98731d418caafcf87e5a0e6362504f092918b7bccde9484dcc0037c9ff6db889

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d2322d0831d9b544ddad5bed9e8cf00N.exe
Size

71KB
MD5

4d2322d0831d9b544ddad5bed9e8cf00
SHA1

3c7893fa1b055d1a7127e7932ea5104b266ab0b6
SHA256

98731d418caafcf87e5a0e6362504f092918b7bccde9484dcc0037c9ff6db889
SHA512

7d18ae5bf3d546699beb383b663105859d3d132957506eaca2c13ed7bde87ae321519af238d8c5b38e3cc83bd2aecad48df4a3979ca13e918ef4f8c3cdd5367d
SSDEEP

1536:8NM7RsHmB0ToYftuz/L7LLp9a6U4C1/DEyVRQTK1P+ATT:8NQyHXsz/L/Lra6fePe+P+A3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe

Executes dropped EXE 64 IoCs

pid	Process
4408	Lmbmibhb.exe
2556	Lpqiemge.exe
1908	Ldleel32.exe
4236	Liimncmf.exe
1084	Lmdina32.exe
3700	Lpcfkm32.exe
2028	Lbabgh32.exe
4780	Lepncd32.exe
1732	Lmgfda32.exe
4832	Ldanqkki.exe
3728	Lgokmgjm.exe
2768	Lebkhc32.exe
4500	Lmiciaaj.exe
1756	Lllcen32.exe
3736	Mdckfk32.exe
1624	Mgagbf32.exe
4060	Mipcob32.exe
4644	Mlopkm32.exe
3304	Mdehlk32.exe
4076	Mgddhf32.exe
2140	Mibpda32.exe
4784	Mplhql32.exe
2332	Mdhdajea.exe
4544	Mgfqmfde.exe
624	Miemjaci.exe
1724	Mmpijp32.exe
1904	Mpoefk32.exe
392	Mcmabg32.exe
4040	Melnob32.exe
4312	Mmbfpp32.exe
2916	Mlefklpj.exe
5084	Mdmnlj32.exe
5004	Mgkjhe32.exe
1468	Miifeq32.exe
1960	Mnebeogl.exe
3784	Npcoakfp.exe
1972	Ncbknfed.exe
1716	Nepgjaeg.exe
3444	Nngokoej.exe
864	Npfkgjdn.exe
3008	Ncdgcf32.exe
4712	Ngpccdlj.exe
2584	Njnpppkn.exe
4692	Nnjlpo32.exe
3496	Nlmllkja.exe
2564	Ndcdmikd.exe
3748	Ngbpidjh.exe
4612	Njqmepik.exe
2368	Nnlhfn32.exe
3168	Npjebj32.exe
3040	Ndfqbhia.exe
4920	Ngdmod32.exe
1536	Nnneknob.exe
912	Npmagine.exe
2420	Ndhmhh32.exe
2208	Nggjdc32.exe
4276	Njefqo32.exe
4932	Oponmilc.exe
716	Ocnjidkf.exe
2136	Oflgep32.exe
572	Oncofm32.exe
4508	Olfobjbg.exe
4808	Odmgcgbi.exe
744	Ogkcpbam.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Lpcfkm32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	4d2322d0831d9b544ddad5bed9e8cf00N.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3796	5972	WerFault.exe	231

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4d2322d0831d9b544ddad5bed9e8cf00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4408	3512	4d2322d0831d9b544ddad5bed9e8cf00N.exe	83
PID 3512 wrote to memory of 4408	3512	4d2322d0831d9b544ddad5bed9e8cf00N.exe	83
PID 3512 wrote to memory of 4408	3512	4d2322d0831d9b544ddad5bed9e8cf00N.exe	83
PID 4408 wrote to memory of 2556	4408	Lmbmibhb.exe	85
PID 4408 wrote to memory of 2556	4408	Lmbmibhb.exe	85
PID 4408 wrote to memory of 2556	4408	Lmbmibhb.exe	85
PID 2556 wrote to memory of 1908	2556	Lpqiemge.exe	86
PID 2556 wrote to memory of 1908	2556	Lpqiemge.exe	86
PID 2556 wrote to memory of 1908	2556	Lpqiemge.exe	86
PID 1908 wrote to memory of 4236	1908	Ldleel32.exe	87
PID 1908 wrote to memory of 4236	1908	Ldleel32.exe	87
PID 1908 wrote to memory of 4236	1908	Ldleel32.exe	87
PID 4236 wrote to memory of 1084	4236	Liimncmf.exe	89
PID 4236 wrote to memory of 1084	4236	Liimncmf.exe	89
PID 4236 wrote to memory of 1084	4236	Liimncmf.exe	89
PID 1084 wrote to memory of 3700	1084	Lmdina32.exe	90
PID 1084 wrote to memory of 3700	1084	Lmdina32.exe	90
PID 1084 wrote to memory of 3700	1084	Lmdina32.exe	90
PID 3700 wrote to memory of 2028	3700	Lpcfkm32.exe	91
PID 3700 wrote to memory of 2028	3700	Lpcfkm32.exe	91
PID 3700 wrote to memory of 2028	3700	Lpcfkm32.exe	91
PID 2028 wrote to memory of 4780	2028	Lbabgh32.exe	92
PID 2028 wrote to memory of 4780	2028	Lbabgh32.exe	92
PID 2028 wrote to memory of 4780	2028	Lbabgh32.exe	92
PID 4780 wrote to memory of 1732	4780	Lepncd32.exe	93
PID 4780 wrote to memory of 1732	4780	Lepncd32.exe	93
PID 4780 wrote to memory of 1732	4780	Lepncd32.exe	93
PID 1732 wrote to memory of 4832	1732	Lmgfda32.exe	94
PID 1732 wrote to memory of 4832	1732	Lmgfda32.exe	94
PID 1732 wrote to memory of 4832	1732	Lmgfda32.exe	94
PID 4832 wrote to memory of 3728	4832	Ldanqkki.exe	95
PID 4832 wrote to memory of 3728	4832	Ldanqkki.exe	95
PID 4832 wrote to memory of 3728	4832	Ldanqkki.exe	95
PID 3728 wrote to memory of 2768	3728	Lgokmgjm.exe	97
PID 3728 wrote to memory of 2768	3728	Lgokmgjm.exe	97
PID 3728 wrote to memory of 2768	3728	Lgokmgjm.exe	97
PID 2768 wrote to memory of 4500	2768	Lebkhc32.exe	98
PID 2768 wrote to memory of 4500	2768	Lebkhc32.exe	98
PID 2768 wrote to memory of 4500	2768	Lebkhc32.exe	98
PID 4500 wrote to memory of 1756	4500	Lmiciaaj.exe	99
PID 4500 wrote to memory of 1756	4500	Lmiciaaj.exe	99
PID 4500 wrote to memory of 1756	4500	Lmiciaaj.exe	99
PID 1756 wrote to memory of 3736	1756	Lllcen32.exe	100
PID 1756 wrote to memory of 3736	1756	Lllcen32.exe	100
PID 1756 wrote to memory of 3736	1756	Lllcen32.exe	100
PID 3736 wrote to memory of 1624	3736	Mdckfk32.exe	101
PID 3736 wrote to memory of 1624	3736	Mdckfk32.exe	101
PID 3736 wrote to memory of 1624	3736	Mdckfk32.exe	101
PID 1624 wrote to memory of 4060	1624	Mgagbf32.exe	102
PID 1624 wrote to memory of 4060	1624	Mgagbf32.exe	102
PID 1624 wrote to memory of 4060	1624	Mgagbf32.exe	102
PID 4060 wrote to memory of 4644	4060	Mipcob32.exe	103
PID 4060 wrote to memory of 4644	4060	Mipcob32.exe	103
PID 4060 wrote to memory of 4644	4060	Mipcob32.exe	103
PID 4644 wrote to memory of 3304	4644	Mlopkm32.exe	104
PID 4644 wrote to memory of 3304	4644	Mlopkm32.exe	104
PID 4644 wrote to memory of 3304	4644	Mlopkm32.exe	104
PID 3304 wrote to memory of 4076	3304	Mdehlk32.exe	105
PID 3304 wrote to memory of 4076	3304	Mdehlk32.exe	105
PID 3304 wrote to memory of 4076	3304	Mdehlk32.exe	105
PID 4076 wrote to memory of 2140	4076	Mgddhf32.exe	106
PID 4076 wrote to memory of 2140	4076	Mgddhf32.exe	106
PID 4076 wrote to memory of 2140	4076	Mgddhf32.exe	106
PID 2140 wrote to memory of 4784	2140	Mibpda32.exe	107

C:\Users\Admin\AppData\Local\Temp\4d2322d0831d9b544ddad5bed9e8cf00N.exe
"C:\Users\Admin\AppData\Local\Temp\4d2322d0831d9b544ddad5bed9e8cf00N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\Lmbmibhb.exe
  C:\Windows\system32\Lmbmibhb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\Lpqiemge.exe
    C:\Windows\system32\Lpqiemge.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Ldleel32.exe
      C:\Windows\system32\Ldleel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        38⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        43⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        55⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        60⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        67⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:64
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        71⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        75⤵
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        76⤵
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3924
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        81⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        89⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        90⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        92⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:844
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        112⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        113⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        116⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        118⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        123⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        125⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        130⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        131⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        132⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        135⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        136⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        138⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        142⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 216
        144⤵
        Program crash
        
        PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5972 -ip 5972
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
71KB

MD5
b6ae68c375663f1eb38007926251f077

SHA1
27182a4eb8a62b0e67c24241a1a980aa0320d7ee

SHA256
cf156834cc9d6e17626ffe5325bee95ac97e31281f8a0a4e694353688ff3cfe0

SHA512
29057833b8c850b6dff424d229f4c512cc7b90fc30b8f3ea347f3537d4c6886a46e506d2d45fc0bc339a5ecc2d4809439ec75d49dbc88bb2a04b3efcdb503bb6

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
71KB

MD5
f2c19af1c26229564d0f058d870a550a

SHA1
9b2de5767e8989d744bc6bad19de266a38c7b253

SHA256
283a56ff1ae2deba74bbae8ea4eb5a7a2f8b7a9382efd94ada00277629319e02

SHA512
ef4f4039656c676ef322b0cd4d6e4eb296c92346292af34d8cf7d989bad3cd8d99d0a382bef26d2b46872bf5a36b335f0a429628e2b998d81e236779f116e990

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
71KB

MD5
71c2b8c6dcb80de15aa74b45d9d53fc4

SHA1
bf4de4e93d63247e42daceacc9b4f085ddc26939

SHA256
80ed4d64f927c9a32096b7a2df134ced6e853e0d409bfec7479ae07feda75897

SHA512
ae336de64f702d7230a9909b8589b5c558e1a7c180bbbad725b7951c9405097f0522b2313a8d93c546c15463780ae16e733c2cee268bf33a916ae806add1b9a7

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
71KB

MD5
8b03a3507b8fcf970e9ec15d592927f7

SHA1
3cfeff2538b5d9d77622be20fa2c18f872d0d296

SHA256
64708f98e077d1ad20ae31384892ad048a3f583557003f8f12e5d09e869da499

SHA512
1abec5587659de117d5cfa8a22cdb9feb2e2dab471495bd383d345c6aee6ce584c68892c93b74310560964e7286f21132bce723a792710f2315df64e2a748dd6

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
71KB

MD5
2fde61fbc21c14ad26500644f978afd2

SHA1
7495cea751f88516a679e7ec50b406ed0c9ddedb

SHA256
dd8d45d0ef06c7cdfe8f1d1160d03044c948c403b25f89228a781e1494d0eb23

SHA512
90a3413d07848be3eb7bf18bc40740599682591ad804c5b2ca8351adca5025e2175a69a40789fbc897c9e484a5dbb0133e3d5841c8b136ed9967cdff056516f1

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
71KB

MD5
66106b6204c9f18fb07433c65331fa41

SHA1
75bc6f3e11945842638c2e24dc93e1c6ab62b24e

SHA256
b75f8895f87447f136da77f8cc09a65a7ae0d671bbf3a0067becf6a2e6c3963d

SHA512
10f51c935f967ef57b197af096c3e1943aa0e6e67eafa81cc08cedd6f922ae9e1cc771d4f1910d1b1b14e882a5bf5458a3191bc911cff1dcd3c0d1a7e470885f

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
71KB

MD5
16cb1c49e5bd928ff61524967c06d335

SHA1
eb084a66692f1eb9da0261f72f9d2e7b1d128d6a

SHA256
c7e7fd0ed70551dc5549fb74317efe5011ea7d1b4d7b91ccd6623e7c38761b08

SHA512
06b34e9d8e93d84ffd25f58d66b472009cc2739b3023f4691be0505ac9ce76bcc107be67c43a110bf6f2515581cb0740cfc49aacdd7b57e772d634e41b199002

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
71KB

MD5
8f6197ce51f267c23f51585bc376abbd

SHA1
9c48cdb95d25695d23ff217a0be8c49b559681df

SHA256
c6371868368f564323b573e49357c28443c18d01c1b16f16f6b8b44f2f3e1c82

SHA512
b5494bd58c075d986be1b332a6d1ea0cedfae0045e797dbd4c453df3c48438394b5b05e31b78f6b114ae718a09e03b7896a240d5dad749c8804ff98a9d03e1e8

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
71KB

MD5
65d0b71fcd3aed095730fb393f573469

SHA1
7d89b5c1a36fca43eac9f6c53f2f1fccc7711a17

SHA256
3f724ace86ae5c4635ddc4ee724ce6e5119c6dd3ccf7e245508bf03ceac345de

SHA512
a27db0adc5ac344eb00cffc8b18838a92cbab8fcc6c95143b7252bc88aef4d29a2d27a473b73d63311c7b41ea4acd436e93d2108e3b923db06f86523fa992997

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
71KB

MD5
2c8da5b70b0b626817ec1328a19ba6f5

SHA1
6527ea345131186e56b0c1f28db14e167713a5e4

SHA256
3e7cbef640a8c853bdb8712208efe3dea2155d77b11f86bc7aba45536ac1af3c

SHA512
b2be6942a281047d9be1c32034e816cfeaa07f227a8f5b57792dff95e0ba4ccc81ff7c94f613ef8aabe0390cfeae16c22c8bd945bd5bf433dddb2e5deb777f90

Download Submit
C:\Windows\SysWOW64\Iihqganf.dll

Filesize
7KB

MD5
41818de2d097b49611ff9ad5db4dfed5

SHA1
ee30dabc55a4a0234bec675f457d85c8c00b90e8

SHA256
99ffbffff85315f468303684602611d310ffb6f67158659fa69f742c1c450ec8

SHA512
6bbeba0f5f358c6e425e0a3be6472dd06b2405009852776b45445b4565ad33ceb00856fb55b8c2465d48978e28228a277fbb6a210db68899ebb6be6f775378ef

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
71KB

MD5
d2c4b8b0d3a23cd6cff53a9eddaddfaa

SHA1
fe6f3a1bcb7aea96ca957372c45df98d97ffdcf0

SHA256
21841771b31f1fd8458d16f4cd0475158bbcd0568d2b565d90011e6bc93453ec

SHA512
9807e0742e889887c3b5863ee50caf9220817946ad9d6ce2bbbeb784b9784309459e8011c8f2b97bd9ffb9af25bf560c5c3798db4026d6a2245640745abef8b8

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
71KB

MD5
0b4b459de9984f86d0863feacb8077c9

SHA1
1602a85088629dade58e867bc125bed981338071

SHA256
f0db625235db3b3506085934b89b7d9ed67540bfd750f7c5d66fbd24a6283dc4

SHA512
113a278e177775196a21e9bde28b96c0a13e5ccc6b59cefa36e7d229f2dfe985a9168efed23a6a9333f9ea0497a981d90366855efa210affec062c7899b44f24

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
71KB

MD5
da06e4f1a66e5b101daa27f345fa3c51

SHA1
ef27b45f020f6a5b592ef4668293ab13eaeab206

SHA256
ac52169e6d15fcc20fce78a54c20c673abcf31df49af812587c147540b0086ef

SHA512
b1c7f24b8b1e6384b2d43751a3dfbd13325ed2a1877371fbe0022b00283f491379f7ec4a8ae398a792662d41862b45de3e774889c979f473484b4b564cb0effa

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
71KB

MD5
e294b36c6f066a3d95fab332f6d8d16f

SHA1
e0dd314a19200096b47acec9629a2a44ff03b14a

SHA256
7bafbb2ff2dd89feeab32bd9c6ace75760d16fac2aa7ac3d36b84b51c83c4f25

SHA512
75dc4f46bd9d24dc3e471b82c1f443c5216937651b593e921eb74858a9639b707c41fcf1af427ccfe02e0e9c6cbe37f41a7660decc7d8b7b22eb715aeae5dec0

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
71KB

MD5
117ba14b2861df0ddcaa55761e3572fd

SHA1
290568a5ea65c68fd4f76c8765ede48f2bae7915

SHA256
2e6fbe6bda3859d359b2082dc33a4564c44240d22d8b9dc2d0d2d7457e92c420

SHA512
a6fdcc118a8c6e18cda392698845cd3b08787ae9ee9047e25fca4f021aa43b2e4877cc6849de6ab8c60f68afa96277cf7f61a8532138d5b631dabb8de694d795

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
71KB

MD5
c75d82d737759eb311f98eedf08c858e

SHA1
16998575225f95b7017e8037b29f44ae0beb6cac

SHA256
48e048692037a80816246da5dd5c5a7fc2111ec2707dfba789d8d0685090ca76

SHA512
3c49473d3a9846306994cedfd2c4077c65f520fcb18de01fac5189fd7b12e5aed1b810eeca47d41df2acd8d86298402311be7a3c2e1ac8962d7e2f496433868c

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
71KB

MD5
e618474828ea6d6f825700719a4e4f6b

SHA1
9849d8216df17f1c73fdd8615eb7d0f801544716

SHA256
6083823e0fd61b47630951cefcc280a205e26c2a611d911aa9f2b02159fb504c

SHA512
5b79a0e36bd7e0b247beb898225a2ecc2a69a85ea9b018276f1c9f79dcc4af1f8e8f210c17f71587708d1aee706c746c3eaeda3355dcf625417e09529d96ef23

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
71KB

MD5
fc848f15a51e1a7f359a67ad67586821

SHA1
5a60ae766585daefb1335b34e0e2356820ce25f8

SHA256
501ac63bebb9cddde0517e9dbe0a06f6b7d92f90f1a93f7cdd674ffbfc50d83c

SHA512
b221cb174ebbacd5042f8eabc80588847653125c6860e457b17007bfec593ba50fde36cbdbc905cbbd1d44e43b1d816a3e057d9b4140d6317095e2bac2a1a34d

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
71KB

MD5
e49afc09e7d4b1c676aacec55b3c6125

SHA1
66014f1a52864518cfb80c6cdfb9ca67f31ebc75

SHA256
10a78aa9735f323a35844b51f8100d8101a272a6dfab216d7b9feb868bedcd76

SHA512
152d06dcf1754bf50732a368f44e2419dbd94cc6e5cdd28ad233a6f401adfad5514d0ca32af8280400e1bd8acbbea584137cd5476f6b358fa9c106b3089e5e78

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
71KB

MD5
d3d39d0ceed31f3d02c1de898c5cfecc

SHA1
b1ef7cb896f08b11b57be0c4a7774c528a039064

SHA256
3671fe3854bee190743032efb19360f8a676f084a44e6af8572c5f8aff44a879

SHA512
b43680412d813d152a90eebc801ce9a5202c0a19b338bd28f1ec6b6e08cec93d2227b15c8a867cb45eb331d4d8e23f2d1e272e90c69c741f80aada32e8aa257f

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
71KB

MD5
4df7a8dbe92453d47284e5d07321505a

SHA1
ba8d22d794c714ac0268cc2d295aaf2a1169331e

SHA256
a293297ad2f1dbb8343f0053fb02c878caf3edd0f9a1f3b7fd06ea0a5cfc5b7e

SHA512
b0d0112ff1cb4468c99090da8ae73c465f69c3c37e4359b95443b81504cae7a9cb5d410cd2ea3c608241dc7393d833e704b2c59922ccc61952a10a122cc5e224

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
71KB

MD5
c7e488662ea99f49056c651d185bc5e7

SHA1
3c835887e1cc21375520851b88d8e6531c3d60a9

SHA256
c8467a63954dfe83fc39ea15de383e5277c190343a2ffba9f2d77ca310fb524b

SHA512
bc428da98227278fbc8d006c036b547cfb29d92ab8ed8160d5cf11d81baf7f6a6799be3a5d3be347673ac5b8bd897005686c7f5c6e3039d6422a4f06119254d9

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
71KB

MD5
d9f0f3a107e79fd8dc14c9efb51c263a

SHA1
ee12c33c929bff27ce0f80126cabec5353f5381b

SHA256
39145f8677ac0325fb980b3c8267f043e77fb9e70404b44593f4cbc735927f88

SHA512
2d16f7576899339ce1e65455cc29892de31bbf469f3402c37105d81ce6387a661747c41c0f80b16fc2de7c54d70bb759769f146a5d10771df1947b7117a3aafd

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
71KB

MD5
ece4a193a6ec5692c20948673695fbbb

SHA1
e7d114847bf64cc7ca8162ce74687a637bc80f2f

SHA256
107ab62b16f9987f22be2fd931ac767e9ffe2b234de127415be2c7af6b55b70e

SHA512
d670f979a44e9defb3e7ea3024be360ab448165bfc925b42e8a2357cb144555625beabbce63a545bbb2d40af03797ea48c6fb2141b50ae86a11186af04393bcb

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
71KB

MD5
4d3634c087e83723f08ac113ee6b90d3

SHA1
6b9b770833db2f216836c560c2dfcd062a75a8fa

SHA256
554919b2f97e9ce04765e6749a4b4b6868bc529b38552be4ad78e5c090138e85

SHA512
88ee784d9e4019e5d08154789ec5c7d0199ff98afec1416d2a6b97feafca6fb3d6ba5968c46a61ebf52ce218c3272970da3660376df469edf6a0dfa110f91843

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
71KB

MD5
3dcce1448e2727294334275ba81c29e7

SHA1
29310f19d468a34521dc1c921de4fd2124339733

SHA256
6eb55736040c0195715092883db013de2e6cfece96a986d6d76a6e8141a61907

SHA512
eae3cca43913edddb51cc8b50cfc964104aec1526e89e6ba04e569f70b81553b3c29b7789365b164747332b25f187483b3a1f9099fc16895ee0935bbf8fd7c2e

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
71KB

MD5
1d35c22b0538d0946cfcebd02c0080fc

SHA1
662bb816e345c37f942113e3be12b8099ddaace6

SHA256
3fb26143776b0dc8347a5ca1e2226a03215878a880f1ab451229a6dafb6bcf5c

SHA512
0d4ad876cc3edaba12d3ad90776c1c4c473719b340485bb59ce4eb9dffaa1dd4139e6e55ab84c9dcd65b5decf5a26e05f8b98c7adfc356fb9caabb4e60b58b34

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
71KB

MD5
12b7a55fd228985a7d9be5594ce2cde0

SHA1
614c480d0f340214333a1cd525dd193c4b040b43

SHA256
04ff77ed9149817b01236335db3c95805f4815a18a59c2eb50707b90c97a8ec0

SHA512
5af4bbe05f70c1c78522c42c03aaa3cd04d74d9e9ef12f54acee02368c30fec44da4af0b24bf33ff9536ae068e516083db3aa161df7e83969781df786f976f94

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
71KB

MD5
b065d73ee97a96d4117ce91eb608952f

SHA1
a3f4420d7db1202179e5cf2e2b2d0ce9726b67ce

SHA256
1480d503745631ca61543728ae6b80da1b968b6ec42b870e7ff2220c2798383a

SHA512
2a501718e8baaf1ec687d2ebddc1c305b12ed9222c650dd989cfd1efd74983d6cb861be6d6829a75238acf4b9860ae0c3e6478ff476458d45c40c5143c7fbf0a

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
71KB

MD5
ede31803ab9b405e6523a0b66e72ddac

SHA1
88e14f12478fd8ce7657cabe7d68933bc2f21b3d

SHA256
7d7e67c45564dc554970c03f64bf1a7303bad944817c1fcea896b278046b5968

SHA512
88bbde38c37d45cd6ca1f749264696ee4c5e5ffc381c3a174f51c6136bd1d116438232ac267f740f566ae37de8a491d8dd47b52a002ca5f13503352598c6bcfd

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
71KB

MD5
ff4cfe78c9fbc376af051d54272ab0af

SHA1
a7566b568a305f4173fd1888e91d61d3e8907083

SHA256
b22949cc9873585be7d4b987a2a3c0882834e87733882d8b68b878eb1271b36c

SHA512
4c742a1fb39d73b5df38012e6f43f0cf53bf561b13cc94c670bd4d6915fbe6cfa2dee4b36260c3b7820dfc12a8e409dca70e1dc2ddd6d4c5bc309d494b592d8a

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
71KB

MD5
c01351a98c34e26263197cdb024eaeb9

SHA1
5cd1b6b4b08b604590e1a871118f5484a4c07b26

SHA256
afbf73d116b72c2d83aa76c799f23d836b4d7111add456b77203d207f9f3c482

SHA512
efb404cea0ca7664512f03cdcf0371c0d16721f68a180da944cb2dd0b134a3fca9834a4ef24b2b74cf3f1fd4cc4b4d03c83021467d052549a11a229c15ecc104

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
71KB

MD5
2874792604bf962606779700e059434d

SHA1
e497065e6c4ed7c64cbd94f5d25056ea0ba4b1be

SHA256
834f98f0b0302f0a6455628b210d38b843159ce02f80ca27ba3bcf74954012c7

SHA512
775911bc674c2749f1995ec3f4a1120882fbba35ee0f303b6522ceebde5e114956cbf3d1f4ccf1f3fc296e34af9c5d4e95000ebbf53a50530e9ffede9b06bbbb

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
71KB

MD5
2a171569147135853041a256f2eaa863

SHA1
239d2f14b14bc5a004618728192f7d7f7dddc6a5

SHA256
3bd64bcd0f7a01f21d8f3d360a570905c7e7764d180e46d1661fc3d7099873e1

SHA512
e10cdf7764a0c79b18c16bea8c9b579b408c925485845e252e851db224ca90058ef94df1b40789fe3b76db04f1797398e0f14af8cef145b768a3670f657cd92e

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
71KB

MD5
874cafa31356a716dcbcb85f13174112

SHA1
1351bd81dca978afb61b0aac5536c28284b51fe6

SHA256
62f97c51c14d3537f23fa806ec4ac8afc5acb30ce2490fcdf6f2154c8631cabc

SHA512
205a51822f56381f4131822c159a27f9257f8d1c2953644b191707a64e9844cfcb65ed8abe0b17b7c3ef27d330e84d60073f02d60c1ff80e62154a62b4fe0986

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
71KB

MD5
b78ee00a2ad350071f994862b4635866

SHA1
89d1d29a82e24cc47b69db236bc949de25da6b2a

SHA256
5425e5b66e6e75802a45726faadf54063f927547ce19e4b6d91c747336d768c7

SHA512
25b0fc85fdc9a8e5773884e5304d62801dc37bb1e4b65b6a3048df1de383ee5232798f2fe31830a1f355487a0030e3fbd51d07b755580489091311465f0766ae

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
71KB

MD5
0c24e685a3354536b1658614da06c60b

SHA1
9473d10040153936bb4034697f2918949ca363ba

SHA256
083995b3df899c13a763adbae98bd227b3da799c0fbe58c0501f4a020be8ca9b

SHA512
d1f036d046194f8cb4bce171e2e2768c92f395fdeeb06795297e6e2163d9f9a5ecad3a76513ce66e7eb8c8b2d8d4680ca0556daef61a040a2559f24de8cf9a47

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
71KB

MD5
1d0161b0e18d67e6fd3cf28e464b9f3c

SHA1
c4e21a78f36ec9c0ec5cdd45b0621084d767937a

SHA256
47735db45dcac258475ad6991d9ef13f02bc8241bedfe39f00af438bb72617a6

SHA512
56dfb222d6ccba39d6185bf92265a19f9d7f3bd76df0b666c7a19834a1ef9d5ae696bca30f196cfc99174a7fac2966ba489db75caae74b7d3db6b80e1e8711ee

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
71KB

MD5
4e25e13fd2a942e4a4fdf817408fd215

SHA1
babed9d90ffb589f343bddfcaf1488b764e8dfa7

SHA256
6b198226d340a1609c2eb1adbc0066af2a17ea9dfd4254d237be18aa4183e85e

SHA512
ac5b6ac2748e4a80df4dc33b39d928d766a3dc1debbfa261a629f2f5ec4af01005e7236ce07a7edef090b056ec2248577282b265169f61ff9654d389b3d395f4

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
71KB

MD5
eacf4aff07f3393399e7ab45aa2bde51

SHA1
3400660c65dc5518dd068a10b2e4f5b9b514589b

SHA256
6159dd2a1d15bf0244cf17641c1f98bd8f5d9bc0bff5bba52e29401e8512b63a

SHA512
5efa9cb81d4438cabe9389ac53f2cd5c1dba782cff7aaa39369a594485cb3a5b973e25173917edbac32d696c0113a119f57e3ee539e02a2cd7807a1c43af0faa

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
71KB

MD5
21f81859737b029d7cd73cefa03611a5

SHA1
cbe5b25443233c2077dbf035b5b88f0732f6f7d3

SHA256
68ccf62be92113b895fd1fbf1026b3a365d8d86dc8d91e650c668934ce37de47

SHA512
cf94ac9050656ea67349092bc0e6e90debe74496053d2045a3be7ea3dc60a32af0fb85723b7d8aea5203b434d56928083debc47dbdf434f75dc7bbf3f665453a

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
71KB

MD5
64aede71735f35dc65b06b229cda4a43

SHA1
6c36871c1e4ae309ff4cef9b017d3fe2f9bec337

SHA256
a0b7f59e45ce9080155fdb62236de323b9c6855f9f60d64f1bc377ecb4a73a80

SHA512
7448f028f9a0ea76b4f23af6eaea375e299e12a344a3bfa8bc29d8759c1d5a4e1f805e39c4f46e8368883e11a203d5feca9f19e98e3ff15fc5326794461eaa70

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
71KB

MD5
248e6b9071b60cfff071b1cacb8622cf

SHA1
9137deb39852c991ac6b8e9aa55721505d83b90e

SHA256
12dca31642b089dc5cba46c15c72d24c235f3c0aed9dcc8265be60bc54a79506

SHA512
fbcbba9546988fc29847e5d5072b15b9f6172c29584e9775b673f40790d07b88c297c4d8202aa0cf32cf8d3082acb188e050c2def8ced449409696d0065f18ff

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
71KB

MD5
319875d9d3d2557d8c289cbbdd1c0bda

SHA1
d5828fa1a24990acad243cdcb932a8e952ab8356

SHA256
866ea6bc2e9af593c971bb0edde8443b5b3814745fd2ac6e199c612d63a41bf3

SHA512
02c5befd79df2344a89caef43902ab83a7d9b42aa6b3698e1b5368960452f4db6f875bfd89c619c7a7c8e9a06be5a9ece64f025cb6f3113b87ef265c65421f61

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
71KB

MD5
b43448303ed06cc6ad14c57769a06dea

SHA1
e135b083cc6793dbdc02c1048e14fb035f410f8f

SHA256
3270f767d7b25fabc572de9098d23062d1e0c7abbdb1509f4fa9f876b36b9585

SHA512
f48ea389cfe8e94747f7ec52a4b10552ece4e7c184a88da0c5acce0d603d8fdaaf55986eadefac1f5aa5db3c2c863a8f25b58337864a0327803017c293bfc5a0

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
71KB

MD5
5953255b1df82394652dbf7f8d53fe7a

SHA1
3bf8c8d4c4592fa259581f5fde80adc77e103207

SHA256
ffa407b972dc02227e80f86d71f6af36e4c5fefd1a37d99c53bae7f4a5b32dbc

SHA512
5c197b89c5475cd263821adf73fff8f41b12e034d1b2c084f0138409adcfba29da066a5ebf8f4d1b634df26df93af969ebaba9521d598bf2a46597b5e96f1e1f

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
71KB

MD5
a1c4a460cbd16910ce0754b25aecabd3

SHA1
dd646ee1f2e37288e741b6d3844813feafbc9255

SHA256
1bb89167d9adbbe6f1421174e9759c118fd2e03314e27f922b86296fd27eab26

SHA512
1b9474a808aad243c7384b3d6afb07533852db9b9ccd60e49f98b221babf3351d665964f4122d3f8204ef25700c5267b82cabf618e9ed313c9b871e9cc3314f5

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
71KB

MD5
0bcf9e51935131f85ac6e146fc157fb8

SHA1
a3e08096edf8c518df755154b27408161e7c0ecb

SHA256
37957b180498d771d3c1f7afda95daaaee88a34dc3306c30c81f525b8aacbf78

SHA512
6e2bddbe2b4acfff5ebdb4e78d4245bb1d4be2654492d4e44f9f910554ee2efafe29afdb3091539a6b4049027fb618024d4ced436bc987460b390295066a50e3

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
71KB

MD5
9ff3d3c41aba70bbd78a2cac2781a200

SHA1
854a476540e8f5d190a3842a267c5f8b5e94f510

SHA256
c118da4b6183fe821c3cb81a67dbf8930ca7ec8da21053a625fe6166f60031a5

SHA512
31b8b160316a27b443b766d273653f0dd33c059b63431ac4181ec9dacfdf0ff10132650c06099bb9b4602485b8962bd73d0a07f9ab6b193ce231c1f926bb9759

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
71KB

MD5
d8a41ad6d31bb845114d4b30bb009c9a

SHA1
29fcce38b179da7d35e2bd6442e4e08e18db9593

SHA256
7394f4a4871aa8d0f7d3980dca942ebdb6207b2b27908cc98dfdb65662526c62

SHA512
a8c7dd3c03ded21b410975bc3857c0ac50c4f9e53cce4669da9a4acaf84e1dab751a0b6f94aa5a0f24effbbdea9ec198e8b6dd563748474211261915fd8684fe

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
71KB

MD5
d2711aefc58b610a64e699db1d2bb719

SHA1
84f14bed7cda9cdd17206c37eff8322a5b5db52c

SHA256
af91273e413d5510235be5d3ab8e6d1bf4132a800634bf86185e3643881c7b0f

SHA512
3bf314c136cf3d494c2bba62bea3a74be3bc02616b93ec4ff4fd93a1ea5407d820808c8dd9ae3aefb8f129049015b1a97575a49f8b626616f3bade5f2b6d3790

Download Submit
memory/64-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5912-1002-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads