175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc

Analysis

max time kernel
105s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc.exe
Size

361KB
MD5

d0181649f897fbebee1538e1957393aa
SHA1

4804ba1f52e74141f037bfb3cac4dd29cccee474
SHA256

175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc
SHA512

2e4f700f9a7678b74ee7d8527cc3dc9ab7d6b477614527f8a04762038fb7aaf7ddb3d311d3925307be24b8171d8f0d573e45caa3d1ae240689fef53ed168b3a9
SSDEEP

6144:Obz8ft9sVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:OEfMw/Nq/NZ/NcZ7/N

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe

Executes dropped EXE 64 IoCs

pid	Process
5016	Kplpjn32.exe
460	Lbjlfi32.exe
3036	Leihbeib.exe
2568	Lmppcbjd.exe
4500	Lpnlpnih.exe
1440	Ldjhpl32.exe
2880	Lekehdgp.exe
3372	Lmbmibhb.exe
1692	Llemdo32.exe
2224	Ldleel32.exe
1596	Lfkaag32.exe
1892	Liimncmf.exe
5060	Llgjjnlj.exe
3460	Ldoaklml.exe
2816	Lgmngglp.exe
4084	Likjcbkc.exe
4840	Lmgfda32.exe
1152	Lpebpm32.exe
1948	Ldanqkki.exe
4636	Lbdolh32.exe
2484	Lebkhc32.exe
5104	Lingibiq.exe
2340	Lmiciaaj.exe
1228	Lphoelqn.exe
5052	Mdckfk32.exe
1768	Mbfkbhpa.exe
3280	Mgagbf32.exe
2712	Mipcob32.exe
5072	Mmlpoqpg.exe
1528	Mlopkm32.exe
4572	Mdehlk32.exe
4480	Mchhggno.exe
432	Mgddhf32.exe
4044	Mibpda32.exe
3564	Mmnldp32.exe
4244	Mlampmdo.exe
4464	Mplhql32.exe
4476	Mdhdajea.exe
2840	Mgfqmfde.exe
4112	Miemjaci.exe
4424	Mmpijp32.exe
2376	Mpoefk32.exe
2456	Mdjagjco.exe
2948	Melnob32.exe
2360	Mmbfpp32.exe
3560	Mpablkhc.exe
1220	Mdmnlj32.exe
2812	Mcpnhfhf.exe
3940	Menjdbgj.exe
3540	Miifeq32.exe
2244	Mnebeogl.exe
376	Mlhbal32.exe
2704	Npcoakfp.exe
4692	Ncbknfed.exe
3224	Nepgjaeg.exe
4128	Nilcjp32.exe
4448	Nngokoej.exe
4268	Npfkgjdn.exe
2420	Ndaggimg.exe
1664	Ngpccdlj.exe
1448	Njnpppkn.exe
4088	Nnjlpo32.exe
4612	Ndcdmikd.exe
732	Ngbpidjh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6952	6856	WerFault.exe	255

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkfmkdc.dll"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 5016	2628	175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc.exe	83
PID 2628 wrote to memory of 5016	2628	175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc.exe	83
PID 2628 wrote to memory of 5016	2628	175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc.exe	83
PID 5016 wrote to memory of 460	5016	Kplpjn32.exe	84
PID 5016 wrote to memory of 460	5016	Kplpjn32.exe	84
PID 5016 wrote to memory of 460	5016	Kplpjn32.exe	84
PID 460 wrote to memory of 3036	460	Lbjlfi32.exe	85
PID 460 wrote to memory of 3036	460	Lbjlfi32.exe	85
PID 460 wrote to memory of 3036	460	Lbjlfi32.exe	85
PID 3036 wrote to memory of 2568	3036	Leihbeib.exe	86
PID 3036 wrote to memory of 2568	3036	Leihbeib.exe	86
PID 3036 wrote to memory of 2568	3036	Leihbeib.exe	86
PID 2568 wrote to memory of 4500	2568	Lmppcbjd.exe	87
PID 2568 wrote to memory of 4500	2568	Lmppcbjd.exe	87
PID 2568 wrote to memory of 4500	2568	Lmppcbjd.exe	87
PID 4500 wrote to memory of 1440	4500	Lpnlpnih.exe	88
PID 4500 wrote to memory of 1440	4500	Lpnlpnih.exe	88
PID 4500 wrote to memory of 1440	4500	Lpnlpnih.exe	88
PID 1440 wrote to memory of 2880	1440	Ldjhpl32.exe	89
PID 1440 wrote to memory of 2880	1440	Ldjhpl32.exe	89
PID 1440 wrote to memory of 2880	1440	Ldjhpl32.exe	89
PID 2880 wrote to memory of 3372	2880	Lekehdgp.exe	90
PID 2880 wrote to memory of 3372	2880	Lekehdgp.exe	90
PID 2880 wrote to memory of 3372	2880	Lekehdgp.exe	90
PID 3372 wrote to memory of 1692	3372	Lmbmibhb.exe	91
PID 3372 wrote to memory of 1692	3372	Lmbmibhb.exe	91
PID 3372 wrote to memory of 1692	3372	Lmbmibhb.exe	91
PID 1692 wrote to memory of 2224	1692	Llemdo32.exe	92
PID 1692 wrote to memory of 2224	1692	Llemdo32.exe	92
PID 1692 wrote to memory of 2224	1692	Llemdo32.exe	92
PID 2224 wrote to memory of 1596	2224	Ldleel32.exe	93
PID 2224 wrote to memory of 1596	2224	Ldleel32.exe	93
PID 2224 wrote to memory of 1596	2224	Ldleel32.exe	93
PID 1596 wrote to memory of 1892	1596	Lfkaag32.exe	94
PID 1596 wrote to memory of 1892	1596	Lfkaag32.exe	94
PID 1596 wrote to memory of 1892	1596	Lfkaag32.exe	94
PID 1892 wrote to memory of 5060	1892	Liimncmf.exe	95
PID 1892 wrote to memory of 5060	1892	Liimncmf.exe	95
PID 1892 wrote to memory of 5060	1892	Liimncmf.exe	95
PID 5060 wrote to memory of 3460	5060	Llgjjnlj.exe	96
PID 5060 wrote to memory of 3460	5060	Llgjjnlj.exe	96
PID 5060 wrote to memory of 3460	5060	Llgjjnlj.exe	96
PID 3460 wrote to memory of 2816	3460	Ldoaklml.exe	97
PID 3460 wrote to memory of 2816	3460	Ldoaklml.exe	97
PID 3460 wrote to memory of 2816	3460	Ldoaklml.exe	97
PID 2816 wrote to memory of 4084	2816	Lgmngglp.exe	98
PID 2816 wrote to memory of 4084	2816	Lgmngglp.exe	98
PID 2816 wrote to memory of 4084	2816	Lgmngglp.exe	98
PID 4084 wrote to memory of 4840	4084	Likjcbkc.exe	99
PID 4084 wrote to memory of 4840	4084	Likjcbkc.exe	99
PID 4084 wrote to memory of 4840	4084	Likjcbkc.exe	99
PID 4840 wrote to memory of 1152	4840	Lmgfda32.exe	100
PID 4840 wrote to memory of 1152	4840	Lmgfda32.exe	100
PID 4840 wrote to memory of 1152	4840	Lmgfda32.exe	100
PID 1152 wrote to memory of 1948	1152	Lpebpm32.exe	101
PID 1152 wrote to memory of 1948	1152	Lpebpm32.exe	101
PID 1152 wrote to memory of 1948	1152	Lpebpm32.exe	101
PID 1948 wrote to memory of 4636	1948	Ldanqkki.exe	102
PID 1948 wrote to memory of 4636	1948	Ldanqkki.exe	102
PID 1948 wrote to memory of 4636	1948	Ldanqkki.exe	102
PID 4636 wrote to memory of 2484	4636	Lbdolh32.exe	103
PID 4636 wrote to memory of 2484	4636	Lbdolh32.exe	103
PID 4636 wrote to memory of 2484	4636	Lbdolh32.exe	103
PID 2484 wrote to memory of 5104	2484	Lebkhc32.exe	104

C:\Users\Admin\AppData\Local\Temp\175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc.exe
"C:\Users\Admin\AppData\Local\Temp\175c5a13673af4e719245ac13486d277caf4a114d6ae122f4705d4a7068d78dc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\Kplpjn32.exe
  C:\Windows\system32\Kplpjn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\Lbjlfi32.exe
    C:\Windows\system32\Lbjlfi32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\SysWOW64\Leihbeib.exe
      C:\Windows\system32\Leihbeib.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        31⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        32⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        38⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        45⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        47⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        54⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        56⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        62⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        70⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        71⤵
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        72⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4832
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        76⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        78⤵
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        79⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        81⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        83⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        86⤵
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        87⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        89⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        90⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        91⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        92⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        94⤵
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        98⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        100⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        101⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        113⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        114⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        115⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        121⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        122⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        128⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        130⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        133⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        134⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        138⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        142⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        143⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        151⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        152⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        154⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        157⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        159⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        160⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        162⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        163⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6552
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        165⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        169⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        171⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 396
        172⤵
        Program crash
        
        PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6856 -ip 6856
1⤵
PID:6924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amgapeea.exe

Filesize
361KB

MD5
25afc9bff79064c39998c67aaacd52f7

SHA1
28cf43375a8aefe6989ea4d4b5970002a0aed6b2

SHA256
b491e6e6ff5129982d80cba4b18bb6db7639b902a37cddd95234c35052d1de51

SHA512
fdc383534c8b980fd610b8d7f02d33993f01d1680a88d9ad70b89f3cc8b745bd56c11c158a5d36c6ec0cc18cf10cf81c4aeabb6c76c0be3e49244dff68da5fc1

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
361KB

MD5
a3be9bc2e7073e4449323c4d796082cd

SHA1
566b898caacbe210aaedbea4cd16bfe3c1efc6b0

SHA256
67da9967a37162f7862d112ccdb119e270246db3243a51922e16874a3d139123

SHA512
37c9d9f2838b24538b7357d238e43ba761083eb2deb1ebcc0e4c201e23b757a85f834e3cc2455d72c51fb447a8c30a6239bbad6a991e6328948e4620e55aa33a

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
361KB

MD5
2b51f4dae670ac0fbf6845d3e6715d36

SHA1
b00b85310df60e27e2dfb7f88309f8ea62e33925

SHA256
46dda53ba30d70948a01a1d2e0459b2c3b3e83f02e8b768a72964cb0ce4a739a

SHA512
7ad89806f6158969de742265108c21f820fa5c18c2b3b0a7bdd46a306e91e9e045a9bc8d2f6da52c796942d31aa040c8c9e6cb67b91e6786a4787daa87174fd3

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
361KB

MD5
4737fbd674ee0efc9211e8913ff29bc6

SHA1
c79b78a2d37ee643167942a8cc1658247c9a26c4

SHA256
eb6e673000262891ee48b3530e6da08c221a3717e25040460cbe7161f6639e02

SHA512
26ff3940c83b2b7dc1943be8b7c521163f51afb10da9e75d0c80f92bfdc52053fe591b1aa682013323cbaa074f7484bdf3fff33f3f0288192d2747d89777bdbc

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
361KB

MD5
de48a16e1e548210eefc548c8de43c8b

SHA1
dc37726b141f08d170a9fa62752176cb4cb8d41c

SHA256
35b4106db1be19c49ce5943ddb2599ecaf7fcdb0a0d07472900a505cbc3af631

SHA512
d68bf26369442cad341cd001d3a3dc62fe2effbb873187058d921d9f4a259e17c138dd2c41e1ea8c7b8406153bf9ba7c32af0d10173540a5d4803a8b593708b6

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
361KB

MD5
32429ec409e866b764decec6d5a61217

SHA1
4ab485b395fbe5173a3a167759c85abdabd47cb3

SHA256
df414fc68aefd8c16881fedd9e986b66f315c0016ffa492ddc0e80d32c831901

SHA512
78df4a0293a2e0916e52473d7bb6a6fe317c4442ac34500b3ec257e929436ae752fb7891e58c2e55a021dce4ce8f468fff650b59db6cfa878c0bb41401f4f4b6

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
361KB

MD5
07d8b543b83791005e3dc2c32c7ff1cb

SHA1
c79641d75894802f73bead24e69cbb5a4cdc97cc

SHA256
a2d8bf97c1abc1623091938da76140a2dd644f8e4b03d2987e0b3b08d154e755

SHA512
a698675f8d3cfe596e78fb7b60288a39dbd20501d737dfd85dad16edff39690c7c8ae03b0f2bfe538839ac1407a2183de9c2dfaa593dd57e908dfa9a4699a2b3

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
361KB

MD5
4a52f2f49f0877ee67b58c3758bb6549

SHA1
d49dd49ed48d05a47d5876c1ea6ef76998a63b3a

SHA256
a149685e312eb4e442f025fbe8361f1671a1df3d58d8171eb877dc6f549fb754

SHA512
c236ee07ad5e0b64d6b762171f37754d1a37e691732d4ca7f609cb2000e16e8a3c99745f08739f39f8e59346fdd4a82b1124bb988130266f4395cca9b5d44375

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
361KB

MD5
7d5b0810dc3d385f2598674d3c1b8f46

SHA1
1642737093f3bff41182c8b3635b7adee49e2025

SHA256
1aefe8af804928c6c7581a6d352f7ef928c7e108a2b8fd37ba0deb2b43869cac

SHA512
20e690191ed7d709a4c6c93624fe39a737f595249c2d3a8e1a96410ffaf79f724e0db19595f1f0fae9fc2a65585446e7125c98fbfa42c9c09659953ba96c2344

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
361KB

MD5
9d050456198dc42c8616881414c9d929

SHA1
8ac26d19eb6b15d883f396ba3fa8bfa27cab33c5

SHA256
9ddc9bcc947baf364e695de833cfc399b582976e70a598732e98b44f7a0e2f90

SHA512
3075d4db322d9edb2f9a0cb34bb30c065da1aa224293db06bd095aef4b3aea83e0e0de8b4b30eaae8423e6026ab7add408b4e7a147e98d451b601e0c78ca0846

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
361KB

MD5
4e75e85c618aad007bb55832ac7ae5fd

SHA1
6833b94a531c203b44b88a37d29449a546fa512f

SHA256
5e7423bb160653be522ab9bef5e5514195bc34b79907061dc37c9bc65af98005

SHA512
cf0d2db9d87678f4312db62a4105d153e18c6939dc3a6ee94f38be80ae51e3682d6f15c6b8dff79bf0909f22b69ff019088abf5bf7ae9b2c3f3b6dcb7833e529

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
361KB

MD5
d03005a618975e1d7c18a99978984c3f

SHA1
8748f252c8462272dbefe53e390ede263a708d85

SHA256
5fd9b49bdaf87d9f5e23ff7e255f10e3df247290d130ede53a35afd08885f4b7

SHA512
6054a0e023b51892aabc1c95a2636e39fbf72ea7c49b7a7e9906f2a1791fe9e1489883cee5c4b879ae266d0d196c74348c62692b24301c3c2a443271ef9addc8

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
361KB

MD5
16fe7ba0fcff084e35149a97d849dcb8

SHA1
f1273c707f16dfe4b080244233bf8207d492f844

SHA256
c76355bb1a7dd94b3cb8a64d6d75320438d0db786e0088efdf19d263a1b342bf

SHA512
14afc80c66f92f53f5aae7151510473afc4153e9e1333fcdec74428da0deaca077c85bdea35386d0be3fc5be51f06b59f7986c2b11187055bb179f23f724f3e5

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
361KB

MD5
b797b77434788edeb4f29d4045be043e

SHA1
532d059fb4e6464f91baaeebfb656713dcd9ba32

SHA256
2a092808356e5dd48d17b8e39dad97c1b8a0419c7983c7e63e3ac70d3cab3e64

SHA512
bf002f6814f8179158e7e58bca195f76d6efc54f900677ec0e978ab853dd5c7b2053ddc9713cb0416272924415a86237f62467155ac7251ff111e716bbedba5d

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
361KB

MD5
045576b13c1b419fcd47ada6ac2bf868

SHA1
3ad7ea7d324cf280953909ccf361487a6843e2e1

SHA256
8fa898426a83873381932fd799fd97c735d3baa40955aecf196271a2c657386d

SHA512
d707295de9e5a109ee7270230ba896082cb2bcbf4137d6c9d7bda25aaff259f3b50d6697e12f2d080d9c696a4dee84566c82b3e7a0b12bdc2d39a0a1d60d9692

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
361KB

MD5
0864b67b18fa9ef976ac7e6c356ce5bb

SHA1
f8850226da4211ffd80ac80d5fd3b8a2f4c47096

SHA256
63d504964e644e62098e92fedad188e7c86559766957028437fb95023579f726

SHA512
0941a9cf120a7f28df6d870902fd00c4eed43fed001daa903a6acf5d2623536c651e188506570415db832f2b36ea3cf3881cb1d0811f376ebeec28c0c6471b48

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
361KB

MD5
039b18f57a311474a3ccd04d1d10ed00

SHA1
103999e138b631ee4df6e8b9494269feac9a15bf

SHA256
a610009b3b1ec0b0ec7a288f207ac594dcde0b7fb487a37bf41864d88e5c85f2

SHA512
7abf92e0d4e878019571722548ce2cb2e2f2ffe5b63f22550d0ab1fff7edd7995346ae6242da8b271b6af4faaafcdf128ca840314a4b3afd45c8675f82a53ce9

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
361KB

MD5
83c90d8b053e98dd5bc9ce1d902a3774

SHA1
007a1e7a5d51680b3052c7fe82c4fae61499e418

SHA256
de1ede6f83cfd0787faaae952215ca3dacd27108f0855e1b648fbb9ee473856b

SHA512
ff08393791539e1e204875f2eb6641b2b1cc052ca42532fd406b319b870de4b9370bc3fb6ba561a52ed8eb84bc3a4acb1d1084b21bd67e8bd65e297dd6404536

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
361KB

MD5
2838acfbf579783814e7f240321241f5

SHA1
f5a8a44cceb63f2b0126da46aa6682400e86033e

SHA256
2b76c96c07f3aa0b54863230df0d4214f04a2b42e8563a5e75d2f1a2df86b734

SHA512
0364aefd165d0bc2f0e830a1b1875de7102d5ee7c0d41c12b942391eb470f863057dcbbaf3b205eafd160ba495d842a14c2808490a8ffeb666cce6aa503e0b7a

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
361KB

MD5
e2efcc0ef4577efad0aab1fd6678657c

SHA1
cf277afb9c04a8efced520401b73d0e54ed18c02

SHA256
b1ea01bb576bff42aed22fde8c1965c3e7c18d80e3e661401bf9a546aff89745

SHA512
2a4ef20eba4d767fbbfb7a85fcba1617b0f7e2c7905935dda9c8370b9661aa2b46b73763cdc7c8517a4a1cdd08383f361e7b66c1b609f68fe89d612774d02db3

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
361KB

MD5
ef49bd0e9b98c4cf43637d99f57f3f42

SHA1
ee8c350e7209bf72e7f1e4511133742c99b0d3f1

SHA256
8fdff24e879144f653546bd524a18d03b20018781e69379b40cd3d6208f5329d

SHA512
93787a57b7a174bb0f42ebf3e22567eb6869878002bf9d79164b864fc65e54bfe1e98f3ee83fcfa64e98e0f5253a51da792aa66e1a4b701462a4862ca55df2ca

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
361KB

MD5
d6270b65518a25527dfd5c96bafbf613

SHA1
d72a69f35ae604e41bb578e8bad78ad9535d2985

SHA256
442d581b43e93b81fb5d39ddadbb0b3b9e3cefdb9d4af71d381318bbb9504e0e

SHA512
6375cea896b9ac6506af7295a99b43c225c6069d80e14c6f54dfc4beafae6eebcc82a4448818f03574490c5348f93af28448c1398c2e0727cb0531083964ae7e

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
361KB

MD5
a81fdc1b2eee053a7b35e5f48120b1fa

SHA1
316b2a1bf99157910efc95de66500cc1bc081e28

SHA256
546ac2c3e47314311c53cfbccac82ed347d9bcfc798507582288507eff3cc296

SHA512
3470783caeb2288fed5a1e4ce83b0d53d203af56f00299a4e1f0fbced6dd42db7e158dd749f6c5071f617f119859833e5fc5ed8c8f56625b35694a20272f8f3a

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
361KB

MD5
44e97b0260cd77a526b9f41361aa86f0

SHA1
668dd5959d7c3bbd7fa3f1711e780ecb2f2ffc41

SHA256
bf8544ec6d4fbd6e006829ba2629e647b38147f4418239a32c6da587e277fbda

SHA512
e0afc51d07ac5980ca09b6842725cc8b3c1825e8ea9b4bd823994d948b98a1915b131bcdd734b9a55739b51754d3ac7ebd9a42f312847846a4bd1184343a5a1b

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
361KB

MD5
973ef3abb11e0fae862108df16002665

SHA1
3b9c58f4c02196918f027d5d80406e8f329a3197

SHA256
b16de657129f4f735c53e6e900fa822e9391a3ffbd16c7c345124468ba4998c1

SHA512
6c4c7e35b7590601cdcd95cfc04aae86923703d3e051ddc20f2e1c49b86e86359c0b395a7876fc7cf465f1652b6c6fda220a36a2669b8987ffa6eb3fafdc9a7b

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
361KB

MD5
caf68a34512a587ce83bcef3333796dc

SHA1
f43dc14e7426744343c9a128ab02469be4195eb2

SHA256
fb566278cd0bf322a58f67bd5565e6812abc6b290676971bd974ff4870f90354

SHA512
cec4f6bf545acb387898567c8eab7884da4cf0cf3a8680d1e319fc94683db3c6fa577ee5c7284ac9b34772dd53396a83a9e4f4be177dcf7218758ad14723ce19

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
361KB

MD5
910fd9f802195e0656c2d4cd3b97e478

SHA1
a3b1861f2ae539821520f5711b28c81e26ecbeac

SHA256
b5370cbdaa148816e325b6702a726e579d5a210614a4d4984f7a6717f29444df

SHA512
726eb4bb6ae5e968bd777de53e379bdac28e4287f0352f09b87be1b908a993b1e62a2be16a8c7da280d3acdd4578d1586ddcdd87f1df5b5324bc5e729c3b3f7a

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
361KB

MD5
9e2f71e8d181113a4a2922b0c24ede4d

SHA1
2eb72c1ae181febc84e84b385457dc5e8c08cba2

SHA256
3f950a822bf48ec580c37d8c6d201608d129826d1a12cac9ebd92c0fceb05a6c

SHA512
cd14391f8195ae92f70db9701a2ba1befb7bdf2052fe5b3108dff690a7bbe91e94435d962ccaaf797a8d440b16fb01afdcda821c89dbf6d5c83ce7939b2beee1

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
361KB

MD5
8be742da7acc821c2f4b50ecfa7dee98

SHA1
ebe4f77edd3a447f93b1c7fb55d5e96791ffda0d

SHA256
033b1ca37fa6955c6a0f54d0943c8839845c2433d345c5cb5a9a06d0379bf234

SHA512
cd5c485ec1bbfe0ad1c357171117643df8b820ac7665def890020acf8f57adeb19996f472538ed41e5c3e476b796ca3d687efa9690e2dd77b6455fa7183be46d

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
361KB

MD5
1374c8d181c92a17c2350777a6ee9e9c

SHA1
917349380c9b8e61e858f46982b72d1da8f86e7e

SHA256
b341f74c74589b6f924c3257b80786cc28e6a5ff2d113e3fc9eadd2fb721b924

SHA512
f144f9e8d3beb5841574d007995bc344e95184356dc62f058df2ca737e98d901e7e842c2ef79509d2d77508088190b5bcd772ac34c5b386c45fc0bcdf44005a4

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
361KB

MD5
556eea0804caf587957ce0458734f98c

SHA1
bdb4dba95667063ace8e15298af5bce2f9adb031

SHA256
bd4f0a865ecac32cd38a07c78fb4e3e85f54d7a29fa0d8599107e7e2b9833014

SHA512
083edae48e6f57db6afb6daa8ded553c5a665585d02ad38cdee6412d848bffef86f9535e79964390433a16f659f4678d42caba3a9a1c31b5b57d46bf35ba33b9

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
361KB

MD5
ac986575ff5caed7121336e6dbc7ca69

SHA1
27a2c46114bd3f454d13559e5b266c8a0e6ed734

SHA256
6a4710ed23db68209de30727336b18a5cc5b6c55651bb3550504dc604c35c45a

SHA512
8561db9d7090308c5a6bc70b52533c61d5dbbd00e66298bfa04e5c778cdb25a161b2e39602bfb2b631cb79bad077680253cfaaa0b11faa8bcc090c17a248bd2d

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
361KB

MD5
5380d20559bd71aa7b1a1190ff66e6ca

SHA1
3a6dcfd7ec42304a0c904b811556bac393bbbf1b

SHA256
472550218249f4160106decff0665e36f2ca2bb055efb24db0eda508bd4b998b

SHA512
908c469e9a4c035cbffd689c1716790d148bd0589138990ca32a59d08371612fc084e6f6181349209b090231452b22feabef4353fc9b80b8e797514a97472e5f

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
361KB

MD5
df678821b09b415d742d5f0da36871cb

SHA1
177c413e6ca55db7382ee613ab97a8e351120fea

SHA256
a64eccec0ac650e6342a51d16f428df6316cfe51a0107bae3f9d8340e185806e

SHA512
27a647fb0a3c54dbeadcbb45f43f67556991f52a2ccb68881e712c3c6f8b8a5798c114c7151e052c7c3245b85d1538d2a8934b2c79e63f213a80c2c9019b4790

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
361KB

MD5
dfd88b365744a8cda7186acd5ba0c2d2

SHA1
acee57c9881b94e9fc1a968095cfdcf036586d23

SHA256
81f045b6f72372d6d5ad2dad2529060fff7dbdc370f9eb3eac54b143dcc38fe8

SHA512
9dc83cf8aa9944f4afa83c40096cd1dbd0eb1778ded2dce920754de1fae7ba3dedcc96c6cb09e2dd410bc7cbbc57c32759162158b8e682798f228e3e6840bf20

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
361KB

MD5
c77ba3c089c52e9e877ef594cc88c9bb

SHA1
1fffe8e016aba0d56967f49862da51e9424069be

SHA256
ebe9b59f7a258983234e0bf611aae6cea155373bb5a71b93e672b6517d36159b

SHA512
58b0d1a5c44a63d0f90c037a856d004c847f4d437c0e82ce8ecf41b47bd9681a47983f6b8b0484e436fa72a7155daeb31ecd8ad1d4c7a7831f0ab9f598368ff6

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
361KB

MD5
a2f533a2d5dfdbf3442b9ff71fd0352f

SHA1
3d46ca0a3b592cccd0711866ef4fa75f1fbe862e

SHA256
8a52c1b9b313d6f334454219f45c3a2c0a3454ea0dbb1a74f6968f99861e59da

SHA512
2c27d2c5372a39c817921354931d321890dbb636ecb0a8b62448b0c2e4d6a313d9a62060f2260fbc6349f35c313d9b3d56536cec1ee4d94aaf1224c49b40287c

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
320KB

MD5
20bf6cedf58d4d30d557c5af1d3d50c4

SHA1
f5f1aa3b5a1ec92d8f5713f78feee39b587d676e

SHA256
b0d5be3476eedfe98c697cd5fcc8f14d916def63e305ed53e4d422a8b380cf69

SHA512
6aed191e25b3eebc6514e6e11b5ce9b942502e503b999ec834a2301b0e16b733e0aded3a9ff7153478467a0f78be0bc7f886c101b871d5dbd503f52892f6832c

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
361KB

MD5
06d33d58dfd09f9903108e07224e6832

SHA1
d126f4aebdd5cd584dfd087401c2b369aecd82b9

SHA256
1b2f6eaab0ec88b79646f83e987557e84e27ad2e9f65d25ff9c54805c455a738

SHA512
2f5c6d411ed33cb34bfdaecf6a6c0debf49239e0be01634a2437586a008746255a7a20d60dadcb06a02eab5073fcf6644acb12769f24ac5b05fd999de854a560

Download Submit
memory/404-540-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/432-1383-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/444-599-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/460-21-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/732-438-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/780-587-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/892-1299-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/892-488-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1152-389-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1216-1259-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1216-605-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1228-396-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1440-48-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1448-430-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1500-597-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1528-407-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1596-379-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1692-76-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1768-398-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1892-435-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1948-390-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2112-470-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2112-1305-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2244-418-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2252-528-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2296-570-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2340-395-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2484-393-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2568-37-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2628-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2628-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2680-500-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2712-400-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2768-511-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2812-417-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-382-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3036-29-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3044-476-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3112-546-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3188-522-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3236-564-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3280-399-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3340-458-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3352-494-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3372-68-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3460-381-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3468-576-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3476-439-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3564-416-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3600-452-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3828-434-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3996-440-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4044-415-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4084-385-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4104-538-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4124-464-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4220-558-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4480-409-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4500-45-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4572-408-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4596-446-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4612-437-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4636-392-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4832-483-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4840-388-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5016-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5020-552-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5052-397-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5052-1399-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5060-380-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5072-406-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5104-394-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5132-751-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5172-616-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5172-1255-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5208-762-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5224-622-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5268-628-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5296-763-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5308-634-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5352-642-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5400-646-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5432-774-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5436-1163-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5476-661-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5524-667-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5532-1145-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5536-780-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5580-669-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5612-786-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5624-675-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5664-681-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5672-792-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5728-798-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5740-692-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5784-698-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5808-804-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5824-704-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5864-710-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5908-720-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5924-1168-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5948-1219-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5948-722-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6000-728-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6040-734-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6052-1153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6080-740-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6116-1182-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/6196-1139-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads