046f8885218462efdc43747615d4f985ec84d2862ffd5a0fd370174e2541179e

Analysis

max time kernel
105s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b2fda6aa74d9d820dd0e30ca254270N.exe
Size

100KB
MD5

09b2fda6aa74d9d820dd0e30ca254270
SHA1

bf2687743330d7a8de2ec01626ea9085cecbde01
SHA256

046f8885218462efdc43747615d4f985ec84d2862ffd5a0fd370174e2541179e
SHA512

f79361445844058207f901ac8f7ae0a27a6e22c01c9450f44a694bb537e93825472ab2e4fcfc09ab3f0515bd0f81e947c82dcacf1e8d6d919713df88edaf0595
SSDEEP

3072:fBU3wNltn7aGQIn28hXXXqmEgb3a3+X13XRzT:fBdP7Dvn2SXXXqmB7aOl3BzT

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe

Executes dropped EXE 64 IoCs

pid	Process
884	Lenamdem.exe
4528	Lmdina32.exe
3636	Ldoaklml.exe
4496	Lepncd32.exe
444	Lljfpnjg.exe
5016	Lbdolh32.exe
2776	Lebkhc32.exe
2224	Lllcen32.exe
1888	Mdckfk32.exe
4776	Mgagbf32.exe
1340	Mmlpoqpg.exe
3220	Mpjlklok.exe
1008	Mgddhf32.exe
2576	Mmnldp32.exe
3108	Mplhql32.exe
1952	Mgfqmfde.exe
1332	Mmpijp32.exe
4772	Mdjagjco.exe
3712	Melnob32.exe
4500	Mlefklpj.exe
4836	Mcpnhfhf.exe
1876	Menjdbgj.exe
2200	Mnebeogl.exe
2068	Ndokbi32.exe
452	Nepgjaeg.exe
3160	Nngokoej.exe
820	Ndaggimg.exe
4732	Ngpccdlj.exe
4468	Nebdoa32.exe
1060	Njnpppkn.exe
1576	Nlmllkja.exe
816	Ncfdie32.exe
5104	Njqmepik.exe
3720	Nloiakho.exe
4192	Npjebj32.exe
3316	Ncianepl.exe
1376	Nfgmjqop.exe
4312	Nnneknob.exe
5004	Npmagine.exe
460	Nckndeni.exe
3812	Njefqo32.exe
4388	Olcbmj32.exe
988	Odkjng32.exe
3632	Ogifjcdp.exe
4856	Ojgbfocc.exe
1228	Olfobjbg.exe
2804	Odmgcgbi.exe
4024	Ogkcpbam.exe
3340	Ojjolnaq.exe
2404	Oneklm32.exe
4412	Odocigqg.exe
4472	Ofqpqo32.exe
1680	Ojllan32.exe
2936	Olkhmi32.exe
4456	Odapnf32.exe
5100	Ofcmfodb.exe
100	Onjegled.exe
4088	Oqhacgdh.exe
4384	Ocgmpccl.exe
1572	Ofeilobp.exe
4172	Pnlaml32.exe
2536	Pdfjifjo.exe
3688	Pfhfan32.exe
728	Pjcbbmif.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ahioknai.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6952	6864	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 884	4048	09b2fda6aa74d9d820dd0e30ca254270N.exe	84
PID 4048 wrote to memory of 884	4048	09b2fda6aa74d9d820dd0e30ca254270N.exe	84
PID 4048 wrote to memory of 884	4048	09b2fda6aa74d9d820dd0e30ca254270N.exe	84
PID 884 wrote to memory of 4528	884	Lenamdem.exe	85
PID 884 wrote to memory of 4528	884	Lenamdem.exe	85
PID 884 wrote to memory of 4528	884	Lenamdem.exe	85
PID 4528 wrote to memory of 3636	4528	Lmdina32.exe	86
PID 4528 wrote to memory of 3636	4528	Lmdina32.exe	86
PID 4528 wrote to memory of 3636	4528	Lmdina32.exe	86
PID 3636 wrote to memory of 4496	3636	Ldoaklml.exe	87
PID 3636 wrote to memory of 4496	3636	Ldoaklml.exe	87
PID 3636 wrote to memory of 4496	3636	Ldoaklml.exe	87
PID 4496 wrote to memory of 444	4496	Lepncd32.exe	88
PID 4496 wrote to memory of 444	4496	Lepncd32.exe	88
PID 4496 wrote to memory of 444	4496	Lepncd32.exe	88
PID 444 wrote to memory of 5016	444	Lljfpnjg.exe	89
PID 444 wrote to memory of 5016	444	Lljfpnjg.exe	89
PID 444 wrote to memory of 5016	444	Lljfpnjg.exe	89
PID 5016 wrote to memory of 2776	5016	Lbdolh32.exe	90
PID 5016 wrote to memory of 2776	5016	Lbdolh32.exe	90
PID 5016 wrote to memory of 2776	5016	Lbdolh32.exe	90
PID 2776 wrote to memory of 2224	2776	Lebkhc32.exe	91
PID 2776 wrote to memory of 2224	2776	Lebkhc32.exe	91
PID 2776 wrote to memory of 2224	2776	Lebkhc32.exe	91
PID 2224 wrote to memory of 1888	2224	Lllcen32.exe	92
PID 2224 wrote to memory of 1888	2224	Lllcen32.exe	92
PID 2224 wrote to memory of 1888	2224	Lllcen32.exe	92
PID 1888 wrote to memory of 4776	1888	Mdckfk32.exe	93
PID 1888 wrote to memory of 4776	1888	Mdckfk32.exe	93
PID 1888 wrote to memory of 4776	1888	Mdckfk32.exe	93
PID 4776 wrote to memory of 1340	4776	Mgagbf32.exe	94
PID 4776 wrote to memory of 1340	4776	Mgagbf32.exe	94
PID 4776 wrote to memory of 1340	4776	Mgagbf32.exe	94
PID 1340 wrote to memory of 3220	1340	Mmlpoqpg.exe	95
PID 1340 wrote to memory of 3220	1340	Mmlpoqpg.exe	95
PID 1340 wrote to memory of 3220	1340	Mmlpoqpg.exe	95
PID 3220 wrote to memory of 1008	3220	Mpjlklok.exe	97
PID 3220 wrote to memory of 1008	3220	Mpjlklok.exe	97
PID 3220 wrote to memory of 1008	3220	Mpjlklok.exe	97
PID 1008 wrote to memory of 2576	1008	Mgddhf32.exe	98
PID 1008 wrote to memory of 2576	1008	Mgddhf32.exe	98
PID 1008 wrote to memory of 2576	1008	Mgddhf32.exe	98
PID 2576 wrote to memory of 3108	2576	Mmnldp32.exe	99
PID 2576 wrote to memory of 3108	2576	Mmnldp32.exe	99
PID 2576 wrote to memory of 3108	2576	Mmnldp32.exe	99
PID 3108 wrote to memory of 1952	3108	Mplhql32.exe	100
PID 3108 wrote to memory of 1952	3108	Mplhql32.exe	100
PID 3108 wrote to memory of 1952	3108	Mplhql32.exe	100
PID 1952 wrote to memory of 1332	1952	Mgfqmfde.exe	101
PID 1952 wrote to memory of 1332	1952	Mgfqmfde.exe	101
PID 1952 wrote to memory of 1332	1952	Mgfqmfde.exe	101
PID 1332 wrote to memory of 4772	1332	Mmpijp32.exe	103
PID 1332 wrote to memory of 4772	1332	Mmpijp32.exe	103
PID 1332 wrote to memory of 4772	1332	Mmpijp32.exe	103
PID 4772 wrote to memory of 3712	4772	Mdjagjco.exe	104
PID 4772 wrote to memory of 3712	4772	Mdjagjco.exe	104
PID 4772 wrote to memory of 3712	4772	Mdjagjco.exe	104
PID 3712 wrote to memory of 4500	3712	Melnob32.exe	105
PID 3712 wrote to memory of 4500	3712	Melnob32.exe	105
PID 3712 wrote to memory of 4500	3712	Melnob32.exe	105
PID 4500 wrote to memory of 4836	4500	Mlefklpj.exe	106
PID 4500 wrote to memory of 4836	4500	Mlefklpj.exe	106
PID 4500 wrote to memory of 4836	4500	Mlefklpj.exe	106
PID 4836 wrote to memory of 1876	4836	Mcpnhfhf.exe	107

C:\Users\Admin\AppData\Local\Temp\09b2fda6aa74d9d820dd0e30ca254270N.exe
"C:\Users\Admin\AppData\Local\Temp\09b2fda6aa74d9d820dd0e30ca254270N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\Lenamdem.exe
  C:\Windows\system32\Lenamdem.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\Lmdina32.exe
    C:\Windows\system32\Lmdina32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\Ldoaklml.exe
      C:\Windows\system32\Ldoaklml.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        27⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        34⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        35⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        54⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        56⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1096
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        69⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        73⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        77⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        78⤵
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        79⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        80⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        81⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        84⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3816
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        86⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        88⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        91⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        92⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        95⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        97⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        98⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        99⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        100⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        105⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        106⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        112⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        113⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        120⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        124⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        126⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        131⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        132⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        136⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        141⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        145⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6168
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        147⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        148⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        149⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        153⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6684
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        159⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6864 -s 416
        162⤵
        Program crash
        
        PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6864 -ip 6864
1⤵
PID:6932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
100KB

MD5
cbb86d9c6e161c948a283c06d752e638

SHA1
bcd67ecf5ea81ae311c1ed6c8513295bbca24c33

SHA256
18231fbcc203cc6d2876b241520a98d8732db0e9b866b7852eb1c5e88b27b221

SHA512
c80db0834974423630634963e37d00e7f662a2fad7a5343c95c52c7ba5d2b2ee0ae0e0f2670a203c77705d6f6e101d40804a4af92747cf6ea3c4ac661e3f752c

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
100KB

MD5
ed16627797f570af312dc63cf559d290

SHA1
101a4fc3b44bc54bb43627fdcae578d6d4a1ec11

SHA256
54e9c03053e2df32c1d7cc5998753708d28248b0dd8a1ad7e5798517005af332

SHA512
f37ba0a688e6c9f735c3bab89ab7d8bb0a5e657480b606ed4edbcf306e59b68a4f56a9e6fab84c5e06c4950bf4bee1cae4016df262cc10f10a7fde04aa7f9da9

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
100KB

MD5
7be14edc13e93156603b10fd03ff843f

SHA1
fd76c7915a1479d7913843fdc5daa5d297ea7fbb

SHA256
15c17af7d711582eb3aa7c343ea12f240ceeb08f4d8d0cf1a6ac9288d87407d8

SHA512
55e002b7a199be3b61dcbc4ddbf00b8b85893c10758d5e5ad8bbf56d81ec6a571adda1fc45414976a5712d95762bbc2829296726fd3b956a5d4263f2787d5bfa

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
100KB

MD5
c7cc9e12d823291402ba0af4171c3b90

SHA1
7cf0ed1e3003d98ef9c14fe1fbc99c9db7c377b6

SHA256
1a864a543d51a5a6f90922b22fa8498f32648eee44ea84c93b029a74348e9026

SHA512
d4fc028b5cef9db85168f7388791e8005b989b025134fffc1037920c5c243193ab5e6b54e42220144e00f6ee6664360d5652d165894877c6925289c27d246ba1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
100KB

MD5
c7998df7f7afb6d890595702724c36a1

SHA1
f6cc90d67f1063514a62262e37ccdd29b2d37914

SHA256
87c42aded217b0ec9a4ebf55a9a931a4e2c0586d53dd992cd9ca78e8361f8194

SHA512
bee5ff0f51fe6d96ca878e01a0c82c318b9ba6b6b0511f9febff3c6c17650e2aacfe2e429f0959b527d7fd18cfe81770822277496c9bbea956aec888acfccc2b

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
100KB

MD5
1f276de40b4253a458ae44815aced584

SHA1
2494c694aed90c24692712466da9e655a937fe88

SHA256
9a2a6ad2946723e7e69d1dc0a8f2eca16aecfc0838dbc3c2ae277ceca93d6440

SHA512
218ab23cbbc969a12260fd7f17f90742ca1d83502c2c6f638f23349d94cda7ead0d12017eb232d09cd3c08cf8047aeea2b801cb37417eb56def2da662e23c4e9

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
100KB

MD5
bcb4c42ff7e4bf39d07d63b43c5c5d96

SHA1
2cb6a4ab662718f895bff80385bdea69a6e8c23e

SHA256
9da59d0da856f9718ab6967682f61b8b03b28c2a2a2312531c735aab21fa62d2

SHA512
2c8a1db9b9de32d8291903b701bf300f72c93a7c01a51e18c0c0c23e038cedf3148853ce7977ffccbd8028f49c816f67bd9c92fcd21e277266ba9278ce1d5d74

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
100KB

MD5
84dca8be6ebb73006406a19729b39e81

SHA1
1efe052476a39b6249ec7832268147671cc955cf

SHA256
d8d72c7ad204b27e2792830545176ea0befca7b931446886439d50c49f46cd7b

SHA512
3f3cda4570e369a30f60f7b123f6c295284e3c307f7fcf9de4aec161ce513d0774fd09a120e0b139b5ba5c00d43fe1b587e2526aa9c82cea9910250ef3c3a25d

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
100KB

MD5
c1167c1e98e2da519177f28a6bc31668

SHA1
e8a236183ffd343d97f7478eb6835317e9db1bdf

SHA256
d8f7023b5284167f45b1be4414c51ea4a60dd8ebd2ac876457d3611babbe0120

SHA512
9936ad8911d60917857af2211eac2adee552514a09b162669b29d802c5d01472f564ee95d401278b4114dde0d7d789c1f8c3ce1ced760a7254eee4b1bdb90569

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
100KB

MD5
ffa41b96c649f71f3b94bb328b2694fd

SHA1
6a7de10a212ddf18d59860524ef0269af5061569

SHA256
9eeaacf3f64a600149f58a03cd6b7a652b429eac8cf36aa5bbddd13eaee6d8ef

SHA512
d0747bbe87c7694f406ef789f7e627146ede6c1196e848d1a5b3bb53d51e791d661a37317a5bf515c2a9a2db19e7b6c50e0bc813096327e1eda7a70204eac776

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
100KB

MD5
2b42c404708c5ea6318aca3c29562e11

SHA1
7049ee15936aaad4c1a53c5cd709cef159fe7b56

SHA256
d08997edae2f02855c09e45481f48d0427257a7976f54e2e1984e748d34154e1

SHA512
90eec0426d5427bba7481f987c0275d85fda0e53a989b462919016efe5406942f509d1e2ccc0081889af92f41182bf9f1c0bf0c6d1ccfcbe74e1b359b3afe704

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
100KB

MD5
0fa077c177bdef35aa9c80aca7de532a

SHA1
579a30e26e0a915f8a92dce0f13fb3fbd3d16774

SHA256
ae1c2f6226c1381914c7db6b353882e57620c7fb334d37eda96d96162a0143b2

SHA512
ca0ce61a28cdbd3c22a1c6f75919683477e06894d46de8a2cf1fb92c65a988fb40caee85731974fd7af2508b5bb7b5a9df4dc02355557e0f6fee5446dc3c0670

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
100KB

MD5
bd9f4b8b9c0b15c9ddfd7cf96b7e68c4

SHA1
7965ea6b7a0462b47ec933da64835800775be2cc

SHA256
4508aade2fab2763f3c95b65e23f544ceec36145f13741f9337b3946ff9077a9

SHA512
31775adc9234aa6c748be7026cb396d77b1a7529ca0a2540164a64c09ea96937299d462f9d9a4d60da3fc726b28d7b319785b2bd089a76c5b19cf4eaf117260b

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
100KB

MD5
b6fd4dc38b6fbf7f9a1c592497b36463

SHA1
264e3e43ec05105a0f2f16f6ee95ad5efbffc79b

SHA256
0de838c46a9db6149633e14963c1fc7181e94d0e9817a4ca27b6b3f7511a3d6d

SHA512
6481940c3406afa6ee122cc81b0895c5051c035dbddf44f974d605cc41739b0232177864bc4d68ee119090c7a4aab2edf4670ebe71548276bbc86d304bf8fdcf

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
100KB

MD5
45486f767e6b1e3d4cc85b92da06f550

SHA1
4d5b306480623b1f7004c9aff389aeb1d37f0ce8

SHA256
23f2711b5a848e994af9db273f74e04323f261fbaae0fd06d24c164fba077c1d

SHA512
191d0d527b406df03089715d334767ac3c52f34bb36c9114dfd3de5cd9e68b362f3d880511fc6a3fa70a42cafaefdb96b4f414ef4577dd49c8633abee5f22dc7

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
100KB

MD5
872b64dc00d41eace91723dc1ed29091

SHA1
baf345d88c814c4fe88e5a5bb3066f2d73109a52

SHA256
aa916bf511e068f0104e08fe1f9aefffcace9ad3e4caab10ffeca7a1bb2ecc39

SHA512
7e6eb56aa2fc400fe2c606da738976159196d6beb7de93a4a2fb9f3ed43e19ca7315b43269dbb58711287a090b061d4ab37c88a4c7a9e7113fb4217675cc267f

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
100KB

MD5
041bfb5e1d8d906571af35baded2f049

SHA1
7a81226cf9bef3e75ec6e8392828b123251c9b2c

SHA256
81e13a7202bc9462cb49952a305840e0ebb987c90b28cadbf6a55c313c4ecffe

SHA512
85e61fbd1b24bc75d90acfac63eed21375ed350543798924c827626a1eddc48cc1e3ef8e79cbfe12fc00c188bcccbddbcc1206e4a47e21b9ec0f145d66c69158

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
100KB

MD5
15a5e4d08aa083377d5329da79021467

SHA1
3faf07b2d9f7993729a10867b7b7776fa55ea7a2

SHA256
b17ed25719a363b927c67f39e55b5c0e4ffbf46c0358002c88319a1bb131973d

SHA512
05273246fa603e6b0104001d5a4fa8f70f15fa41f49531159be47df7845b6c834b34ce97b27361078ae846ca64f58878afe8e33608086db9e8613ef73efd0734

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
100KB

MD5
614d40e3115dda0130b547f207a857cd

SHA1
5db52eb16fdd171ae39a124ddb6feb2f3d500196

SHA256
95c2028121739140a6e7d154bbe99d9336facd1ad236190a2c1ae5b43c071059

SHA512
1fb67d027d2f36c72ff7bbc0851a61fa2b30687cbed3d7ba295ca39c82099e6104c71cfe1c3f57d6f20c9c33b76684b4d5343adb5638bd8caafa221cee82f640

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
100KB

MD5
ac061d2f8c6bd8567bf9350dddbf86fb

SHA1
9184c957699b8025fcc5e26c79408862c71a02fc

SHA256
54d90eb1812e93eda0cd43696146c800b260375a481981dce8e27f36eae0300a

SHA512
d4d98ea167f3f6fd1f9aa771954c698138a2c67ccb3272ccb0b8e757fb942116b2d2e56243266c86875a18fde916a706a1ee21a9b22bb814160d0caae7fcf898

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
100KB

MD5
29e84054457a8aaa82edf15e1fdfc62d

SHA1
6dc768e3d51fd748388f72610899440140e4d4ad

SHA256
623e3440b6205ec9fedc4f20e803406c6e836965303cc655f9fa1c2f38d012c3

SHA512
ef755ac94cd6a8b4b526ce132740821cf632d730f2079459dddb3782e0f17fc76c885038401db71dadcf25c582e85274b33a605dc58fe4baa987baf87f37a987

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
100KB

MD5
fd678fb7046f8454cbcfcb94d373b2bf

SHA1
dc405d92c8267c9a1dcc84b1a83e803d2fd5dc59

SHA256
df2786222c90b5f49b6a6f26cc864ad04c006e5ba1a8f3fa53181d0c9cd2193c

SHA512
cdf28a9a446af1f1debdb31da37bb114535f0b1ddd2ba4138adfe0b4304bcf47989304c00a97787adcb02f0b21165d3c6701a1c79c8b89561139dad8f4c37f03

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
100KB

MD5
e506f5539700eaf7dca11bf521af9755

SHA1
81b5e54c598f4380b19d6fed89329e233a801072

SHA256
77cbbb804392a0f729d139d19285d9cf1787027d4df6123af98128f601e2770f

SHA512
5224be34eb8c74ac396622be4106773fa7a06ba87696385579769587b00800d3f4e3e1db396c04a9307f3013575f5cb5bdb02da238489d174643ca9ec7d47d24

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
100KB

MD5
64e5a535403feab59b02db58168fb95b

SHA1
2585749937598af89fec6068bca4a78b5f59e473

SHA256
639c8e3ec11a6b08a2b9c81e04a4d711376be3f9350ee61d770e1008e496ef88

SHA512
7bba1465f4d3ed54b957430ab26a763bf06d7fd7af4614125fc79347dc18c3cd1e9ea30b89fdcdb3914628589a3840dc9e0044a6cb471eb03da3b159c039c7e1

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
100KB

MD5
07d53dcae363b9a4bef3e9dedbece331

SHA1
18a71c773e4a68435ba15bb4884bb5116b88a0d0

SHA256
27b70da5381e059fc2670fcaa77fe97914ff17b908dce36ea990b3ed9340fa78

SHA512
20fd990a643b1f31648745626933f58fbfa1ca2605c022984daa982b80f0e1a3b4bf9c6d8e1002dfe09233e907b473ca30f2a442d40bf169ae77b51cbf0faf9c

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
100KB

MD5
e503166858c937367d280ed228787adf

SHA1
6f87f8513f36b863d0cbc50004e133c5fabb4ee5

SHA256
acd016f97c9d6142ef26d62b3b7116c43cd4f3f564ff50d0785db69d97d1d99b

SHA512
f015cca761e40d8d33284c84d6e4e6be51ba850368ec904171443be70efed6c2b2935ea871d3ae5ad58c10cd6d8d8a0366e5f85022c729f17bcc4046b2f34b88

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
100KB

MD5
233076d5eff969384b67af315fc27cc9

SHA1
7f76a5daa8517b3488b65dcac59fb7b84c97549b

SHA256
22c4780affe376c6cfc65b2fda3de5a1d8abd9130b3429c45cf392b1bcaf89db

SHA512
37072300a58fa678c73ce94646d12058c4c73ce76b2381eed19953373e1e9832f0c46ba0f4dff6264592ed17f1a2ea459d4978300bd9a7f13a6ca309dfca17a2

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
100KB

MD5
c757d420e7bc5074a48cc3204fc19f69

SHA1
c43b639b3fec7c7ff66e0c50a5f45ea32ae11410

SHA256
b12b156db06dab7c4b9832bc1924540fae69fd98e67a6c3d3bf67a18c4dd10f8

SHA512
e28e06f7a0a943a825fc42dfbfa119b160dd45185ec80a270901720d903b10a31cf2b582e9c15c44948e35c0a794987874ecc6d8151b29099182ca836baf872e

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
100KB

MD5
3591a5d7c2f2049c5e2c2aa3a4c989a6

SHA1
f77daafd26db355196c8bc73cb4731b1dd98fc25

SHA256
8e014d0c06e4cf6282e4a896aae39493fcf19438db24e4d3a93f0d7219dd6e29

SHA512
468e8b00461a4595da5e55913836def9048bc2d0a112af43eede32fb6e9507ab14a88948c9158b50aafe018fe86c4c75b7a1140a00d759be7840ce0ba486be91

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
100KB

MD5
355b2eb0781fd3e802b67e6f71a482e7

SHA1
289ee5699a3a7b3a20bf033ce07a7589321efac2

SHA256
122e77433b3275a10e8fd7b7d556dbf4f25fab46fd77b4a30e7a26b59ce87fc0

SHA512
1224cdeb32a549406647e891386f71013282a2b19ee5cf38bc15011857d86ffab9d4c5476999778bbf91105934b4122d61cf81d4ca8ea44ef178effac2317db8

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
100KB

MD5
32d68d2dd3c550bf91ff6c173500244f

SHA1
acd4a08d1631c8af7be04473d47337e1f37efae4

SHA256
205b8385ceea0769500608a17c06e1462198a1669f11f34b905f825dbaea56d8

SHA512
23f027266be631f361178deebd8fa4479f789ff7d2646b5c40461daa4ba1a48b20d1ee7b7ed00808e956a46626eefd9ec0e2d7ac8c08831a44aadbbca1ce04f2

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
100KB

MD5
9094cced18dace625b58880cb5f5abb5

SHA1
c62372f6cb2712cc0942689fb63013068f85bcc0

SHA256
cfeec768968e271ff0731508412252ab43b5c4a489d0270ea35eea54cbfba487

SHA512
22269c10cd9e565f33dd74faba754951d49f6b3e1b55df3045cc032a809f99216c5d469787cbed3f478b86a60dde8d3a7bb306480ca2b393f56195e38705ed52

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
100KB

MD5
b36fa0dd7cc69b1ef9431e1e283af8ab

SHA1
87117fc943a15f897e046b48c27c02ebb26f21a3

SHA256
fad891ef9482ceffc73192411447cb7121cdc5efb184d4f15e30ed43d9d94fd8

SHA512
46e96634e515f527da2e670a898da027979b2cdb9dcfd838025b55b8073bccd9aaf9e3ae395bd2f1cc95337946b66cdad0cb192fb9f193a15241543acf47176e

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
100KB

MD5
0367f0fea85a57aad0c3da622f771e1e

SHA1
c68ceeca84d54831aba535e7c332f8b52a831b09

SHA256
1b5acd6fccca1f26f39c709e5ac22c7d28e4f28ef7634d6606680ec5a4227d8a

SHA512
124a05ffef10124e6b4e9792d62a4f511d768286c23bffc6a5db5879c42afd65ba76a7b359985b5dca5639bb16c8cea0d2673f02d406d6a7e17aaeb4da316e75

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
100KB

MD5
7301967c1dd34335b7e20516838e90cc

SHA1
133469a9da06399e2397e191a9371615d672a3f1

SHA256
3fb9273708f755a1ae77139c445aa5a617d7cc8b809ce88cfdb8292fd1654367

SHA512
37b7c5d464d453790a7e30be13ec7cfd3148ad4eb29d0795ec9a94d114fb8aa8af1855fe2ebfa0fc7d7ac1833c04bae54368eeda39d7443cbf5dba08249681eb

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
100KB

MD5
a02b0c40853d12254e28425e6521274a

SHA1
87c335410cbca5e023f275dcb31e6f931fff32da

SHA256
516bcd4ed00957b5640032b7d75d146c15545c0c5598a7e0f5a268bcb2ade15f

SHA512
7597c839741ff6b815edea0cffd3db241a2130e5a9f69291c9e735251bc3a7ec0cc47351b0525133260f05bafa126106245b7e39960f0a60ed923e7d4a498a82

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
100KB

MD5
d3b919c2df5deb2715f76237aa5b64a1

SHA1
391f7ed6579433263c7b2d07ca0869843567eca3

SHA256
3688d562ba69c6e429cbadf13109984672e0e887ebaa17a302bcfebaecf56169

SHA512
57c24dfcae46a10e60d0d831da1e232e50a7abfe7f12371c369e8fbc8c6366909c0bd1581c72e66692f22bd188f54e18019694514fd6520ce01bd37e0934ef9b

Download Submit
C:\Windows\SysWOW64\Ogibpb32.dll

Filesize
7KB

MD5
f4a2cedf689d5584d7d90da0021294e8

SHA1
4e6556e8ef91443eaaf5082607a4ffec97e7f613

SHA256
646006f055a5b082b3d281b55f863883888b487f0af43cd59be606100acaf14c

SHA512
23d61b8c3219b0831f445a7799fec44ba8dd9a993fb4a2393b435410a1b359b92eff7883af028d0da34f92c8728e76b711638ec07e3233f353c2e207f7667fb4

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
100KB

MD5
55a87d949730f00c59cb1c749126430d

SHA1
8becf746cf9520b9b4b76b9adfda121bb90394b6

SHA256
f89a60d761c347283220cca93e74bc49af6d26cc89b13e0e388c0dce424de43d

SHA512
19eff2f9e385d3fa21bffde51fe177cf57f92421e90a4c3d058f884ebf5459166136fefffb4403dd1b80c8a4ba8b9def15ed0358019018625381accb52270d6b

Download Submit
memory/100-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/444-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/444-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/460-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/728-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/816-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/820-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/988-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1008-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1332-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1576-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-537-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1680-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1952-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2068-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2200-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2584-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3160-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3316-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3396-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3700-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3812-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-501-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4312-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4388-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4732-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5160-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5204-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5248-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads