afb5bd72158141bca870b7aa26e5c7dd2fe852842239374bdc5aed5d7abd5e8f

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a617f46deb2ef2c9c7e33653c3a7d1a0N.exe
Size

416KB
MD5

a617f46deb2ef2c9c7e33653c3a7d1a0
SHA1

feba50c74322761849ca88a6d00d6cd83566e788
SHA256

afb5bd72158141bca870b7aa26e5c7dd2fe852842239374bdc5aed5d7abd5e8f
SHA512

39ebaab90e4b4a7a68240752fb27dd9790f6e1e7e0fe8c3cd2a1719900b3bc30445e0d17e8cf2175fd095780b2759af039d80e631904573151e56a8793ce8ac3
SSDEEP

3072:bQSRALz/envUOJVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWP:bQSKWUOJRs+HLlD0rN2ZwVht740PP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a617f46deb2ef2c9c7e33653c3a7d1a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe

Executes dropped EXE 64 IoCs

pid	Process
4712	Jbjcolha.exe
3780	Jehokgge.exe
3788	Jifhaenk.exe
368	Jpppnp32.exe
3632	Kfjhkjle.exe
3936	Kpbmco32.exe
3560	Kmfmmcbo.exe
3576	Kpeiioac.exe
2940	Kmijbcpl.exe
964	Kedoge32.exe
2636	Kmkfhc32.exe
4196	Kdeoemeg.exe
1188	Kibgmdcn.exe
4584	Lbjlfi32.exe
4984	Lmppcbjd.exe
4304	Lfhdlh32.exe
3480	Lmbmibhb.exe
1824	Lenamdem.exe
1532	Lmdina32.exe
1628	Lpcfkm32.exe
3784	Lljfpnjg.exe
2232	Lingibiq.exe
1008	Lphoelqn.exe
2536	Mbfkbhpa.exe
2332	Mmlpoqpg.exe
4360	Mgddhf32.exe
740	Mplhql32.exe
4320	Mckemg32.exe
744	Mdjagjco.exe
2588	Mmbfpp32.exe
4124	Mgkjhe32.exe
1408	Mlhbal32.exe
3172	Ndokbi32.exe
4628	Nepgjaeg.exe
4780	Nngokoej.exe
3028	Ndaggimg.exe
2980	Ncdgcf32.exe
3984	Njnpppkn.exe
764	Ndcdmikd.exe
224	Ncfdie32.exe
1632	Nloiakho.exe
4556	Ndfqbhia.exe
4744	Nfgmjqop.exe
3500	Nnneknob.exe
2296	Npmagine.exe
2748	Nggjdc32.exe
1268	Njefqo32.exe
2320	Oponmilc.exe
4064	Ocnjidkf.exe
1868	Ojgbfocc.exe
4484	Olfobjbg.exe
4200	Odmgcgbi.exe
1912	Ogkcpbam.exe
3116	Oneklm32.exe
3132	Opdghh32.exe
4480	Odocigqg.exe
4288	Ofqpqo32.exe
1248	Onhhamgg.exe
2284	Oqfdnhfk.exe
4948	Ofcmfodb.exe
4264	Onjegled.exe
3684	Oqhacgdh.exe
2528	Ogbipa32.exe
4992	Pnlaml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aepefb32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kedoge32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Jbjcolha.exe	a617f46deb2ef2c9c7e33653c3a7d1a0N.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lenamdem.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Lmppcbjd.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5448	2904	WerFault.exe	220

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a617f46deb2ef2c9c7e33653c3a7d1a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a617f46deb2ef2c9c7e33653c3a7d1a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 4712	2676	a617f46deb2ef2c9c7e33653c3a7d1a0N.exe	83
PID 2676 wrote to memory of 4712	2676	a617f46deb2ef2c9c7e33653c3a7d1a0N.exe	83
PID 2676 wrote to memory of 4712	2676	a617f46deb2ef2c9c7e33653c3a7d1a0N.exe	83
PID 4712 wrote to memory of 3780	4712	Jbjcolha.exe	84
PID 4712 wrote to memory of 3780	4712	Jbjcolha.exe	84
PID 4712 wrote to memory of 3780	4712	Jbjcolha.exe	84
PID 3780 wrote to memory of 3788	3780	Jehokgge.exe	85
PID 3780 wrote to memory of 3788	3780	Jehokgge.exe	85
PID 3780 wrote to memory of 3788	3780	Jehokgge.exe	85
PID 3788 wrote to memory of 368	3788	Jifhaenk.exe	86
PID 3788 wrote to memory of 368	3788	Jifhaenk.exe	86
PID 3788 wrote to memory of 368	3788	Jifhaenk.exe	86
PID 368 wrote to memory of 3632	368	Jpppnp32.exe	87
PID 368 wrote to memory of 3632	368	Jpppnp32.exe	87
PID 368 wrote to memory of 3632	368	Jpppnp32.exe	87
PID 3632 wrote to memory of 3936	3632	Kfjhkjle.exe	88
PID 3632 wrote to memory of 3936	3632	Kfjhkjle.exe	88
PID 3632 wrote to memory of 3936	3632	Kfjhkjle.exe	88
PID 3936 wrote to memory of 3560	3936	Kpbmco32.exe	90
PID 3936 wrote to memory of 3560	3936	Kpbmco32.exe	90
PID 3936 wrote to memory of 3560	3936	Kpbmco32.exe	90
PID 3560 wrote to memory of 3576	3560	Kmfmmcbo.exe	92
PID 3560 wrote to memory of 3576	3560	Kmfmmcbo.exe	92
PID 3560 wrote to memory of 3576	3560	Kmfmmcbo.exe	92
PID 3576 wrote to memory of 2940	3576	Kpeiioac.exe	93
PID 3576 wrote to memory of 2940	3576	Kpeiioac.exe	93
PID 3576 wrote to memory of 2940	3576	Kpeiioac.exe	93
PID 2940 wrote to memory of 964	2940	Kmijbcpl.exe	94
PID 2940 wrote to memory of 964	2940	Kmijbcpl.exe	94
PID 2940 wrote to memory of 964	2940	Kmijbcpl.exe	94
PID 964 wrote to memory of 2636	964	Kedoge32.exe	96
PID 964 wrote to memory of 2636	964	Kedoge32.exe	96
PID 964 wrote to memory of 2636	964	Kedoge32.exe	96
PID 2636 wrote to memory of 4196	2636	Kmkfhc32.exe	97
PID 2636 wrote to memory of 4196	2636	Kmkfhc32.exe	97
PID 2636 wrote to memory of 4196	2636	Kmkfhc32.exe	97
PID 4196 wrote to memory of 1188	4196	Kdeoemeg.exe	98
PID 4196 wrote to memory of 1188	4196	Kdeoemeg.exe	98
PID 4196 wrote to memory of 1188	4196	Kdeoemeg.exe	98
PID 1188 wrote to memory of 4584	1188	Kibgmdcn.exe	99
PID 1188 wrote to memory of 4584	1188	Kibgmdcn.exe	99
PID 1188 wrote to memory of 4584	1188	Kibgmdcn.exe	99
PID 4584 wrote to memory of 4984	4584	Lbjlfi32.exe	100
PID 4584 wrote to memory of 4984	4584	Lbjlfi32.exe	100
PID 4584 wrote to memory of 4984	4584	Lbjlfi32.exe	100
PID 4984 wrote to memory of 4304	4984	Lmppcbjd.exe	101
PID 4984 wrote to memory of 4304	4984	Lmppcbjd.exe	101
PID 4984 wrote to memory of 4304	4984	Lmppcbjd.exe	101
PID 4304 wrote to memory of 3480	4304	Lfhdlh32.exe	102
PID 4304 wrote to memory of 3480	4304	Lfhdlh32.exe	102
PID 4304 wrote to memory of 3480	4304	Lfhdlh32.exe	102
PID 3480 wrote to memory of 1824	3480	Lmbmibhb.exe	103
PID 3480 wrote to memory of 1824	3480	Lmbmibhb.exe	103
PID 3480 wrote to memory of 1824	3480	Lmbmibhb.exe	103
PID 1824 wrote to memory of 1532	1824	Lenamdem.exe	104
PID 1824 wrote to memory of 1532	1824	Lenamdem.exe	104
PID 1824 wrote to memory of 1532	1824	Lenamdem.exe	104
PID 1532 wrote to memory of 1628	1532	Lmdina32.exe	105
PID 1532 wrote to memory of 1628	1532	Lmdina32.exe	105
PID 1532 wrote to memory of 1628	1532	Lmdina32.exe	105
PID 1628 wrote to memory of 3784	1628	Lpcfkm32.exe	106
PID 1628 wrote to memory of 3784	1628	Lpcfkm32.exe	106
PID 1628 wrote to memory of 3784	1628	Lpcfkm32.exe	106
PID 3784 wrote to memory of 2232	3784	Lljfpnjg.exe	107

C:\Users\Admin\AppData\Local\Temp\a617f46deb2ef2c9c7e33653c3a7d1a0N.exe
"C:\Users\Admin\AppData\Local\Temp\a617f46deb2ef2c9c7e33653c3a7d1a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\Jbjcolha.exe
  C:\Windows\system32\Jbjcolha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\Jehokgge.exe
    C:\Windows\system32\Jehokgge.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\SysWOW64\Jifhaenk.exe
      C:\Windows\system32\Jifhaenk.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        37⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        38⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        49⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        62⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        66⤵
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        67⤵
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        74⤵
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        85⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        86⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        87⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        92⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        93⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        94⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        96⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        100⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        107⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        109⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        116⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        118⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        120⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        121⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        126⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        129⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 220
        132⤵
        Program crash
        
        PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2904 -ip 2904
1⤵
PID:5280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
416KB

MD5
a7e45c2cc605221e26e6420fd9e75327

SHA1
f11d05887e2fac30e6f2866080d8d3ee9e20e8be

SHA256
c678f918e1377b3738d0a5614ac45c5f76178de028070625040d36d8e48cec28

SHA512
56d298f4a701ab293165195d9e371957aba51b663623a54ee498d917e7b3d4d5f0e4938212b4a5be756d56f2be282b3a8c52911d9c5412ae0e232b83b34c25bb

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
416KB

MD5
d10936a22ac471d3a24ff190c86f16a1

SHA1
202b4de9899e4a8ad75d243b11ddce940eedc70a

SHA256
b3709b18023de509184dca6e4020729ebaad24385e454467b12893f7acac5b44

SHA512
11f7b8d93fd299708c5672dbc873e3366b1c225d9af8833cee73e3bb65b2a4a89b8471371bbcd97e1d0d3c7d6433cf746b70e10b368ff35619dc692616267a85

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
416KB

MD5
c400f7069aed2253fb2aca0a5021c642

SHA1
b7a16842a74e1fad6d74772be6d459edf2efcb5f

SHA256
47784427a8698d86b13853367bb5479c32ef9769d9f0f3c9fe4ef5c752bd8dcd

SHA512
01c68b0313aba38a783b8d2ad16cca07ca44ca17f2ce2fe10c72d69e57cfb9c1800d1bab5d2fa4390ede7125247f9b9a39464e7ed960c69373f4e21d8a52e840

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
416KB

MD5
8fc1b8576c93fbc92554138a6ed6d797

SHA1
8ffe556dd718f962b0c9abf1820a78d6a236f33a

SHA256
7fd246c9287cb774112ab0e8ff8e9e7faae1b09a095b6f6661dfc18275d3c856

SHA512
ed93c686993a85ccf379c2b8114a7c97224ae8bec083d8bf17fb4554f33d7d097177f44639edf0ad4e1dc464ca3b07dc9387c3177efd37476215b0dd1eddb31c

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
416KB

MD5
352632aa920daa1ce4f491000bcf797d

SHA1
34c1619b9099bb36677596b10ad9b6d16482a680

SHA256
2accc9ced9e08451a988b0dd500077e655266b7e3f4e07e2df85d6a5e6cd10af

SHA512
5e6d68e195209acb6ad76b78986cab53600c7faf1b63505418cd9036f369b9ffffefd3d362a175b275186573ef0b821cee4d16e9e449233885784e77a3763c8d

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
416KB

MD5
21ee5a28bc0d046cb481f4705aa2b40e

SHA1
83400c90ee398d51b3c01222ac0115ea4422669d

SHA256
bde781f2f2c37fc51562530c92296124e7094be77e759202503b8c18b284dd94

SHA512
3ca548ecb74d636d0cd25f33adfd27712561248e0f17b99117ed2ffa012c7d13e8f28de1dabe818481ef8a56f4ad1e747c0b519d42502845928d72bd4fcebea9

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
416KB

MD5
ff274960328efc0e3078b55d5064032c

SHA1
63e764583d2aa52bb7eda7fa6019b58c67cf0ab4

SHA256
b8945178bac9b1e732989661160200f34c4d60060c52ec7967e0a79b06010586

SHA512
0c87e9b2e96945d6da4b3c9c55eb13fc7166eb389fe1e3a0de4f8a80f34311e60d25f9e796b6955cfe8deec11e95fcf2af34468d3ac96cc32ef4d9c67d574715

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
416KB

MD5
a75699ddc7d8ae9d534e477055fc857b

SHA1
ccf60db000628deb8c77821fc32374fd90b7cbcd

SHA256
4f4b9dbe2aa2e47c2b98de4bcc012b8f531c02792227d67122d8edc9ff30ef69

SHA512
dc1103c0cc3c82a2a3cd10ec2d5c0d24f67b890dd6b3c1215ccb061465ea7331ba4fe2cbb09ca571f398bd1eaf51d42803eeae66822b1122590e2c0b5c435cec

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
416KB

MD5
b8c644580d4c21ad856ca386c2e7290a

SHA1
e4891819721d607d29e85cdfbc787adcbfa55dfc

SHA256
8916cc31b1283de831b2c61fd2562e270f2e6757c0f71a803b588da79fb46e63

SHA512
f16254724275d656b45ab3fc9d445295d6e1da1d02aedb2e12ab495bdf096cafc4e8bf8fd63a3a0397db6a9a7464f639d3712373f0a3bcd302942945e8b15a18

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
416KB

MD5
d4557b03d38c4544e228a7609f22d777

SHA1
21f12320b7b871640e52c3d18f8766dc04f8240b

SHA256
73dec13b1859d2d4d4c1ef4f6a72b2b9d99dbdb10010d3d6cc960f1d643a9a0b

SHA512
97f3c9430249c43b023813072ec3a6ac13b501689489401cbff5023dfc57d06ee1254b86d0fa5e653b34eebc468c01141fff6cbeda1aed149b4816180b8d6331

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
416KB

MD5
a8972396e3fdfd4b14c4ef6e53b83336

SHA1
50d9d7e0013e6346996a283a0532bb2cde88a8b5

SHA256
f491b500e1728ec5d9e9f8782b53f46623edd89bd77172f4eab6f8cb9a9c3f79

SHA512
05faa0e7a7376d34825b61c68c88e0987fc9f0aa43c1244d5156522d5d4e554eeebb95b282d4e46c83343e55e1f9bdd1d01a63186c5f52e8c2572721f7d5b8c3

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
416KB

MD5
aac61339dda419f3bafb63ffa5f5aeb8

SHA1
7a21c3df12dd8ca0736719515d425f7b483446b3

SHA256
c0c4287c3f9baa1557db825b90918a4074fb4d87fca451d338e57f09b3863091

SHA512
26d48299d1dae9f969a483a926d82a327de69a42c44f452f2d68457b0d14ca908ef24658ce6ec733a8b09ad9bbf2d7aa8900889c74a835e63e467f5e1ae2e513

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
416KB

MD5
e2be94d862e5cb2975eb75a717d814ea

SHA1
e84a121772033aac0935240511e1eda50779961c

SHA256
f5010a9d3bfe53fa34ef2aea652b35e9dfc93736baaf3ac4a549668046c24b39

SHA512
a11c6492e7ec73cdbf7bb6a2050bccd0363e88a2f4130855f64777c50918272c0cf17be96dc0901de557e265c97ef2c8596a0f0f4df6122778185f2674f0ae47

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
416KB

MD5
1a15f9f10fb4a54830a5c58cd161047a

SHA1
e7fe6296645ec0b129ed4a8c9e20b88dddf56245

SHA256
592060a270f077940446e63a6050c5c717403ca68b634a867d9e4df67c47c8b3

SHA512
bf179c2401d870d47c543559b7a827472355b3808edd995593ea6669ac890d43d86b2f96343ee651e0774e31d2e8916ba09c1258c836eb25e9bdcdb035cf155d

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
416KB

MD5
001ebe881a774533c303234dbcd9de36

SHA1
2636487cbe6cabd9057cc16dea70b1e6c38d2242

SHA256
1779d37cca5c42973ffa70c14c876b6192961f8e3fea7213c09b352f2fab7b98

SHA512
db8ec8f7e1fefd7552bc83ed73505f19d326591b8688a02dc44041c8f00147c04a394bd2cc95f986a7d216b3b04540f631afd132d1f2891cb7f2cca1b520c7e9

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
416KB

MD5
d46b5e08379d3c2577162bd871fe62cf

SHA1
c92b2363682b6b09713e4841e0561b62e5164c29

SHA256
8850fe04a71bcecba10c425f9da3372207f35aa475de7d15622fdcb94aa43202

SHA512
0719fadbafdc8a6b6f9b6263270ebcc44f9ee657851b70667d64b6ac5f15b049152383c58aaa25a598538fd1a781468787ffab92ca77e585bd5379f1e902de3c

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
416KB

MD5
656e0465c2d87695f0762590c0ae45a6

SHA1
7c73b39cc4c57d3c87f3ecfd4b99986e9eb48199

SHA256
ddbdffb830c8b3748059c3b8103e8b69f05e2cea7682e89bfa56d82b3af72bb2

SHA512
bf18574e43b4c9f1f2860ab74379e001d3a8efaef1e541099204b1d6275b6948ff2c97fdd6526fd86f8ea495bcc7e615479bd193969271cc972ab11600dbfb5e

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
416KB

MD5
2a972dae506ac3c93ad49839165e4b9f

SHA1
693df41d6c6cdb2490992f1451559ef7f16da1ef

SHA256
b20c54a05deaebda1ff7822ef91df3f3fbe257c898dd898fb0fbcddc02cf4add

SHA512
4a081bf9c33ae06581fe707a12e8c7c4f8ba9a7216ed2c71f56ecd4b85a3a780bdf1914e1a16af5d4a4ea1632a852a1cd1136b703c5cdb7e7867de823413d235

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
416KB

MD5
a2e919429de6a0c32c1b0460560f4c90

SHA1
75035b72c59788b075acf92c52f1fea61b79f769

SHA256
de1c8e1e345bc20cc1b26f456a4e3250ae48c0b9ef934d4ded0ed2c4c9d575c1

SHA512
f93106299c2216c09e104f4c3639346935df1c7b3b9252468f38800a7b2dd1bf21bb11315b8fe1b12b0cd6cb9a38ee3256660987e017bf73f818cadc7334a8e5

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
416KB

MD5
baf6490d308af9fd6bec33863f5f072c

SHA1
c79d1be11decf5ee8c7539cb406a97ff7ae5f18d

SHA256
93c4ddf197053ac1f3987cb501e7b1971eeef4a9820cd3f78f2a1eccb020090a

SHA512
454dace61941eaa5078c4b1ee9b24803461d5c5a58cd040ce096e11bad64b2c0af528a4d0c2ab38840259ba6dedb3757c2a0d443e89aa6170e67ed993ca686ea

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
416KB

MD5
59b671a1bbe91a77254f7a94769c7fb8

SHA1
5f7f448edb25db35386f2ce695e963ddcaaa40fa

SHA256
f87f265c3c61423f577445fc4b75d5b870b3007d0f65109a4616746729db15bb

SHA512
def6253e14e9e8b7542cf504a657a904d235d6a361b0c4045af17ca8c19dc4e3f15de4ab203d1ea47db0bcc6bc26d5b4d8e73012082f5e447e36493e5058d2f9

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
416KB

MD5
42ad9151c7063b5c20d82e23a7e4c737

SHA1
e8654fd8824de01c30453018789ceb88fdfc592a

SHA256
edfb59702033f9806a5080a7fa5d5a89f9dec15c964a0aaf5aaab82afc879a3b

SHA512
fc6e8b63ea77b442b381d905d906ed5b1a2ea08f4157c859b19821db2f250ff80c7e44dee9582c41ac4ca7680592368915f07ee6517a4d299e5a137f4f5caffb

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
416KB

MD5
094a5cb4ca85810047b34a9e2ab93415

SHA1
7bb1a8c78cf7a198d66311c10421875b0b953ffa

SHA256
5283ea6078a10022a1bb39435bc4b1249bb08b722e407e0aea24d5be1fce22f8

SHA512
6a59d642cbeb012bb5156e99d9faa2f2fd23c6f529cc0d25bc7e3a0e8fb021330b05dbfc058550bf1015b56c0bf62233f62c4bc856a2565f709c1ad170afe032

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
416KB

MD5
88115ce65026be15571ee6376204f53e

SHA1
d8bce0bfd333b95af578f7ecc525bb588424f289

SHA256
15a8415cbac83a0b86a60a10b8e2e165abaf7182e82fdc51f546605c9221da94

SHA512
27b84789b8eb79f534d1169f630d7f47422e0301028077775d6cd361fd4084286cdbaf6aaa2e7ee79593d964cc61a2a083601f3b4e817893f3c68c6e092811d9

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
416KB

MD5
f9e819b7fc2ee836824ef46b346a9a2f

SHA1
ee2856cdbd50b33de2c7d006a1240e6fc3bd8e97

SHA256
35400bbe6c6340e03eee86228397311bfb3e321d9b231824b8d64ed51731e4e3

SHA512
5ed78fb2c6c8f81e61ffa9b5acccc8a3dc9b59ea7e42db0fc1d64f60d767389e83018de6e4ec73e6b9a30a45c80d21f4ef1e24c376810c0e9c32911f2bdfb811

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
416KB

MD5
982dec54e580f578bb4a33a0f9420d6a

SHA1
402c0ee1fd1741ce561f61d0abf82f1fd45537f1

SHA256
32ec46be6fc68d9a6299693312e7ad4f175cc54e6048600103d5e19df100d42b

SHA512
44cb0a56f6b5f2f792df47583c4dd5771565e878e1b7ddf05e80e36fb45bb449f9fd7443b5710f729eebb544b619fa6c0442f72d77f5ec25e6c31d39a38be6e4

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
416KB

MD5
d3522527843baff8e2ccca70a835e54c

SHA1
901a0a74569c3a51a1ef3a5ab07cfde6e82ebab7

SHA256
6c16886b1192fde9d4231f8d848562bd7958820664c7dc74e26510ddad632c9d

SHA512
469ad16ae1da67f30d1f9222d065dbdd986689e86d84339ab9aac14b7d3fba21c07d264b00ccef747d83de3413d4a9a3493c53539e1f53db642c0c64a972ccae

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
416KB

MD5
3ce96a9aff1948fa41456764159956da

SHA1
8d2c59385383454b5f67ac144d189ad0bd064571

SHA256
0b3b78368c3fef3377c1d1b439debeda39da1d7bf762238828f2bc877a81a055

SHA512
808469b3a44760a85ce7999404247195d6512da8bc39aaece808e3cbd0b5ad6d06703eef8bfc842df414f06eebc4db1e461a967c4ab587b663a1fc215330345e

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
416KB

MD5
c7cededdb1a8538bf16c1d23db0bd9d1

SHA1
4baa1cbfd8352e3933423e764a68067dcaef319f

SHA256
7fe203b86f1db8ca8c47adbf6a969f1d21a3ca14e95798eaaa5787bc3da17a13

SHA512
434b45d8961fae65e87b6f2439bc0107fe21a1f1fb4dc3aa008781dac98b8cb82a255155196b237a4149a0c8d6dc2bd09cf35ac4d94a76b780d65636010249fd

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
416KB

MD5
b86e4c26a192a1ebbe95fb12c7494758

SHA1
dad58eb1f0cf1e9ccf66817a4de50ed3aea67b8d

SHA256
87ac1d600bd6959acfe750dbd569f79ebdc459abcdd88f6400380633fde88ded

SHA512
5ef6028f6f43254d0674a90079eb506d70fddc6451aea88fb46125df1e6494b0abaa3de2b20515c1bd23f2e58e2998c7f069bf20a0ad9aee32be167d3842d7eb

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
416KB

MD5
e656d0baaa5e5cdef321aca39044e8fe

SHA1
4e1eb4d8526c0415200d074d80fb2be496334afe

SHA256
c20c64a9e422bcb9be90887a51f1d06b1cf1326298f233a21ce418ddd32a9914

SHA512
2619fa9bb0093d32574e698e78e95e27befaeebb5df5629f45bf5340c54506385dc150e6bbd7586fe499d703ca0ffda8fc9e0edea359e2e72a433b612bafc83f

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
416KB

MD5
c0f6100d5d721c93fa9edb6c9742f8f9

SHA1
1d6e644d7b149631820edee417432125f49a43fc

SHA256
23c60ac798b93c48883e224c5ea4d58733717d4a3372caee79a8992af5b345d0

SHA512
c40b209341602d72c8c8c0d11af387e8385f8b22fa69cfbc572b5dc31269a426c2f425f53a18ded08dd7eed1848bd27f4afe82cb0d41f43eb15bbae3fc8897d2

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
416KB

MD5
a04f780b20349059846e9f88d49fbe0b

SHA1
ee9a699e7f4f12ba8fb3c831677944daea4298a0

SHA256
c1473c78aa8c5e8f982eb897154209b7c9ae36ddd2710928eb2a851c07a8d4f1

SHA512
9aaa25275f9c5c9fe9f930a5d27482c293308624bc535f629199c93ce4296d66afc7d408e219d173428e5b2cf6614dd3e80e5f722b452b01ec8abf56f29cd7b9

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
416KB

MD5
04eaa27910e7ff86530f031a622b2bbb

SHA1
891c73cbbb151270dad505a81e713605233d7364

SHA256
ff0fbfe54b7a3acef12c4905519b511690ede2799bfb92d144dfc5d33c0cf22a

SHA512
5cd427613c6c38d313b53ff59c526dc078728923b7168678c4ee683da9e845d7f57a156360ef2d8128db28c55f896cd70a1bd048f8f131954faee5f8d76c1fc3

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
416KB

MD5
e757829764eabb2083af5bc4530626e6

SHA1
4859716e6bffc10c5c97e89d7c77c37f23011ea8

SHA256
3b6f3d21da52293ff7486107bdfd78f80d5fd712a5cd4df0eec11a5eff4c357a

SHA512
f6b389891b995831ba46e03dbd53b62d48903eec9c4225a618439ad527470581ff243cbedcfab4caec841f43e03c62c493491e3de8218b7195026570d203a410

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
416KB

MD5
802cc1410020f78928493574185d3590

SHA1
beafc7b4b9148eb046168e590b25b3ed8590a79f

SHA256
128c52e2ef88fe40e6b9593a48a83ea9cef62f8a7f619938b78acb83b87c8bde

SHA512
d894ae48bab0d3d9781180520666340cca446721ed718a69d56ecfaf2fb0ddfa8be6896796c3f63f2892b6401252c3f97014ff92624771cc1313b2b91eab5380

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
416KB

MD5
450272c3b2dd8dffebdf4b1b9d2e95da

SHA1
314dca2fe8297aff749682d552b739e8a667e732

SHA256
04277659769859b3362c3c709c31c44598b316b23986c8c4603a3e6f1b132140

SHA512
c44f786b25d6762b0553d96e5f491788a4330f04b78b630d64b431b17c5fd2bc2c1e734d7a9587ef5e3476ec96010ed7c5ab7d0bef82fda5274b081f137eb7f0

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
416KB

MD5
82f722ed266efaf45a1f2d56e26678c0

SHA1
49a296c795e264aafa6f1033553120bc7f6013db

SHA256
4222b872419c7ef9285410ca79423e6ac5d3e2b903f4af9c3ca0c985eb090846

SHA512
338012446bf37eb5272ffd5e01df48af28e46b28956705d7f5969dd53b361d1cb6ae969cc59739b4fc413dd56c5d3c1448f19cbc53e55b8404d32709b6e83b73

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
416KB

MD5
74dd9fb286fa528c7a651c9477797592

SHA1
7a3e7f0af15e50a72c92aa1dab0d9ba40d2cab25

SHA256
d78b1163b6566a1343b86450197945d8ede7323b1aba48f82b2bad8b7eb6be5f

SHA512
ea7fe71c9e6720a5f5dc20f3563878c7a62dfc751452b511ea5b780f3ead578002915ce768ae005771a1491d77ff877558e88f90644565930c3c9b99a4c1d680

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
416KB

MD5
e6adb14b231a877620cd312acbf3076d

SHA1
c5c865020330e1347ce8287c66b3b2cf848110f2

SHA256
71145d3e4fede0f7e28ae23a4e5b7a0bac54e30bc85157c9fe68d671c56b38ea

SHA512
6eba425a9e0f591f2efe169afd9421d8dbcf252cbaa660fc510c4e4980cff97602afc605d4a06e3162bd2fbfaa914cd8c842e074409a6977b44c702bb30f4d62

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
416KB

MD5
4c4571d6ea79636cef6bdc5f8afdbd3d

SHA1
57f792858a51b70ffbf396bcab229bb1c45726cb

SHA256
3ac4c28be6def206448df5cb3e060146b12e47c1ffaa032ba03e2df296281971

SHA512
4ae5c0f75e7695e9d7aee87085be014a70d365060d6ddc6703128afa965fb7169078e37525c82f1679eedfab2478043c48d4dc8e550591e6962e4d31c55b0e20

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
416KB

MD5
98d79bfc750990a0cfb2f29267ced838

SHA1
ed809f5b311addea6a4a0f26d2ca16084e2b5ebd

SHA256
159a667294bd9850147dd104d11c026c7376c929c04fafe20b6acf82c8eb015e

SHA512
1218d4224a3f282f784e6028ee74f08277d2dfbfd1202c85a4ba16666e0699caa4c669985608414dc645ea462dae9a26b16f3a5cfa99166567debf6f6e6c783f

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
416KB

MD5
dd0b2a65ae6a2a869eb8217393eaa548

SHA1
f6739c9d446d8da1d38da2db2938f93c49c038d7

SHA256
43f843f0e2d2315b43794de7baaece5e830c20567bddf9d907f77d91f95e470a

SHA512
7781f5f40df42c623e0d2d55c941d0cb6c752f6ef779a295172c01d11100ce26d7200f475bd43f33649e8cd2e413ef3a5dab49872f5d55ecac9f84c7f2b36ec4

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
416KB

MD5
59df6faab6eb2aa19ee60380308bf872

SHA1
ebbaa5e74b522e71c4af257677ed5191b8d23dbf

SHA256
623053da9be63d4293b769feb245635f47d2da89a5d9c7dc423e5af003182310

SHA512
eac553ed4d467f41a48c5b98e7e0f06d62b25e1854cb01da47387d6730a239bbcaa47aee5d4d457b2c7a60eb508db431a8d742137a5504ba221b09eb52b9775d

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
416KB

MD5
6b61e8e87fd82e914dc4f998ec0a9c91

SHA1
cc2d049c2c1b350796b2acfb741ef29c189e482a

SHA256
c435b2fd290b0b406f1f9efcf696d549eb41b65fabf3152e1a0859ef706de77a

SHA512
ab34e78073b8bf817e92a34a5563e6ee00c1b2f7d2b644cd22a6424aa5cb7504bd4d898e456aa8a06f2c347b050deb424675d886c0f1d39f2a5bebf917eec168

Download Submit
memory/224-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2748-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-948-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5424-922-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5456-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5500-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6076-957-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads