32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe
Size

64KB
MD5

0885a96f5924b4cec39acc70076d0dc0
SHA1

65edae6830170a5200fb492ae0c50058938ed9eb
SHA256

32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7
SHA512

dd4f65b45a6dcdd5b002a66c3e260c28a367d08b767053fffd304601dbb4206b2b19d2f180073cb53d1e08b418f8391c275dd92f246ac8fae4747d2b4224e540
SSDEEP

768:u8y+Nh+bWqdaVidzCbbwShKegTzqUxCXu0+92jhydFO3yqTAr8/1H5qXdnhgl72M:u1bHdaV5fKegXqUkO92EOi2A6SgNtn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe

Executes dropped EXE 64 IoCs

pid	Process
4200	Lbjlfi32.exe
4308	Leihbeib.exe
1244	Lpnlpnih.exe
908	Lbmhlihl.exe
1788	Lekehdgp.exe
2128	Ligqhc32.exe
3560	Lpqiemge.exe
3528	Lfkaag32.exe
3536	Liimncmf.exe
1120	Lpcfkm32.exe
3944	Ldoaklml.exe
1860	Lepncd32.exe
3236	Lmgfda32.exe
436	Lpebpm32.exe
1816	Lbdolh32.exe
4796	Lingibiq.exe
1592	Lllcen32.exe
4948	Mdckfk32.exe
2788	Mbfkbhpa.exe
1328	Medgncoe.exe
4264	Mlopkm32.exe
1800	Mpjlklok.exe
3940	Mibpda32.exe
1332	Mlampmdo.exe
4964	Mdhdajea.exe
1880	Mckemg32.exe
3088	Mmpijp32.exe
1136	Mdjagjco.exe
2624	Mgimcebb.exe
3948	Mmbfpp32.exe
4124	Mdmnlj32.exe
4848	Mgkjhe32.exe
3716	Mnebeogl.exe
2896	Npcoakfp.exe
4192	Ndokbi32.exe
2012	Nepgjaeg.exe
3532	Nngokoej.exe
2884	Nljofl32.exe
456	Ndaggimg.exe
1864	Ngpccdlj.exe
1248	Nnjlpo32.exe
2148	Nphhmj32.exe
1532	Ncfdie32.exe
4744	Neeqea32.exe
4772	Nloiakho.exe
2392	Ndfqbhia.exe
3376	Ncianepl.exe
3456	Njciko32.exe
2936	Nlaegk32.exe
2160	Ndhmhh32.exe
3372	Nfjjppmm.exe
3264	Nnqbanmo.exe
4564	Oponmilc.exe
2188	Ocnjidkf.exe
2056	Oflgep32.exe
1156	Olfobjbg.exe
4524	Odmgcgbi.exe
2384	Ogkcpbam.exe
3364	Ojjolnaq.exe
3516	Opdghh32.exe
1124	Ognpebpj.exe
1728	Onhhamgg.exe
2172	Odapnf32.exe
760	Ogpmjb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Liimncmf.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7036	6948	WerFault.exe	241

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4200	3192	32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe	84
PID 3192 wrote to memory of 4200	3192	32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe	84
PID 3192 wrote to memory of 4200	3192	32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe	84
PID 4200 wrote to memory of 4308	4200	Lbjlfi32.exe	85
PID 4200 wrote to memory of 4308	4200	Lbjlfi32.exe	85
PID 4200 wrote to memory of 4308	4200	Lbjlfi32.exe	85
PID 4308 wrote to memory of 1244	4308	Leihbeib.exe	86
PID 4308 wrote to memory of 1244	4308	Leihbeib.exe	86
PID 4308 wrote to memory of 1244	4308	Leihbeib.exe	86
PID 1244 wrote to memory of 908	1244	Lpnlpnih.exe	87
PID 1244 wrote to memory of 908	1244	Lpnlpnih.exe	87
PID 1244 wrote to memory of 908	1244	Lpnlpnih.exe	87
PID 908 wrote to memory of 1788	908	Lbmhlihl.exe	88
PID 908 wrote to memory of 1788	908	Lbmhlihl.exe	88
PID 908 wrote to memory of 1788	908	Lbmhlihl.exe	88
PID 1788 wrote to memory of 2128	1788	Lekehdgp.exe	89
PID 1788 wrote to memory of 2128	1788	Lekehdgp.exe	89
PID 1788 wrote to memory of 2128	1788	Lekehdgp.exe	89
PID 2128 wrote to memory of 3560	2128	Ligqhc32.exe	90
PID 2128 wrote to memory of 3560	2128	Ligqhc32.exe	90
PID 2128 wrote to memory of 3560	2128	Ligqhc32.exe	90
PID 3560 wrote to memory of 3528	3560	Lpqiemge.exe	91
PID 3560 wrote to memory of 3528	3560	Lpqiemge.exe	91
PID 3560 wrote to memory of 3528	3560	Lpqiemge.exe	91
PID 3528 wrote to memory of 3536	3528	Lfkaag32.exe	92
PID 3528 wrote to memory of 3536	3528	Lfkaag32.exe	92
PID 3528 wrote to memory of 3536	3528	Lfkaag32.exe	92
PID 3536 wrote to memory of 1120	3536	Liimncmf.exe	93
PID 3536 wrote to memory of 1120	3536	Liimncmf.exe	93
PID 3536 wrote to memory of 1120	3536	Liimncmf.exe	93
PID 1120 wrote to memory of 3944	1120	Lpcfkm32.exe	94
PID 1120 wrote to memory of 3944	1120	Lpcfkm32.exe	94
PID 1120 wrote to memory of 3944	1120	Lpcfkm32.exe	94
PID 3944 wrote to memory of 1860	3944	Ldoaklml.exe	95
PID 3944 wrote to memory of 1860	3944	Ldoaklml.exe	95
PID 3944 wrote to memory of 1860	3944	Ldoaklml.exe	95
PID 1860 wrote to memory of 3236	1860	Lepncd32.exe	96
PID 1860 wrote to memory of 3236	1860	Lepncd32.exe	96
PID 1860 wrote to memory of 3236	1860	Lepncd32.exe	96
PID 3236 wrote to memory of 436	3236	Lmgfda32.exe	98
PID 3236 wrote to memory of 436	3236	Lmgfda32.exe	98
PID 3236 wrote to memory of 436	3236	Lmgfda32.exe	98
PID 436 wrote to memory of 1816	436	Lpebpm32.exe	99
PID 436 wrote to memory of 1816	436	Lpebpm32.exe	99
PID 436 wrote to memory of 1816	436	Lpebpm32.exe	99
PID 1816 wrote to memory of 4796	1816	Lbdolh32.exe	100
PID 1816 wrote to memory of 4796	1816	Lbdolh32.exe	100
PID 1816 wrote to memory of 4796	1816	Lbdolh32.exe	100
PID 4796 wrote to memory of 1592	4796	Lingibiq.exe	101
PID 4796 wrote to memory of 1592	4796	Lingibiq.exe	101
PID 4796 wrote to memory of 1592	4796	Lingibiq.exe	101
PID 1592 wrote to memory of 4948	1592	Lllcen32.exe	102
PID 1592 wrote to memory of 4948	1592	Lllcen32.exe	102
PID 1592 wrote to memory of 4948	1592	Lllcen32.exe	102
PID 4948 wrote to memory of 2788	4948	Mdckfk32.exe	103
PID 4948 wrote to memory of 2788	4948	Mdckfk32.exe	103
PID 4948 wrote to memory of 2788	4948	Mdckfk32.exe	103
PID 2788 wrote to memory of 1328	2788	Mbfkbhpa.exe	104
PID 2788 wrote to memory of 1328	2788	Mbfkbhpa.exe	104
PID 2788 wrote to memory of 1328	2788	Mbfkbhpa.exe	104
PID 1328 wrote to memory of 4264	1328	Medgncoe.exe	105
PID 1328 wrote to memory of 4264	1328	Medgncoe.exe	105
PID 1328 wrote to memory of 4264	1328	Medgncoe.exe	105
PID 4264 wrote to memory of 1800	4264	Mlopkm32.exe	106

C:\Users\Admin\AppData\Local\Temp\32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe
"C:\Users\Admin\AppData\Local\Temp\32ec743ce10b8c2dc90556b0516579d244127d51a85c1f9b7f771e0d23a19ca7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\Lbjlfi32.exe
  C:\Windows\system32\Lbjlfi32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\Leihbeib.exe
    C:\Windows\system32\Leihbeib.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\SysWOW64\Lpnlpnih.exe
      C:\Windows\system32\Lpnlpnih.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        31⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        34⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        38⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        44⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        46⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        51⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        58⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        66⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        67⤵
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4368
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        71⤵
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        74⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        76⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        79⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        80⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        84⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        88⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        89⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        92⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        96⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        105⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        116⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        126⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        128⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6156
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6372
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        149⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6900
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 396
        153⤵
        Program crash
        
        PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6948 -ip 6948
1⤵
PID:7012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
64KB

MD5
83c8fcb677565f07264dd3402c06c9cb

SHA1
f8ce43ee5b316a93fb7aa59d7551ca3ca7a099a2

SHA256
f874e6bf04ce108f5979a310dbcf09be8184fa0638dfa5663c8526bab0eb29aa

SHA512
97b09123899bc119a1882c947a28a89da9beffafacd669d1c5097b724940f0bdb93c201ed8198b08aebeeab056d3e02fc0d8285ef46db51e17505155c59a4955

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
438665459d77fdc1aecfbb600b91bffa

SHA1
c4653d35a5ab836e22f6140da29f161c6f0a0358

SHA256
b433030ee1131e15a768de038ed4edc2d2fcbef468f2ab08ef7fed2b6050c99f

SHA512
8eee6612c67d4e3f2ef88685e92a95566cac47f41b9d1761232b77d9412e0fcb0057edf4dd25cc6b1e1b74bcbf70be1a0c99294efac786aaca35425446d148e2

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
399f6cfab6396c9cf81f369f6c5d666e

SHA1
108829addd8b1bdbd170c656239848af4921d59f

SHA256
e9ba191f2222c9ff014cc69c9345ca9c06cc576f75d6eafb40af743e96b75677

SHA512
5886a0b553cb4cd22f3531c685118f149d72e3daea7c8acdb911f8b6184563affcfd70dd304d53a9ff352b80ffd869bf21d04d014dabfa0cd4e639ead5dca14b

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
2809e0215132e40b99d869aaa1120552

SHA1
3c3ee3a4b3331a1ed206f2977d5cb760356daa80

SHA256
8a252aeebd6fd5e738e0269cfbdeb4ea2c0b4015c32f1da0368901a70825f35b

SHA512
ab04b6e2b91f7f9734fb775f43274e2bf5492ddb1d26d67a808167442fdab02964c58def9856c5c1bdd3394a460cc4365a2bf9aa330d0cbff1880386256b7bd5

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
828c239eda6ad57c6aaa8fa66eefba82

SHA1
342c628061d046ec1f5c328e9161091bd6096114

SHA256
423cfdc4ae17d978246e44cf510b581f2af5277bd5dda808804daf0fd7816fc0

SHA512
cb8acf892b9168d7b9179f455892294dac7cc8ab0fbc9b8dd745f3fc8875382e53254cfde63e816b836b61c163194a591246ff9518abd90b834049daba8a2de5

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
f14e1721173b464c1f69df05fd77ddc0

SHA1
6b0c8727b619947affd644bf3db0246d461187d7

SHA256
2a4cc14f179e1f9483a5524e3aa47fa8786ac5bc46749c25451c2e041681315b

SHA512
58f73f10d63a698863c4a9eafe032a970e0abcd151f1bc9c8983d3e894d7da3176ecc42692205fe06f3fe60aaa3d09f665acf3faf563c1537095920f8625613d

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
64KB

MD5
ff5b2638d4f36ca3c7141e752d8b44c6

SHA1
3df4574aac42b7138c0abb97e94f600e6b06dac1

SHA256
383be7b29377f6354b26fe03785693513b0d63bf80a9edb34b505267c16e4c57

SHA512
427b7f93f0f8153024d543e1dc450718bda2a97858a57279a0c199c82fb60910fcc241db1f5649b0a5b3863c800783c327f6e76cd19ffca9db6bf82331209813

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
64KB

MD5
f93ee4099f5f615a9d426c5e79669a3f

SHA1
8e81fc59f38022c3de7c813d45a27433f5b47658

SHA256
f50ad1159e0de13d067afe8d1776465e0ac7f71050c69e83fa883e0a754bd240

SHA512
dce193358cc1149ed9b4962174dfdda97d95a3ec873438f4c5ff453fb9cf75ec26726d2fc96cdf5e398dcc30fa04698e6de8368e84fdb403362796ad7ae852bd

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
64KB

MD5
03062f9b1228869a9aab0dac96518aef

SHA1
58c46cb7bffef6417bd2c63ea9bee9c433996ec7

SHA256
ec0e64070b51a31b9a91b4faed8e27a02a904a155a45f9b0e47a3454dce31f4b

SHA512
b7e625b328de522afe8b4d75e106132ae8177f41a3c16a38f282ae188fe4d283f8dbd3507145237c1321e7cb4d84a114dfb6fd34995aeaac9708cdb6c6ef8904

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
64KB

MD5
1c3fea9c7622c5a4381ed8a164fdd901

SHA1
29d582681d851adf539057a08f64d7554a5c6cc0

SHA256
4adaead64d1eca87e34d255cb5c4439d2112327786c33d28b8ef41d2124caf82

SHA512
f83059dee084231734c3407dcfc81ad7bbbb2c587dbcc179f89ae03eaaf10b89c7ed96b44f8f1f3e9b78c0a98ce0119dda7179315e2dc37b28ee0baffb2779d8

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
64KB

MD5
5af250d6bae1cc02dbe8f6caea737410

SHA1
1ea0a5780af03c14950d01238ad3e522f1a56358

SHA256
285c8676c480962f324480364782095a21ca6b16370eb0a93663491ea912b150

SHA512
0f0752972a53330c213e1a0f2cf7a9e2275d1d1754684610b8343c74a54cf17c411daeabbd2c68e3d1592656f363f5ed2f0d761f85704f05bf2d847365f6ac75

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
64KB

MD5
4a2725c444e1166dc06b79090dae1d7b

SHA1
a8406ef3f8e406a3aafd1af3d8e41cf91162776e

SHA256
645e38373b69da55b022f03146db04a067cc5378d17dae16ffecb211561d8231

SHA512
dfa268bcf6761ed429b1fd6ebea85d7253157836768f183b911e6757e652d9119aa2b84d374b10ff5d3e396b2df5904d22e8035af5ef66accc98c4df922b53b1

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
64KB

MD5
776f10f16a112c35a6105380f87bf24b

SHA1
88dd94b27f588aae183d57e49a0604bf75a25d13

SHA256
0643f1d67f5f7ffde39aa429391d066593687427a4267d71bc33d9489ffba4b4

SHA512
3992b5c3195b6c6799dc5bca604d0bafed9bd3fff5a7eb46b3896c8bff54d8ca9da5a61a1b73e416d5d2407b9d686d4b481fce0ee8abf456863d83500710c4ff

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
64KB

MD5
c918d25820bf7f2020efb41a922530cd

SHA1
52dfe237311c52f8f77e81b00902403f14102df4

SHA256
c1f6986c10da9e5c16324e193a1468461ec08308760ae2eb7eaf372262abfcd9

SHA512
bed693e7ce7d9fa65903eeab9bf4bf04c227eb2b8ce457e9c670dc147fdd66e35eb8fb9ab6fabc2f5ec9577d405ad68a4c4269b860b941754aa96bdeb0e82dbf

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
64KB

MD5
e28e96461c2c0b6ce4c100125496dce9

SHA1
44350bda6ddb7d28276800073cf6eda968e587b9

SHA256
2f52afb07b14733bce180fb806b608d427beb194bf6fae09f986c35617129efe

SHA512
276ce4b830549a08d2546be9a98d1d6a0f45b2ee07a71433c1bfebe3f8d4d9c66ad0a8df6bab816ea286f3f87fdcfc53082023c6bbb0fdf6a3132c5c84b900e2

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
64KB

MD5
09d6e484685b55f16bfa240843aa9152

SHA1
157ced17501308d8c4e81b3a3804d9a3d50a1dec

SHA256
4061fc19a6c8ff92486b6428fe983e95eef15570f0db0763ef0c73eaf2f8c69e

SHA512
5cd14595d53ffd23538999f49515bb5b2981b7861d489946ca69aa55f659b4778f75d039658ac18d76f2460d3a923bb87ce79576a3b9cda3de53632fff9e1634

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
64KB

MD5
13fdf298736131cc1e415900adf99847

SHA1
3ef471f83cb7364b216367afab581a7eaa87aefb

SHA256
d3ea7ed6cfa95f5dd2f3b3f53fdba6f62b2d2089b8ad68c50d23bb044e2ccb4d

SHA512
c00e07ea82870017bed3fd7f9bbd9fca04fa4a4a011e99f770499ad5531bbcf4a18cc2b00f8e8d8b9b20c5a89d8f0ba6b6ba6f04ce588c2943d7e942a54e400d

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
64KB

MD5
3d13737ae5c44fb5c45f84d8399c8fd0

SHA1
feb86b06eacee2c8ea4a1a583f34e97e55bc15cf

SHA256
a1d010eb26106132a78813b39563c6cf13520b89717e2c37bca47ce3d830b617

SHA512
e8ddb81cc186b3b6ea5728f679876b1a8e43ee29a8200df648b76eb8da15457fd9ca6858e644030aaa24a572c99b13da4fd37fb91084996569e496b41d35cb57

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
64KB

MD5
d753150e383ec95ee812e83e1b7a9e5a

SHA1
5d2789dadd78f436b639588f44e954482bccf5cb

SHA256
15b0ff40f6539eedb9eba56072aa8790814a3fec69458805f196438c8137d191

SHA512
b9817742e9e4677c0288e7514755f42d1b06405b8d691f7f204b4a5f257284131f77f325f31906d57a7608cf02fbe8e9399bb4d4ceb9c40898fb87814e1a72f3

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
64KB

MD5
b3d14519236e70803d7bffa245592f43

SHA1
94a7cdfe4fe81e803b913417e8a841cedfe91c14

SHA256
143dc0186394b95dec73ef99441a031f22f124cd8c9d9c4cc73a6365457ca6cf

SHA512
1f2024d86109bf642762c20c4e69d886b1f2b18b7fdc16b7a9791ca8d303a486cf8a259b19c9ceb2f5a46fabbba677390f5a8641e8dc260673c997a14f10601c

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
64KB

MD5
295869daae9da769bb2eb6137dcc2fbb

SHA1
5bd446875049156b58ad278468e99da9e36e98a5

SHA256
c92d2c70d75d88c1254b3995e60fc5e1b501f83295f576b194e781738b66ffc9

SHA512
ebee42491f2eef3bf5c2460b2df279c7557db628107715794aa5f6da7c437e2beaa3826a330b3613630cdc0c57ac350f6091fdaa0aa2530df06c1d22ebe9f2bb

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
64KB

MD5
67c6272a037e74a891d09567787e4be5

SHA1
68ac7c7010b8258a9df282ee1db96fdaadd160d2

SHA256
58de1e899ca7943a2790983c595d93f6a6ac4bbb1104e46089a40606b01d51e8

SHA512
47b8664c0aa0b0646d282d291d6bd0ed6640bd8ea1842c518328a34caa46589f72755022057b901158df7922d6ff66b5784ef703dd46ab52d32ea2daf84540ce

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
64KB

MD5
214a5c4e114039231b7d4423ab7b4ee2

SHA1
45a7f529039bd9f8d9854ea598c50996a132800e

SHA256
fdcdfed4be9c30e9f794f402ca12f842797fccd77a0a6c36a3570a24d6737bd9

SHA512
877cd3b8f4e2f952b3edb750c10dc718ec19a6fa67a5e4e499716fbfb2f269c12b87dc47ab298d318b5eae39699f63b2222fb3c5c2451b67b996d0aa1837014d

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
64KB

MD5
f6a1741aaf932645d28761d677543a93

SHA1
daf94525b011d359c1cdaef73631384dbc1f0e4b

SHA256
688ac2ee1d70c512f99b724ce1532acc2c723e70c7cbe607042433f1c246cbec

SHA512
e8426cdefbc74079e1bb9d6c9c01c55b2982ce303cb0562c3f87e661e9a7cf07452d68056342908893d8c58c921d2e6663495fa6b1d7f5636090452136da94c4

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
64KB

MD5
f5118378f7eeeb98449da70294c8df25

SHA1
69bdd02e299b228a9a746ac7d95e0904508e4493

SHA256
8f4cbd7d62c247b9d67e18282beb1da459972378b19c9d104398713c37f01031

SHA512
7df6522e0b0dce99172f5e01835f0e45a7becf99edd465220ba294f1a3af65c7ad878f11fa0db304ca6802c08b0c3030791b7383b5eb43ed0db686e910821318

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
64KB

MD5
7aa1ae9c001b4056f9b68e6156e98dea

SHA1
488fac94eb2e65d2908e3972e12022458abe6708

SHA256
36e69d2d45876ef136e0fbb75b3745deb91c2b333467d7897582498fd10d19db

SHA512
62578262f9b47f6cb2e0a50fce198e3f870d05f8576014ee25649e47a889e8a770f32170de37bf98cfd2aa1d4fb553dc32da801e3c24aa8af4ee5790098a8e78

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
64KB

MD5
3f6032e2b653f5c2a5395ee57f38db65

SHA1
48bcf0f37fc4c7db384708ed9c3aec83b118368d

SHA256
2fd3dda7d8491ee170dfe9aafb7c17a8e5f21d8c9e78726405ea3356ff080f82

SHA512
3f3858a24d2805c5968dcea1487b1d3cfcec94b4f5a5415353f15a27e910f781bb6c2083fd56b2d33197f025c1c0fc6cc962ec5f64932c03dab60b6ce6c97a06

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
64KB

MD5
9d3e711d2bfdf6761004405b4709dcaf

SHA1
970810be12f5f84ce4230d1ab4db58ed3e05a3d5

SHA256
35d6851848697a0bf89422215d32fc059b438fb0d50dbc633f783b7568ed51c1

SHA512
4a541ff1c98f8aabefb0ea44ea68af3a8ae410afd9174a98a1226c42ce295f1679a912403ef5b1a5662951715e487a4f959c7d3cb80bb88b3cb6ffb8c08447d8

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
64KB

MD5
655e11fa2e8cbf579c3a35cd8b083b0e

SHA1
429443b8fd50c7e9939df76999eecfc22a89484e

SHA256
d601b7e7d698c6db08dd0da311978acf1508f57f5f2f69f04fcdb633ca4c07d2

SHA512
4704767692b9c12baf8d8f25e2dfaea2939887e6114fd443dcb88e481439f23ac9b866556371242ba1dc5b83235f97b6458ad64d4fb413606951fecdbefb6a23

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
64KB

MD5
e41e24e092e4b6bb1dba0912aa25d870

SHA1
84e3d4df50b3c75d90569e8b2e8d575059530ce0

SHA256
8cc1125aebe7a5f398baabd9e67016ff01829908f2ca1f70761fccf251c045c4

SHA512
cc2532c4beaedeacdc0dedca466b307df25a45148a9416b5d428e88ae599ee0a762438cca09e64c1389b55808a7c88dd054c8d00f914e144b5092ab275cd7cd2

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
64KB

MD5
89cd30a34d9f2556b4e68c5af1f0cfa4

SHA1
7467a29e3de2a2c48dbb112244b7201c2b6e6d46

SHA256
7a6acf331483231dd879670dd1add662e48fa04d8db84929669328aa13054bd6

SHA512
40e85ed43ce4e2ec2dacd4203337c7c31a19bbe80e21b17beee38c40eb93f9a83c3e61692b7627a1cce3c947b80438e88c60a93d119c22aba62ac5fc770a141f

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
64KB

MD5
cfb55f54ec7e4e384fbdc0d92738d4c8

SHA1
ab940774640a367af83587094b617fecab03e35c

SHA256
4e7f7d334cd818eedf16d2e86f88700a5237fe2deb0ff4d79c9c00fb03b68a5d

SHA512
021653aef016970a3dad80002faf86010b7ba4d078beb7b809987cfdbb74b79e3a5d3c4a6f5b76bdfe910df0e6959c68be0a03e81bf252e10c6d1d1fb6d603d3

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
64KB

MD5
64c351fa00ca1eb5e29df54cc4eb1ce0

SHA1
657f73bc1f9ac06bf232942b679986bcf80b204e

SHA256
069d41809b07144e020dfd313e5aa9bd06b19d724d4832adc9cbdd3955aae9b4

SHA512
c201946bb61bfc81016f0f63b13010e2c0f1c3e15689b4fbdbc1e092cd0ea0b1ff07fbdb80acd4d14a64c9805eba05f3a160f6bfbbfed0267ce72e65c80f1001

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
64KB

MD5
59e17d174f7ce738bbe06623c5fb97c7

SHA1
aa231ce64480669af535041fb68f17eef05dcfea

SHA256
2eab2159dd13b6cec1f197e85bbf24a0f3b5ec53b0cfcc80e1d3ce0dbb8006ae

SHA512
945a90f4cb4b13d0be787718e7d4bc4de5ea43dc2e601c8c86f9978ce388aa25dcea0616686c239aebc5a9a9c5a4c276c9d099d1d0864960d97e00088e0d2ff1

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
64KB

MD5
f263dacecffc9fa42debfc7501914c1a

SHA1
71ac510f4e343e1dcccf890c3fc473ef5df8c092

SHA256
42d338929727e62a36974c73a33b253bcad80704343210bee79eba3e5ec7f015

SHA512
13116ecff0832cde66a81b7c6b29d60d7970c788e3f6158ba2dc0a5300e82b7f6de92ab9e359a85a546a7db2ea04ba43b3d7ebe4772297b3b1c7e3740de92cfd

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
64KB

MD5
2b5257783701699ccd187a4954825d3d

SHA1
74e1ffd5098ef131be5323107137afff7c3863d6

SHA256
127e7a2cb29b91ceea730ba1efbb72a7a49192f8b94d928c43f72629058500c5

SHA512
6bc3fcc160be9994d577a415f08c90307dec326dff690f74b28b118730abdabded6ab3762e4727500811a58f66c550c4de80e9561009693ec506142e4cae3982

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
64KB

MD5
fa8f995c07362b84a7e8517d68a04e94

SHA1
17a2331f723818422befc8ae8e77da3afaca41e6

SHA256
2a31eef35352fdd740fb12bf1032271991c59db3776d4ed7b94d2ae2c2410104

SHA512
db7b852d6a43243e231ed32d1f9305a40280cddc05b775aad5ad3ceaebe278184156c8c3673c38f9c02ef773678284d90f2ec3ee053f0936bf67e2cdc438fa54

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
64KB

MD5
46b67a75f3be51f81347fcf719749f1e

SHA1
d5b324fcb3e4f2a26ad77f95433d5094f46b4a1c

SHA256
98acb5b67561d272151d25b4b20ab1c367e05bab87cb8c4e3ca2252640dcb195

SHA512
09e1dedefd4683f56142e9814347b61b0c9085330ced415b67a85dfe55e9c7f1e385e75b167a6acaedc51753d68801116ca0f5d3a589068f531bb0a783369429

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
64KB

MD5
f632badb20e26cdf67bfa51d5a6a92a9

SHA1
72e2a50caf7e0ffb79124a8f5c8147002950e06f

SHA256
3d3cbbcab890328ca2ba9b66e0a31b73eb3e0aa82b070b7e2280cf3b73015d15

SHA512
3c8893fd19baedb7bae9c7668647b5e9cb3b3111533824789c89e0eee60c79207d2ac6ecfd462cf14d96089b0845ffb65a5225311a299a7350eb4246d8afc52d

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
64KB

MD5
78a41378259a8753746e8ad86f28eae7

SHA1
160efb99769f8c6ca5f1e9ffdc090e3aed0daf53

SHA256
a95b90becf85e503f7ca8d17212de3b7c07395500ff475e6c2a8f15bbddf5286

SHA512
f69390f107b912c60a20619f7e1fb4249174a51ab1a7c4838c5d53246eb7e2da06c43ef38a18207a5b650ecaf59e2e8eff91092818147528775e1109b2fbabf6

Download Submit
memory/436-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3236-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5240-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads