0af1e7b48731de65a93dff56bda86f5f86b3809e073ef8df478cc4f208be01cd

Analysis

max time kernel
113s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf55a99dea7e90210f23afa0b46b1e0N.exe
Size

72KB
MD5

aaf55a99dea7e90210f23afa0b46b1e0
SHA1

1ef80bb6f80bc561ab46e4b6ea4c68a6ca02a6ef
SHA256

0af1e7b48731de65a93dff56bda86f5f86b3809e073ef8df478cc4f208be01cd
SHA512

6d6909b2b4a92e60653b942114288247c0d502fae28d0cb6741b34c62d9a2a76a3ffe2d1e4e7663767f697d3572b287828094b1e5d0f4f559c39e4fe3ad3cf99
SSDEEP

768:yZzT2VNrjguyo/7jkbzjCXaB+RgdswaBjuFoXilXJhM2p/1H5fBVXdnh4xg84xl4:4Q7yyZ3Xie2Lfv6+lWCWQ+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	aaf55a99dea7e90210f23afa0b46b1e0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe

Executes dropped EXE 64 IoCs

pid	Process
1696	Pkmlmbcd.exe
2644	Pmkhjncg.exe
2760	Phqmgg32.exe
2684	Pgcmbcih.exe
2572	Paiaplin.exe
2560	Pgfjhcge.exe
1964	Paknelgk.exe
1068	Pdjjag32.exe
1620	Pkcbnanl.exe
1736	Pnbojmmp.exe
1688	Qppkfhlc.exe
1480	Qkfocaki.exe
2840	Qlgkki32.exe
2416	Qcachc32.exe
2964	Qgmpibam.exe
2928	Alihaioe.exe
1640	Accqnc32.exe
1660	Aebmjo32.exe
1252	Allefimb.exe
1948	Apgagg32.exe
2412	Aaimopli.exe
2220	Ahbekjcf.exe
1468	Alnalh32.exe
3052	Aomnhd32.exe
888	Adifpk32.exe
1808	Alqnah32.exe
2912	Aoojnc32.exe
1644	Abmgjo32.exe
2724	Adlcfjgh.exe
2604	Akfkbd32.exe
2992	Aqbdkk32.exe
496	Bgllgedi.exe
1976	Bdqlajbb.exe
2520	Bccmmf32.exe
1780	Bgoime32.exe
1484	Bmlael32.exe
2848	Bceibfgj.exe
2180	Bfdenafn.exe
2196	Bmnnkl32.exe
1168	Boljgg32.exe
1332	Bffbdadk.exe
2940	Bjbndpmd.exe
620	Bmpkqklh.exe
1048	Bbmcibjp.exe
2264	Bjdkjpkb.exe
876	Bmbgfkje.exe
1908	Bkegah32.exe
2172	Ccmpce32.exe
2680	Cbppnbhm.exe
2868	Cenljmgq.exe
2688	Cmedlk32.exe
2804	Ckhdggom.exe
1196	Cbblda32.exe
1600	Cfmhdpnc.exe
1768	Cepipm32.exe
2036	Cgoelh32.exe
2832	Ckjamgmk.exe
2100	Cbdiia32.exe
280	Cagienkb.exe
1932	Cinafkkd.exe
112	Cjonncab.exe
1284	Cnkjnb32.exe
1260	Ceebklai.exe
1444	Cgcnghpl.exe

Loads dropped DLL 64 IoCs

pid	Process
3008	aaf55a99dea7e90210f23afa0b46b1e0N.exe
3008	aaf55a99dea7e90210f23afa0b46b1e0N.exe
1696	Pkmlmbcd.exe
1696	Pkmlmbcd.exe
2644	Pmkhjncg.exe
2644	Pmkhjncg.exe
2760	Phqmgg32.exe
2760	Phqmgg32.exe
2684	Pgcmbcih.exe
2684	Pgcmbcih.exe
2572	Paiaplin.exe
2572	Paiaplin.exe
2560	Pgfjhcge.exe
2560	Pgfjhcge.exe
1964	Paknelgk.exe
1964	Paknelgk.exe
1068	Pdjjag32.exe
1068	Pdjjag32.exe
1620	Pkcbnanl.exe
1620	Pkcbnanl.exe
1736	Pnbojmmp.exe
1736	Pnbojmmp.exe
1688	Qppkfhlc.exe
1688	Qppkfhlc.exe
1480	Qkfocaki.exe
1480	Qkfocaki.exe
2840	Qlgkki32.exe
2840	Qlgkki32.exe
2416	Qcachc32.exe
2416	Qcachc32.exe
2964	Qgmpibam.exe
2964	Qgmpibam.exe
2928	Alihaioe.exe
2928	Alihaioe.exe
1640	Accqnc32.exe
1640	Accqnc32.exe
1660	Aebmjo32.exe
1660	Aebmjo32.exe
1252	Allefimb.exe
1252	Allefimb.exe
1948	Apgagg32.exe
1948	Apgagg32.exe
2412	Aaimopli.exe
2412	Aaimopli.exe
2220	Ahbekjcf.exe
2220	Ahbekjcf.exe
1468	Alnalh32.exe
1468	Alnalh32.exe
3052	Aomnhd32.exe
3052	Aomnhd32.exe
888	Adifpk32.exe
888	Adifpk32.exe
1808	Alqnah32.exe
1808	Alqnah32.exe
2912	Aoojnc32.exe
2912	Aoojnc32.exe
1644	Abmgjo32.exe
1644	Abmgjo32.exe
2724	Adlcfjgh.exe
2724	Adlcfjgh.exe
2604	Akfkbd32.exe
2604	Akfkbd32.exe
2992	Aqbdkk32.exe
2992	Aqbdkk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Pdjjag32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Pgcmbcih.exe	Phqmgg32.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgfjhcge.exe	Paiaplin.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Qppkfhlc.exe	Pnbojmmp.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Paiaplin.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Paiaplin.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Pdjjag32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	Paknelgk.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Khpjqgjc.dll	Accqnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Omakjj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Dicdjqhf.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bgoime32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Paknelgk.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
808	1032	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1696	3008	aaf55a99dea7e90210f23afa0b46b1e0N.exe	31
PID 3008 wrote to memory of 1696	3008	aaf55a99dea7e90210f23afa0b46b1e0N.exe	31
PID 3008 wrote to memory of 1696	3008	aaf55a99dea7e90210f23afa0b46b1e0N.exe	31
PID 3008 wrote to memory of 1696	3008	aaf55a99dea7e90210f23afa0b46b1e0N.exe	31
PID 1696 wrote to memory of 2644	1696	Pkmlmbcd.exe	32
PID 1696 wrote to memory of 2644	1696	Pkmlmbcd.exe	32
PID 1696 wrote to memory of 2644	1696	Pkmlmbcd.exe	32
PID 1696 wrote to memory of 2644	1696	Pkmlmbcd.exe	32
PID 2644 wrote to memory of 2760	2644	Pmkhjncg.exe	33
PID 2644 wrote to memory of 2760	2644	Pmkhjncg.exe	33
PID 2644 wrote to memory of 2760	2644	Pmkhjncg.exe	33
PID 2644 wrote to memory of 2760	2644	Pmkhjncg.exe	33
PID 2760 wrote to memory of 2684	2760	Phqmgg32.exe	34
PID 2760 wrote to memory of 2684	2760	Phqmgg32.exe	34
PID 2760 wrote to memory of 2684	2760	Phqmgg32.exe	34
PID 2760 wrote to memory of 2684	2760	Phqmgg32.exe	34
PID 2684 wrote to memory of 2572	2684	Pgcmbcih.exe	35
PID 2684 wrote to memory of 2572	2684	Pgcmbcih.exe	35
PID 2684 wrote to memory of 2572	2684	Pgcmbcih.exe	35
PID 2684 wrote to memory of 2572	2684	Pgcmbcih.exe	35
PID 2572 wrote to memory of 2560	2572	Paiaplin.exe	36
PID 2572 wrote to memory of 2560	2572	Paiaplin.exe	36
PID 2572 wrote to memory of 2560	2572	Paiaplin.exe	36
PID 2572 wrote to memory of 2560	2572	Paiaplin.exe	36
PID 2560 wrote to memory of 1964	2560	Pgfjhcge.exe	37
PID 2560 wrote to memory of 1964	2560	Pgfjhcge.exe	37
PID 2560 wrote to memory of 1964	2560	Pgfjhcge.exe	37
PID 2560 wrote to memory of 1964	2560	Pgfjhcge.exe	37
PID 1964 wrote to memory of 1068	1964	Paknelgk.exe	38
PID 1964 wrote to memory of 1068	1964	Paknelgk.exe	38
PID 1964 wrote to memory of 1068	1964	Paknelgk.exe	38
PID 1964 wrote to memory of 1068	1964	Paknelgk.exe	38
PID 1068 wrote to memory of 1620	1068	Pdjjag32.exe	39
PID 1068 wrote to memory of 1620	1068	Pdjjag32.exe	39
PID 1068 wrote to memory of 1620	1068	Pdjjag32.exe	39
PID 1068 wrote to memory of 1620	1068	Pdjjag32.exe	39
PID 1620 wrote to memory of 1736	1620	Pkcbnanl.exe	40
PID 1620 wrote to memory of 1736	1620	Pkcbnanl.exe	40
PID 1620 wrote to memory of 1736	1620	Pkcbnanl.exe	40
PID 1620 wrote to memory of 1736	1620	Pkcbnanl.exe	40
PID 1736 wrote to memory of 1688	1736	Pnbojmmp.exe	41
PID 1736 wrote to memory of 1688	1736	Pnbojmmp.exe	41
PID 1736 wrote to memory of 1688	1736	Pnbojmmp.exe	41
PID 1736 wrote to memory of 1688	1736	Pnbojmmp.exe	41
PID 1688 wrote to memory of 1480	1688	Qppkfhlc.exe	42
PID 1688 wrote to memory of 1480	1688	Qppkfhlc.exe	42
PID 1688 wrote to memory of 1480	1688	Qppkfhlc.exe	42
PID 1688 wrote to memory of 1480	1688	Qppkfhlc.exe	42
PID 1480 wrote to memory of 2840	1480	Qkfocaki.exe	43
PID 1480 wrote to memory of 2840	1480	Qkfocaki.exe	43
PID 1480 wrote to memory of 2840	1480	Qkfocaki.exe	43
PID 1480 wrote to memory of 2840	1480	Qkfocaki.exe	43
PID 2840 wrote to memory of 2416	2840	Qlgkki32.exe	44
PID 2840 wrote to memory of 2416	2840	Qlgkki32.exe	44
PID 2840 wrote to memory of 2416	2840	Qlgkki32.exe	44
PID 2840 wrote to memory of 2416	2840	Qlgkki32.exe	44
PID 2416 wrote to memory of 2964	2416	Qcachc32.exe	45
PID 2416 wrote to memory of 2964	2416	Qcachc32.exe	45
PID 2416 wrote to memory of 2964	2416	Qcachc32.exe	45
PID 2416 wrote to memory of 2964	2416	Qcachc32.exe	45
PID 2964 wrote to memory of 2928	2964	Qgmpibam.exe	46
PID 2964 wrote to memory of 2928	2964	Qgmpibam.exe	46
PID 2964 wrote to memory of 2928	2964	Qgmpibam.exe	46
PID 2964 wrote to memory of 2928	2964	Qgmpibam.exe	46

C:\Users\Admin\AppData\Local\Temp\aaf55a99dea7e90210f23afa0b46b1e0N.exe
"C:\Users\Admin\AppData\Local\Temp\aaf55a99dea7e90210f23afa0b46b1e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\Pkmlmbcd.exe
  C:\Windows\system32\Pkmlmbcd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\Pmkhjncg.exe
    C:\Windows\system32\Pmkhjncg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\Phqmgg32.exe
      C:\Windows\system32\Phqmgg32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:280
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 144
        75⤵
        Program crash
        
        PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
72KB

MD5
6a43ce65246be0b53b10ac534aa3a897

SHA1
401780fc9ceaa36add6897e9fc6c84ccf5ef553a

SHA256
73346c47c77578492267cf23aa95a454266fc855a87791a07539472c89e47ba7

SHA512
5bbec37b84886add319e4df1cd4416cc413c2a10916ce067be94d3b9189e30e0a18ff1bdc152bdf9fe8794da1852d27c5ba3b9eb940014e0314aa244292e4a4d

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
72KB

MD5
1c80ffe531492a7e0ef665b9c5acaab2

SHA1
c3a37f78147d78c2b75b4877900ec09dffbf68b1

SHA256
8287c4a66ab92e27060194f9d380e1480a158f45d9a8b47483cfe0ce9fa5cc9b

SHA512
aa23e7848ad4cc9ecf958a617f0dc75da299f118e1a069bfa77160bea4cb33af71475638ea657b1790488450255ab2971b9585a9ff0fc52c2a0c9b100897f0cb

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
72KB

MD5
9a1cac718ebc8ea945e47c8fe0f98efb

SHA1
855097c0a60b424b04237eccf633aa852a27801c

SHA256
f0e311097f50d3fcca4954dec90ed0b4abc0bba3036238a5cf73140a78d82ded

SHA512
3be942d63ec63b1358d132f96ed7ca7995c77aa9000bd9e5b3a949be83e99739685382d5bcb8a106b5cdcdee14f7939ed5ee2f38e0f4348cac000c29866c7880

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
72KB

MD5
c0dab3ad20d134a3aa4a2b77a72e7bc5

SHA1
5098e1faab4e463abda9c07be7a79a998ee01c45

SHA256
69fb68f02ee9e40d8782b0b94dbc4f4b31fbaba19fd434c6d99dfe7617cfc3e0

SHA512
ca93e998b772903e8349b4a69c580ee9b6bf1c1cc6cd524efd2a6d5ad4485352b9a0972032d47f93373621dc2e8a27952607f0c00638725e5baaa857c81e2aa1

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
72KB

MD5
3e44b1617e7ad35c440fe232424053ec

SHA1
bf8a8c208f2d48a0e4e0756fb72f5e05cf067122

SHA256
76e93e40bec6d3568a33c4b2088a0c57a1b187905f51f80d13de5c54979113ea

SHA512
ed014ddcc1c931775875a56f491cdb5c0a50f3f198f24e8b5cd948de58b8b58d87a163e7b46bcdb77f13659557487cf5192ab64e00ea18fe061b9dc563fc41cd

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
72KB

MD5
9942c98ccd096953f1a3869f007e42be

SHA1
160bb610856a7056de5c1aa38cb5cc9ebb6936d6

SHA256
522eca44b46e67a5626bbe3f412a89dc37cc1ae36f64d17c8b022acc2f0ce018

SHA512
2606dba2451c623a78b02fd5732196fa7b8bbbe18e3638505aac507521ff7d308d2a1a737a6f1d42acfa35c2a1d2333b52e636b2286337b2046ff36fdeb444d6

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
72KB

MD5
5f4f36ad70422ceb246acfe9e6505551

SHA1
37463925b3dcecdc60633fca69818a6aafc3db4c

SHA256
3db8e7ddcebdfcf8448ce21cbc25ca27ae4995d77d9a3dc9509a67d1bcdcce9c

SHA512
c46ff0cab47e51d9078695989020dd1d02abc893d06165fedc2847e621ff9eca9a9ab4058babfd7328f14a8a68ecca0c98075c1f886237c40cdf41eb1286a9d9

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
72KB

MD5
227684191eb2c5c823d38585176c4274

SHA1
b2b073b059991a954c410d14a7594482d8e29755

SHA256
43af2ad6de4a090d62b684d2a4c5235724ac82d8837359d6ca291c818c0e7436

SHA512
3c3f549395b6551f059bd193c25d669d1c6dcc94df0d47297ddd82de4ac237a815018b0c94fed7bfb8aa05209c8d2022fe366d2af303e088e927991b0a0e4709

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
72KB

MD5
d398f29611d5b6de6073b998309876b8

SHA1
28b2f73b9568cda53507c88ec48e346463bc6375

SHA256
b161b88d28ff5b1b5698cdcdbd65175976ea96876f60d1c836a23bc03e1a76fa

SHA512
8f6389887d72ba0eed4fa721f65ae1ec21f4701c4d34a29e632a08cd88e5e03293726abf0a1ec20d2c75e61d2bdc3964b530129231d76cbf2dfd986e0beddd02

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
72KB

MD5
509ca8a84b96e273b54abb1dcd20967f

SHA1
3add3dc3a52e1264dc3396e759b5a57263af6caf

SHA256
60bde5fca237edb7721931f024f97b6a4b6e0b043bf1dbc571e11d74938b750e

SHA512
ce6e783a40f2ffbb3c28073dd941c54036e95c1f3619bd1787f1337eff1f1bbba5099508f3e5923d75a112a0b35d0bc9c6ea141d3f294e2e8e09340ca8287d86

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
72KB

MD5
df1e14a4ccdc6c2b80912d486b48a95e

SHA1
611d1ec3d874b71d930b3945c57436c0a577767e

SHA256
d470804f4e149bccc9d4a2fd999ae4fbfb4e2d402e9a882450515bcd10e412f7

SHA512
d4931d11df7d298cc4392f032684aa943963f29379f560c56019e7bb931d43a680d3585d8de3675c067f9daa20a5fcd0b71badc92f6a5c2c136cb7dcae8152fe

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
72KB

MD5
19c60c135c02445941fe22754cf0b742

SHA1
afda0024dbfc259ca120e0efbbc17693dfec4d11

SHA256
e427e83bac3f5dd6610bfb03b004e27efe259cf903bf55f7426e761cf95cd019

SHA512
dd7e125d7fa5d07be021e9c916b68861524730799a87c3b1956e61bee55043eb0a1b5fc3c4bbad1082949c424efdc26df789a335d684d635b2049de1679732c8

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
72KB

MD5
d7a9a09e266d2673a8cdfcb8e2151fb2

SHA1
faac5dd78f4b901a024d24e7fbcd11c923f8791e

SHA256
e8b2f314e1a61b0404ce4152da918acc4482bfe315a96f99a25f4e39a645b044

SHA512
226f6c4fa6b1e53da914a3cc8f18514b478d908907a164f9805cccf3f6bd4f13ad82cfb2cb9b520e8034d1d8ed5fdfe7a4d9d1b27b1e3f6752a2993666837c00

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
72KB

MD5
18dcdbe984a88a04b07f94afaa106ab4

SHA1
c010e2b46ccc70a195ab7856e961b663ec70302e

SHA256
24ce8c08e01566e5ced441936b740da697c07002887bd0ba737a8548ccd71aee

SHA512
879c6eba3d6dfe03608183043bc23bced0414ac480091a66c9fe5871ee4b63071a77eac7ea2844a00c0051361cd318d1dcd122a5bc019c4e2549b158e0fc3cdd

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
72KB

MD5
1f3c790698c4d85b4721c64ec2bf6268

SHA1
825ed7824e061335a4f5c8c06b8703bf33b423f9

SHA256
15a7425a58b700d941362aa199c058f39e15b76603bf44fc6ba6bff9dfc03dbe

SHA512
05f0757597ec9ebf6ef6d96fbb0f9912d3d143cc73e71e6d4f779cdc29427dc939963a1ce19c6cd277f8366ab138b0e3c41d38b2465034decb8f75167a3f61e5

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
72KB

MD5
3db1778a1bdbb37a131263758ef70fde

SHA1
3969a00984d3682099ed7931e00a4f2894ec7eb8

SHA256
ce09fc80925851a1ae3a2605e091b84dc113f3ccf3fbfaf90cb183f11911dc6c

SHA512
52ba7b22942d0578663ab24a02432627a3c2bfd5aafa9a020ad5888467ed982848b3957d8980924d6089b801e13e7c857ab7000d989f86d4588f1e2b14fa202a

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
72KB

MD5
0d881934318787698b6810d96e8ae2a4

SHA1
d43d5f061ba5ccced625a745b076d3530b76b15b

SHA256
306d6044bf58b5d9f6092aaeda0d589e5176f4818dc848b2846d4a071ae0410d

SHA512
9acb07f8506fc7d2225c37b10a62918c53ce9ca60fdd5e28d121ed91b8ab4bd4ad199df5730c77e973f7e14559aab50cdb473b0dc178f9b6c8fdd64e492801c3

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
72KB

MD5
35e9b7da5ace03a1e1ba726fe0420895

SHA1
34defbc8e76ac8dd41ffa0384bbcbfe5415ee169

SHA256
4c3efa24ab15c4811eb653f3931936d9bef3b042ef3d551d6b72c6444c960c78

SHA512
7ee8a0635d744d27137893504f4f11e4ce77636f13742ad6af3f6969a7bcb06614e45e41fad66c93ed7c6a20ef5137a0af5699de3884b597d5191662ba3d4671

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
72KB

MD5
feed71ea05e4d9249ca4eff6c188c08f

SHA1
d75d75c943fe9bffd49f0326518aa8e71e2a5e0e

SHA256
d83f1538da2cf75577c1a510d9564bf1e116b1fda9b1052c61824f35662d7bb2

SHA512
84991b5c7539d3cceb525d4bfc1a47da93a067acdd1d053a9fa5fe3e9886ef851b21b121ad81602048f20c9e23809f8e4f3f056783af6aa427e6e1e42e169691

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
72KB

MD5
c94dfccbbb97849c35add3809619d70e

SHA1
5b4da111e55b450714878a2db2ed5ee2d3e03fc7

SHA256
cf3baca8969f4fdfb6842b586016dd629c1b9be41c1b1c7f863eab10e4f3cc59

SHA512
98947c11d78294f6a4514f52dadfebe316caefa21cc89e3b26baddd71a18a792388accd05f81f10395b8ee138b730942217d37688ec9b165fe6aa4460c383295

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
72KB

MD5
29d171e7cf1bfec564130142cb022afa

SHA1
4bc9f288c200e7aa85d97b069aa12951d417b730

SHA256
29949bdc0fabc315af82dcc003fcc461d83819b25090203b6f6922be8e69610a

SHA512
802a5eef627cc15a95dd0fd082e7d5757c7f2278e752c1f45a1bca31f829f6f118c33202651d317d21353cf06bc48d89b984175828f140987718c9857e3715fd

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
72KB

MD5
29b4dc3b63b9d040f04c0e536267d1eb

SHA1
282eed6e4f9c3c4432a9c137d26cbdec709da5ad

SHA256
7642a130374821a2c7e79d5f4ddaf2336be17e500fcfb59431263457d3554fa2

SHA512
0244bd011c2f8f6e12b304254b656452b36002c90a72db3179d2fbdd66db2ede6c516a41d15cbb752fb024dec65e88e6be3c628afed0a0fef06e9d33539cd418

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
72KB

MD5
f8af59d96b46a45376dc86107e98c10d

SHA1
d859ef3ac1b4d1a06909e99fe34e3432a1d2e5af

SHA256
b2d3cf80f7f061bbd609ec253f1d3b2e4d44ca8d2498920e4567233f616db4a6

SHA512
2935b538105c9ddb64e93fd076a7275916ca53d8b6411a5caab57ffc23e642f3c79fb3bbb91a8654d3a4117eaacf0d4bfbb62c99a4b1c4e13482d65855887162

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
72KB

MD5
4cc720ee63a245325f81826534c09f75

SHA1
15b4bf7ac30ff2a1e95bfb54b67656abbd922e88

SHA256
720649611329141083fbfa32952b9015c0402d5cc7bb25efdd96293216063b8a

SHA512
a0dab44f2b0d4b9f48f9a8333fba5dba7e23650750e825ced05d8bae61f2061a62a8dcd6c06b910854acd4041896770004f12e54bfcccd5c8f6d86a8f11c829a

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
72KB

MD5
91ca51ada20cb588d192a0f44a399b32

SHA1
bcce55ba44de648ee6d546db89f30e6ebd93fe0f

SHA256
802235f76b5c33a015cfd4ab6d84b6e128d31e45b6786cc3b3b1ef0e6fdbc62d

SHA512
254d69042d78ccb3424cf9d66983bac3150d00a4be37ea9152ac5d7499b74cb2cf80efdc15ac78aaf13dc0245ca8a7349f36cbc7aa5852d83692c24740d65eec

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
72KB

MD5
3e06a8fdd2a20a684f23d49d3f083331

SHA1
f2e9b2393560923575bbc74f771320c3cb2a0148

SHA256
b3229f9fadaa1665563739bb83b2a071dce2e1c6a1874bd2bbf0bea028201572

SHA512
a65e68a49b91932af407a30e7a04c93ed94df07cd11b9c26095fa6200f3f3f75c13611752942874c8bde74cf36b87f9dd4bd8623102273e6cb593f0d92760b94

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
72KB

MD5
648af93df91e74a8ea2d7181dbcd192a

SHA1
6e8a4652534f0c3c137977696bf7faac5712b72e

SHA256
65353e5f046f56dfb0a1e9f59e290cd553b64df0dce9bdc2416b79633e2a2e35

SHA512
3739169e955dfd6348b670adfc218755e4dd3a165456a1e9939f04272e674d20866d7e9e0e2526af38fe71079cb0a848656c7e4d02a9408209f54cab6a1057ea

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
72KB

MD5
6914cfbf3602dcac023ec446f46301d1

SHA1
462a7bb159b35c8c5c26c24cff77a0d9343e2d83

SHA256
40f9aa9dc720d1c01d05491f118f5d3864d794888248599817c600d82ada6869

SHA512
eda878b138a4c02b4beba464adced68aebd93ae0693defe02970c36c8568ed8a948c36bd878817bfbd1192999a46db4cea5757fa6e8b1e36b10514fa6e9c8fd4

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
72KB

MD5
de5cf23567cacf622b88a2079b8beb64

SHA1
2b1d6a8a4890fee34820518a31704c1af467dbb0

SHA256
657cae5007e80e6d145c2a7602967b72ef3753b14e8b6e7607af6675c982b700

SHA512
e9b66a31003f309a81d971aa67aab10e57be1f1e15d7437d64e28b21ab960cbcbb134b6b7f9acdc219e3f3ba1a5c571d0cf10ed7d26e2646e19cc5cbf473effa

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
72KB

MD5
da5675f126193a3b25e69421e879cd10

SHA1
2c9f37c0d18f32781ff1b9aaef1d9d176b3d1ab5

SHA256
20287907fa6597c4f80a9691ba9a173186103c134c1c005ec0ab4367360346a4

SHA512
6884ab3d72032ace6cf8e9437c68dd35caa176915f75b394315ec363080277091ca7cf11a7dc8f769ad297d37993f4b5c0def5ea0161f26f92f9ab5ddd53937a

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
72KB

MD5
7600c73e073e96d63ec57cc8f87bbcca

SHA1
1bd8388db79693374ca6eef9b2a4c0339d8fc4bc

SHA256
526136ca12d1bbc8ba6992652c31016a8614e17dd7fd9f5f635188116e074e2f

SHA512
abd30986aba6255727d1a86c244072cb9dd7ffe28e02cb351d898fa4c2911fdcaa701eca484dccdfbf4c4e13e870b6c8f85c95c0a8d142e81584bb23f5005183

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
72KB

MD5
a823f544f6faab2588b4d8707462a08f

SHA1
f3476e730065740bba37ec295df0a79ba7a55ac1

SHA256
f24dfed2d0d4acd3ed58a20ce3d1b647a81bf296089c36751e9a490e06428d90

SHA512
561d18fcad35ac0fba0e1cc60ce0008a15beea32d140f74724f7e62fa476dba5aa7a7d576d38b89f24eb0a82e50978d23729ff20ab43ea93620041d4e35caefb

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
72KB

MD5
ca55022bf86acd1b016dc6ecc7f84293

SHA1
659704f906a2d7bcae07e014ed02c2e4094b842b

SHA256
b4e62843de5b7dc7a30a4ff148cf32af00bfde8b5049dc05592d0a64891a51c8

SHA512
00b541a8cfc567f99ef49140a070030eb3fa0d9a8e19752a94def1de1fe2dc1abc3657a7d25fc72c2e5aecd8368b152c0d33cdc5b0c697d289aff77a5a49af86

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
72KB

MD5
a11b88ca9e963a595bfdda58f728ec71

SHA1
df8229dc836b956b58c7364e1c3794d04fc76d50

SHA256
93f47a38776ac08e06be7f7598cc05adcccd85a8410274e3b8563930499caae3

SHA512
4b87b01b078a992b4d4ea671263d7ef484e2a8be2e75a536cd309b07c07d91103b9811bb402a73ffcdb31df84e9de4065ec1201ecacc6a1776727de77196c03b

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
72KB

MD5
e57cfd1f01144e384501ad1c78b0eb14

SHA1
d6c6f51e8ee6461e29b63618b892c8010bd1bc65

SHA256
6e9dab75a87c1f2b20b36bed110718533157fca6394a9504ae0e31e56dfed93a

SHA512
1636909b2555782822ddfa0595a657b53e74e5200ecfd7a074656f7f7b094ef6b5ce3f860d1efbed64624b0eaa30a9199e7439995f0fc1a942dee14e48e86e8d

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
72KB

MD5
8087a70220d0cc3aae12dd6728c2cb98

SHA1
2a2f3f005d74456f7cb20737841c4d02a29509a8

SHA256
d1f40de8f605ced92b7cbc6b5519a9c2950ec21de598fbdc68c732f1a0a08262

SHA512
f96dc9d6a4f03502e65a4d6f8ce7e185d11dcfee1830c5628ad7866d5b650d9f3d0a2fc976a83cb7e87bf60d6ef7c5752d01e870e9d3fb8cf013180624974d2c

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
72KB

MD5
6f61978c835db8b203b51f3267eff637

SHA1
b7ed6414529cf2c66d10d908b22269efa4f8b5d8

SHA256
248e2868846949db152e0512073a0f91d45439af7a8db889b2c14b591ce59f1d

SHA512
638c70d7351ccd0d4711830e012998a1c67f938b6a0fe7a895aa121b0f53181dfc4929a4379376af015a73da9f9cba27fae99d86785e94b0646316ad62d472a1

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
72KB

MD5
f17320a72cf1ff8a631b63c588ae5de3

SHA1
f1935d58b87d780cb0a29bcb16e0097caf9ec887

SHA256
270bca915241bd3b5f682069e091b5202d69f266fdc6cbe28dd2478ec9231472

SHA512
4dbdb7c13e336729e84c0d6182cd9cac26e8b540012d62cc8f6de4340622e42875d201fa4fe3d01ffc43498ff75e4f9808ae44364de2619d658d05f3767f3780

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
72KB

MD5
7ea83d1e36a5859359462512e666487d

SHA1
7be46051a2cdeb025018de96faabebedcafb1b3f

SHA256
bf9372e1ff8a98bcd66b568a6aa27d8221a6575058b8a0da47427f18a71ffa0a

SHA512
25725d1fb890b6f5de83146f4344f0a37e8cdb5fcd566452a2ef98820291229c8606d35601792cfc98e8df9a9e5b7b343ddb29539c69fb70f0c568907c8b1455

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
72KB

MD5
08a1b7f1e7459a342622ffd116f9f637

SHA1
39ac8476daa27610f2197fe778844a675ccec1b0

SHA256
faceb12c52bfb57289ec8677b1e4b0ad25f073e804c7ebd522b227962529e97b

SHA512
902245d2ee3c81df207cf4eb91d746ea9ca78e02bf47996cc07be49f9b8b086b152b8d512c855cb1ebcddc5835b2a1c491ff3fc8d7038eb7ef971d97b8e3306d

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
72KB

MD5
79c776b2f900daa0dd0e4860fcb7ab02

SHA1
e18e09946ddfeba89ccef562adf11d362afc43e0

SHA256
be00f532bb432b089eb607186b90f3a59b524cad0bcc4b9eb2fcf50e5ecae15e

SHA512
653fcf1428d4955476c2c5a11365f9c1530d304be391c706f41033d4fa942f15d10271c69e119e926cbe3aa68cfc29fa123b484baa5c69ddf33ab748381820ff

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
72KB

MD5
638b2e9ba52c6789eee535abd9a1534a

SHA1
c01d6c104e293329a0480b6363603b851db7ef5c

SHA256
2b67678a1cfa59a96d96ff6c0dd6f5eace96e1ed11a8655f8d487c254770052a

SHA512
2ada91a27e8634834542027ba740a7805c09c80c8e3562744417040a18028e9c0f30b301131f88ddf7a82edc0d6581783b93c5aae723b0caec79de36f6490150

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
72KB

MD5
d10f27ee373e9f146c612322ef351aa4

SHA1
c21b652d39fe07cd3a8ba7c3564eeb2b563ab290

SHA256
23f3b11a9cb070dea3e64041d82db5d70a3b89dce3e765b70a20badd42e5f288

SHA512
e4b3c605f07972652a4cc84d8ee7df5556e8348af0f17d3f5d4e4d8c94795f2cbb318a17a67e01d3598b9c4862133c499d8ff92dd14403c2b7a784a2ae71187d

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
72KB

MD5
ead4f8840c776ac4e57d40e069fccea7

SHA1
f9554556b691bfb1a4a9487e3e787d37c99ce00e

SHA256
7362a8f24c460e7df5afbf2579b647ea6178afa6e71d8b71e80944b143502852

SHA512
4c778d0ea2a0133763a25f38fa1d87056505c8418f7085957f5e982ed1c6c82999bf28aa1d06f9afbbc98ce921752db47cb5090332ac9c5e31625503ddefc3fd

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
72KB

MD5
f5d5846fc95e0119867454ccceeef4f6

SHA1
cf367f9e55c199752e5f4f6010ff6ff632a73db0

SHA256
0781ecf597adab8dbe2f2a2362af30540668a3538cf023efd5842ca43be5ecb4

SHA512
e0d41cc40b9edc9f9e8e9d3cabe062e8061d1c243c7f256146754b37278b7be21196c7a730c6c39daee5b43b944e7a11a7512d97771bb9e2ff31df6842a2bf43

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
72KB

MD5
31c33d272df59ea050b6542d6786cd90

SHA1
f06559af8556160f4632e4007d233605d602f1da

SHA256
8263296679518dddf10004f5b3e7229d447723925e77c3c15529d53e03c36aa4

SHA512
9898310e23157c4f868ec0cd9f57fdc4f392987c3a212cfdd0f110ca4b415205ea825d34ad7a7a17b337d9cada8493eb9bece64638686b698409d1f5bbead3b1

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
72KB

MD5
b8c61c506e95d6b691a36e973370af17

SHA1
c19c4cf3fdb967a0e4653dc96cdc1582026aad3c

SHA256
453618239352113ad44890b3aca75c9d0e248989f754b12d18e2582c55c9fd17

SHA512
69665f17a9f1969a836468f0f7db9d55798cb4ef59c9418e456f165c4c73f58cf2e8783803c868f564a1259be0fede162adad8c57fb025baf243f88990842161

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
72KB

MD5
3e8f7860703be2156426f6b3aa33b3ad

SHA1
7684b5eec2fa6e3f6ca03d2aa1a016c751af3941

SHA256
1cf64ac348f3a84cd4b0959144558d27b0852c2f2869973b5d8665152c948e2c

SHA512
f5800809a639e40fb33757ec2b79b076591e6bb6f453c8bdd304ea097d2245de309997614c9a29286e856eb8a41c0195a23411280af47e99b9e3583a5a3a71fd

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
72KB

MD5
89db144db3df559aba1d3458e5328b5f

SHA1
17f56d6762e870721b4b75ca81ab33f78f96245d

SHA256
c9677e9f9bd6f1e2f736d48868d3d5fce54ce44b4faf91a290635a3e7a9e4165

SHA512
3dd1a5d3a30eb880b1f55692e6557bb66607bbdf50a0c451d07b0e0a2669f8dd4de3ccb844bb9d5a9f6425e0a19651faa0f818e074e392bcf7bcddf4d6a84c6d

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
72KB

MD5
bab68e596703c9c11f2280187cc10c0b

SHA1
ff34b3f44dbcfa8ff8b5d83e623c8d5982681ad8

SHA256
e872895a75e0681a3b3a6ec11bde22efe7e80c96b3f0c23a4e9fb04fd53eeee6

SHA512
a5db447b5927d61e4f3cbef5f73e5ee65430d6a0b39fd7b3b72fb0a5d2a62519ebfa8022ad9c3cb20d4074cf6fa1c2101e819219daa86acd38300aca9f618e5a

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
72KB

MD5
9b5c164a2e544c1940500e348fb49a42

SHA1
ba266df8feda39a94ee2256d24c61f138b9ae20f

SHA256
5fb44c0903acb27812081e95b23be389218681cf6cafe06c1047852449e44c63

SHA512
278f64907d84780a24f1888f7839e87e75ec8ceadb8c1a8a47e14bcad54ad987d07377f61fd9026741efe5c467584db0cec4e15817686bbe0e67b56344467f23

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
72KB

MD5
ec53ea603401418f766cff3906f985d0

SHA1
a577a87e55c01ba46a18d510d4043d0db74aeb04

SHA256
4ae6df591aec1879ffe113a0c7e7c0c73c0f5b0d88b5ed5b56edbfd2c0b08b7e

SHA512
78fb5d7217b469e6282cba0c14f7d08ea9b8baf4497accd0f2e2c9323e285f3371a55f7d541eba646df7dcb27e2eb8f7272ae4da782208d92c844fddc6068289

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
72KB

MD5
5c76ddc7e9a4ca81fd7e595d1a672940

SHA1
f780af45585a7fb15343548708016ecf78e51bd1

SHA256
0d36c6bbf9f2ff6c93903c4daae867ce26dae64a7cd5ff6882cf853c1e960e0a

SHA512
5426e26f92a372d36edd6a60c4498a50457369b122cd70dbe5f15a7381cf4f5af4ba38a5b2c205097612206816e683ce6d1d02296a04397d40c52d4d5466ea96

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
72KB

MD5
79d6396dcb952f3c5d3d89d82f552fb4

SHA1
be0048a579d45f1c4213c85003b2ec628cb6fb3b

SHA256
c93abb23ead07e0396acd105fdb7762b8c8ee7b6015abd601c49c4c865c3b29b

SHA512
2b34c2d2d7f70c2edca2ab0423d0316fc38f6847670c953f8704542d5d85c1ea2c40d510f715d7e34a8e603cb077d3e6a33f5e955dda8a67838fd0a62eb28374

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
72KB

MD5
5441e75398e9c45f14ffba3902efbb35

SHA1
05d8406dcd9b825f2cfe97b0c78fc89a0f097666

SHA256
72882d9d70c17a49728fd5760b5b03ca18ac9ad09d108f0bf23addd6da55b4f8

SHA512
c82d342ef9e92405b1a03e6e763077e22ab5e6dd526c7b96c0583fbf979dc576792b2538321617f00c76914e0c511651b89dbde3eed302e9c09dccb6ad64c8e1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
72KB

MD5
8ff113c73582479e4c346e7ed20a71aa

SHA1
9b4486a3c24073367d71f30f885143166b6b89ec

SHA256
6e603e8e2c641ed2898730e341ac407d07de79e2ef3558b4bbdf89843b29bacd

SHA512
2c55d781eb833a755f31bf79b43620fd84580816e2ac3e939559e589b9d4833f127c126096689a35ae3eeb2c7bd9706f6bdd7a95a3d42a88438f42b7d9e517da

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
72KB

MD5
c983feaf3b403c38b27420dcdcd95566

SHA1
2821f5fdcfc086bcb2e5f725193cdb3e7eeff5f4

SHA256
756bb1d4fcc6192b076cb3c3a06b697c9a29b6506390a52a8c9dc6088d562e7c

SHA512
dd4cb89bbd1103002a62a7ffc47f10bcd72c163f39210c30ccff07f237ae77d733ff8d867c8e0ca05742a8b57eef00eceffa50d8694c168ee3d9344931cf66b1

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
72KB

MD5
24968a8ad333cc11cfe6fa62f25d898d

SHA1
fdce957b5894a138a6bd481cf9086f55c4256123

SHA256
2097e284bd75830bd889731ded0a26f4fa0b32204fb1d3fe7f79a8465654a376

SHA512
c79379acb33933d7f4f36040901caf53889eb33666eb9c6b4edc6768a6259c692b1575b996865caaa858eb38902d37328a150e58dced66b23c2dcf95925ca756

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
72KB

MD5
6332309b2a872d09889deeec115eda8f

SHA1
8f08685d52f687e50074df0d8127183247027517

SHA256
312a8e404dd719454eb9def74a77ee1078dde531ea76df04a86b5a1d5434b2aa

SHA512
e9cdf44cdbb359effa83db66a661dd387722d3fe3c85c785ba8a8b2f75647ae0279326c9fc17c1272f101d027a650d089de163ca07141c552b93552d4185fec2

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
72KB

MD5
87f562e98b3991f5541d14b2babade2d

SHA1
c9d90df1062475b3597776d51997990efc144b70

SHA256
d943348bf1089790cf742e653cc13ca34e5a69e50ccaa7bfebc94801e042dd4a

SHA512
aa506173c47a723558c71db1c672e107f0db08c87887724f9c3357767965fba7a85260c6d6e981a7f51f6b8172811feb72874bd88e75c85aae344fe0dbb564b1

Download Submit
\Windows\SysWOW64\Paiaplin.exe

Filesize
72KB

MD5
f98512704d62cae7d1d49db24e42177f

SHA1
8c46bc9af738fce2a41caf2a333559fb7342999a

SHA256
5fe1a90e6ffac91e108a16b30bd639b105eb62ea73077ad10de3a27285e8389e

SHA512
ec6947e00f81ab59b0e7f626abb48b982e8620778322e7fbb638df279b11edc2b3ec4fac72b288351f6ad7c432f5d0e199e30ad39f943141c95ea0ab0748eea4

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
72KB

MD5
3c1a3ebe80cfd2cee44c18794469fd67

SHA1
b2bb397185cd518a3c455b12bd307539cc76a2e1

SHA256
587045aa48b7ddf20efaa3e13e31a1180819b995cfdeddd390ca0ab599346af6

SHA512
3a305e926232d5d3ea482ed55fc8561434f2c88bef276feaf683d94f82b0d3b65776e9cf6119c31517bdcb3408e3b0798cd232062ff6207ae7f0c1a50cee0d58

Download Submit
\Windows\SysWOW64\Pdjjag32.exe

Filesize
72KB

MD5
b6c6946a7d774206e4ba18ef6f5e328c

SHA1
b064fec7e40e5f30ca61a5ea0af85993edfb447e

SHA256
8aefbf71e15212328021e01e7be8261fb470536be990270bb31fc191554398c3

SHA512
b51030af2b873b7b3d0bce41bae10ac321af9dcf91c57c2d06bb5f1418b10f6ea1b877a82ce51d8f5742c5038767b446e2469eeeaae7eaa3c7b48623ddb9463f

Download Submit
\Windows\SysWOW64\Pgfjhcge.exe

Filesize
72KB

MD5
4cef75fafbc82b9a44f4f119c950fd17

SHA1
4035d533a1a4c9f91388be5f4a5f490036a9eec6

SHA256
f65f06d602bd60c5196357a085180f8ef328c33440ac6b04e60fb7bae51e278b

SHA512
de3e7fb5275af076bb169de300524e14d0a0713539f3382118b7458b6e3c7d13f9dd9214d034907dd7593c5fca8786357fce5da239f3b3607fc3eacf7e323892

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
72KB

MD5
91a21591bab6029093d303d092f1994f

SHA1
48f9b647fe404315c7fce570f7db5af10b2151bc

SHA256
a00246e481285afbccec43d07ab4cfc243510a5a9f63f33594f25e9dc612c949

SHA512
2706a613838eaacd63031b35480a439fe103995018740b0a40a7476a4aca04eac54e09418dc3b138700ec4c4a36ecc9687856d4265f75f807c09ec8967589ef8

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
72KB

MD5
480aaf09c82ce2985ef68941e4f60452

SHA1
d3495ee32ec82b78a88d27f347fc276287528411

SHA256
f5e968e52d5cfc650884d8a04feb413bc706fce3bd1b6d01352c809cec304540

SHA512
6749e4d65b3386eec84c9cf604c87d9e11753950be69cc9db1edf998d50a3ce6584a8045b2e976871dde277ecf0ae36aa5239b2de0e45e4f988252c626e588a0

Download Submit
\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
72KB

MD5
fa8168dc3078737c0c952bcc286f486d

SHA1
dd2f4f0f52ef8a8d110884735def9b807a45a387

SHA256
e2dd47f63d611cb571f1c6f7c53bca3d1c0379117ed61c943da38a02942e0ae2

SHA512
3917ee62c0e18a988226fea33c62a14f1da50e91844aeb246fdf12701706791af38cdba53528a8316d77b80149327f0323c8e7cf773b60f506f10652de53b605

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
72KB

MD5
fdc1a33175c47660df022b9ec76fc843

SHA1
79b7efc4d1b0c52c4e7b85b628dd9d81537c5a85

SHA256
cbbf5cfc2c95ea2d267e8a5694b71cba1eb26b1e8b549acfee4b77f5723a9022

SHA512
44ac30e9afcb1ea15d8f0d2b514b3d894ab606d460ec113bcf891c51e2bc6f25643cfd1481131a56f206b21250aa81d0f10fbcfc35f30410c25515bba3e3f1c7

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
72KB

MD5
6f489e99555f682354cdd6842242815a

SHA1
9c8d91540b38dda502ffff328da698e090973205

SHA256
639b39141328c054bdf890ccb9ed01d9ee349d2f90276d838da5d5c9ad6ca14f

SHA512
01889ef23025bc25469f31a0ba67361e192013d56fb284f3e7585ec41e09ec093041d9c03848f9dad1ae877c093ecaf8de06db480f3c08b7e7d8281d05619103

Download Submit
\Windows\SysWOW64\Qgmpibam.exe

Filesize
72KB

MD5
eb43b46215b544a6cf5a7133fe81ed48

SHA1
c13dc3fe154be86232a49785f8e54784e9463dc6

SHA256
9c5dfe8d039abb8c6149c750f2b13652120743fcf51223ec7a54b21da51b5bba

SHA512
6058cbc8711f067f800dde2ca9fbbe4e27838a64057474d2668e4714374351f9529ca26c6702dda0fa60881700e0b903366fee98d3e8980580b701835dbc6cae

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
72KB

MD5
f35604f3b2f209e8fc7ccdb42b431d72

SHA1
1b73fffb70ec79e1370b8c949967eea4186a065c

SHA256
3a77fd5be3a616ae8b358dd971f1a0dc89ff0be7fdc0370844ccefce767a694e

SHA512
6b7126f886184489c96ce2cb904beda7d769b7ae629267278af981f49ce84f96b6a2c3567ae1e4cb733edeadfaacf78db4dc235186722cd76388b9a7103d6956

Download Submit
\Windows\SysWOW64\Qppkfhlc.exe

Filesize
72KB

MD5
431b2476d9070eb13c90384a12ea716f

SHA1
4c1a1d7e65dc81732fe317f9aa76757162711473

SHA256
e2e3057e334c89cd42f1e0bc3d342e02f872f1cc266244d84a33add8dec1b3a3

SHA512
6fb94a7c7ed4d65e14883b825e13baa646af66648a2b5e7b4069f4fceb6538dca4b081a270d7dddd5d6c10e7bcfe98d36bf055e59ecf6309502134f5fdc54baa

Download Submit
memory/496-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-394-0x0000000001F50000-0x0000000001F83000-memory.dmp

Filesize
204KB

Download
memory/888-319-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/888-320-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/888-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-119-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1168-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-491-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1332-492-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1468-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-298-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1468-297-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1480-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-494-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1480-177-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1480-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-436-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1620-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-348-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1644-352-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1644-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-248-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1660-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-146-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1780-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-333-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1808-334-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1948-264-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1948-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-268-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1964-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-406-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1976-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-460-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2180-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-278-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2416-199-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2416-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-94-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2560-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-84-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-395-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2644-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-40-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2644-39-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2684-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-418-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2684-69-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2684-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-411-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2724-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-362-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-55-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2760-407-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2760-57-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2760-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-337-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2912-341-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2928-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-226-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2940-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-374-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3008-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-12-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3008-13-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3052-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-309-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3052-308-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads