540ebe1a3919829f2e3caa2b4988a4bb5c016f

SHA256
e7960e1704a3f1bc2068949aa8d790a7880b0a1930e1de0e425c743ee08d45ff

SHA512
31b8eef96071263f0c8f1fe4d0dff06d6577b10e308d12392e7b66f9733c52e87c83abd432304c1220365336ab27e2f02554a316e8bd3e53064989e4eae519eb

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
448KB

MD5
c386c524d4b79d3f4138898d3b0a595e

SHA1
dea21bbde3f54efc81c6f34935bf0aacfc5537fc

SHA256
71db7b1f6ad3bf7696a95b4d3bf46a33ddf7adbe9e608569bc2fa15f5337d848

SHA512
fb0bffa1f53f254cbc9d67cdd9543b6cf93d1cad865dc73b22089aced98c47017b84a490d3fc425fa853c109de451388719ed070e2a1f5b19e1186da8f200fd9

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
448KB

MD5
841b72f3f38df4e0a38a8c68e0f18f69

SHA1
a1330331dbb27c4ac1552c08c82f4cc3fe9a1c69

SHA256
5435bb73e1ba3438a135444f92ad27fbc65979221771d6b5edf6178d7c400e6b

SHA512
8c53e292b9d3d2d2623fef11730754229eb3b52b1d5543b145b2183b8084666d3b62478e3f1e0ca8e6d406b2e3bc7d14684103628ac63c867e738c76a5228a3d

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
448KB

MD5
dfe54f9b72933462e115f803539382d4

SHA1
e1e1f8f5a0b1c23f784142ae05881a46f30b29ed

SHA256
6dd71d579e8a8fb5e42fc9adeb912e5fcc322fa853491c122bfb7fb8ad795f3a

SHA512
b34fdb7bbdd589d61248d8e5929ce1e6d89ff89744cd101853dc725cabb401251693aad5817989a576ca8ea654bd337b30a76d52be2d209bada0537ac6d4b7e5

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
448KB

MD5
b66641e4d198ffac773dac6c02ab1d2d

SHA1
ec1e2cd058518f48efa169d19d4d8f95e94bc5be

SHA256
17a08759f28e4adf8ba74e754c249c5a54fc54626def154833262a82c33ec5f5

SHA512
eabe235899fd8ceefe4a3b3067c8d8006f5f1b6fc9a9fe2cdf64d5f408523ef5086e282454d8a568ee78f94e44a82fac15b4e6fd9a5b4e2daf89eeb9e7f26672

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
448KB

MD5
c344b7235e1bdc829389f7f2916ddf71

SHA1
5e8e9d44e4b9e30893322ec1b094a02a91b953a7

SHA256
a5fc87177d4706e90b7500619358a37fe42f5a7183b70be7d7ab7efe767261ef

SHA512
e65d735bda4f88821a9395e7f82c684e1ded13db6daf8ac7dbca54137ea2f4c0afb4bd421f35f27116bd4f84cf9e08c9a5544f7704d2c1b32512b2f54c2bbbbf

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
448KB

MD5
9a52ae54963fdfae959d9b9581fb66aa

SHA1
7c9e4733fa9b99ea11c6dd785df0527f71619037

SHA256
84ad23cb7cb14bf405208b2c2cfd99eea20ccfe635f65bdbd1e4fec2fc43a62b

SHA512
7f7bb8a5abe090b3c0640f0aabc22d38c79b70fb5e3eb6359dcee2b4a84f27c98462afb5ba8ae4da5529759198f0b8c75d0fb3f5ef2376145085a86de7085266

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
448KB

MD5
5658975bd2392e795dd885fd73e66407

SHA1
70de07432899b427cdb29c33b6ee3c5dac1107bd

SHA256
5e56708171ed8baf011d4d028faa195d8537f674afc3e8378e7547b817a0d939

SHA512
c3edd8fe48b5162725d309e2f338ca448661e64dd8497121a5f2d697e648f524418bde7d3b3ed19ba775b8a6ffa274021efaa74f3d5b2f3942bee9251192d18b

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
448KB

MD5
eff81c33207fe47161965e07088fe9f5

SHA1
af48f72c65e912ae38bb3d1e533e294d8c3d5ad2

SHA256
b608e4cb5eaa15555b83ebd712c2a77076a5523091408540429cbb6186fbf87e

SHA512
75c305c3fdb95f9acf8aefa14e24138de99e83f6014b15914f3d77aea441d648591558bed5f3671107354982f1011c665315adecce41c909e052a1383cb946b6

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
448KB

MD5
457daaf710e8873799ad1d74cfeb5d86

SHA1
f74c0acc926f1762be1bea8f8c8ef6438751201a

SHA256
558a34faa2971270d4f36296234fb4970b9b04024d7de3702943d61f03fb62e3

SHA512
553554ec3cc66e618f724b42bc8f052dd17e87a46c851994ee6cea6e3a821285d518fd0c7e7c5f8e71722ec8ccf044a98770be57df3bf536ca7d038899e2ab4f

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
448KB

MD5
073fa495ae87f4d7bbd53aa32f4b87a8

SHA1
3c0ead4c058036c17942c247549f16050fcf6047

SHA256
2d91cdf6123fe45183083d045a54cb81f2b971a3ce1ff1aa6d67791d1599d182

SHA512
b71c67c42afdb0da3ad62ac7df631f1b528bfd0631a5d427d2d4b07ac8eaee31f361c222c0fc2e9efdb3abc1e227f9bde2a6a64bfb5d4bdcc0e0a0783a890796

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
448KB

MD5
fa6af1c5172d31f3799ca646acbe14fb

SHA1
c2049310cc250bcb801061756e031b935a5ff7cf

SHA256
bbc020e9d9a3423cc835543f5744b215117f40c84891b3f35d0002fb03d62437

SHA512
c6aca4c3290cea632b3f906f7b6a9c3160da3608844362947e12d4bbab19774664a0d2e6483cce9514da42cebaa19d2c78caeaec0be2e952075293f2d15ebf06

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
448KB

MD5
13a50f613b5461e58fa4683086cb8798

SHA1
7fa8606564859399403cdf152b52190d179e2b61

SHA256
4fd532359836431f46c7730af9d61dade7c1675b06d4cabb57dc5c9ed0a3cdd3

SHA512
539e199a1733e5cb7f208031c4b33b866a1ddf98c10582da6e6933bbc7f0e8c134ecee51c2023574523126f6e27e908724f6ace2b2740293c80797258b2f3f80

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
448KB

MD5
e7bef081fc1a01d337ecddec4dc81b46

SHA1
50d3094782f7357ff796611503df8163598eab11

SHA256
3d19fed27c89d00170b4a24ae95c8702ce05a817c6fa0205f260d70c2633fe3c

SHA512
e221f056c64793b52339e2ef1e32a16e672aba38e50a2162f7aabfda876fe78c89cafccbb23145eecbfd6351f8ed8054a3412a07a2b3de531ae32f96e1bcd7c2

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
448KB

MD5
a709fc773bf9f3f1fe4698b904e08864

SHA1
8a7e967ee5d15d6c603eef8d509c901d9a25b0b4

SHA256
eab674d236f27899f0c4d6d90066d1f9a8f21ab4c29b1dde433d2ecfe257fe5f

SHA512
dbe9809b878e08645115ea63c3bb27d75abff7a0c12240b9f96cdb7764d9e25ce527fceb5d2f54820ab99a231e0b1a8fa65c0af5677a694b1ffee2ae478ef25f

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
448KB

MD5
5342781b583aeb3103856844ce41905a

SHA1
7d0f4eede53baa786bd82ecc276ee2aa969497e8

SHA256
c1a0f0f43b37db6e4dd113d367fe5b4413a6168a75c637edef731904bf763592

SHA512
6fe711db0a88ebb4d9f7ffb69816c6ad8cb140a0618460575c74a61f1fcb20f5cf2c850ce4904f9fd052f779a1f021b70c0ba39d130ab0c689eeee8e94fb812d

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
448KB

MD5
6d9b001c697c00aa65bf66c55a51818e

SHA1
7ed9e39d97e48c0c82a7580a71f6ebe7e72a3223

SHA256
05b6367226c4c59c4adc98ddd91b3a4f736d0fc05e43270ea67b03586246bfbb

SHA512
7945be4bab107d4af55b301fabd9a7bb650403968e753369de87b66d5a47f3c34ec9556975cf07efeb03914dbf2255fb9449d26c46b5d7b8c526c332e37e360c

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
448KB

MD5
87e1d2e258488a2e56cec506bc84adc9

SHA1
95d03b92835446ca4a8f5fe9366acc36b57766dc

SHA256
f376f1f1d528d1af55f5ff2a8c657a7bcf59fd4430fc69472424b54407413944

SHA512
30846abf72c35efd204d29487d5cc2f5bc0eb004c4606888a27e5f5ea9462d1f290f0c0c616f2c923305dc300411f096a9f4c121991c00ca29257d71ccfa0956

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
448KB

MD5
b7f5e29893e6cd000f032b06a3b2bc76

SHA1
461580bd426ba810e39bfcddc2274eb3abd4caa6

SHA256
e03ccae517df9dfbf5b19bf27638a2048fa24f0ffce1b29afc6a74c3d4993b12

SHA512
315623749cf75db9aad1e85049e6119ca488b38ecf92e64494448521d55ee382271ef3fa18044180b5e5f1d93e20ecaf367f490880a2f42c2fffe853fe5eb3a1

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
448KB

MD5
5c2528af3fb92a806647e4811245c67c

SHA1
90522a23503fa84de98491c69f9e3bcce691c863

SHA256
5b80cdcaed5e569d11bf4f1c46ca0c2c369ea912241dc3dbca6478bbf54182de

SHA512
4a74ed2e0e850a649ac0065d32e72867c1ef466d26548a34bb10993a3f606ea3b6c0b3070b5e91388cd4e4c8a97b4948166fcfe2de8cb31486d9a482bab79b57

Download Submit
memory/8-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-617-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/748-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1252-109-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1276-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1520-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1612-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1968-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2044-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2152-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2276-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2728-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3208-309-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3224-213-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-611-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3532-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3564-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-605-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3784-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3788-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3824-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-623-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3932-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4028-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4184-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4440-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4960-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5092-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5144-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5176-629-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5180-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5224-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5264-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5304-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5344-453-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5384-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5424-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5464-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5504-477-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5544-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5584-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5624-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5664-501-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5704-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5744-513-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5784-519-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5824-525-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5864-531-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5904-537-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5944-543-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5984-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6028-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6068-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6112-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads