80730bfa56833c1c88c426405e88fe84d829b0c39f40abd817650f74f14c38e2

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e629738f2332f220a5f6e23c0c220c50N.exe
Size

176KB
MD5

e629738f2332f220a5f6e23c0c220c50
SHA1

0351b3ea64a0f804750ebe93f6365eaa840780be
SHA256

80730bfa56833c1c88c426405e88fe84d829b0c39f40abd817650f74f14c38e2
SHA512

4525dd6978713e117633422c009b75adf80aea03d41a8117d7b54e8a83f8212ff05ca74e778455e677e8adbb661796059eb57f7d92d116d1f67fe2829eb03868
SSDEEP

3072:n4+RtlXvOmb+j6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnReP2+x7b:/RtlX2mb+j6MB8MhjwszeXmr8Sj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogdmkdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbphdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmcghgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfgcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccebdpia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjlooel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjddlimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokphf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goghkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmfmid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgfca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhjjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eejapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpppc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onneho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfoeel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjefmgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncbfppg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmjbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mepnoecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckbljo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neiaeckg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnpifalj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onneho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgdfbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebiae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmkfddnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpcegnek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhlao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caicndhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfqaikf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgokihke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afqidnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajledl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcopkie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmgbhen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eelneoli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgckni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmeook32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmkfddnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmgbhen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpcbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjjjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbimb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olllhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflfbqkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfcopkie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkfahig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjfqaikf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcabcido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnbelq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqjeok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ancgjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehmggjij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eecdfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokhodmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpalgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndlnikad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acgfca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdqnml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgkclc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajjhom32.exe

Executes dropped EXE 64 IoCs

pid	Process
1448	Klbgdb32.exe
1432	Kblpalgf.exe
2636	Kpppkqep.exe
1776	Kemhcgdg.exe
3024	Ldniqolf.exe
3868	Leoehg32.exe
3652	Lmfmid32.exe
3568	Lpeifp32.exe
4968	Lfoabjih.exe
2620	Ldbbln32.exe
2532	Lmkfddnb.exe
1504	Lgckni32.exe
3252	Llpcfp32.exe
3372	Lehhof32.exe
3416	Lmpppc32.exe
3360	Mghdiiam.exe
1056	Mmbmec32.exe
2836	Mdlebm32.exe
3916	Mcoenjfa.exe
1688	Mpcegnek.exe
4344	Mcabcido.exe
4992	Mepnoecb.exe
1640	Mliflo32.exe
1148	Mdqnml32.exe
4804	Mgokihke.exe
1028	Mdckbljo.exe
880	Nlnpgngj.exe
552	Nchhdh32.exe
3424	Nplhmmmp.exe
4368	Neiaeckg.exe
2232	Nnpifalj.exe
4984	Neknkcie.exe
3780	Nnbelq32.exe
788	Ndlnikad.exe
4092	Njifaapk.exe
4408	Nlgbmmoo.exe
1964	Ncakjg32.exe
1764	Ngmgkfoe.exe
5000	Ongogpfb.exe
1644	Ocdgpgdi.exe
4776	Olllhl32.exe
1556	Ocfdefbf.exe
4004	Ogbpfe32.exe
1472	Ojplbq32.exe
1824	Oqjeok32.exe
1944	Ogdmkdhm.exe
2316	Onneho32.exe
2832	Odhmdigf.exe
3860	Ojefmpen.exe
4860	Odjjjh32.exe
3500	Pflfbqkb.exe
1744	Pmeook32.exe
3872	Pgkclc32.exe
4712	Pjjoho32.exe
4340	Pdocehao.exe
1684	Pfppmp32.exe
3308	Pmjhjjoj.exe
2320	Pcdqfd32.exe
2040	Pfbmbp32.exe
3776	Pnjecm32.exe
3160	Pqhaph32.exe
712	Pgbimb32.exe
3612	Pjqein32.exe
5128	Pqknehcn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aidfbkqo.dll	Capinc32.exe
File opened for modification	C:\Windows\SysWOW64\Afcfimgg.exe	Aebiae32.exe
File created	C:\Windows\SysWOW64\Mliflo32.exe	Mepnoecb.exe
File created	C:\Windows\SysWOW64\Oqjeok32.exe	Ojplbq32.exe
File opened for modification	C:\Windows\SysWOW64\Eejapp32.exe	Dopicego.exe
File opened for modification	C:\Windows\SysWOW64\Fokhodmb.exe	Ekpmoe32.exe
File created	C:\Windows\SysWOW64\Fgncdede.exe	Fneokp32.exe
File created	C:\Windows\SysWOW64\Mdlebm32.exe	Mmbmec32.exe
File opened for modification	C:\Windows\SysWOW64\Neknkcie.exe	Nnpifalj.exe
File created	C:\Windows\SysWOW64\Fneokp32.exe	Fkgbod32.exe
File created	C:\Windows\SysWOW64\Enibbjln.dll	Mliflo32.exe
File created	C:\Windows\SysWOW64\Qgdfbb32.exe	Pdfjfg32.exe
File created	C:\Windows\SysWOW64\Chckjn32.exe	Cedonb32.exe
File created	C:\Windows\SysWOW64\Aldbcf32.dll	Mghdiiam.exe
File created	C:\Windows\SysWOW64\Iaeqmp32.dll	Ddcoenma.exe
File opened for modification	C:\Windows\SysWOW64\Pjjoho32.exe	Pgkclc32.exe
File created	C:\Windows\SysWOW64\Lgckni32.exe	Lmkfddnb.exe
File opened for modification	C:\Windows\SysWOW64\Ocdgpgdi.exe	Ongogpfb.exe
File created	C:\Windows\SysWOW64\Anmjpj32.exe	Acgfca32.exe
File opened for modification	C:\Windows\SysWOW64\Cedonb32.exe	Caicndhk.exe
File opened for modification	C:\Windows\SysWOW64\Debkpqdd.exe	Djmgbhen.exe
File opened for modification	C:\Windows\SysWOW64\Fhdmhicb.exe	Fokhodmb.exe
File opened for modification	C:\Windows\SysWOW64\Ndlnikad.exe	Nnbelq32.exe
File opened for modification	C:\Windows\SysWOW64\Odhmdigf.exe	Onneho32.exe
File created	C:\Windows\SysWOW64\Qnakdl32.exe	Qckfgcpo.exe
File created	C:\Windows\SysWOW64\Ancgjl32.exe	Acncmc32.exe
File created	C:\Windows\SysWOW64\Eejapp32.exe	Dopicego.exe
File created	C:\Windows\SysWOW64\Ncakjg32.exe	Nlgbmmoo.exe
File opened for modification	C:\Windows\SysWOW64\Afqidnij.exe	Acbmhbjf.exe
File created	C:\Windows\SysWOW64\Mghdiiam.exe	Lmpppc32.exe
File created	C:\Windows\SysWOW64\Obmfaajp.dll	Llpcfp32.exe
File created	C:\Windows\SysWOW64\Nlgbmmoo.exe	Njifaapk.exe
File created	C:\Windows\SysWOW64\Obhlja32.dll	Ocfdefbf.exe
File opened for modification	C:\Windows\SysWOW64\Pdocehao.exe	Pjjoho32.exe
File opened for modification	C:\Windows\SysWOW64\Pnjecm32.exe	Pfbmbp32.exe
File created	C:\Windows\SysWOW64\Cmdmndjj.exe	Cnambg32.exe
File created	C:\Windows\SysWOW64\Dmpmib32.exe	Dffdmh32.exe
File created	C:\Windows\SysWOW64\Ldniqolf.exe	Kemhcgdg.exe
File created	C:\Windows\SysWOW64\Ngmgkfoe.exe	Ncakjg32.exe
File created	C:\Windows\SysWOW64\Fdpklemf.dll	Odjjjh32.exe
File created	C:\Windows\SysWOW64\Bmkjgebd.exe	Badibd32.exe
File created	C:\Windows\SysWOW64\Ekpmoe32.exe	Ehapbj32.exe
File opened for modification	C:\Windows\SysWOW64\Ldniqolf.exe	Kemhcgdg.exe
File opened for modification	C:\Windows\SysWOW64\Cmpcbe32.exe	Cnmcghgd.exe
File created	C:\Windows\SysWOW64\Ofblkghi.dll	Ceihibmo.exe
File opened for modification	C:\Windows\SysWOW64\Ddabpnod.exe	Dabfdbpp.exe
File created	C:\Windows\SysWOW64\Bfdjha32.dll	Fokhodmb.exe
File created	C:\Windows\SysWOW64\Gaiknm32.dll	Qqmjkhqk.exe
File created	C:\Windows\SysWOW64\Chhdemlb.exe	Ceihibmo.exe
File created	C:\Windows\SysWOW64\Fmhadcbd.dll	Goieqb32.exe
File created	C:\Windows\SysWOW64\Mepnoecb.exe	Mcabcido.exe
File created	C:\Windows\SysWOW64\Nnhlbp32.dll	Qnonolag.exe
File opened for modification	C:\Windows\SysWOW64\Cdjlooel.exe	Cmpcbe32.exe
File created	C:\Windows\SysWOW64\Eomhpn32.dll	Chhdemlb.exe
File created	C:\Windows\SysWOW64\Mdjklcpk.dll	Djmgbhen.exe
File opened for modification	C:\Windows\SysWOW64\Pcdqfd32.exe	Pmjhjjoj.exe
File opened for modification	C:\Windows\SysWOW64\Njifaapk.exe	Ndlnikad.exe
File created	C:\Windows\SysWOW64\Kpmeml32.dll	Anmjpj32.exe
File opened for modification	C:\Windows\SysWOW64\Mdlebm32.exe	Mmbmec32.exe
File created	C:\Windows\SysWOW64\Kbqhlb32.dll	Qckfgcpo.exe
File created	C:\Windows\SysWOW64\Iennhkdg.dll	Bflhplom.exe
File opened for modification	C:\Windows\SysWOW64\Cfcopkie.exe	Ccebdpia.exe
File created	C:\Windows\SysWOW64\Pnjecm32.exe	Pfbmbp32.exe
File created	C:\Windows\SysWOW64\Leoehg32.exe	Ldniqolf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6792	6576	WerFault.exe	250

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbimb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcopkie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpalgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpppkqep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpeifp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpcfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbdhgnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgncdede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbmec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebiae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflhplom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmgbhen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmjbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimbfdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhdmhicb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldniqolf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdlebm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplhmmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojplbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknehcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqmjkhqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnonolag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajjhom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdefbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpdcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopicego.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabcido.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjjjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhdemlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capinc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goieqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgkfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlooel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbphdll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goghkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mghdiiam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpcegnek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjagfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndihgal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoeel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjefmgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e629738f2332f220a5f6e23c0c220c50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgokihke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njifaapk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbpfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfgcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aefbmdmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eodboe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhcgdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqidnij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deehepba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncbfppg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncakjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogdmkdhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojefmpen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnjecm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgdfbb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbhna32.dll"	e629738f2332f220a5f6e23c0c220c50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckbljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ongogpfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojefmpen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibmdonk.dll"	Pgkclc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhjjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjjchhf.dll"	Afqidnij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmpmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjopaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mccpop32.dll"	Nlnpgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaecmf32.dll"	Ehmggjij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdjha32.dll"	Fokhodmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihapke32.dll"	Kblpalgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgkfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpiiphdi.dll"	Ocdgpgdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgdfbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmimbfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chhdemlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhclhdl.dll"	Ggbmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknehcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaijgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iennhkdg.dll"	Bflhplom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgognd32.dll"	Fneokp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfoabjih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlgbmmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekacb32.dll"	Cjfqaikf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caicndhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Debkpqdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcabcido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neiaeckg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ongogpfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olllhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnakdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjgebd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimalcpi.dll"	Cfcopkie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmafjqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcdki32.dll"	Ehapbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajbhik.dll"	Fgijif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mliflo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhmedni.dll"	Aaijgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odhmdigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphlmbpj.dll"	Lehhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnpifalj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnambg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joghjo32.dll"	Dmpmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealeappp.dll"	Ldbbln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmkfddnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgkpe32.dll"	Lmkfddnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bflhplom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhadcbd.dll"	Goieqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpaiglq.dll"	Leoehg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdlebm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgeabg32.dll"	Ojplbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afqidnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picefn32.dll"	Cjddlimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgcck32.dll"	Fdmjbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olllhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgmaig32.dll"	Ojefmpen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajipa32.dll"	Bfoeel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmcghgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmbmec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1448	4816	e629738f2332f220a5f6e23c0c220c50N.exe	91
PID 4816 wrote to memory of 1448	4816	e629738f2332f220a5f6e23c0c220c50N.exe	91
PID 4816 wrote to memory of 1448	4816	e629738f2332f220a5f6e23c0c220c50N.exe	91
PID 1448 wrote to memory of 1432	1448	Klbgdb32.exe	92
PID 1448 wrote to memory of 1432	1448	Klbgdb32.exe	92
PID 1448 wrote to memory of 1432	1448	Klbgdb32.exe	92
PID 1432 wrote to memory of 2636	1432	Kblpalgf.exe	93
PID 1432 wrote to memory of 2636	1432	Kblpalgf.exe	93
PID 1432 wrote to memory of 2636	1432	Kblpalgf.exe	93
PID 2636 wrote to memory of 1776	2636	Kpppkqep.exe	94
PID 2636 wrote to memory of 1776	2636	Kpppkqep.exe	94
PID 2636 wrote to memory of 1776	2636	Kpppkqep.exe	94
PID 1776 wrote to memory of 3024	1776	Kemhcgdg.exe	95
PID 1776 wrote to memory of 3024	1776	Kemhcgdg.exe	95
PID 1776 wrote to memory of 3024	1776	Kemhcgdg.exe	95
PID 3024 wrote to memory of 3868	3024	Ldniqolf.exe	96
PID 3024 wrote to memory of 3868	3024	Ldniqolf.exe	96
PID 3024 wrote to memory of 3868	3024	Ldniqolf.exe	96
PID 3868 wrote to memory of 3652	3868	Leoehg32.exe	97
PID 3868 wrote to memory of 3652	3868	Leoehg32.exe	97
PID 3868 wrote to memory of 3652	3868	Leoehg32.exe	97
PID 3652 wrote to memory of 3568	3652	Lmfmid32.exe	98
PID 3652 wrote to memory of 3568	3652	Lmfmid32.exe	98
PID 3652 wrote to memory of 3568	3652	Lmfmid32.exe	98
PID 3568 wrote to memory of 4968	3568	Lpeifp32.exe	99
PID 3568 wrote to memory of 4968	3568	Lpeifp32.exe	99
PID 3568 wrote to memory of 4968	3568	Lpeifp32.exe	99
PID 4968 wrote to memory of 2620	4968	Lfoabjih.exe	100
PID 4968 wrote to memory of 2620	4968	Lfoabjih.exe	100
PID 4968 wrote to memory of 2620	4968	Lfoabjih.exe	100
PID 2620 wrote to memory of 2532	2620	Ldbbln32.exe	102
PID 2620 wrote to memory of 2532	2620	Ldbbln32.exe	102
PID 2620 wrote to memory of 2532	2620	Ldbbln32.exe	102
PID 2532 wrote to memory of 1504	2532	Lmkfddnb.exe	104
PID 2532 wrote to memory of 1504	2532	Lmkfddnb.exe	104
PID 2532 wrote to memory of 1504	2532	Lmkfddnb.exe	104
PID 1504 wrote to memory of 3252	1504	Lgckni32.exe	106
PID 1504 wrote to memory of 3252	1504	Lgckni32.exe	106
PID 1504 wrote to memory of 3252	1504	Lgckni32.exe	106
PID 3252 wrote to memory of 3372	3252	Llpcfp32.exe	107
PID 3252 wrote to memory of 3372	3252	Llpcfp32.exe	107
PID 3252 wrote to memory of 3372	3252	Llpcfp32.exe	107
PID 3372 wrote to memory of 3416	3372	Lehhof32.exe	108
PID 3372 wrote to memory of 3416	3372	Lehhof32.exe	108
PID 3372 wrote to memory of 3416	3372	Lehhof32.exe	108
PID 3416 wrote to memory of 3360	3416	Lmpppc32.exe	109
PID 3416 wrote to memory of 3360	3416	Lmpppc32.exe	109
PID 3416 wrote to memory of 3360	3416	Lmpppc32.exe	109
PID 3360 wrote to memory of 1056	3360	Mghdiiam.exe	110
PID 3360 wrote to memory of 1056	3360	Mghdiiam.exe	110
PID 3360 wrote to memory of 1056	3360	Mghdiiam.exe	110
PID 1056 wrote to memory of 2836	1056	Mmbmec32.exe	111
PID 1056 wrote to memory of 2836	1056	Mmbmec32.exe	111
PID 1056 wrote to memory of 2836	1056	Mmbmec32.exe	111
PID 2836 wrote to memory of 3916	2836	Mdlebm32.exe	112
PID 2836 wrote to memory of 3916	2836	Mdlebm32.exe	112
PID 2836 wrote to memory of 3916	2836	Mdlebm32.exe	112
PID 3916 wrote to memory of 1688	3916	Mcoenjfa.exe	113
PID 3916 wrote to memory of 1688	3916	Mcoenjfa.exe	113
PID 3916 wrote to memory of 1688	3916	Mcoenjfa.exe	113
PID 1688 wrote to memory of 4344	1688	Mpcegnek.exe	114
PID 1688 wrote to memory of 4344	1688	Mpcegnek.exe	114
PID 1688 wrote to memory of 4344	1688	Mpcegnek.exe	114
PID 4344 wrote to memory of 4992	4344	Mcabcido.exe	115

C:\Users\Admin\AppData\Local\Temp\e629738f2332f220a5f6e23c0c220c50N.exe
"C:\Users\Admin\AppData\Local\Temp\e629738f2332f220a5f6e23c0c220c50N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\Klbgdb32.exe
  C:\Windows\system32\Klbgdb32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\Kblpalgf.exe
    C:\Windows\system32\Kblpalgf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\Kpppkqep.exe
      C:\Windows\system32\Kpppkqep.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Kemhcgdg.exe
        
        C:\Windows\system32\Kemhcgdg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\SysWOW64\Ldniqolf.exe
        
        C:\Windows\system32\Ldniqolf.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Leoehg32.exe
        
        C:\Windows\system32\Leoehg32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Lmfmid32.exe
        
        C:\Windows\system32\Lmfmid32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Lpeifp32.exe
        
        C:\Windows\system32\Lpeifp32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Lfoabjih.exe
        
        C:\Windows\system32\Lfoabjih.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ldbbln32.exe
        
        C:\Windows\system32\Ldbbln32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Lmkfddnb.exe
        
        C:\Windows\system32\Lmkfddnb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Lgckni32.exe
        
        C:\Windows\system32\Lgckni32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Llpcfp32.exe
        
        C:\Windows\system32\Llpcfp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Lehhof32.exe
        
        C:\Windows\system32\Lehhof32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Lmpppc32.exe
        
        C:\Windows\system32\Lmpppc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Mghdiiam.exe
        
        C:\Windows\system32\Mghdiiam.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Mmbmec32.exe
        
        C:\Windows\system32\Mmbmec32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Mdlebm32.exe
        
        C:\Windows\system32\Mdlebm32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Mcoenjfa.exe
        
        C:\Windows\system32\Mcoenjfa.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Mpcegnek.exe
        
        C:\Windows\system32\Mpcegnek.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Mcabcido.exe
        
        C:\Windows\system32\Mcabcido.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Mepnoecb.exe
        
        C:\Windows\system32\Mepnoecb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Mliflo32.exe
        
        C:\Windows\system32\Mliflo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Mdqnml32.exe
        
        C:\Windows\system32\Mdqnml32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Mgokihke.exe
        
        C:\Windows\system32\Mgokihke.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Mdckbljo.exe
        
        C:\Windows\system32\Mdckbljo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Nlnpgngj.exe
        
        C:\Windows\system32\Nlnpgngj.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Nchhdh32.exe
        
        C:\Windows\system32\Nchhdh32.exe
        29⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Nplhmmmp.exe
        
        C:\Windows\system32\Nplhmmmp.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Neiaeckg.exe
        
        C:\Windows\system32\Neiaeckg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Nnpifalj.exe
        
        C:\Windows\system32\Nnpifalj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Neknkcie.exe
        
        C:\Windows\system32\Neknkcie.exe
        33⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Nnbelq32.exe
        
        C:\Windows\system32\Nnbelq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Ndlnikad.exe
        
        C:\Windows\system32\Ndlnikad.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\Njifaapk.exe
        
        C:\Windows\system32\Njifaapk.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Nlgbmmoo.exe
        
        C:\Windows\system32\Nlgbmmoo.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ncakjg32.exe
        
        C:\Windows\system32\Ncakjg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Ngmgkfoe.exe
        
        C:\Windows\system32\Ngmgkfoe.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Ongogpfb.exe
        
        C:\Windows\system32\Ongogpfb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ocdgpgdi.exe
        
        C:\Windows\system32\Ocdgpgdi.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Olllhl32.exe
        
        C:\Windows\system32\Olllhl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ocfdefbf.exe
        
        C:\Windows\system32\Ocfdefbf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Ogbpfe32.exe
        
        C:\Windows\system32\Ogbpfe32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Ojplbq32.exe
        
        C:\Windows\system32\Ojplbq32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Oqjeok32.exe
        
        C:\Windows\system32\Oqjeok32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Ogdmkdhm.exe
        
        C:\Windows\system32\Ogdmkdhm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Onneho32.exe
        
        C:\Windows\system32\Onneho32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Odhmdigf.exe
        
        C:\Windows\system32\Odhmdigf.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ojefmpen.exe
        
        C:\Windows\system32\Ojefmpen.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Odjjjh32.exe
        
        C:\Windows\system32\Odjjjh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Pflfbqkb.exe
        
        C:\Windows\system32\Pflfbqkb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Pmeook32.exe
        
        C:\Windows\system32\Pmeook32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Pgkclc32.exe
        
        C:\Windows\system32\Pgkclc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Pjjoho32.exe
        
        C:\Windows\system32\Pjjoho32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Pdocehao.exe
        
        C:\Windows\system32\Pdocehao.exe
        56⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Pfppmp32.exe
        
        C:\Windows\system32\Pfppmp32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Pmjhjjoj.exe
        
        C:\Windows\system32\Pmjhjjoj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Pcdqfd32.exe
        
        C:\Windows\system32\Pcdqfd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Pfbmbp32.exe
        
        C:\Windows\system32\Pfbmbp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Pnjecm32.exe
        
        C:\Windows\system32\Pnjecm32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Pqhaph32.exe
        
        C:\Windows\system32\Pqhaph32.exe
        62⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Pgbimb32.exe
        
        C:\Windows\system32\Pgbimb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\Pjqein32.exe
        
        C:\Windows\system32\Pjqein32.exe
        64⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Pqknehcn.exe
        
        C:\Windows\system32\Pqknehcn.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Pdfjfg32.exe
        
        C:\Windows\system32\Pdfjfg32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Qgdfbb32.exe
        
        C:\Windows\system32\Qgdfbb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Qnonolag.exe
        
        C:\Windows\system32\Qnonolag.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Qqmjkhqk.exe
        
        C:\Windows\system32\Qqmjkhqk.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Qckfgcpo.exe
        
        C:\Windows\system32\Qckfgcpo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Qnakdl32.exe
        
        C:\Windows\system32\Qnakdl32.exe
        71⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Qqogqg32.exe
        
        C:\Windows\system32\Qqogqg32.exe
        72⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Acncmc32.exe
        
        C:\Windows\system32\Acncmc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ancgjl32.exe
        
        C:\Windows\system32\Ancgjl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Ajjhom32.exe
        
        C:\Windows\system32\Ajjhom32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Acbmhbjf.exe
        
        C:\Windows\system32\Acbmhbjf.exe
        76⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Afqidnij.exe
        
        C:\Windows\system32\Afqidnij.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Ajledl32.exe
        
        C:\Windows\system32\Ajledl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Aebiae32.exe
        
        C:\Windows\system32\Aebiae32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Afcfimgg.exe
        
        C:\Windows\system32\Afcfimgg.exe
        80⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Aaijgf32.exe
        
        C:\Windows\system32\Aaijgf32.exe
        81⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Acgfca32.exe
        
        C:\Windows\system32\Acgfca32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Anmjpj32.exe
        
        C:\Windows\system32\Anmjpj32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Aefbmdmd.exe
        
        C:\Windows\system32\Aefbmdmd.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Bnogfj32.exe
        
        C:\Windows\system32\Bnogfj32.exe
        85⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Bclpnaal.exe
        
        C:\Windows\system32\Bclpnaal.exe
        86⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Bflhplom.exe
        
        C:\Windows\system32\Bflhplom.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Bfoeel32.exe
        
        C:\Windows\system32\Bfoeel32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Bmimbfdg.exe
        
        C:\Windows\system32\Bmimbfdg.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Badibd32.exe
        
        C:\Windows\system32\Badibd32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Bmkjgebd.exe
        
        C:\Windows\system32\Bmkjgebd.exe
        91⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cebbhc32.exe
        
        C:\Windows\system32\Cebbhc32.exe
        92⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Ccebdpia.exe
        
        C:\Windows\system32\Ccebdpia.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Cfcopkie.exe
        
        C:\Windows\system32\Cfcopkie.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cnkfahig.exe
        
        C:\Windows\system32\Cnkfahig.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Caicndhk.exe
        
        C:\Windows\system32\Caicndhk.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Cedonb32.exe
        
        C:\Windows\system32\Cedonb32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Chckjn32.exe
        
        C:\Windows\system32\Chckjn32.exe
        98⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Cjagfi32.exe
        
        C:\Windows\system32\Cjagfi32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Cnmcghgd.exe
        
        C:\Windows\system32\Cnmcghgd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Cmpcbe32.exe
        
        C:\Windows\system32\Cmpcbe32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Cdjlooel.exe
        
        C:\Windows\system32\Cdjlooel.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Chehpnne.exe
        
        C:\Windows\system32\Chehpnne.exe
        103⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Cjddlimi.exe
        
        C:\Windows\system32\Cjddlimi.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Cmbphdll.exe
        
        C:\Windows\system32\Cmbphdll.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Canlic32.exe
        
        C:\Windows\system32\Canlic32.exe
        106⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Ceihibmo.exe
        
        C:\Windows\system32\Ceihibmo.exe
        107⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Chhdemlb.exe
        
        C:\Windows\system32\Chhdemlb.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Cjfqaikf.exe
        
        C:\Windows\system32\Cjfqaikf.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Cnambg32.exe
        
        C:\Windows\system32\Cnambg32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Cmdmndjj.exe
        
        C:\Windows\system32\Cmdmndjj.exe
        111⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Capinc32.exe
        
        C:\Windows\system32\Capinc32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\Cdoejn32.exe
        
        C:\Windows\system32\Cdoejn32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Cfmafjqj.exe
        
        C:\Windows\system32\Cfmafjqj.exe
        114⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Cndihgal.exe
        
        C:\Windows\system32\Cndihgal.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\Dabfdbpp.exe
        
        C:\Windows\system32\Dabfdbpp.exe
        116⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Ddabpnod.exe
        
        C:\Windows\system32\Ddabpnod.exe
        117⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Dmific32.exe
        
        C:\Windows\system32\Dmific32.exe
        118⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Ddcoenma.exe
        
        C:\Windows\system32\Ddcoenma.exe
        119⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Dfakaile.exe
        
        C:\Windows\system32\Dfakaile.exe
        120⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Djmgbhen.exe
        
        C:\Windows\system32\Djmgbhen.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\Debkpqdd.exe
        
        C:\Windows\system32\Debkpqdd.exe
        122⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Dokphf32.exe
        
        C:\Windows\system32\Dokphf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Dmnpdcbo.exe
        
        C:\Windows\system32\Dmnpdcbo.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Deehepba.exe
        
        C:\Windows\system32\Deehepba.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6760
        
        C:\Windows\SysWOW64\Dffdmh32.exe
        
        C:\Windows\system32\Dffdmh32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Dmpmib32.exe
        
        C:\Windows\system32\Dmpmib32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Ddjefmgi.exe
        
        C:\Windows\system32\Ddjefmgi.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\Dopicego.exe
        
        C:\Windows\system32\Dopicego.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\Eejapp32.exe
        
        C:\Windows\system32\Eejapp32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Eelneoli.exe
        
        C:\Windows\system32\Eelneoli.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Eodboe32.exe
        
        C:\Windows\system32\Eodboe32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Windows\SysWOW64\Ehmggjij.exe
        
        C:\Windows\system32\Ehmggjij.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Emjopaha.exe
        
        C:\Windows\system32\Emjopaha.exe
        134⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Egbdhgnb.exe
        
        C:\Windows\system32\Egbdhgnb.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6192
        
        C:\Windows\SysWOW64\Eoiljdod.exe
        
        C:\Windows\system32\Eoiljdod.exe
        136⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Eecdfn32.exe
        
        C:\Windows\system32\Eecdfn32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Ehapbj32.exe
        
        C:\Windows\system32\Ehapbj32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Ekpmoe32.exe
        
        C:\Windows\system32\Ekpmoe32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Fokhodmb.exe
        
        C:\Windows\system32\Fokhodmb.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Fhdmhicb.exe
        
        C:\Windows\system32\Fhdmhicb.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Foneec32.exe
        
        C:\Windows\system32\Foneec32.exe
        142⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Fgijif32.exe
        
        C:\Windows\system32\Fgijif32.exe
        143⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Fncbfppg.exe
        
        C:\Windows\system32\Fncbfppg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6832
        
        C:\Windows\SysWOW64\Fdmjbj32.exe
        
        C:\Windows\system32\Fdmjbj32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Fkgbod32.exe
        
        C:\Windows\system32\Fkgbod32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Fneokp32.exe
        
        C:\Windows\system32\Fneokp32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Fgncdede.exe
        
        C:\Windows\system32\Fgncdede.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\Fnhlao32.exe
        
        C:\Windows\system32\Fnhlao32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Goghkb32.exe
        
        C:\Windows\system32\Goghkb32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\Ggbmod32.exe
        
        C:\Windows\system32\Ggbmod32.exe
        151⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Goieqb32.exe
        
        C:\Windows\system32\Goieqb32.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Gdfmii32.exe
        
        C:\Windows\system32\Gdfmii32.exe
        153⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 400
        154⤵
        Program crash
        
        PID:6792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6576 -ip 6576
1⤵
PID:6736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Badibd32.exe

Filesize
176KB

MD5
b388be0b0f5b242911e4eb445bbd3fba

SHA1
ce0ec57a82d71020b1b46856480c59f055cae7f6

SHA256
042947fdb138a21cbb944bc1bfd50b6b712912577851c2641f2d68c8b5b496cb

SHA512
c2734fc8639dae3d1daddf336007cdd77555955b00585e9a29adf479697ce8e67190a6af76beaa789b0e581e0127496c29c866bcc6757afa0258d7e5fd46aa75

Download Submit
C:\Windows\SysWOW64\Bnogfj32.exe

Filesize
176KB

MD5
66567a799ff74211c51eb3f596a5e910

SHA1
8db68f150b51cdfa09af43a09fb10c161c4bb048

SHA256
4be5a2f69826b9ecb2adf895bf8bc3b034aba38b714eb223e443d89698ed322f

SHA512
636d4aa9583efa4be169f2174893cc7fcb4bab339a7665f41452fc285c9844c5b10fa31b359065cf4a9fb5f679e6ddbe243c8c5ba40947e0d1c1c507f92bd748

Download Submit
C:\Windows\SysWOW64\Ddabpnod.exe

Filesize
176KB

MD5
59a27d58db1fbf3088e9cf5cb89ded2a

SHA1
8f4b4d0168175cb88c851fc6503629eb1641b37c

SHA256
98248ad05b9d5d76baea9a134dd20821aaa68fcd433db0faa87d018da3448965

SHA512
f27707d6acc0c07b24338055d858a88fccd32b753fb5caba16253dc11127c1dab3bbdd358256910d80847e4f04d70533a90fd32dd626f7f35413f736c1ec7142

Download Submit
C:\Windows\SysWOW64\Deehepba.exe

Filesize
64KB

MD5
fd8c9521e0145114c5c96921f722d34d

SHA1
00504e3d0a91fbd61d6f0a88672903b3d98143d9

SHA256
a6777db88ddc8697e3c79833ea8f581c469fdc43a6c497c34341672573fbafec

SHA512
d63c58d2e697e23658113713b0d63def2d03414ef89fe72f867eea83fc02aba64071f4f2389fb084bf55d91a642d8781886bf8bf0fab9ad646a0e57eb1dc44a2

Download Submit
C:\Windows\SysWOW64\Djmgbhen.exe

Filesize
176KB

MD5
f79ace73c0eb041774e43836d2fc94cb

SHA1
b5971860d972aaa9957e1e7593a17f30e21b365c

SHA256
1426f0a9a6809957db7bb489b015ee6963d862f628eba183e87f634b2624f012

SHA512
fb1d2dfbeabe61614846c731a1e1d7902caaa8d3fb2970974a2e43a35878ba620ee53ab96a2da32fe6c924c6411e40d188d48114f4ac5f7b4a8a61c43ed4fd07

Download Submit
C:\Windows\SysWOW64\Dokphf32.exe

Filesize
176KB

MD5
314f8e62cb0fbe9fb6d260daeb453648

SHA1
54ebef5a3078da6bc2cad6676865a58e372a2a67

SHA256
37b3f81322fab0d452a3a88c8628992673c1729f16de8ba208b423882ee48654

SHA512
07cdc42c7f1e8e2cfb8d6a964c8ec77b01a9ce2076deda023456926a2cbb3f41d24c2fb49c8339f37b467fc10ad70fa2dde4249df20e7c3413fc9f9f119f0a97

Download Submit
C:\Windows\SysWOW64\Fgijif32.exe

Filesize
176KB

MD5
60825cdfa48e69a3a5eade6eadcae34f

SHA1
ce881e51afddd7a77be654ec4456eed794cbf057

SHA256
e5dddf8497041c095f0dfbe441bdddfe2198350b0ffa4f2a5b107b7627686282

SHA512
c61103c001f99e1ed54787413369e4370d23036cd88a89fcb3c48dfb5b3bfda1ab2168b3d7bd900aff4e04167b7a6d7958b6a1449a85568148198deaea1a5b58

Download Submit
C:\Windows\SysWOW64\Fkgbod32.exe

Filesize
176KB

MD5
af7381fb7cf3170d438458f26a1bb487

SHA1
74639519bc6eeb82e196d3b53ee13372d707e221

SHA256
fb5037fb4c2f5f9913998fa94e43c90ca58a3ceb920bf9e81c4fc3688f36b78e

SHA512
e4a60f79c6dbc77abad562b151cab52bc6004dc026c1e6bf35501169cff505727188698fc3c778653be78fe77811498648143ced48d870ab9f85d114414111eb

Download Submit
C:\Windows\SysWOW64\Foneec32.exe

Filesize
176KB

MD5
6fd3ba89360efc685c2a0dee8c1bfef2

SHA1
3c2a98ffc442a92e20f828097fcbd5b433dbc160

SHA256
1b6c75a4f3e91058f97cd8a6319cf2b83f20b05c9e8d6d4a402099b7ddd1b7a3

SHA512
3872ee40834849a63a10ddb00f0bf664b82ee39bacdb36ecf0a3b179eef02d62000d352aade15fed5bcb26a3a1d2f5ec1f0ad6f31bb819d8a84152b2726fc181

Download Submit
C:\Windows\SysWOW64\Ggbmod32.exe

Filesize
176KB

MD5
f219927daea90a641033e6642dd814fa

SHA1
6ea2bfeb79b1d2e0f76ebd462111467a47bca414

SHA256
2ffaea96ee773f001da33580e3d45da0ed505a5438001d5a2fb75dcb8b7668b8

SHA512
5c677c67713fc0d6d27d20f1242b40012c78d1f85a23fc62a6929091af77a086ea0894474c94b022cbef5527d916c07f70d17ff7a10335975fdc7c53be848980

Download Submit
C:\Windows\SysWOW64\Kblpalgf.exe

Filesize
176KB

MD5
05f93b472c1f5518d1e6dea380d258eb

SHA1
c623d1d2433f8b999274d2f3bd468a03788d9fbe

SHA256
18d19c1bebd1178a2cec3a0866b22e58c3ec1c2ef76b9b826ef01fe450dcd53e

SHA512
3d7286d606df4ff9e709e7a33071574af5f70391cb2565e8bc8ea4bbc42c8c5a980f4ee88e8fe27e34e2e11c20004e0cab285483729e802ae21a4028b24f2ecd

Download Submit
C:\Windows\SysWOW64\Kemhcgdg.exe

Filesize
176KB

MD5
f77146fefdb6d064531470c948fe3070

SHA1
38b2af78ce996228037dd1aa80af04bf6b2efe56

SHA256
c9794b7d04f6a43372f97722fefad4abd9675a09f26032f126f7497c39818681

SHA512
dcd300f0d7d4adbe68f1d79b6e9285b2680ca92e2eb0568303236c5576e6f508d05122d6a63768a82e632720f53d33e3745daf916b46849e3316076baabfd982

Download Submit
C:\Windows\SysWOW64\Klbgdb32.exe

Filesize
176KB

MD5
437965d4d2ecbcedc347087745c503df

SHA1
9c4556456d8f89a9e2b50fe3994d291a28c160ee

SHA256
0b250d76644c8ce2f39c7fa274dbaea429baaa3a73769df0e529823eb67cf4a4

SHA512
184f3952f60a7f0edb58cd66ecf7c27526ed9e457409330fa723c66e530c82ff5eee400c448149544eff55da31f334a8cf47a51ad677a33fc998e1d01976cfe5

Download Submit
C:\Windows\SysWOW64\Kpppkqep.exe

Filesize
176KB

MD5
a54c8c056182a0794b71373b81aec36e

SHA1
1a2aa7a785a110ee2caee5d6a5b46916c6cf6fe2

SHA256
a4d928178d8d2d8698a6c34af1dd70f52723063fa02c9375ea73be959699f6fc

SHA512
19d8baa0e284708e3d2862b4ecf22ffca9267d69a87c61a653d14188c0574fac02d7870c59fef3913aebf7902666986ddb9c3a87cc2282c99ed4dcd78e036d26

Download Submit
C:\Windows\SysWOW64\Ldbbln32.exe

Filesize
176KB

MD5
d4eee5c13021ec9bc85fcca98315fb2f

SHA1
6b8653866cb759463d9e6d85026ccb0e8c12c169

SHA256
06a10282f1514a4e4f34e3fba14e25aa6e7fa02913aa4d6bf21e6aa6a79264b0

SHA512
beed83222d6925ac0b34e81d4d0a2c797084e4ca6481ee8e0157fef95bc642b3d2e5f9c5a5b5f90f3bd7862f021284947023148710360d04f861806582f38251

Download Submit
C:\Windows\SysWOW64\Ldniqolf.exe

Filesize
176KB

MD5
c2e920478c6a80e08ca00274aabff241

SHA1
70c8b7ea69ad6a485ed3c84343f25a2f4bc15d46

SHA256
c51bb884dcabc10e6fe089f529cb07b4f368da1641a716fe83218810d007f42f

SHA512
76bba4838c0b5c1da9827026d53cdd44863dd57a5e67a01e6910d7f2b86f89ec404177689645e8bdbcec5070f155ee15c899e2b4b2e5d2192ee1a034ac49c715

Download Submit
C:\Windows\SysWOW64\Lehhof32.exe

Filesize
176KB

MD5
702d51497f3f0f298343734990de3e7e

SHA1
8eab2f443763f3b8259b930238d121491bf1b89b

SHA256
920768c02298dbe0b5f11863f83be0731b4c35f313f248c0b8b6dd4a4330c87b

SHA512
62dc311eea47f8c6931570ef370d7fba56549016a353d2d2bd99c183846e30507e87c0a0c7ec52296285548d2580ecfe1bf39e1721746c0c616a72bf042a2e5f

Download Submit
C:\Windows\SysWOW64\Leoehg32.exe

Filesize
176KB

MD5
bc0202a39b34606dd2afdda0fa79e36a

SHA1
7ed1540c8da8bc7a19734fe2efb6f7085b99063a

SHA256
eed89a5b03079e0de67f98d9b8e0bb0b142999d473378ab4a262415395a20bbe

SHA512
98191d2bff63602f2e899b43c33954075c9154708c666e9e9b9f09b474081813f6c29df23c4a12b5cdabe0285047c661f8910af5994110d84e649ad89eb5e3a2

Download Submit
C:\Windows\SysWOW64\Lfoabjih.exe

Filesize
176KB

MD5
89ddbadb11553dfd18350670a540775e

SHA1
ac1ba0a756b1eb057acbf55b953639e9f557a2c0

SHA256
34f956d0694c6d0a8b678778057e85dc9b45198a8fcba8840464e7a7d60beb61

SHA512
13c0dac39eeb687d76d9c1eecc0e4ae8338b245250a01f713c8d775db251e2f203ba87ca340be5f1fd7d078aa9453c1b448b39cb780c67b9baa091b1f2284a3d

Download Submit
C:\Windows\SysWOW64\Lgckni32.exe

Filesize
176KB

MD5
04f6236dcfb7c61904cd9dece68ef026

SHA1
3e19292a99a5fceba45757233a3306295923fad4

SHA256
a37e2078fbef2047a7161d6cf634f7ac94871fb2df2a9bb7d6c3eb115c9cba57

SHA512
0adb6e296437f1a799c927b1bc945a5f99013e047231eedb66aacd2b4e47d86592bc313b5a711ac1a96653e324611a4004125e19e85a959313906e3291db4083

Download Submit
C:\Windows\SysWOW64\Llpcfp32.exe

Filesize
176KB

MD5
6388396d7228615d6608ce719ae7e5f1

SHA1
31cea09483dd53e679d22e3a5a85007c06092204

SHA256
154b77eff700b028f17c6ef2bbfda318e4bf98f240e74eb63620eed37979a0d1

SHA512
f8b6e5525abdd1709df03001d1d7662f3d9d2d1978bf3ba3a5d1ec8c72c2c57ccff9dddf26f190465ea8bd91cd7b03583ee36342c4afe12bb7d4e9f7bbd415eb

Download Submit
C:\Windows\SysWOW64\Lmfmid32.exe

Filesize
176KB

MD5
dc12e2b3d87aa09aadecbff60f15429c

SHA1
37f2e24e527052dc9b82ee0f254e795a34779d98

SHA256
b6b6b1ac2eff95d62b26a852994a3014475acda492a977822e0305343cc83817

SHA512
03651458952741cfab0c7e94019ce51a68fcbd07f128e5482501fcd2f81afbb9d1cab7345ba551a636a00ed6716acc6504f870d4fe9e239cda532934b423dc9d

Download Submit
C:\Windows\SysWOW64\Lmkfddnb.exe

Filesize
176KB

MD5
eff2009554db935ec293a4b5794ea9d3

SHA1
74c45b16b65a776a396b2a1976cd43442e88baac

SHA256
1e7e7333eeeb75c6f856ce8f7b6bafb3c51d47488480cfee5ce04a3fbcd865f8

SHA512
e903e671ed9076b1d13038ff122172338541f3016e0434c7527699d7387ac4912d38d6a1b63cb7a4c1c32b70ba1fb08e26539a69e9851125d5cd753d881f94a7

Download Submit
C:\Windows\SysWOW64\Lmpppc32.exe

Filesize
176KB

MD5
cbcd3554389c5ce9d69ae2ee8cedc78a

SHA1
6cb48eefa257da61881a35caeb0a2dbbfddd2326

SHA256
a414d0596a07970927afb611433ec5e62ab2e9140849daf11eeb0e6b7f85f8fc

SHA512
140a7a631516e37856b61c77a181cb0fe318e6d941d4a543cb0998e8bfcdd1d52e9c37ce23d132ecf3227179b8aa0a263fce3f25790c4729b70dfb42e3425251

Download Submit
C:\Windows\SysWOW64\Lpeifp32.exe

Filesize
176KB

MD5
4544621db19fbd898a48930aed1687b6

SHA1
b2c0406a72f62c3cc1971cdb01128f7f049c7886

SHA256
b042f3d2303ae574e24dbc17b32a823569a834cc6f4ce1efa689c85fd945f4a9

SHA512
4725ed8a0e50940e6bdd42944f6ae4f4fa9cff18373119f7096022b93c37605e223ccadeba1fc4d72e6ec790080ab8e2d867ed3fba467149735a8450dce36b48

Download Submit
C:\Windows\SysWOW64\Mcabcido.exe

Filesize
176KB

MD5
335476da46397070e4162e7efc440e83

SHA1
098e1f6b158d3203d85cbb00b295c33237b0c6bf

SHA256
201fc836caf4a5d09953c286f3dec55f36a211f37fde43dfa89fa1c73d337178

SHA512
69e915dc5f077d07cb58511949e7eaee72304799042653374cf1bee5582b8d36e98664493d93bbe200c1a844e6fcbda1c6a61e10e5a04c97c05dcfcb660392c0

Download Submit
C:\Windows\SysWOW64\Mcoenjfa.exe

Filesize
176KB

MD5
439ed475dc183c774b5d888cf1f24137

SHA1
5f01a063cf33446684e5be2bb89661fa68668b27

SHA256
cb952514134aa58318f720120af4201ed83cd7e1f82545c6a5293870f3dcf9aa

SHA512
06c8f267f966af6c2f23f1d9c445ee2c7f23f389a2de76f3fad39a1372ec3a8852df0b21b43cfe0b61cf0cef7d1476506b8150e287fac60f26212f2f5ce62c3f

Download Submit
C:\Windows\SysWOW64\Mdckbljo.exe

Filesize
176KB

MD5
46d4b1852700bb4e1c836572f366a365

SHA1
49bbfb50fb472560739edf81f1442d4e67c095e7

SHA256
e6d03a129af462c5075eb63bca42cdedc6e42f6ece3cdb4f2f3243cf5313a0aa

SHA512
3ec5efe7240986308b5de2aa68922f2192f800a0d8b76be8d36d834765a4f8c2ae00cdf18e380d5f3fb17f07815e6e82f5614a33c2ec7b257b453b42b001f57a

Download Submit
C:\Windows\SysWOW64\Mdlebm32.exe

Filesize
176KB

MD5
f1d6bc01a100e19acccfeb836a2d3530

SHA1
a29df26fe3516224c0d127f97cdc01ef1801d2b8

SHA256
56a007e8831ebfc429c0de6bfacab80f81446a628573584f1a6af8e8c757c2cf

SHA512
cb756aa74232fd84b3390286d1794ec7d239640c7d3db309dd952858479b7868f5a2bddbf7fc84c97e9a67d09f00e8476a135076a143547b9ce57c6c2f1160c1

Download Submit
C:\Windows\SysWOW64\Mdqnml32.exe

Filesize
176KB

MD5
fcbf932d864908001793a8297ea630c2

SHA1
fda4d2d68c619f62f0d3d343942cfb9c49c18547

SHA256
46307a042a88aaa3eb1c3274dd8fccc53c56b0adf6096d9dc05af952947ab48c

SHA512
0ac4ff87756099b6125b67d144ae14d9662b5b70fd19f531a0d94bc26a0465398d5a8526bd0207e98b90b5620ab70c5e77bee48ac9412eadfe0a58063627474a

Download Submit
C:\Windows\SysWOW64\Mepnoecb.exe

Filesize
176KB

MD5
6608439cfc6feda182f08d2683c80c87

SHA1
2374411d67d787ee6b00e4e69629f3fa9ff44fcb

SHA256
1a0f359d56e5c759cd280e3d2fa0a6cf140ab61317561459ed079de8a3fdf740

SHA512
8c80150b083e66e256b39d9b158dc0bb03ecef88722550540a276010da0091a8ef6e653cb7fc278d7cbb2a79e05ea92dd313788d6c5c91d5f0ed3c4b70e8efa3

Download Submit
C:\Windows\SysWOW64\Mghdiiam.exe

Filesize
176KB

MD5
a8d02824e47e230882d65a68ea9d957f

SHA1
e0061269bfe8d0eff3fd730924202a7c4ff613d7

SHA256
76a2bc4ffcf9f07690c26d9e986f334b6e16f5878c09df73cad2928f8bfc08e4

SHA512
4256048bcb36173a684a77e7cdde0c077b1ac7085a6fcc2cb6c4e1927b06875b80431c171ad1088a62abb386ac3b37241dcfa1fc3d625f11ca355a2092243c94

Download Submit
C:\Windows\SysWOW64\Mgokihke.exe

Filesize
176KB

MD5
862db38c7521280e778f6be9437fa0cf

SHA1
c18c7b767bd8129f1de998b564b1c456a9957df2

SHA256
a960c573a08647ca6a084b6bc3e97fbaffe7cecf8d1a8d2baac47253d2bd78b5

SHA512
d6267c2b5317f4e59d818594219c08fdea74e260357e38456cfc172efceffccfedc19e6e4f616d73d7c16f7719e900877cf81037eeb8d4e1dad79cd64e46b83b

Download Submit
C:\Windows\SysWOW64\Mliflo32.exe

Filesize
176KB

MD5
d9a088d0532d076e98ed44e7cf4963d4

SHA1
d89abf42ad90e15289c2c58a1f197c04eff527c2

SHA256
312c67f1cf224da7ec9276ea7d3c3bd917285e33abc07915ed614798a945525a

SHA512
5c3bc2b54418c61a610190083589d75b3a2cb5a3fb1c483dc4d0f0274a4461d4fdee21e073907e8760e7d9819bed5501ae25b5ab40d47835a2430bc8d27d0b99

Download Submit
C:\Windows\SysWOW64\Mmbmec32.exe

Filesize
176KB

MD5
7317000d30105a480dc85474d17bb0e1

SHA1
53dd8ddde57d7d3ee04e4b831be9bc15f5700b61

SHA256
de7563af52c6808a69aeaacb7a53b50eb867523bed470a398185fc4c8d3a816f

SHA512
10124ef4e28aa37b917c9b3d9392cc021382922d1a9ab6d129e77071cc957720bb9f793379a7fa56374bc947f629859a3c1524677c65a42d6fd3224b1488254d

Download Submit
C:\Windows\SysWOW64\Mpcegnek.exe

Filesize
176KB

MD5
e27d8bafe82af6e31e99165302a3af9d

SHA1
98e90b7e53c51dfb69c2d834b21550926cdebeb7

SHA256
d562ca7fe87887d567e38e817d9d77b592be4d911b0c6d237209afedeea86a9b

SHA512
4d2b07e31a86502481d02c3d4d5f0ddf94abbf4ec351ae15aa44b8faed40ceacdb75316f86c5af6fe24bacb998b6e8e642b72b089b3d787f12506154e76a700f

Download Submit
C:\Windows\SysWOW64\Nchhdh32.exe

Filesize
176KB

MD5
4784c4cd96db70eb9df05662a9ea016f

SHA1
c0cc1d96358d4924c664421add4f24d8252b1693

SHA256
5ad0383ea6e8fe8d2abaac10cf76e300c0817d7183cd745a1d39cf6db55eb1a2

SHA512
59376c689170bf4c55b0083697c385fea2eddaa2041d5d03434f367347f4c21b3621a0df9aa0d32f0911d3534f2b9d75a5177ec96a40eec109a1da33c140d35a

Download Submit
C:\Windows\SysWOW64\Neiaeckg.exe

Filesize
176KB

MD5
8a052f979d9d5d804ad47e0824660113

SHA1
15f15d6c18dead8ea5869176c3deed2d7be8f129

SHA256
9c310456ceab42f2f07fe32d057e73eb49db19c866d02fb8b29116f305e5d4e0

SHA512
5770d20af9f5927d83654b05ab3ccdfee28bd2825104c2a14411877ca99820a847da6ea9b7a80aa9937bead3fc65fe98ffb7544d419c1d26f80f46f9c872a311

Download Submit
C:\Windows\SysWOW64\Neknkcie.exe

Filesize
176KB

MD5
c5875a05df8b8b9d44b169032219dbb5

SHA1
55586dff9b65e8e9c5d8b9c9295f1abfbd507e1d

SHA256
a53a3529c44375d938ceda2ad3dade453a88fd78e4fc3841e0d222f7535334b9

SHA512
370f079a5fba105d37d8853420143424eadbb26e8e06cf80af25ff51f343d26496c8c4e46b2af913ff536fd5233cffd1b1913593eebaa1eb4f828dc4188ede2c

Download Submit
C:\Windows\SysWOW64\Nlnpgngj.exe

Filesize
176KB

MD5
2d6048fae64217c5b74e2a370c3443b1

SHA1
f5425939cab191ff4c39a302c0a27e4165dcd92e

SHA256
9655c8810e89d26b7cb1bdb3aae92dcc3ca6be4ebd1c0deee8c948a6b4643f90

SHA512
bd13cb48ce197bef55d54dd85c94b829461997ec8ed99803d1ef44a76b9580eda8aea58af7b1c98991940480f7a7cb750eb821aca83a4324a5f31c3dec1c6533

Download Submit
C:\Windows\SysWOW64\Nnpifalj.exe

Filesize
176KB

MD5
f94a8feda0bc0d4226776065e74232d1

SHA1
a6c01fd45ebbb8758013677019502cd12aa46f7f

SHA256
f43ea4a6d08dbfa2659e7b0747e21353e50753426f5a078a2d27346a7c1130fc

SHA512
03bc90b419af226ee33ec3aeff8405610a36630718f996e8b77bbbe0e38180f3d08192fed4ec65965b2d19ca659b25c58152606fb019a46dcd569cba2f9240c4

Download Submit
C:\Windows\SysWOW64\Nplhmmmp.exe

Filesize
176KB

MD5
f56aa198342ca21e8cb6fca49d9e680f

SHA1
b764ee359a373c463e54a4836f30a01d0fb877da

SHA256
fd80c827238e3540d944e15f27b099a99b99f0d52905429bfd8c1c33ef4720f2

SHA512
83591d0d76d594e690804390d5a80d8012c9551f4fe56489e889c636e6c51ed6781a6624ba71d7ea6bf36903c58889f653e9e90edbec3d47f7f93e7332088f6b

Download Submit
C:\Windows\SysWOW64\Ojefmpen.exe

Filesize
176KB

MD5
2658f2d600f3db5a4d4152e3ed73fb14

SHA1
571b103442d0e19f497864a789ecefa3fad80d24

SHA256
b342126a3b17c3fa68cdb165b70dcf209b5fc80b168aa4b3b50a951bf6938010

SHA512
055eea85a2ca232e19098ec5c7916f874ba32bbf77968f6b22cd082b158869b8dc105f89d4b495edc1098aed481649f8ef550063331eb345e83764e6d00cece6

Download Submit
memory/552-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/712-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/788-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-141-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1556-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1744-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1764-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2832-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3160-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3372-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3568-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3612-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3776-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3780-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3916-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4340-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4816-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5168-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5208-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5248-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5292-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5332-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5372-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5412-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5452-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5496-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5544-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5588-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5620-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5664-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5752-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5796-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5836-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5876-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5944-560-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5988-567-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6032-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6076-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6128-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads