8fc90034ef4fba31261b641e5ae5815bf8af5d82d6045715497ffe7378b43450

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb2c8da06386bdb0ea8ce55bfc0708e0N.exe
Size

57KB
MD5

cb2c8da06386bdb0ea8ce55bfc0708e0
SHA1

752da87a99024c6d3aba932c5a9109503ad99f0f
SHA256

8fc90034ef4fba31261b641e5ae5815bf8af5d82d6045715497ffe7378b43450
SHA512

e31cb1dd6ff3db75fee9c6f276e1af86af22d47a6d241599cdb4272e5104562be818db798fa5326ea1d6b54b045886487b8ca0112ebef1324caca066f9824ab6
SSDEEP

768:BstuxUOPHz7y1IKhDj7k4ALhImYrH9g63KkXOgiSi+uUFZ7nhJY8CoHHHHHHHwhr:G8xU6azhLJchImYjGNOiSixUH7nHZcG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe

Executes dropped EXE 64 IoCs

pid	Process
2916	Klgqcqkl.exe
4264	Kdnidn32.exe
2728	Kepelfam.exe
1356	Kmfmmcbo.exe
816	Kdqejn32.exe
3476	Kebbafoj.exe
4168	Kmijbcpl.exe
416	Kpgfooop.exe
1800	Kbfbkj32.exe
540	Kedoge32.exe
4248	Kmkfhc32.exe
4088	Klngdpdd.exe
3444	Kdeoemeg.exe
3676	Kibgmdcn.exe
2508	Kmncnb32.exe
1308	Kdgljmcd.exe
1516	Lbjlfi32.exe
1532	Liddbc32.exe
3712	Llcpoo32.exe
4500	Lbmhlihl.exe
4836	Lfhdlh32.exe
980	Ligqhc32.exe
1408	Llemdo32.exe
4872	Lboeaifi.exe
3620	Lfkaag32.exe
4640	Liimncmf.exe
4676	Lpcfkm32.exe
3652	Lgmngglp.exe
208	Likjcbkc.exe
3048	Lebkhc32.exe
372	Lllcen32.exe
3320	Mdckfk32.exe
4420	Mgagbf32.exe
2060	Mmlpoqpg.exe
2424	Mpjlklok.exe
1204	Mdehlk32.exe
1956	Mgddhf32.exe
3392	Mibpda32.exe
3780	Mlampmdo.exe
3372	Mdhdajea.exe
1364	Mgfqmfde.exe
1084	Miemjaci.exe
3692	Mlcifmbl.exe
3700	Mdjagjco.exe
4084	Mgimcebb.exe
3164	Melnob32.exe
1876	Mlefklpj.exe
1752	Mdmnlj32.exe
3052	Mcpnhfhf.exe
2172	Menjdbgj.exe
2544	Mnebeogl.exe
1368	Npcoakfp.exe
4568	Ncbknfed.exe
4356	Nilcjp32.exe
4632	Nljofl32.exe
4436	Ndaggimg.exe
2884	Nebdoa32.exe
3980	Njnpppkn.exe
3860	Nphhmj32.exe
3956	Ngbpidjh.exe
3720	Neeqea32.exe
2456	Nloiakho.exe
2904	Ndfqbhia.exe
8	Ngdmod32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Miemjaci.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6240	5052	WerFault.exe	255

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2916	2908	cb2c8da06386bdb0ea8ce55bfc0708e0N.exe	83
PID 2908 wrote to memory of 2916	2908	cb2c8da06386bdb0ea8ce55bfc0708e0N.exe	83
PID 2908 wrote to memory of 2916	2908	cb2c8da06386bdb0ea8ce55bfc0708e0N.exe	83
PID 2916 wrote to memory of 4264	2916	Klgqcqkl.exe	84
PID 2916 wrote to memory of 4264	2916	Klgqcqkl.exe	84
PID 2916 wrote to memory of 4264	2916	Klgqcqkl.exe	84
PID 4264 wrote to memory of 2728	4264	Kdnidn32.exe	85
PID 4264 wrote to memory of 2728	4264	Kdnidn32.exe	85
PID 4264 wrote to memory of 2728	4264	Kdnidn32.exe	85
PID 2728 wrote to memory of 1356	2728	Kepelfam.exe	86
PID 2728 wrote to memory of 1356	2728	Kepelfam.exe	86
PID 2728 wrote to memory of 1356	2728	Kepelfam.exe	86
PID 1356 wrote to memory of 816	1356	Kmfmmcbo.exe	88
PID 1356 wrote to memory of 816	1356	Kmfmmcbo.exe	88
PID 1356 wrote to memory of 816	1356	Kmfmmcbo.exe	88
PID 816 wrote to memory of 3476	816	Kdqejn32.exe	89
PID 816 wrote to memory of 3476	816	Kdqejn32.exe	89
PID 816 wrote to memory of 3476	816	Kdqejn32.exe	89
PID 3476 wrote to memory of 4168	3476	Kebbafoj.exe	90
PID 3476 wrote to memory of 4168	3476	Kebbafoj.exe	90
PID 3476 wrote to memory of 4168	3476	Kebbafoj.exe	90
PID 4168 wrote to memory of 416	4168	Kmijbcpl.exe	91
PID 4168 wrote to memory of 416	4168	Kmijbcpl.exe	91
PID 4168 wrote to memory of 416	4168	Kmijbcpl.exe	91
PID 416 wrote to memory of 1800	416	Kpgfooop.exe	93
PID 416 wrote to memory of 1800	416	Kpgfooop.exe	93
PID 416 wrote to memory of 1800	416	Kpgfooop.exe	93
PID 1800 wrote to memory of 540	1800	Kbfbkj32.exe	94
PID 1800 wrote to memory of 540	1800	Kbfbkj32.exe	94
PID 1800 wrote to memory of 540	1800	Kbfbkj32.exe	94
PID 540 wrote to memory of 4248	540	Kedoge32.exe	95
PID 540 wrote to memory of 4248	540	Kedoge32.exe	95
PID 540 wrote to memory of 4248	540	Kedoge32.exe	95
PID 4248 wrote to memory of 4088	4248	Kmkfhc32.exe	96
PID 4248 wrote to memory of 4088	4248	Kmkfhc32.exe	96
PID 4248 wrote to memory of 4088	4248	Kmkfhc32.exe	96
PID 4088 wrote to memory of 3444	4088	Klngdpdd.exe	97
PID 4088 wrote to memory of 3444	4088	Klngdpdd.exe	97
PID 4088 wrote to memory of 3444	4088	Klngdpdd.exe	97
PID 3444 wrote to memory of 3676	3444	Kdeoemeg.exe	99
PID 3444 wrote to memory of 3676	3444	Kdeoemeg.exe	99
PID 3444 wrote to memory of 3676	3444	Kdeoemeg.exe	99
PID 3676 wrote to memory of 2508	3676	Kibgmdcn.exe	100
PID 3676 wrote to memory of 2508	3676	Kibgmdcn.exe	100
PID 3676 wrote to memory of 2508	3676	Kibgmdcn.exe	100
PID 2508 wrote to memory of 1308	2508	Kmncnb32.exe	101
PID 2508 wrote to memory of 1308	2508	Kmncnb32.exe	101
PID 2508 wrote to memory of 1308	2508	Kmncnb32.exe	101
PID 1308 wrote to memory of 1516	1308	Kdgljmcd.exe	102
PID 1308 wrote to memory of 1516	1308	Kdgljmcd.exe	102
PID 1308 wrote to memory of 1516	1308	Kdgljmcd.exe	102
PID 1516 wrote to memory of 1532	1516	Lbjlfi32.exe	103
PID 1516 wrote to memory of 1532	1516	Lbjlfi32.exe	103
PID 1516 wrote to memory of 1532	1516	Lbjlfi32.exe	103
PID 1532 wrote to memory of 3712	1532	Liddbc32.exe	104
PID 1532 wrote to memory of 3712	1532	Liddbc32.exe	104
PID 1532 wrote to memory of 3712	1532	Liddbc32.exe	104
PID 3712 wrote to memory of 4500	3712	Llcpoo32.exe	105
PID 3712 wrote to memory of 4500	3712	Llcpoo32.exe	105
PID 3712 wrote to memory of 4500	3712	Llcpoo32.exe	105
PID 4500 wrote to memory of 4836	4500	Lbmhlihl.exe	106
PID 4500 wrote to memory of 4836	4500	Lbmhlihl.exe	106
PID 4500 wrote to memory of 4836	4500	Lbmhlihl.exe	106
PID 4836 wrote to memory of 980	4836	Lfhdlh32.exe	107

C:\Users\Admin\AppData\Local\Temp\cb2c8da06386bdb0ea8ce55bfc0708e0N.exe
"C:\Users\Admin\AppData\Local\Temp\cb2c8da06386bdb0ea8ce55bfc0708e0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\Klgqcqkl.exe
  C:\Windows\system32\Klgqcqkl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\Kdnidn32.exe
    C:\Windows\system32\Kdnidn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\Kepelfam.exe
      C:\Windows\system32\Kepelfam.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        42⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        49⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        56⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        58⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        64⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        67⤵
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        69⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3332
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        73⤵
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        74⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        78⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        81⤵
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        85⤵
        
        PID:472
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        89⤵
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        102⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        103⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        111⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        116⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        120⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        122⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        125⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        128⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        129⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        135⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        137⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        138⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        145⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        148⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        149⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        152⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        156⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6764
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6936
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        165⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7164
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        167⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 408
        168⤵
        Program crash
        
        PID:6240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5052 -ip 5052
1⤵
PID:6224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
57KB

MD5
4dc4e1fa3a7223760cdaaebf77b1ba5a

SHA1
b1e7ee491de230aaa445715a29438f22f0e621ea

SHA256
2fd8f923a08e7e855962dee8d9eb9f5120c87b6d40641567cc8359b06e32c380

SHA512
a2200964477f905c75afcd61d2cc445bfc93dbd630b568187cfec7fb62cf5cce7e202a4d336530f464178cb585a253f5a1cf363e35e53f7fd06d5a9f53f37216

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
57KB

MD5
52d8373dc604ecc3108e80bff00304f6

SHA1
4e4a8f7cd3066403728bcdeefac708a43d60be5e

SHA256
bd60c785a0089eda4dc286c6dc6cba3355aa7f887225b071519f5672eea920ed

SHA512
addb1fc0b4d90f8444f902034ebbdaa91abc9041116d461d6c4fa597f2f9d43f122d9f1825802701f2cb901ce565b38b98b330121f15e5742b2bd4124f42ea30

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
57KB

MD5
ac34b80e59c1bb1d25266ed6f81756db

SHA1
1131278d580d7d289d10a946e33407bdf14bcbda

SHA256
62c52133ddb5eef87d06e2b337642404a5918173b3f9a4e53d4f3a6966f0694e

SHA512
89e1057b5d413c41e705d9c35df1088a364a8d26d2051304a3c1e2537a93ed335b4bbda84896d77c1746c1293c53e990332d6ea229e34529e04e1cab28f2634f

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
57KB

MD5
00df3981f74c686088c7517895007737

SHA1
ddcb90a250221aaae35bcde6d948cb5aeab78b8e

SHA256
ca610fa565f30eb09e3415b9e38adb71f5d7705093eb5b9b37c8147d13c28365

SHA512
e1db2b9273d3cc918dcc00456883dbf37a0900add461df119b3c02800054de4eb4aa8b27f26fc49040f7f6a9a20a73f540578794b87ff16133a73fced9b010c6

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
57KB

MD5
76992bb157c31a68080f18ee7fa73e58

SHA1
eaa14f58e5a5a9178f38d992f3b4e7f9203cabc6

SHA256
53677a5842f38604dda1f8b16426b08dd09d968e233b21e5827ab79155df4ca9

SHA512
eb184f5677db6d171372a37379f54d8184fe3e364beb06c0852af35f24f9d8dd621ba1fdd09d5d586460779f2347e9c01f4786b7e63c2b6faa7289c13762a61e

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
57KB

MD5
ed13adaa1e73a6abe83fcef418083102

SHA1
76941c3c287c2cd893dd7bcd71a6fcd6ec4b0982

SHA256
0acd05c1ab93802a49d7673d5fc63656c373dbce8931628570206736472101ef

SHA512
6167a165d2704562835326fe0a87db11a776e993817f43582c8fb935587821bab1a9d5f4dd7fbb246c366dac992915fd0396101e88c65cc610efa35746cdef6c

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
57KB

MD5
d3db28de07d537ae623314e487a76dff

SHA1
6c454852a3f1b72fe4c945a8663d95784ee7e3e3

SHA256
624528f6b8bf8ba59f826dbc099f4cb7c731acfe5d5ee1c27c7a446c50779158

SHA512
dbe748608942fa2cf3d9f3b3f43c6b1166b20b5e6cdaed4fac7ee8a7439ae41d5212ef700a67651952a9f110df49d4c8a66f8a7f3769c342f0bb4e72903774dc

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
57KB

MD5
6197920ccd83d2adafa4407f1a8fe305

SHA1
356a78f4bcc90897c9151360a92af198a4c9ab81

SHA256
f4dfa32788d9d70a96806f55a9f41ca2a5e878bed2c329cf7176e7ff407d7b4a

SHA512
61e027363f40dd7cd8ca6155763a67328303888f491e2825cd68158ff486bf7774882421051afc66c33d5cd62c08ab459c3f22397900862d1645903fba05ee24

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
57KB

MD5
d009e36ea2ce1a35f1d4533c2ba6573d

SHA1
39bb2eae882edafd06ee2066a381ccabb8a46ca4

SHA256
7397835c1952c23535ac2cd2c4dc4331daae79378581ee9b2a384480bfb928b1

SHA512
f8e73b7e7f28f88e6b8746811d8f2088c7879045cda0fe1461243595c5d6681eb4e9c0915b8d0c278db0cfb745c4b8bdd56468cbee9dc8fdb5e5a89699718ef2

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
57KB

MD5
841d51c8cb3a3516191fe59c76a8d234

SHA1
c2c9750bfde166ca1614011c8d5a02540bff12da

SHA256
f05a51d3d3f876ab484212442aba2ca8ceff148cec1fc1b24bb4228086c780d2

SHA512
25cbb3142a3526861d714e045bc9db03740954c6c659c46f244b0fe393e0d89acea591433896eb3db79734b89b94d02ba42d8651ec7fdca6d1f5c74442120afd

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
57KB

MD5
e09cf9e635786b7de4770ce4c6608bc8

SHA1
1039595105829c61ab0eb7691bbd1ed476a93bfb

SHA256
0cec1460dfc41c50d04f775904c492e69ea1f124bca233d8c02cd3a56b31d1bc

SHA512
205d5b91f2c3203012433a8da40e2f496265e1ccdb22c3ab1b4beebc82af94fa0643d312875f6e15b44687d1ec4ea78fd810206514227730692ef59280d259c1

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
57KB

MD5
f296f9908263408fcf213488d3cb3fb1

SHA1
2516e3a86687654b92b9e32891a2bdfb2b25b468

SHA256
2f6baa94d04a1eb45d8f7246d062e60f17a6700cb5fc5c568f4d50e5778182cf

SHA512
1d0cba78c3115a72f4a1c1b220df9c645a0fd97b8238a507ce3ea8cc8f56380052c6e942541649abc6cf7502b6217d52154f4fc4a6dd7383a0b7a4f9bca0414b

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
57KB

MD5
601da0697e54d1f608d5aa93ff5b880c

SHA1
3e3dafdda5014f6638d901d4bef8c171739fa8a5

SHA256
75103032d9d6c40883704603f4bb5934eb325d46b5ee605e7548be24e6f56534

SHA512
bf374112a95558d6aa3fd5d949e341262149568db13b4764c8ee8c3f71233296aa39f3d295e9b0dfb7b0e9ff0ba7fa3a15b0308a081fa0448116b4e813ee159b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
57KB

MD5
3d82c6d0092a42f9d315ea35e520921f

SHA1
10e80299e9a1f567ef7e6fc72e45b41dce14a254

SHA256
60ae139c0adef6961609b9758f78b51f9db5f1b866bfcf1df61caabc1a5f1d33

SHA512
837ede393ac02fd2e9ae69047456bf24a574aa79b361d45a9916a5895cc2f81f95077397632e7517a890e0546b8500e4122ff54626810df8ab84c27bc45a4dda

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
57KB

MD5
0c19ba3440121a54c1de789ba4e0073d

SHA1
fec9e4b52500a37ecbf71643019a7f199707e820

SHA256
153341d0d3b80fd8124ca2836d7184457f4f8fce1a95595dbc6fefc07d3bb0fa

SHA512
12ce53ab32a39dd7d0179c536b9231d2ecabf12bc5cf9e0bed33050417833d230541babb7cd52c4ebb5fd09d0fe9875a3813b7713095eedaf7d1bcaa6ce973c8

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
57KB

MD5
f8a7cc6ef7d9c2b6d07bf5c4422957b7

SHA1
6a6d5866ac98aed5a09745a77a20ad3ebede77cb

SHA256
6221d55c5c77008caf3b9211b9e2866410db23731a61df5cc50e633d26ca6604

SHA512
09767fb38e3c142b5f0c359755bf8f90f7872481230360871ea6cdf97275ebe979803b18e8e0405b4478407de4c490b2dc0699c1e426a02c3a69afe078728306

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
57KB

MD5
f3bad8dfc4ae72f21b1d606d51c3c02d

SHA1
ffe6c2bb6ee8f67a9dd7964b391b8eee5e093c52

SHA256
70e59c541ae778a6fc0c366e4b47a7b3e94847448895c010c7b8949c83110580

SHA512
d40fe4902ab70feedf9850cf6c757b9354800efbfcc9ab9560d0abbd8beb9d59f57daee7977161ce2adf26e740792d2a6c3ed23bba54c30a588324dd24015a15

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
57KB

MD5
1619cd38d6cae26fad03a5bf6b7e97df

SHA1
716657506b532da854c289e27ef73d369586d0ab

SHA256
223330283310e62d066913dcc07f96ec8b61fcae1e7adb6c103c2d87f632a061

SHA512
c9b93d4855e4785ca39c0ca917e2f477fe54ed7026c169f7f286f3d063d2f9390ae69575a52140946cc737da4f7abf0e88c451c93846bfa0f2c706abc5133ecd

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
57KB

MD5
dbcdccad8cc20c69925674beaed8b9e5

SHA1
eab1af5fdcac9685c234f163c9dc14a38d2f0e93

SHA256
1a9d67a5235778b332be00d75cfb7417f08620b33c89a6e5afc046572a2fd23a

SHA512
1b7c69344f72c3d2b10fcad22505c1c5766720267fa3526d29906820d8173be2b26e20a535aa20e1ca53ed336958b8f7ae96bcbf501ade144da4100330b52d78

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
57KB

MD5
3f42163dcfa21a1fd400c4b2b1c66b9c

SHA1
8ba2c88fe28994a4d9da48d9c6ff2ce3eb7aac24

SHA256
7c014977495bebc4faa59cc4af6889021f691638f4ad007ed349b334c70d772b

SHA512
77122afd1240269c246dec54c76a24e07f01e3a1d095606f42c3e6ddafa2e3a1b73bf76d31b9ea3e3c3a1a178504a562d8ecf8a8d091fc8049f10b340b7ed9e9

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
57KB

MD5
fc56caa9e1d6ccf1c12669c3c7ee8842

SHA1
a8e919a942c3d07ee1ee255ea9c18c0a34088896

SHA256
ac1c6b361e424c85931cd93749f3e0618e4967052ea7aed686f57500feca39d5

SHA512
9dea76a62e68ccd86dd404da4c761803b0f08cd9cd053507bd7547c77c0ca55f86c036651e5246c2e43d1cd0168b5e845057403ba3d2f5b0be49ed615e7c42e2

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
57KB

MD5
75b45ceba21cec72e38b107023758c76

SHA1
c98645a162392ed2ed11eb256e421cc225dc0317

SHA256
210bb587b0762b2d44f7adef712b6358cb584ee15b2eeace4860d2dd2a01bd4d

SHA512
9dc51a96111fbd37c2ad8685a8e8abf519eead9a2173248fc05d4e50c522f348eea9d9ce150b7cc279d92760b27d0aa5541c4c00b2078096ee050d0bafff0319

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
57KB

MD5
4f2c0906a70082c500bdec9c84905eec

SHA1
3b9b4e23d93bbb2d80328f9461fb673b6e0bf02a

SHA256
c8cbb4315023c192fbf998ef9f381b5d4069b50a82ef3d318ad9929df9802d15

SHA512
2b6a0879bfa5e1346d518d393cec0e03c13dd97a84387a533fc9bb5a76e7057f5f82c7cc7fe6a1acb4f1a4f240a63db06d11f72201e88d0c7a54dd08ecb3faf6

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
57KB

MD5
24e49d2b8eeaab97235a94d79b03f6a6

SHA1
4ced46405961e2a69b01b162228e66c2df6a3109

SHA256
74e9b863a822a549918cb449d588bedfdf2b20d2e5805c12efabd9635cd23b19

SHA512
7d7563a758e725b8a08ebfe7586fb07784521c251745614d6920cda3dcb22348792d28b00177e8bb590389595ca89d9ba06d960d392c79c8fbf3860a0d9a882e

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
57KB

MD5
9b6657eff6cc490faf2ae3eba74bbfa6

SHA1
0928eb1f05266f013c5a077acb729a6b1dd42047

SHA256
bc37f5354b9d103fb3b4574445487f91cdfe08101f6ec34de0c82884729e348f

SHA512
03033b479db18fed0b999eeaa16428afeec3bc9902940d49b87bd0bf672c070a8e8b30d1e08676967853f649f3901a64c793902a7ecbab09931195108c4ff5f0

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
57KB

MD5
6f9e769a42028e89588ffec05f353bce

SHA1
bfe00f3244eb5f85a4251a2e2e88103f0551aa50

SHA256
379bbcbfea222fb58e75d02d2dd619d54463c4a8dd265d8f74003b8479494cd1

SHA512
386cebe5ac8c3f97728b6ea5b90a0762b33faa358324a173cb085b50a575cec333b1934eceb32eb220a7bcec7a048b3dcc692c560f39cf54d76c14890c11aacb

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
57KB

MD5
778a15a72fe9fb20fa5e51688026977a

SHA1
086c07f438847295c187feba70f2c91dfcc1de0e

SHA256
a7e726ee4dd294702b85ccf9a404012866778b1b49c3c00bff3a2819842494cc

SHA512
98b530f432f4e8d744f1d161fde8f84600cfb3f92e049572b7133d1e91cbd35f10de3da35a3469218b60c18386f55b01eece546fea3a6cf4f8921b87248ef287

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
57KB

MD5
e5a7923025661a4f9463f1f4cf6afcf9

SHA1
5984bee7407ffa44bd6f61b043792fcf1c34b12a

SHA256
9230b85019625acf37e4ba870806b7483aa396c5769234f867ac2a84336069ae

SHA512
858147758f334e304930574740bdeaf9ed3ca884ed66959ccb761e6a930226dc4524a89245dcaa67eedca4b3c695d1817dbecae2261a503d4b3091911b840478

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
57KB

MD5
7f7a5d6e562d598370809c1b544d8bb2

SHA1
ec4473ba9d1c84c1a7610cbcd0f46630ed726462

SHA256
f07f27234f5db5c0d808cb81d8500135a106fb6129d7a05672af7e4e6584b39d

SHA512
6232533bb7a79f05970977b798de7acddbb7869b20562ac51e84c6b45839ff76b2cd0936951c97e807fd8500f59d1a9949a37e206e199a8132b6256874fc4fe4

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
57KB

MD5
0f16ff764198b62d861fbdc78d4608df

SHA1
ca4f6d52f14102f9fabed0a36988b8669d242d97

SHA256
8a68a3599ce8cb4525b0880ec15610ea7e9dfe450ae8238f33a571efa96c9a78

SHA512
18d3a94e1389779c3d5beacce81a74c9f75c4008fb5a98c3f096c11972968e50b323bb59f0af51b77f7c26c1b80ae00216fc0dff14e1d5d77f4eac02ef8697f3

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
57KB

MD5
da02ab072cd4849f17c7761df81c6e5b

SHA1
2bbae29f1798ccc61ec54517e617ab6645464681

SHA256
c03bfa5371746f1f054d8794eccb9429bc2e95fc4273bf7178026fd8eeadf51c

SHA512
a8a622d77e7c9179166ec7299ca8b29ad40d5fc9abcc6238aaa6b26097cc8b368ad9bffdfdc2bef6dfd7e43011391c8afd455ed457716ce5683793a979bf1ffa

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
57KB

MD5
1ff2fcef41abbac5851901261aea2e4a

SHA1
d55cc0fd2c32e4b5533e9fb464f2199f4e53cadf

SHA256
9628b069a8c2fc6185f388000bb40b55590fad0d28eb836df915ca1fbd368937

SHA512
42f0f74d27f56dc2df7a7adfff42ca858ccdc92dedac4f63983ab1b6f28d0bcdc26bc22f638b75bcb48db9b48bc5dd8e467a4970fa63d2f11d1ca23c754ef932

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
57KB

MD5
259f5431a89d5f6df161a69150fb49db

SHA1
f84e2169585d5fdb99c0304f94fe8c4c9b76c64f

SHA256
a40f75cde1e7dcdb784ad54dc99af49eb601f9685c7fc528b102ecb6504d172d

SHA512
8141581c90c486bd1ce855b153d35c08d211a9de8dc9704615e0f6e9f88ef9632669ad6023814d146661bb956fd03cd5211bd33aa8c4ce7460bb6167b57ceca6

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
57KB

MD5
efe0cbe75cbd170ecd3c7a5b84c6993f

SHA1
5b132dac73dd9ced6c321f9dd26baf05f4cd2dc3

SHA256
0a960d10e6548474390ad8b1520c5931ecdb0a12c3e308e800a285093b5de3c0

SHA512
f5a0dbb93227c4ca0fa7cd3af1dbec101b4a08c728dfed73872311dd5a1742fa34daa9a1ad3beb388d05280128f5867a6b703a9ef0673855cb54f2f291ff5557

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
57KB

MD5
aff3d60cd0866b9da8c7130f0c951520

SHA1
426fe21a0c9af7f428b3fad161941b8c2b0f5c13

SHA256
f4f6739e59a1a8ff4505886396301f2366a2b44639fabe03eb42d61ab7a2fac5

SHA512
27adffcedcd19c02e894c441261754a14e752a5072ea5162ecfde1ffde8695e829f2c927e68ed24ab8073f8f21f34fb018f4fc265afee2a31b5c653deaa0cfe3

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
57KB

MD5
0689793d3f05e3f46f19fe48ce581f87

SHA1
78042c4b8bdafb0bbdc9f35dee09f121222d869c

SHA256
d941b6b48dc7e981cae02061b6a91874d0fba31c35aa3318770b2b496f1e2a8e

SHA512
243c71f8c8089c7c06de5e9cb502b95cd6ecd9cfd36cbfb0d148f707a0b3db925844d9179c28b3cbf0853e96dce5dc5413e4f12203dae9abc728d3b841617a87

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
57KB

MD5
2caa80c04c9e364b4bee63b04588791f

SHA1
5c7a41f02fc2c6fad39bae858169d6c56c34570d

SHA256
d76cb6f74a34464bf7a997446432099856508ac96c4ee58313469cb94a7b433a

SHA512
a17d9ade2ee99adda63bf0e8fe7d36743fc98ee13195214b9551945b60294c3ec998153be9b75fd895c67834a8b6312db3498f2f7c1d3fa139daddd474e8e47b

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
57KB

MD5
e9608fac3fe5a98dacf2fcdf5fb92d16

SHA1
3c61f172a64b1ec1631710e8e8b3d334eb7caae3

SHA256
1c0a833dc04e27877ab0dbf1ef757efe1846a132a5f90360a0166ecb748e0c90

SHA512
5531fb99a70dd05def91ce70aa5b263984b4393c486fcaea4065e55a48b2d852a042f2341bb829436baa39f570a63d2e721a21eb0849bd4e92106fe08a68b716

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
57KB

MD5
6999d7d40553dcc18d9b937479ba5eca

SHA1
f890a010b605961403eb46687f078a562808dcdd

SHA256
073936c14cfbe5a5ff868ffe5d6604d250d4e45adc7f96bdd1b86c3c743d36d0

SHA512
d9a0116950cfe34d3246b1f07a86b41237af1056c85478db0ceed25c21387e59a481f66e117dd23bb60c1c43de90ad342bea280ec5fb18220139c266de870af8

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
57KB

MD5
207c660bb17f61dd07096462ee7838f0

SHA1
3d0db8139c1e51ec075b55cba3d5ce245b2a497b

SHA256
e2ccd23bc88aeabe50d82e3e2a917cf675c311c04053e39dfd4f4a2163cdf027

SHA512
95b962c0fdae79d71ee85eb1be0ca0d2cb9fadf04bcd2927914b1deede77d9be9710472703f09610d72cff0d733c621c1f492179352d560c588cfc993748bdf1

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
57KB

MD5
fe1904111f28f6c3c9b88c5b5f074e73

SHA1
f31b51aeae8ac0658b35200e546b8bb08d97e8a1

SHA256
6a2dfe1233f1420f4ed5d9f56850ffdcc50df05592d4f2908df348196bec47ee

SHA512
394d772f6f6912c0f709ba58b57a5d8d5f1ff0b6bf4d55c777d3f646611efd9b38fb4d9bfa9a694013947ca43a7aca1d46588bf946d86b8cc98b2fab23ffb271

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
57KB

MD5
0983681089f0ea689cd7d821e80d468a

SHA1
c53384b3d48c4336751ae21e319e68086063ae75

SHA256
43bae4bc6e408e0cc23d2283e51dc17b3703fd52338917cc0d1a7119d9eacfbb

SHA512
61da889350843aa3d12a2ea731618abdc1a0c7c9392a82221cded11d399cf0875d81924a33d279707cc322567f990ac50d6c7195ffde0b4ef7255d609eea835c

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
57KB

MD5
982429860dd82df791b3f586e84c8b82

SHA1
537084966bab50ebfb5b7ae62f82aec7d0a5a359

SHA256
3dee00d6c45b52c10ff87799ba58d9b4aee221b871fe57962f9d367aadf2f1cc

SHA512
f543537077caf20dad3bff5ca0f7d57d40dc2e221996c4abd7fe46d137e9a8614f50f8aa0e35afac36768514b6f47305052055a2b131eaec3b9d95aa4d85ff27

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
57KB

MD5
9b755178e0ccb0a8bf6054135ec182fb

SHA1
8af5671ee66aa6c5d32e703e5ba6f95a907e1d2d

SHA256
e0e1db02ecebe001bc5f1e18f6f6f1d0032a9adb84403837bd133ca88edbe83a

SHA512
6ada01dab7a55d4fb0d57febf8572bd29b0e955e1557b369eb019033a6691e6cc76da285d339b693de02707caab77a939584a32f63093da765b908033c090254

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
57KB

MD5
e6dbc6e8749a42732d0eae7fdc1807e0

SHA1
197ad5af848683b4f5aee96fe56526fcc2c91fcb

SHA256
9bc24bb960ec1e81452374cd7add0d61c2bb526a3fd8b39b864df645b1a985ad

SHA512
06d2566073fdf9f395c7c210d94810fba7d689e3e9d71aebfdd15682dee32a894c10429fc41e08092c7ed70b4116f8ab8c06647b53db3d00bcf6676bedd31621

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
57KB

MD5
06fbb2b08027f87136558369ae597c18

SHA1
9e692e2fc5d3217a5be3934166d4f75a7859bf74

SHA256
0c8cced1ab132886c5de120081605e740fc69cfcf69dcb083965078f0f9c002d

SHA512
336f1ff32687b295b902a5bdf6165b6d65a240a36eb7a9c71d5bea03e04da78a811b43346fcdc3c3b0fd4abe52ed39ae71d35adecaf0764069b8cf6e86191a57

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
57KB

MD5
6f491219f076a274d633373e6b17044c

SHA1
2c644c573247124b8d67af9afe47711fc0aed805

SHA256
8d51bc2068b61550112418b1651dd15d70db29d5b39c495674fcdaf82264caff

SHA512
c9539db5c6472bb63a400fa147ab7efb9afda93362b8c4f3be9601254f932bbc6493fcd0418fd2ae899503beae44590f156f318d706cc95c7c889488738efc47

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
57KB

MD5
cfd7fdf2fa24332b09ef4cc429330b50

SHA1
399a52dc708b1bb6fd846e22c3a1e8d4f6d31519

SHA256
eaf0796eb7d1bd083a0ac0257f6c6754365ce4162411c8bfe6fb31f1be5cd18b

SHA512
adcf732c8be549551336c47d64ddda957c443c46eb4b92b9fabf63894614bb5ae40c2f03d54514ee53fc27fc74a53c0457b4e748d9b2cb012a4516195ebe4f41

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
57KB

MD5
2e841fa369cbdaad16f36d3366836d1d

SHA1
75ecc952e0cf7140ed8d0d3018efd516b9293ee2

SHA256
7648e763d0b3605b9cad52b88660383c3f964cb03da08650d3609dcbf985535b

SHA512
a65ac4a2cf0af2ac418e8b02c0f77f49f2549d2a16a5763a071ba70437e5fd3a4a8cf52619f516d1402318e8f2fdf155f821daffea044a6a7afad17299fa050b

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
57KB

MD5
8bc6fff53884c1222c20a0297c436bee

SHA1
12b3360b6c8dc4dd80d7e99936a39e25edd04f65

SHA256
3f31c4895473e0d90f448b599146b494de56fb7f5913988683158d2b310a9f63

SHA512
7da5ea076648837564e0ff3f55644de551b52c80ae7c08016f0b9e02e0de8549efeff134171fdd2b7f83d9efdc312ef82c043c9af34b9ced5ed36e755d94c124

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
57KB

MD5
ee464234aa5c46b92ffb7534b81fc478

SHA1
26a998fb04b73791467e631397fb128163e65f0f

SHA256
df7aed28fdd7727cdf772b29fac79ac285a133135bc0e77f64be9e4f5c787d6c

SHA512
984191ae51e2ff789a36114919f1cb4197600e2a062c77c72d1ca69e3fac2dd2ecaff24faa1bbd18537d9fccd368c977feda626c81c356bd369490f04442c108

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
57KB

MD5
4060e88aa0b0e469a1a6fb5ff0961c7f

SHA1
fcccbf9d0a95a3b956c164421a7e89dd20a6363e

SHA256
a95fda5fc124c0fedd8b6c70b59e380641b13e34c88a43ef6dbc26750a10ac24

SHA512
61bc1eccff0d641b86f7a94518ef5431ea30eee3c09866f7865082964f7becd6d385feae75cb4e82aa60cedd6265dc2f3b183a5d9ff1803e6f839678606043ce

Download Submit
memory/8-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/372-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/416-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/472-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/816-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/816-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/848-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/980-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1332-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1364-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1392-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1440-498-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-576-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-541-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2908-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3392-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3692-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3980-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-528-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4084-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4248-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-562-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4500-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads