060177eb2ae3f11c647e0f82bd131769036ff24e634b34ba3e22c2daf06bb553

Analysis

max time kernel
108s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbf31311befa9aa4e633d7c453e9d440N.exe
Size

55KB
MD5

fbf31311befa9aa4e633d7c453e9d440
SHA1

05ef7faae0f03d48eab22c9fa249ea7ce95fabcb
SHA256

060177eb2ae3f11c647e0f82bd131769036ff24e634b34ba3e22c2daf06bb553
SHA512

506a6701c40ffc77b28580e922039365f43ea6030fc892ae419922251df0a256fb7271baa6f2783d4088976c0fc14e2c8395513b8494035d48141013b67aa7ac
SSDEEP

768:kOv+abfPfd0SP2RxpFXyr9HNS2ZAGnGgwgG9R6DR8ImnG3sVeBnU2p/1H57oXdnh:f2aTfdTP2xFXCZZAdl6DOImsU2LZ6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fbf31311befa9aa4e633d7c453e9d440N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe

Executes dropped EXE 64 IoCs

pid	Process
4280	Klqcioba.exe
4112	Kplpjn32.exe
4828	Lffhfh32.exe
3468	Lmppcbjd.exe
4372	Lpnlpnih.exe
2860	Lfhdlh32.exe
3444	Lmbmibhb.exe
1880	Lpqiemge.exe
2332	Lfkaag32.exe
428	Liimncmf.exe
4032	Llgjjnlj.exe
4016	Lgmngglp.exe
3696	Lmgfda32.exe
800	Ldanqkki.exe
1944	Lebkhc32.exe
1220	Lllcen32.exe
4668	Mbfkbhpa.exe
1480	Mipcob32.exe
4808	Mdehlk32.exe
2076	Megdccmb.exe
2240	Mplhql32.exe
1056	Meiaib32.exe
4044	Mmpijp32.exe
4752	Mdjagjco.exe
3284	Melnob32.exe
5016	Mlefklpj.exe
864	Mdmnlj32.exe
5000	Menjdbgj.exe
4316	Mlhbal32.exe
4244	Ndokbi32.exe
524	Nepgjaeg.exe
3208	Nljofl32.exe
3692	Ncdgcf32.exe
3184	Nebdoa32.exe
3776	Nnjlpo32.exe
448	Nphhmj32.exe
2180	Ncfdie32.exe
1976	Neeqea32.exe
2824	Nnlhfn32.exe
212	Ndfqbhia.exe
2500	Ncianepl.exe
4960	Njciko32.exe
640	Nlaegk32.exe
1504	Ndhmhh32.exe
884	Nggjdc32.exe
1752	Nnqbanmo.exe
2320	Oponmilc.exe
4088	Ocnjidkf.exe
4520	Oflgep32.exe
3364	Oncofm32.exe
4768	Odmgcgbi.exe
2464	Ogkcpbam.exe
3132	Ojjolnaq.exe
2376	Opdghh32.exe
4144	Ocbddc32.exe
3292	Ofqpqo32.exe
4508	Onhhamgg.exe
4796	Ocdqjceo.exe
4060	Ofcmfodb.exe
3716	Olmeci32.exe
4788	Ocgmpccl.exe
2808	Ojaelm32.exe
908	Pnlaml32.exe
1192	Pdfjifjo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5248	5864	WerFault.exe	225

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 4280	2336	fbf31311befa9aa4e633d7c453e9d440N.exe	83
PID 2336 wrote to memory of 4280	2336	fbf31311befa9aa4e633d7c453e9d440N.exe	83
PID 2336 wrote to memory of 4280	2336	fbf31311befa9aa4e633d7c453e9d440N.exe	83
PID 4280 wrote to memory of 4112	4280	Klqcioba.exe	84
PID 4280 wrote to memory of 4112	4280	Klqcioba.exe	84
PID 4280 wrote to memory of 4112	4280	Klqcioba.exe	84
PID 4112 wrote to memory of 4828	4112	Kplpjn32.exe	85
PID 4112 wrote to memory of 4828	4112	Kplpjn32.exe	85
PID 4112 wrote to memory of 4828	4112	Kplpjn32.exe	85
PID 4828 wrote to memory of 3468	4828	Lffhfh32.exe	86
PID 4828 wrote to memory of 3468	4828	Lffhfh32.exe	86
PID 4828 wrote to memory of 3468	4828	Lffhfh32.exe	86
PID 3468 wrote to memory of 4372	3468	Lmppcbjd.exe	87
PID 3468 wrote to memory of 4372	3468	Lmppcbjd.exe	87
PID 3468 wrote to memory of 4372	3468	Lmppcbjd.exe	87
PID 4372 wrote to memory of 2860	4372	Lpnlpnih.exe	88
PID 4372 wrote to memory of 2860	4372	Lpnlpnih.exe	88
PID 4372 wrote to memory of 2860	4372	Lpnlpnih.exe	88
PID 2860 wrote to memory of 3444	2860	Lfhdlh32.exe	89
PID 2860 wrote to memory of 3444	2860	Lfhdlh32.exe	89
PID 2860 wrote to memory of 3444	2860	Lfhdlh32.exe	89
PID 3444 wrote to memory of 1880	3444	Lmbmibhb.exe	90
PID 3444 wrote to memory of 1880	3444	Lmbmibhb.exe	90
PID 3444 wrote to memory of 1880	3444	Lmbmibhb.exe	90
PID 1880 wrote to memory of 2332	1880	Lpqiemge.exe	91
PID 1880 wrote to memory of 2332	1880	Lpqiemge.exe	91
PID 1880 wrote to memory of 2332	1880	Lpqiemge.exe	91
PID 2332 wrote to memory of 428	2332	Lfkaag32.exe	92
PID 2332 wrote to memory of 428	2332	Lfkaag32.exe	92
PID 2332 wrote to memory of 428	2332	Lfkaag32.exe	92
PID 428 wrote to memory of 4032	428	Liimncmf.exe	93
PID 428 wrote to memory of 4032	428	Liimncmf.exe	93
PID 428 wrote to memory of 4032	428	Liimncmf.exe	93
PID 4032 wrote to memory of 4016	4032	Llgjjnlj.exe	94
PID 4032 wrote to memory of 4016	4032	Llgjjnlj.exe	94
PID 4032 wrote to memory of 4016	4032	Llgjjnlj.exe	94
PID 4016 wrote to memory of 3696	4016	Lgmngglp.exe	95
PID 4016 wrote to memory of 3696	4016	Lgmngglp.exe	95
PID 4016 wrote to memory of 3696	4016	Lgmngglp.exe	95
PID 3696 wrote to memory of 800	3696	Lmgfda32.exe	96
PID 3696 wrote to memory of 800	3696	Lmgfda32.exe	96
PID 3696 wrote to memory of 800	3696	Lmgfda32.exe	96
PID 800 wrote to memory of 1944	800	Ldanqkki.exe	97
PID 800 wrote to memory of 1944	800	Ldanqkki.exe	97
PID 800 wrote to memory of 1944	800	Ldanqkki.exe	97
PID 1944 wrote to memory of 1220	1944	Lebkhc32.exe	99
PID 1944 wrote to memory of 1220	1944	Lebkhc32.exe	99
PID 1944 wrote to memory of 1220	1944	Lebkhc32.exe	99
PID 1220 wrote to memory of 4668	1220	Lllcen32.exe	100
PID 1220 wrote to memory of 4668	1220	Lllcen32.exe	100
PID 1220 wrote to memory of 4668	1220	Lllcen32.exe	100
PID 4668 wrote to memory of 1480	4668	Mbfkbhpa.exe	101
PID 4668 wrote to memory of 1480	4668	Mbfkbhpa.exe	101
PID 4668 wrote to memory of 1480	4668	Mbfkbhpa.exe	101
PID 1480 wrote to memory of 4808	1480	Mipcob32.exe	103
PID 1480 wrote to memory of 4808	1480	Mipcob32.exe	103
PID 1480 wrote to memory of 4808	1480	Mipcob32.exe	103
PID 4808 wrote to memory of 2076	4808	Mdehlk32.exe	104
PID 4808 wrote to memory of 2076	4808	Mdehlk32.exe	104
PID 4808 wrote to memory of 2076	4808	Mdehlk32.exe	104
PID 2076 wrote to memory of 2240	2076	Megdccmb.exe	105
PID 2076 wrote to memory of 2240	2076	Megdccmb.exe	105
PID 2076 wrote to memory of 2240	2076	Megdccmb.exe	105
PID 2240 wrote to memory of 1056	2240	Mplhql32.exe	106

C:\Users\Admin\AppData\Local\Temp\fbf31311befa9aa4e633d7c453e9d440N.exe
"C:\Users\Admin\AppData\Local\Temp\fbf31311befa9aa4e633d7c453e9d440N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Klqcioba.exe
  C:\Windows\system32\Klqcioba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\Kplpjn32.exe
    C:\Windows\system32\Kplpjn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\Lffhfh32.exe
      C:\Windows\system32\Lffhfh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        25⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        29⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        43⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        47⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        57⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        64⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        66⤵
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        67⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        74⤵
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        78⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        82⤵
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        88⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        89⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        94⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        103⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        105⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        112⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        113⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        115⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        116⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        118⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        123⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        124⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        129⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        134⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        136⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        137⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        141⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 404
        142⤵
        Program crash
        
        PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5864 -ip 5864
1⤵
PID:5160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
55KB

MD5
70005e0198b443e425b832425171c21d

SHA1
055f080c56f8902732d97afc2b1936e76b6437de

SHA256
a820b5b08e53c023275c4790b733b4c5cae4b2ff32043232aa9e9ac9d898a47c

SHA512
142a65aebb16abd2046cc89a7be955afd8fc3409e3cf7ce3e596782ce26d1f591eb4caa95e99f3ae5f4f47cf4907eb84702c52b9da34fa037eed9e5914eba86f

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
55KB

MD5
d6207ae458525030cffd89fc386a5f5a

SHA1
5d0fa2fcf5f638c7131ae6e93a948b6171958bd9

SHA256
16591f5b3056e21c1daf1fb0205bc79f31cccd4ff9a33eee48f42778270bb345

SHA512
81d11d57815f1465b024d3561f37eca3e792500691f66d077294139b78358b1342b6bdc5a06b8dbaf47f1fd739f5c606ba8138d5f6a0140c87210a963890d52e

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
55KB

MD5
1d261a5e856e49beba8588689e90bc8b

SHA1
b931190248777d910aedac0f800f2ac6d852cf05

SHA256
842948789d99212dd03e90734499d094d8b1715892ca71004daa10ffe3753c8b

SHA512
a5050fadb37ecaa2f98b26771630abec70aeea9ea4ff889988cb1d9f3cb14ba1285f7dcffb0006aa4e124904dd86a371f647237f3c5be925ba949c1c8e1b4d66

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
55KB

MD5
11d501db1fe860cf289f1e236ed87b31

SHA1
5257f5d43f7a67bf00cce021390c22bf609779a7

SHA256
385d24275273172aa2443f0a47cb3dd28777d7341d8900acdb46b113d8957ffb

SHA512
5ef81e88f349914a11402faf9a879788460e7e48d79e6cc34526844fc1c825a0bbb6c449ddaaecc63aa0e87cd7489c4843f68d78ea2bf356767b51988896db2b

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
55KB

MD5
dbaa0dee112114edca7975b5e37a3f0e

SHA1
ef5935c57ac32d0147746ffeb78242723b128e75

SHA256
9a4975c02d89ed4ee6f2160670efc121e2a1e33e6335cdb2338ddb2619a42804

SHA512
57591eab4983ab2be53d9ca2bea0b8e2c6f6a901f89dab54bdd51c22933d09043596d575f63bdfbcdde2009798335e2817b128fcf02e936942b2ae088ada6480

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
55KB

MD5
498ba0ae320ec3c6923b573ee2388b4f

SHA1
28b74d0d42965bd5e60c26569a83ecd86fbe5520

SHA256
5ae654c551c2d81ee3bdfd28dfdfa7246c1d4093a867cc25a5476588a0473c13

SHA512
a59d1954d7e3314f837b1c4769683edf02fe5bb9273452c0ba2d71a15e31ae5853a7f1883dd219f1102460160f128bce74a2aa141c1b0fd031c6e56925003788

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
55KB

MD5
00b0911b44a2ff6f44cc28d3cc4b10bd

SHA1
c39f9dd0a8f572c6090224e332079cad39dd280f

SHA256
f2f1b971df07c8440cb4bff2b1357d0b607ca391aac14c82d90682f738d0cdf8

SHA512
aeb4f9723ec2a7715be2bd4e85e1df783f983b8b493b23a237cd962c3f31e7b8c80815547ce92cc1bf53a183482cf97c9615abbb849fbb5efe85abcdc1b078f8

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
55KB

MD5
2d576aa61e4419f7d39476c685673d1b

SHA1
6def4ede03ed5d5d9fa9f23d4be15deb563863af

SHA256
58eeca35ea2ca9df75567f7bf2139063d73e9322f5afad7ee71a2ee10686f0f5

SHA512
d61d235b3669994dd2c8dfe2a5f802bbd5ee36901c837210e5381870ed2e16bf7aea6602c89185e8f206d064633c7cfeabeaca8df8dc928d8fe421a1a3094aea

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
55KB

MD5
7507de61f4274776ff7877398e87b0da

SHA1
ec8d8b4f4562d2b42a72deb998c542eb46f3cc0e

SHA256
87d8390d9fc91fef5888dfa0b79bd0bdff1d627c6cda647a3d553dd32a744d81

SHA512
d4fde92f5e1f619de26df82735a03be63ab1d887ed3afab5f11af42db2449822df105291f615db2c86da3010cbc2f4a6f41b751abe5b60a30cea6b15c54d5a39

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
55KB

MD5
0b384039b87bac1bafdaecf5343b7023

SHA1
b5feeb9a093319845163ac0dd1126e8a8e7a84a3

SHA256
94d9195907543c9593d06635beb9df8e3850e29609926b272c54f8deabcd3c0a

SHA512
e979cd388f3e2cdefe37fe4cd17277af82ccaf05a5bef4c0f26a5d3f6d027b24a388f37ba454441ecad9b30c8a4c03bfe4e89c9f3bf6354013cc2389cfe2484b

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
55KB

MD5
5340d4caa5effcb25588f77cd1700f58

SHA1
03d4c0461fc4237f873ffe57ff2b117cf0e3bfca

SHA256
e15270bb3018d60908d2df71a239a65ff5304ce7d69ff63fd07bc3535d93eb9e

SHA512
9107857fc2ea78e6603ca364979a901c81f44a07a3ac0df0c50439652e40092402459512e9e1a59422417bffa7f2636b4f26a91b53a4fe58e058b6d1f275cf1f

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
55KB

MD5
4286671d366c0135c22c4338b4bfd8af

SHA1
68d8cdb4e1bdd5eeaf7b113a51e88b0d0fe5522c

SHA256
ed7418552fcbcd7b53716eb88855679633f750b6df16e58ca91b6834e7dd0f69

SHA512
3d845f7b5de02f4380833e512f1e1443f69da8779121de4861612e5546df8dba912f118fc6362e20c92f87b6e59ada0dc7456128ae126263e37b94ec86d80f7c

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
55KB

MD5
f71b151ec4ff58217684fe06627f7321

SHA1
8add83f2c6ce01b21c0b7ac2ae4983df41caa655

SHA256
874cdf6e99c147552a8011706ebf87117f3689ae6b366d699866d380c16b500c

SHA512
42f55fcf3723757546c76dfb4b3d4e84629fb968f0e4824a62510593cb2b41a4209bcf8df8e1b2c937cf653d7381eaa808fc822b20502d400af17bdddb04b319

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
55KB

MD5
ac636caad17d532610c1921ae70faaf4

SHA1
e4c10214ffd1efd8d2a33b0a87e134728814f42f

SHA256
16bb59416778eee490da94a4b2db215e550bc8c4c79588ee7a5c1fc0265d105f

SHA512
c9070ed86d4e64d7983f707b2c571a778df638746de50db44be6f7acc68c2d3c1f73d7f65b7349432ce220b6f4571d1aa0084c550c10063b2cd5a7bf87dbd078

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
55KB

MD5
911f84e565e9bf6e0a7e70f1c55b11ed

SHA1
178ba926b898c97afa0288702855d5a5f1ff1d47

SHA256
b1d45ac8d30864f08e7dc4e7c05dcf1157a031d903cece2bfb85de21e4d406da

SHA512
d2ef2f36242c81ce951e588450676d11889806980459730c9fe1bb385e3440f45e47dcfb25aa3c3916bce3d533b19011e4f2edfdf83d6345fbddb154c27b7c49

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
55KB

MD5
38cb238a6b49a65e44bc6ed4202f5ea1

SHA1
fdf9c4a1a24bbbae37c7c26883b6d9d866fd082a

SHA256
307d5b918637f09feed316c273a8c3a8694c33f08c68a811c9dd7d4124b35db7

SHA512
f5fd300339c1b4d5eb93f7cb49f1d89bb07c0ecb980cab62502c3ac3341684b6e7883b586b43b13aa14a329040e2369e1b877be3f4bd12377731b385ecd5c7ce

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
55KB

MD5
391e17192036faca05aa526d64f4eb95

SHA1
ff3f157737a1473c5157fc4c43ba2da9b0c663f6

SHA256
10e3174aa04c2c17f258f2a8708d377367da276dd1d67c40a882e23cebc94548

SHA512
959538c3236d7aff1f08e88c2e84c621c206eea67419b375daa5a67937e9ced93138e559583c185362b39f3d95b767310079ae0ce1a4025eb019a68564b65dbf

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
55KB

MD5
aff55394894e48eb55c20e34c4708779

SHA1
5c59c5aeaa51df5be3c74344ba13868cf814ca5d

SHA256
803ec5b43333274d6445bb3283a72bfaeb4884305bad0e672bd7642733570aad

SHA512
4bf57585416c0a3da6067e7ac5120a34e6c9e25e0ecbeeb97d33e0c60040af6fa36e13e887fad29c7762c344c397f293df51928fafb5aa7f56450dbf57eeaa6b

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
55KB

MD5
e556499ad4b1672029a647ef894fc491

SHA1
30a4e9f428bb0839d6b19b68867a015d1d131907

SHA256
2c1bc081883263ec8ab1396aae464fc629f87ebd846d7a6f2ea05ff83e1b7998

SHA512
9565acaf5d11f3e82e7ddaa0bc376347aca3b701f8fb87bd5167cbcfb4358d97fc1231ec35bb901fa8e4f4d77bb226bc680b719adefbe864dbca02f7567faa28

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
55KB

MD5
dabf71e296b3658cc0489f501db365ab

SHA1
faf5d55154a24b86d9f5e38195ea266b350c2628

SHA256
843ac339e279dddc2511d51a1febe47f5a816ee0ed3b871912e582a99d8bd9b3

SHA512
6fc7898595787f6cc79b3b6d534df9ab19617b35bec3f93d7832176cd53d4d007eedf7c1517ecdf6d1c0f045cb1e5636bf0a25678aa3ba91380f3b430a469091

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
55KB

MD5
885928c4188ab549e13800b2f497e6f5

SHA1
d9c011933c60cb492526ff28cb4a777dd2c8bb8c

SHA256
78ffc3027d618c37f92c1bad10b8f8326b3bab9964abb0e859ad568a9aae47f2

SHA512
bd8090bcdf96c782ff3f6bdf4ef77638ab21180bcc591cacb095f7fd4af7057ce7c7c9ab179806a9a06a381c2a1a05899cc15f9acc6535d98553c962e92884fc

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
55KB

MD5
df1df20d8d39d496173b68e50e5b3609

SHA1
a7db536947dfe3c533e3d7bed5e6b59b2808d5ec

SHA256
1a1b9e0a8467697147ed3e38cabec7ab63af7cd790a8af2e3b46743d452f4d44

SHA512
9041740e64a85d07c8985206407241fa0b09c38e85aeb8ce8150d1b61bacf86e19b7147342bf8477de29ff23629a01d6d3e2dfc88daca888a8e8c688382628ff

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
55KB

MD5
ad5320fd44f2a450e1ed6ccbb75eb6f8

SHA1
2c55afe4b5db0460a65a4379f40b5c666f8c49f4

SHA256
5d5e1b2911239c57e37be91a1e517e993abd67780307fb8da16fa2d4e64c4079

SHA512
ed17df3f483c9ce87f6aa9a7953405658bc71bdf5ad7d2fccec5a7eaa1c133f231d9e4fd83171a0a3a217aaa933efd64b08f45cbed90315c01c4b8ddf55b1cf8

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
55KB

MD5
82adfd056b4c626ea9a12a8a02d22f15

SHA1
1ed395a8ba6b28becb2845607198a702231f7334

SHA256
045a2d2fc646516f4276e3d616c9375c6d716844e713cd72f765bfdbb131b11c

SHA512
ad48e85a62d9269147243b548a9f69ec545dc0633f6471750f3af6e9e14fad5c51f68d730392e9af9ad241b464d19e9921f26f27e4903b57f6e30c4cc5aad83c

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
55KB

MD5
3e1e4a7039c41ca3fb6539f8107d0bff

SHA1
b7db273e2af580a6a6c251ed626f71f49c7e2d48

SHA256
349c3b55165689b41db07d30e32f52ad7d4b119f8b769cf62f9b33b8de1080d2

SHA512
306a5cd3ad44c0dd8842338e863a97fa4b7871a8a0d9723a99b7df72ea38695ccfbd7864cbb6d60760645fb24272a06a44a43be7032ebb5f2bf2c11731430fc5

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
55KB

MD5
46719451e3b2d2344378ea80e43459b2

SHA1
424780e5142c8be36cd4c1662b2f9a729a02a8da

SHA256
1aff101aa748f04ba5f984fa7f50722e91d8d75d56ffefcfcbc85e69caa78b79

SHA512
6aca67639c988c64be8f4d0135da637ee507e793ad927916e8330d8ad5e7870737ea4d80b037fe1ceb28fba036d1e0f4c4589281fadf5e74ac402e49e4dd3e9f

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
55KB

MD5
0e3509d82b34d83d08e14033ef876860

SHA1
ec80864bcf8efd88a53ca4e251a0f706fee89354

SHA256
ce93bb832c9ba14cc4058e031b0bef953a846b79ef38d7ae2df2d5d15d5dae2a

SHA512
b3606c8204e085fdd89dd5cac719469fd53541da95fed0682912cd0efc4577cb97a0a12b0956c85c9dc40659e064c0c5d165fb00f732326f8031f21b9a5b2371

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
55KB

MD5
7cd53a14527adddb16ce66b573f75f18

SHA1
f7d9f382834be6bd61f7fbf5c5663ba00c448b14

SHA256
d096981cb1b9acfbc9eaf2602e14d27a4ce463b830f754e8e574ea13f5883fcf

SHA512
8aac7e7446b09055d55a829a942a2966c9429bf24da3a1613534dc3a5ae33d2e3df77a9068baf530c06b8470fde9feb1951fd304953a660f450e7c2e2f7fb41f

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
55KB

MD5
5f8b8ecbb1777f46826fec83e51924a4

SHA1
96263da7faf880df803f68e66197124be428640d

SHA256
d4db1f13b3237d7dda6c4981df4cadb6be2b6cce38e0f793dd1ce95f9a5c9b79

SHA512
2d355cefbe555a1d2ce2f42b7e07147ae352fdc83409cbff309fe8179982b84eb3c4cc37ffdc2577346120adad415121141953a1a36b90e02e5b8c901d98490b

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
55KB

MD5
56e000642fab02faff05c02993958101

SHA1
09ad3be0af31787221986e21e0207b1cb732a6ed

SHA256
35e52df9d3986c8d13a38f5592127e2d346bcbe270b36e0a3c142d1e0799e9e0

SHA512
332d638504df0a6887dd6d41aad2305683c884d6a33e08a2d71f4ed00620dbc28abac379c24a476eca306db737bdd4369efe1b050eded0b8fb7eafc9e19a7958

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
55KB

MD5
67faf4a8a4dfe488348faa9d76b8c1de

SHA1
e369d34dc6d06b0fb6fa0a6d5eb7123c0aa6ab84

SHA256
09eba89dee682a00739ca35c6cc75fc07115c09c3afb90665e2b279f89d934e8

SHA512
8f74f9ea42a16fa47b4877cffc5e6ec3201ba2bfa862c7d9ecf02318f5bea3d66d62bbca4c98d5a2fb645f89548932ca48c8a4309c64d6041734c1a75708e12a

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
55KB

MD5
ebd839865dbb2f11dfc2b83e9e1f0203

SHA1
370f213ab4290f176c45be7f9e9974dc398ad4c1

SHA256
f6eb135e2fe204179ac8069e3d4d42b52f2616ada7b7b975eb50a13290f21d63

SHA512
944e4ae1cddd942966359318ef4d9673a4770a8f959ed218ac8a6a07016eb70fcb3136e310f92a368262fa40d902ba1e7ef5dab851521d0bc9abe9f7dc5b09aa

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
55KB

MD5
2b81b7acdf7146a2eb9a738cb3554d80

SHA1
93b1684e15890a81c10c60222297cdf0790c8d6f

SHA256
380ee2376e6ff6841025dffe3d0c8ed52fb7f211141c9c1542e0698f54cec9f0

SHA512
7307239e71b3568eb91e7aa2e2cbc987e587a5d5ac8c868674e09365b3acf06ff0576c3b1dd868903ad4ba93e295b32f3ec73072160d1595f039407fbaef05e6

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
55KB

MD5
252be872b3342bae9cdf7b73b200aa25

SHA1
1f141c2f38b1ac89b385d5ed08cf63fc6576cc59

SHA256
30db16dff9fa0d6251b4ee72dc86329fd8196ed4a39eeb00510b5571622a7ce4

SHA512
0c188b8490c4291c7c3029236e6282b1a4b9c5ec98a2c605c6afd857c5c26fc374bc6bc8ab57408a288c001873a6f08d77d7c1614b893d53f38bbf5e49e76df2

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
55KB

MD5
2e33a8b534c5b28a67f976b91c6bc70d

SHA1
838c2fce7b3dc4d18c986e8518998c345faf3358

SHA256
326540942cfd2b55dc9159601bb9e9af4ede7cf25b3df1fe4eddbfe1852d4b24

SHA512
0943cce28e5328fadc9513ab135e41ef7d6af550c003d6e091977437a67952325dde8666308fe2bc39ab5cab404e8cb80fb274c2d00998c2d126d9025f00e2ab

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
55KB

MD5
953644b163c22f9f9f49c8e99d26e895

SHA1
d734c0abf98ecfdeae73ffceb0e6dcb8657cda32

SHA256
9fe9fcddd60cc3e94cfa4ed4452b03b374cd1338187a82423b320128acf16c5c

SHA512
b7a25817d95a5f4f783e0ff0966528a9a5a5a8b6f69d35312025a2add36b861d15f4ac93bb3028553b1feb8f7e68181502c9be1038364f5bdd5637a5be217179

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
55KB

MD5
192d6f383ae436375853bc6071845999

SHA1
6fde2de7e2b7159137303708c20bdf76d2788e54

SHA256
4dc85e697105eb99d4654b24b2413b40bce807bcb3a217367c3c3e491911a086

SHA512
a855900910ed6da705dda77b91011106124205ab7e0d9c8021ab543ff7e3b4624bf2a2f5c026789a32a32996fc13d23bb616c0e1d1c36e35f08919f30096a730

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
55KB

MD5
17a1df4522a76957cdb130f2f7dcbc54

SHA1
98bec7dc3276678f985ed35aa0f9304274719b68

SHA256
8bebaeeb44e4c357103dbd02efdad1388693aa7524db124edd4682332976c492

SHA512
481878d38f135e0911342cabb8ce607419cf0b31d4421652191f379bef719c45e440deb6f3542bd0b06e6ff1ece9bc56764f47cc18e2c96880f2a585ce34514f

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
55KB

MD5
9bb2cba728b5acdda3728d38089e650f

SHA1
3d5b6d4e7f11bb46e974a29eea0f823403071279

SHA256
a90e8324d9e686752ea3b4ad18452d13116258df40a290b374bacb26c7b7f4b4

SHA512
58e392215f693559360c572841bf0fe28f44da9d2e86b896511d4a22b94acbaf25a3d2f331c6dfdcdf6e9761583a49f32bc3f2d5fb6d3f47e71974dad9eaa3b1

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
55KB

MD5
c6768de591ca3bf7aca66df706a82cb9

SHA1
aec8e837d3cd303e4990436d17049e2e0c11da1d

SHA256
7ccfb402e1da2d1c5305ac476583e46fac397dbbc306b574b80949201d71b2d8

SHA512
46a7e28d93c573f37589cb74172f402235723c68880573e7cf7f4f343161984a4d344b40cff62d4b4f87a3631602dcc0fac7f4f2c647f202d2e4d583bdc9b41e

Download Submit
memory/212-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/524-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2336-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads