c0b537887441bdfd13f66715d76df2f310f66fc65a237261e545f55798cf55ff

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8abc29149cadb622929f26f1435b77b0N.exe
Size

128KB
MD5

8abc29149cadb622929f26f1435b77b0
SHA1

6a113817ad5693338d1b575d490ea47a07f2f08d
SHA256

c0b537887441bdfd13f66715d76df2f310f66fc65a237261e545f55798cf55ff
SHA512

94d63f35b6d01642f539b66b6d02ebc82352e44f90d5b6ecd36a2da834bc71e63636d7b8142e72d18ad7f50c288f2929c53c6af03f9538fe8ac7d6cb21c58f4f
SSDEEP

1536:9eVkz0nwwcA/m8S9CSdD/tz3VRQDsRfRa9HprmRfRJCLIXG:9pziwwtHuBjVeDs5wkpHxG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe

Executes dropped EXE 64 IoCs

pid	Process
216	Klqcioba.exe
3496	Kdgljmcd.exe
1652	Leihbeib.exe
1556	Liddbc32.exe
5064	Ldjhpl32.exe
4992	Lfhdlh32.exe
2456	Llemdo32.exe
424	Ldleel32.exe
2556	Lfkaag32.exe
3284	Lmdina32.exe
452	Lpcfkm32.exe
3608	Lepncd32.exe
384	Lmgfda32.exe
4288	Ldanqkki.exe
1152	Lebkhc32.exe
4880	Lmiciaaj.exe
4060	Lphoelqn.exe
2680	Medgncoe.exe
3504	Mmlpoqpg.exe
5052	Mlopkm32.exe
628	Mchhggno.exe
3064	Megdccmb.exe
4772	Mlampmdo.exe
4640	Mdhdajea.exe
3424	Mgfqmfde.exe
2736	Mmpijp32.exe
3016	Mdjagjco.exe
2652	Mgimcebb.exe
372	Migjoaaf.exe
4460	Mpablkhc.exe
444	Mcpnhfhf.exe
2108	Mnebeogl.exe
4568	Ncbknfed.exe
3348	Nepgjaeg.exe
2880	Nngokoej.exe
3092	Nljofl32.exe
544	Ndaggimg.exe
764	Ncdgcf32.exe
4072	Njnpppkn.exe
1228	Nnjlpo32.exe
3224	Nphhmj32.exe
3476	Ndcdmikd.exe
4904	Ngbpidjh.exe
1312	Njqmepik.exe
4656	Nloiakho.exe
4572	Ndfqbhia.exe
5116	Nfgmjqop.exe
1232	Nnneknob.exe
4932	Npmagine.exe
1112	Nckndeni.exe
4560	Nfjjppmm.exe
4500	Nnqbanmo.exe
1440	Olcbmj32.exe
4216	Odkjng32.exe
2036	Ogifjcdp.exe
1500	Oflgep32.exe
3920	Oncofm32.exe
1380	Odmgcgbi.exe
4612	Ogkcpbam.exe
3684	Oneklm32.exe
4908	Odocigqg.exe
1944	Ognpebpj.exe
2592	Onhhamgg.exe
904	Olkhmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	8abc29149cadb622929f26f1435b77b0N.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nphhmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7068	6976	WerFault.exe	254

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Njnpppkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 216	208	8abc29149cadb622929f26f1435b77b0N.exe	83
PID 208 wrote to memory of 216	208	8abc29149cadb622929f26f1435b77b0N.exe	83
PID 208 wrote to memory of 216	208	8abc29149cadb622929f26f1435b77b0N.exe	83
PID 216 wrote to memory of 3496	216	Klqcioba.exe	84
PID 216 wrote to memory of 3496	216	Klqcioba.exe	84
PID 216 wrote to memory of 3496	216	Klqcioba.exe	84
PID 3496 wrote to memory of 1652	3496	Kdgljmcd.exe	85
PID 3496 wrote to memory of 1652	3496	Kdgljmcd.exe	85
PID 3496 wrote to memory of 1652	3496	Kdgljmcd.exe	85
PID 1652 wrote to memory of 1556	1652	Leihbeib.exe	86
PID 1652 wrote to memory of 1556	1652	Leihbeib.exe	86
PID 1652 wrote to memory of 1556	1652	Leihbeib.exe	86
PID 1556 wrote to memory of 5064	1556	Liddbc32.exe	87
PID 1556 wrote to memory of 5064	1556	Liddbc32.exe	87
PID 1556 wrote to memory of 5064	1556	Liddbc32.exe	87
PID 5064 wrote to memory of 4992	5064	Ldjhpl32.exe	88
PID 5064 wrote to memory of 4992	5064	Ldjhpl32.exe	88
PID 5064 wrote to memory of 4992	5064	Ldjhpl32.exe	88
PID 4992 wrote to memory of 2456	4992	Lfhdlh32.exe	90
PID 4992 wrote to memory of 2456	4992	Lfhdlh32.exe	90
PID 4992 wrote to memory of 2456	4992	Lfhdlh32.exe	90
PID 2456 wrote to memory of 424	2456	Llemdo32.exe	91
PID 2456 wrote to memory of 424	2456	Llemdo32.exe	91
PID 2456 wrote to memory of 424	2456	Llemdo32.exe	91
PID 424 wrote to memory of 2556	424	Ldleel32.exe	92
PID 424 wrote to memory of 2556	424	Ldleel32.exe	92
PID 424 wrote to memory of 2556	424	Ldleel32.exe	92
PID 2556 wrote to memory of 3284	2556	Lfkaag32.exe	93
PID 2556 wrote to memory of 3284	2556	Lfkaag32.exe	93
PID 2556 wrote to memory of 3284	2556	Lfkaag32.exe	93
PID 3284 wrote to memory of 452	3284	Lmdina32.exe	95
PID 3284 wrote to memory of 452	3284	Lmdina32.exe	95
PID 3284 wrote to memory of 452	3284	Lmdina32.exe	95
PID 452 wrote to memory of 3608	452	Lpcfkm32.exe	96
PID 452 wrote to memory of 3608	452	Lpcfkm32.exe	96
PID 452 wrote to memory of 3608	452	Lpcfkm32.exe	96
PID 3608 wrote to memory of 384	3608	Lepncd32.exe	97
PID 3608 wrote to memory of 384	3608	Lepncd32.exe	97
PID 3608 wrote to memory of 384	3608	Lepncd32.exe	97
PID 384 wrote to memory of 4288	384	Lmgfda32.exe	98
PID 384 wrote to memory of 4288	384	Lmgfda32.exe	98
PID 384 wrote to memory of 4288	384	Lmgfda32.exe	98
PID 4288 wrote to memory of 1152	4288	Ldanqkki.exe	99
PID 4288 wrote to memory of 1152	4288	Ldanqkki.exe	99
PID 4288 wrote to memory of 1152	4288	Ldanqkki.exe	99
PID 1152 wrote to memory of 4880	1152	Lebkhc32.exe	101
PID 1152 wrote to memory of 4880	1152	Lebkhc32.exe	101
PID 1152 wrote to memory of 4880	1152	Lebkhc32.exe	101
PID 4880 wrote to memory of 4060	4880	Lmiciaaj.exe	102
PID 4880 wrote to memory of 4060	4880	Lmiciaaj.exe	102
PID 4880 wrote to memory of 4060	4880	Lmiciaaj.exe	102
PID 4060 wrote to memory of 2680	4060	Lphoelqn.exe	103
PID 4060 wrote to memory of 2680	4060	Lphoelqn.exe	103
PID 4060 wrote to memory of 2680	4060	Lphoelqn.exe	103
PID 2680 wrote to memory of 3504	2680	Medgncoe.exe	104
PID 2680 wrote to memory of 3504	2680	Medgncoe.exe	104
PID 2680 wrote to memory of 3504	2680	Medgncoe.exe	104
PID 3504 wrote to memory of 5052	3504	Mmlpoqpg.exe	105
PID 3504 wrote to memory of 5052	3504	Mmlpoqpg.exe	105
PID 3504 wrote to memory of 5052	3504	Mmlpoqpg.exe	105
PID 5052 wrote to memory of 628	5052	Mlopkm32.exe	106
PID 5052 wrote to memory of 628	5052	Mlopkm32.exe	106
PID 5052 wrote to memory of 628	5052	Mlopkm32.exe	106
PID 628 wrote to memory of 3064	628	Mchhggno.exe	107

C:\Users\Admin\AppData\Local\Temp\8abc29149cadb622929f26f1435b77b0N.exe
"C:\Users\Admin\AppData\Local\Temp\8abc29149cadb622929f26f1435b77b0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Klqcioba.exe
  C:\Windows\system32\Klqcioba.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\Kdgljmcd.exe
    C:\Windows\system32\Kdgljmcd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\Leihbeib.exe
      C:\Windows\system32\Leihbeib.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        27⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        32⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        48⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        50⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        53⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        61⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        63⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        64⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        68⤵
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        71⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        75⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        77⤵
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        78⤵
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        80⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3884
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        89⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        90⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        91⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        94⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        96⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        103⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        104⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        105⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        109⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        110⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        114⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        119⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2800
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        144⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        146⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        150⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        151⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        161⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        163⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6884
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        166⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 416
        167⤵
        Program crash
        
        PID:7068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6976 -ip 6976
1⤵
PID:7040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
128KB

MD5
af5964dc40873bde62a2660699ffb0bc

SHA1
ec42302694bc68fca8425f1b846ce08cd474d2db

SHA256
7736c4c61aa33d7158da081da24bec2f212c65fc26712641be4609d8fd1f546d

SHA512
11bcf1f1efc3a0d4b280acbbc1de31522d618fa13daaf7a6f4de683bb43c13b36f0843884bdbcce053c1f609e524421f349df9b875cd0b150cf1f9397df97d4a

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
128KB

MD5
ed5ce4ddf41456bf2f65d75c998016a9

SHA1
d98591406df1393c6b63d7dcda45a890f0bccccd

SHA256
ab3a5f397d9557cb587132c503e36319f0796525f34b84a78c110361c6ac664b

SHA512
48854b2485563124c8806b8eac41c10eaa82533d0adfe63ad087ce6833778dd44caa1507990b8bfbaec19307591ce279dfa0d86c4a7fee223619fb71ce16becc

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
128KB

MD5
ec09bffb6fa38b468e4a87e7dd47fd64

SHA1
b47b0c04592aec8148656663d7ad996d3271d55c

SHA256
075f07f1e331a5171b8bb4a1053c6e5e4ff545ad94aa33eeaf2004829d05f29c

SHA512
d4620a6e3f8097f5d25747df5df775be99c32fbca92c2d46d19a0a01030465bdf771fad555dc95fb22c4dc75fc6c2215ecffcce0c2421bfe21ca0e384f94e949

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
128KB

MD5
8b39fd04c39bfae4dc268b51a39a04f1

SHA1
267838a9484ab90bb05e2e6d0bafc8426e7db23b

SHA256
8ffed2bd66e128034777564be0dbf6f8186fc96e0fa265804cc74a1c0837d8c7

SHA512
64be19e41287fab35bd18bfd22d46d5dfb8c2a2cdf36fab545a4d131880b8f1717fcad01ab5c4e1b88ba1438f436deb7de0dd71cd71ada1b1778141a42848b5f

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
128KB

MD5
03e0e675fbd5ee653732e7ecd4f7c844

SHA1
3305dacb0471d1ba3ef87f618eeb0a3091b84868

SHA256
3751a8a6e16bda28ba80b9b87759c2202bd16df94e73c89b0c056d2868ed0552

SHA512
089b6e276faf5acbc5604a453ff49f6e639ff2df34ca2f072012d74012b5cbb063fba4791ad8ae34765695a993a98f286ac3cd7ce76f9ea04673dbd6b4281bb8

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
128KB

MD5
2ff655de206fcc6e53150f4bb874b2dd

SHA1
c5ff1f5f1ef650f57939c293cc7679eccf3c86da

SHA256
ab9c719efcff90a7a366ec979794d92ef5ee4555bc910974292a7656a3113a49

SHA512
1b3b4602f7b01a3989a475a20a936a16f18bfb14f52f518a855e020dcb459605454f7d01a6abad114c12ed035033dc23b743e1c6b4eb7f9f4c72c88ab9fc58b6

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
128KB

MD5
6db5efb68d9982caa6b4c35bc614c721

SHA1
3f7905d553e6e774811e609feb4af8b42907ffde

SHA256
4e143032e62d915dc7b4829f62984042c3f17ae812146bbff1f9cc5e66011d5d

SHA512
d46c218417f1d3c0884f3c5fcb85a64f708b4b272b9d3ca850280a8261ea3a799a77c6cefbd7cf35c41e697826dc354210df03ce62b1ec09cb8664823feea3ee

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
128KB

MD5
e451c9d446ec6045d9c1cbd4206ae091

SHA1
c5073ba8a8c31597d6a77b0609cfbba144639818

SHA256
5bcac257cfba600f99d63361abd0f21f1cc4ac43ed68f360e6f64984688f8ab3

SHA512
46de2a15a7ad3bbcf589de813ee4c4d73df6cdd8d6d53f6dd67447a996007b1ef1cfa8130553e9fecf0ed1c84a16626bab3403bed62d869a21566d7cd59ce096

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
128KB

MD5
c3eaf7aca7c4e9b154071967b44f3809

SHA1
84edc0ade0451290604c686d5bfa3f3de236a0d0

SHA256
f3e1813f5bd4eb5a7297562ffcbc5bf73125bf08a4cdb10d9bb752582c629b4f

SHA512
dd6aa67cc50b7b373efff430f5d35ebeab5f690567c1d8920137379b15af48b298a7a8fe1866b163fb65c0c4eeabe9c6684ecf8e3904d0c1f0255be6df57aa95

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
128KB

MD5
316156b96e3b5023513a5b90b8602a84

SHA1
97ec368c36232b36a3d4ea414f78f241dec44dab

SHA256
5612d22305c294b5ff7493e8c6e48b02ac8aaaab070b37a64ba5ccfcb0bd45ea

SHA512
8c87df978eaa1967ec19fc7480a8b7fbec5dd3b66a124599976deaeef4124f24a1b62f25d0d4f9d689a51cbbbe2457c52c065eab306b78ba2a3c1bbb70373aa2

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
128KB

MD5
e51574a0bc89ecad73b22869f44ea481

SHA1
4f1c0bdd4ca5029ed75ccd06afaf9e8db7853364

SHA256
e57a80837a848828ef0b9ad687fc38f59a4f60a2f259adfdae66c075d87ec413

SHA512
6d8284579bcd971151a593aa2c4c471a1cbef456062d97cf7cfdcfd5267b4bb0721aecd51697cacb998e0da1860569799bb280ce0f66602b443a01e14496e06c

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
128KB

MD5
a8dccef1024a2165dfc624a5c32d08bf

SHA1
58075cf0429621f92f27c99cf872bda4fbbcb0cd

SHA256
9188de9c225bccc1a59b1c3b2f97c8868af406da53750e53236e0c263c23f739

SHA512
3a356e8a15db7c66718158831f8c990f1ebe9aa1358ba6410a985e2fce283128c04841350ce6cd95d8f5cf7562d46b1069be575e514cd1b7164f55bd466c7715

Download Submit
C:\Windows\SysWOW64\Jlineehd.dll

Filesize
7KB

MD5
380282ca23d5377a0641c2e1224bcc34

SHA1
efc2cf9f46dc618e4185e00beec9971c8d110da1

SHA256
1024d1c01a155a032dad54064f9005460039e52390cc4c5a08d72e7eb800a94d

SHA512
fc20ca0add1bafa3a0cd25f9cfd7888e0bdf2fb289f1b6dbe68b8c562c765898c974d8783b6ff2a5c5db8078fe1d557680a209953dfdfdb81c89d48cddaa95bd

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
128KB

MD5
cb5d63f28215b5ad1c22c0ce5f989c76

SHA1
7dce3ef1d57528823e92bd8ff334382dd5dcf8a8

SHA256
61fda6d9c06d47090893079f7ef3de67601207bc685aa5acfdd52b22735e660c

SHA512
b7a2dfab99d019b02b3a7671f864a26d840f2d02bab4ed93e252b83af2356b09a313143e341d2604fbbf246306ecb4d3d444fcdcae53f65200cb995b56eec579

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
128KB

MD5
b92d792c28b6ccf16871ef051ccf69bf

SHA1
f9875bc778afcd40e04f8660e4703a685db00076

SHA256
c888b7e2b8bc578d55d900c2f32d6e4a42fa42046e23ebdb1c4d9ea38dbcddd6

SHA512
e1f6e182423b2e7b2d9df47c09e4ebbd191c15c2edd370ed1fde316c7c5ca5424f3e214c84bfa60b7a2fab7fd4ec27b81ba4ed58575710e9726dbfc60dcef906

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
128KB

MD5
08ea97ba7cd1824045c497f913be9213

SHA1
7e1477dade8df812a1d0e829f5885ce1ef8934a9

SHA256
f02c3eb440dc2d80a43c81031b41fbef3aefab69fb3481a7317f09e6ef080376

SHA512
e7dcd88349cfd63797d55e5bcf9ea12cc205137221abf53699d63de179c703481cb0255d2c54495cb00a7cd9fa320f2e911ee60f40f3bb989699f48da80bb7b4

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
128KB

MD5
38ce5db53fbdc841044d3edcd2aba9b2

SHA1
f757f0ca6d3d87b65a6b169d56a5c6d5575b11e4

SHA256
5b8f456420df9b7d876af57d12e489b63e4aa9a875377adfae113d8e952139bf

SHA512
2b0fd7c607203c0a5bbad6793c40182f26cda5fcb72c859122d4d1c5bf42e5c8b5c07ec339b3064f9f8c8155a0685d671350911f01e1799a4c7467d4f866bbe3

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
128KB

MD5
f8deb82a93646a5372d46edacf112d94

SHA1
45d5f71122f44b1ce47a19f704212bd00578fc8c

SHA256
35c2f8b53bb4e159a138e4d7d7721260b378f6153cde8d7c3c7122750cec7b98

SHA512
96214bb884d89b7517251a600acc8e6adcda6627ddadf9a1424d2f25cf8054c89ffae2a6a2dc42213c0d449c01d49420555146052488a7c6710a5fa67cebdf69

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
128KB

MD5
cdde97c8e385d604c3309134a006016c

SHA1
9d787156d9ba7b48fe36577e85596eca7bb4f14e

SHA256
41de2a94fd2f280587781d121ccf97c1a8f6a338b8c299b55adba6ef11ef0e1b

SHA512
50f7e6a84bd1c564ebf83ee29de932f9467e48238c2dddbd2f4084577231d85f5ea542e2804e9d946e360895ffbcd176103651ce048175ce66934e04b896849f

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
128KB

MD5
a3a6298d942c3eba7c068b32cd359196

SHA1
c54c38a268cc2736ca99f07ec056027dc01be83d

SHA256
2441f3dca12f1d51567862dd40d22198fca842865c3c57be945ab5aa0a6f0039

SHA512
75d8def1c87d29cb3b4b4e0009752be2468260083c64d6cd0b500c26e343729d82493a7b481406f8194dcdc9a9540018ddfffc20665be0f48d3b3e4fef8028b2

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
128KB

MD5
1c0fc4e16173098b20434f51c685f37a

SHA1
6d3d877bcc3947a07f65cee895f424e3c3c62825

SHA256
15a56d5a93d9a5aa5fba4c21a471f125a071a49cfe647b5889973e90faa73abd

SHA512
e796556144a7138921fc289ec7c4ddf35ed480d4ff072b6a71910f04c1e2e5e54ea0533c93582f989cfbdc6f1771190532eec3530f2f94bf1831220205b0a35c

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
128KB

MD5
73174400662763f09cd7ce33c371a414

SHA1
09324265dbaea38c4610120aad047b054e272e85

SHA256
cd55e4e370e7770d37491ee77278981045e9caeb5ee218c1235dfa32d9851b8a

SHA512
a3a055f686a08be86195700fd0e3e819c3f6e327d1f5aed34956134769817204f035efca010b9369f3f8434785b2b8deb45e4cffec03523de6f999d6bb5a9b19

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
128KB

MD5
222da259dd5b786c5b6258bda1c2b417

SHA1
369243b726d2246a5562720cb98387cb9cc5a852

SHA256
e72b672ebcf26bf537b30be0caf632c31861b282ab60b87a7be5d3501f8a4a38

SHA512
a83f3b9ded3bdaecdd66f0843e290537064a8e4099b08552007b8e46f920a66db17e32f22cb5441b115469852dfbc3bd85781b13d8f35fe8aa8ae033f9c0b8f5

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
128KB

MD5
d1713c27877935509400ff4371db1258

SHA1
0566adbb5bcb33a4f36ce0ff8c3504b67c04d897

SHA256
69914ad7a305877e3de78a5c1e8c1ca9a1a8cb6fe21ddb802d46c230845d15cc

SHA512
a5294458bcf928c38b868d36c12147d80c6c1d9db93eaad72638b76e2cb8e61dde49cb09867eaafabec8bfc273b6ca2e882f79a070f429f442ad5cf152ff6364

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
128KB

MD5
70631db3845d5b53147ea1d2f7b63a56

SHA1
852b8fb806395ac6820bb5a56884ff8881cdf107

SHA256
a463abf614ddae496f6f4c6bc79385a0511c0dc4ee5bcac4af4cda196b6efb9d

SHA512
e9bcebe6326aff55206e668f7c6fe7d71dd7caaecab4c93be2cca87ae11409a5da870607b59614eb69cc49db74a51801841c73c709e521bf996159d41e5b5eee

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
128KB

MD5
4c70589c3144f84369396eafce578f89

SHA1
1c50ada0fa2b493f29be726f46f340cefd494a37

SHA256
a909b9abc88f0703e7577ccdaec14fb5221a12a205687ef4a500b0489f9b0485

SHA512
af6a7813da2707a912b64c767d21d98e2f93980ecf74f9f352a0c45878caa3a93f3ca54a1f22807c3dec928f77e1c810ffa17e7eb9fc31efb16c48ef58f3887d

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
128KB

MD5
b8648a7f88514cb100296d96116996f8

SHA1
1345c4cf571d49f94e34442fa79ded36c1e08f95

SHA256
abaee6bf8730dec7600bdf5b0efcfbc2fcb0599ddb43c867b9742366c7291383

SHA512
401c477643dbd9f32987f5efdefc2fd3ebbd7da48409383d4e1d978b4ea891c83fc199506bec9daf42df9931051e79ef9a5c7b122e4096ffdae7a2dac2020b34

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
128KB

MD5
526ca03f98ecfcba46a5933d54772792

SHA1
d0d4cb4e49c4552e30a8a50ba8b56c17e63b6d34

SHA256
34d29a13222671d8d5e74470e0b4aa9aedf0263b9da06a1886e876d5d6bd1ca9

SHA512
8cd4e48652dbad3a00e4d54c4b7e026528a3d7c95d89ed46a6b70868c48578cff9a7a6fb56559c188392b8890f3a42e64f824be621646d406cc7bb5f8b882c96

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
128KB

MD5
523cb726440a5ca38bcf825e3696e1ba

SHA1
48d4a83122ce15e06d42c1075901a7eb3213b920

SHA256
3777e5c760eff3143fcd785fd3232f820ef3d9413cfc46a2430abce80701c2f0

SHA512
cd5d87d538323c3821f60b1a1f6be52ed03e9e04f870e4b3756f614e32d0028abb646b31b1e97da2f97bc4063996804010e739b09cd0456cb60cc89d198ea41b

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
128KB

MD5
4aeda011d8620c7c7a3ca9c7d487eb03

SHA1
25b2e75ea735eeeb3b0d712bf1fd3b93af0a6e0a

SHA256
5ec8193083b98830e326b71aaef88357a1fcbd8ac197ac32b08316600f234ee5

SHA512
e01964733a55fdfb5ccbf2a24582b8e4e8f870ec7505e739c7f1fcd43cd15f4a93c7da8c88f09412b1fa68c7db5eadab421d912f88bdeaddada1cb562e07a089

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
128KB

MD5
1e60a804f6187d4ff9ef630bfd4a252c

SHA1
07adbb1262fa172ae92508ecc0847a6978898e6b

SHA256
20c7666d23b89a89633d6ad6ac1a5221817d9fa64a3b31f75eb9f4c4723aabaa

SHA512
12c69b910f5c9537f6ed6f9e27fddb687841abca4f2b3db57e785192f0cd2bc67263966a8dbc92383b08099760fa4b4996f77a97557630dc5edf2e0e755c803c

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
128KB

MD5
47433aaa516514e11c70d57fe8a28a5c

SHA1
3b818e5766af177f6156651abd7c05bbe7438b6a

SHA256
b009cd0868c0a86b0fbe90cc9e0ea7d62d2c1856a5c150edeb6205254bb585a5

SHA512
4fa4697ab36dd16d7cf1bc5a397b499f70dd6bc5cad9debf82a867576b3cbbdbcfb07cc26e6b5f45c5b1166ce8a421b09bb11309488ddfaa6a5ff1c048b3de1d

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
128KB

MD5
4427c38fd1457c17944dcd680744a34d

SHA1
109720c319ba4ce2f964050d0dfcac8a5fb1fd32

SHA256
b3a31820ca35cccbf11746c9d7baed631267d58dda0e98e0382bf5dae16df16b

SHA512
a9f0d472ea83ff04bdba49c7dc4ebe110c0e92aab56c234bb09882fd7a2b0dc6fa05dd9a06bb417ab67b93ecd1314ed591c53a24a02ab7130d5936cf00b9622a

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
128KB

MD5
4cc2ae7d88c00021cbf399e140139f3f

SHA1
37e3c12beb8b664bf5504a63cb5cdf08893a889a

SHA256
e1dc4b0b5a7e48699b1ff4b5dd2583cd215f20c34d54bf8dc4f2be8f38d6f249

SHA512
fa094e2651a291d911571ffdaa439641cb0eeea502099fa55ae753243aecc398e29385b535bbbf968101d6a4742a6240b689d6155d4302e55bd9f80a5d86f6e5

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
128KB

MD5
747d785ca027c7f353f2996bad080313

SHA1
cfd98f345830ad4410173fe2bc1db0d1daf16224

SHA256
b82de82b5a4ae7c83676547b97c4dfaf9e78d78a5bcfe326dbae08f670899964

SHA512
64a1ddc7190e5a7f6548ef4c5925190526fc6438ea571375fb682f45374742f17fb5f7fccc1510652744bfc52ef53a7fdb07674e1cd1bcb87bbd9b844471fff6

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
128KB

MD5
aa8512d698f5d1391c029e1ebae4348b

SHA1
89a22342e730df9f071237b6e69c4ab7395bbc8a

SHA256
ca46ec7bb74a00ba3a9a87f1c71ce4589bc62e63574ffebc006876f9e8071f7e

SHA512
b1d2e26f4f2d9c1bd75ca6989647ebdb6f24cc451fc6500dacd1547525c820783c02a7a22f19f08268edfecdf0b66666bb1eec58422ab9281b5b8981c477b2ac

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
128KB

MD5
1f20c2d040cfd109f22bbcfa530a61d0

SHA1
1c1ec001e62ab95da04449dc000ba9b80c785eb9

SHA256
10341c2b869248cff16a6ae51d75ef3748ccb7ace95345ee4474c17ed3b5d786

SHA512
0a81fd2cf685e851305369d71fdeb3b474f058f2bc47abe668354bb2e15540762613fb9306c207007ca7083f10bbdfc828cbfa3ddfd90fc6e4f4dcd9c8575102

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
128KB

MD5
79f9c38d9ab76e5013a80e0f63872655

SHA1
ea10de449e0634e59f3f888dc5ea685d9097b288

SHA256
0caaae99d709b945da75ab9905ff646c42675c5ea8e009926f68ad12a96122ff

SHA512
df37a3adfe095ebdfbfd0fcc86fba7442cbaa14863c39e41f7515db666eeec4a73c93c40172d9e47794ea957bc657b5c0ac7b19e1121a46935a6343675980278

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
128KB

MD5
97aadec1e32c12fe7d119891b5dc6f47

SHA1
7df4e0c50d20d9dd3a655f60083f53c8ce5a9c04

SHA256
a075740d5a0fed0c994b03f56c3e49f2ff447da3086bba71ea937f4dd3efe3ed

SHA512
573edaed7dcfffcf5b80a020067d600b83866cda99f267823d3fade3f7b2311199f324bdc94ecd843374c42acb3e4534522fe7bf248e651c68f03b313a339794

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
128KB

MD5
03ed25f07add532a773dedf9f3020ffd

SHA1
8f94216ed0bbf524bdee33835062dc083966c78c

SHA256
d237dfa3cd6c09f600296668831da328fb182b16124b9c7b12ba323bccedf2c1

SHA512
acd2e48289e011bfda3ca484f568b8eb0fe31891dcdff407862da402f44b25f6f51df017315e6fe716e3bdf7da9d87285aefd1099ac641a7a60ccf61357b8e34

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
128KB

MD5
457b574a4c38c541fedbb1706ae15dc8

SHA1
98df3885c2dfa2e142eebc2e846c4b728aa4bf11

SHA256
6df944c2ce63ecf13e571a6eacc14ab7b7cff86e2f5a7e5067254d1c51ae27a2

SHA512
85769f7dc8c403b0dcde27a4b73372bdf9fcf0767128c039f36ec7e8a9ca8866b7e879e06b1d4419d5372321147ba733d3bfa65a95ed0967b08d1b058fadba25

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
128KB

MD5
a429b64847a65ef8dfb94a47cf146fd7

SHA1
d1f52cd5e231448d5df6978e643d3f8fc2323fa3

SHA256
8c560b489332921ee0b3aa57e0e1a6449a3bc5d6b5024d3f0d29b239746c5f42

SHA512
8c715a80813c58a379c1a0259a80860a146b2163a6ab4be97d85e00e47da8f452bc983b7749c588cd1ffa903dfbb8981b39c3fd9a03213e1e32be6f6943be9d5

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
128KB

MD5
d45bf44920d49cf07824fc74113bb98f

SHA1
dd22f926714b65bb179c8a79201c2f00d844c5c5

SHA256
6a81fcb36bdc1988f679a2b73fdf31c3894d586c8fc93243e42b60b0f2891d7e

SHA512
297d89fde6663ca60893c3c7f59a699b81e6751bd3ac9b235ffba0e9eee768cc203abaf8c389f9add337bd0cbe696a27eccafccba72ff54f8baf15cbf21531d4

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
128KB

MD5
bb6a48d488bca0fa691dff0d4c05aa97

SHA1
4d867e1a89b87d4e3ebed1a20a956a9038d96e84

SHA256
cb6485ecdf8e698d84f48eea1839f677b545194632349d203a17af417d50672d

SHA512
7a88cd9cb18200b3a29139640ea863daad34597616f54699bb74f256f793296ce273bf218655558b7a34d1c5d224b7783437513deac13e8bf3050e6edadc1d94

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
128KB

MD5
097f190a94215fec15933329b11de1ee

SHA1
cc72f155faa9db8efe8953e0ec7599244b0901c8

SHA256
bfe6cb0f065aa2983b38a6f2012a11df74eed15cd89a147059cf9c22466d8861

SHA512
9d8439ad928ae9f1432a5f8ee0116068c3bfa068341b15460f5b24877aca89b7adea08b6ab87245a3d1689db9f5afb8878d5fd2081f3fde97d197e25d45f2d73

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
128KB

MD5
41200ef4fc0fa891ff6b233139917954

SHA1
fbd2add6a00f3080c03f13cd86ac8e170e98d387

SHA256
9c99a39431737fcd1488ec6f997d39b0c74bdf6e7695515e9233a44d573a8d87

SHA512
85d62f44b5bc56a46e2396795ec1b232efa61593a529f96bd32412ec31339d33484280ab691666085dc2241d49047b77a3e83c350e74ebc8bf79235c354a8922

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
128KB

MD5
1ef56ac31d10e9fbac10b3dee12f6201

SHA1
1749f1b56e165f8be88f90da6a523eb276cea502

SHA256
9ed5d976d90c9897c776e92432239646e0e94e43b3d421ce37060630b686c755

SHA512
2a755021ec6eeac1f683071a89e0d009c1c2f5434d84571542c7f12d9bfdedb1dbf6951008fbc31f2b79a3c9d5438622238b2b4980d24339cc120264c80e5490

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
128KB

MD5
0d985f9d0101f1092939449d0ddce701

SHA1
6686ffdf8d8ee1b67ee46476fc750583f4253fd8

SHA256
fb643d7056c9a731b9e476a8208e9315021b06a65ce9f05fdd3d6b5e5d0e733b

SHA512
b59f9945babb4e6640af1bed434da96c6a79af1284bfaf2586cc4aea00461f67315874eb749c70fafbdb2195c55dc85a13e51b7737d209e97b3c9dff7c28f4fa

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
128KB

MD5
c2988348faab3e5fbb6382530e1aa26c

SHA1
c2c2b8882e5f743848decc9d7b3a91e241ce4e72

SHA256
f7066ace17297b556f98042f68b64af5e61c395173da2fb85f99627691848dc6

SHA512
89fd4555b0c1439b0176da88f9db12d0a4ef7014d8b805d902b85da7468c1b04a1058030460bff6b15c4348f5627ea249fad0a7e7f12a3d61940ac7ec1af7aaa

Download Submit
memory/208-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/372-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/384-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/424-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/436-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/444-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/764-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/904-452-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1152-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1180-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1452-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1912-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2108-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-477-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2652-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3184-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3224-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3884-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3920-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4288-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4656-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4932-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5072-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads