5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe
Size

96KB
MD5

8e6e4e25b20f27b9a402ed4d2a9e7cd1
SHA1

30d14031150814e7d9ca57ec8dfdcc2e8b5f51c6
SHA256

5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49
SHA512

45f350553004f9f0baced03b88fc74874584e70eea6c15e44ab99bcc1ff82e30cededf1c32ef432ee2f721358a50dcc12d2cc77f8b8ccede53747845ee0412b9
SSDEEP

1536:tqtEgcVOIo1mdO2X6Jzi4BZ3lWQzBize9MbinV39+ChnSdFFn7Elz45zFV3zMetM:0tNj1m4Vi4BZ3Mi4AMbqV39ThSdn7El3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debnjgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfodgeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhhbngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlemcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maoifh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflfdbip.exe

Executes dropped EXE 64 IoCs

pid	Process
3948	Hcjmhk32.exe
4052	Hkaeih32.exe
2520	Hbknebqi.exe
4276	Hejjanpm.exe
452	Hkcbnh32.exe
1912	Hnbnjc32.exe
5064	Ilfodgeg.exe
4656	Iabglnco.exe
2320	Icachjbb.exe
4156	Ibbcfa32.exe
1624	Iccpniqp.exe
2792	Ijmhkchl.exe
948	Iecmhlhb.exe
1300	Ihaidhgf.exe
384	Iajmmm32.exe
4520	Iloajfml.exe
1328	Jbijgp32.exe
2180	Jehfcl32.exe
4112	Jnpjlajn.exe
2328	Jdmcdhhe.exe
3004	Jjgkab32.exe
4928	Jelonkph.exe
4232	Jhkljfok.exe
4984	Jnedgq32.exe
4992	Jdalog32.exe
812	Jjkdlall.exe
532	Jeaiij32.exe
740	Jjnaaa32.exe
2316	Kahinkaf.exe
3184	Khabke32.exe
3580	Klmnkdal.exe
2456	Kefbdjgm.exe
4108	Khdoqefq.exe
2608	Kongmo32.exe
3416	Kehojiej.exe
4016	Klbgfc32.exe
4416	Kopcbo32.exe
4808	Kejloi32.exe
872	Khihld32.exe
5076	Kocphojh.exe
1796	Kaaldjil.exe
4564	Khkdad32.exe
380	Loemnnhe.exe
4932	Leoejh32.exe
2512	Llimgb32.exe
2584	Logicn32.exe
3832	Leabphmp.exe
4772	Llkjmb32.exe
2992	Lojfin32.exe
3888	Ledoegkm.exe
1804	Llngbabj.exe
3744	Lolcnman.exe
772	Lajokiaa.exe
4832	Lhdggb32.exe
2480	Lcjldk32.exe
1512	Lhgdmb32.exe
1676	Mkepineo.exe
3240	Maoifh32.exe
3064	Mdnebc32.exe
2104	Mlemcq32.exe
2024	Maaekg32.exe
2232	Mlgjhp32.exe
4580	Mcabej32.exe
4716	Mdbnmbhj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcjldk32.exe	Lhdggb32.exe
File opened for modification	C:\Windows\SysWOW64\Ilfodgeg.exe	Hnbnjc32.exe
File created	C:\Windows\SysWOW64\Nfiagd32.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Gdokakcj.dll	Acppddig.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Gcdfnq32.dll	Odedipge.exe
File created	C:\Windows\SysWOW64\Jnpjlajn.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Hkidlkmq.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Icachjbb.exe	Iabglnco.exe
File opened for modification	C:\Windows\SysWOW64\Iloajfml.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Daphho32.dll	Nlcidopb.exe
File opened for modification	C:\Windows\SysWOW64\Ohhfknjf.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Lndkebgi.dll	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Okolfj32.exe
File created	C:\Windows\SysWOW64\Hbfhni32.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Balodg32.dll	Maaekg32.exe
File created	C:\Windows\SysWOW64\Nconfh32.exe	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Acgfec32.exe	Aiabhj32.exe
File opened for modification	C:\Windows\SysWOW64\Kehojiej.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Idjcam32.dll	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Ocfdgg32.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Bifkcioc.exe	Bcicjbal.exe
File created	C:\Windows\SysWOW64\Ehepld32.dll	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Khecje32.dll	Kahinkaf.exe
File created	C:\Windows\SysWOW64\Emnhomim.dll	Mlemcq32.exe
File created	C:\Windows\SysWOW64\Okceaikl.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Lhdggb32.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Aojbfccl.dll	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Jjonchmn.dll	Ndidna32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpgmf32.exe	Pkholi32.exe
File opened for modification	C:\Windows\SysWOW64\Hejjanpm.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Ffmnibme.dll	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Maoifh32.exe	Mkepineo.exe
File created	C:\Windows\SysWOW64\Codncb32.dll	Nofoki32.exe
File created	C:\Windows\SysWOW64\Bmaoca32.dll	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Leoejh32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Mcabej32.exe	Mlgjhp32.exe
File created	C:\Windows\SysWOW64\Hkcbnh32.exe	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Kchhih32.dll	Maoifh32.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Mcabej32.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Pdqcenmg.exe	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Aiabhj32.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Gcqpalio.dll	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Mdnebc32.exe	Maoifh32.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Obkcmi32.dll	Aiabhj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidna32.exe	Nchhfild.exe
File created	C:\Windows\SysWOW64\Nkhfek32.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jdalog32.exe
File created	C:\Windows\SysWOW64\Kehojiej.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Eilbckfb.dll	Khkdad32.exe
File opened for modification	C:\Windows\SysWOW64\Nofoki32.exe	Nhlfoodc.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Ddhhbngi.exe
File opened for modification	C:\Windows\SysWOW64\Iabglnco.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Aedfbe32.dll	Ibbcfa32.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Pkklbh32.exe	Pdqcenmg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7092	6956	WerFault.exe	245

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhbngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkcbnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkaeih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccpniqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alkeifga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejjanpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlncla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icachjbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdeb32.dll"	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balodg32.dll"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpiidi32.dll"	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimdleea.dll"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfep32.dll"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdkpe32.dll"	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhhbngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblnengb.dll"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccebdmn.dll"	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibkohef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnjfh32.dll"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmonod32.dll"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dlncla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcjmhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeel32.dll"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3948	3372	5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe	90
PID 3372 wrote to memory of 3948	3372	5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe	90
PID 3372 wrote to memory of 3948	3372	5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe	90
PID 3948 wrote to memory of 4052	3948	Hcjmhk32.exe	91
PID 3948 wrote to memory of 4052	3948	Hcjmhk32.exe	91
PID 3948 wrote to memory of 4052	3948	Hcjmhk32.exe	91
PID 4052 wrote to memory of 2520	4052	Hkaeih32.exe	92
PID 4052 wrote to memory of 2520	4052	Hkaeih32.exe	92
PID 4052 wrote to memory of 2520	4052	Hkaeih32.exe	92
PID 2520 wrote to memory of 4276	2520	Hbknebqi.exe	93
PID 2520 wrote to memory of 4276	2520	Hbknebqi.exe	93
PID 2520 wrote to memory of 4276	2520	Hbknebqi.exe	93
PID 4276 wrote to memory of 452	4276	Hejjanpm.exe	94
PID 4276 wrote to memory of 452	4276	Hejjanpm.exe	94
PID 4276 wrote to memory of 452	4276	Hejjanpm.exe	94
PID 452 wrote to memory of 1912	452	Hkcbnh32.exe	95
PID 452 wrote to memory of 1912	452	Hkcbnh32.exe	95
PID 452 wrote to memory of 1912	452	Hkcbnh32.exe	95
PID 1912 wrote to memory of 5064	1912	Hnbnjc32.exe	97
PID 1912 wrote to memory of 5064	1912	Hnbnjc32.exe	97
PID 1912 wrote to memory of 5064	1912	Hnbnjc32.exe	97
PID 5064 wrote to memory of 4656	5064	Ilfodgeg.exe	98
PID 5064 wrote to memory of 4656	5064	Ilfodgeg.exe	98
PID 5064 wrote to memory of 4656	5064	Ilfodgeg.exe	98
PID 4656 wrote to memory of 2320	4656	Iabglnco.exe	99
PID 4656 wrote to memory of 2320	4656	Iabglnco.exe	99
PID 4656 wrote to memory of 2320	4656	Iabglnco.exe	99
PID 2320 wrote to memory of 4156	2320	Icachjbb.exe	100
PID 2320 wrote to memory of 4156	2320	Icachjbb.exe	100
PID 2320 wrote to memory of 4156	2320	Icachjbb.exe	100
PID 4156 wrote to memory of 1624	4156	Ibbcfa32.exe	102
PID 4156 wrote to memory of 1624	4156	Ibbcfa32.exe	102
PID 4156 wrote to memory of 1624	4156	Ibbcfa32.exe	102
PID 1624 wrote to memory of 2792	1624	Iccpniqp.exe	103
PID 1624 wrote to memory of 2792	1624	Iccpniqp.exe	103
PID 1624 wrote to memory of 2792	1624	Iccpniqp.exe	103
PID 2792 wrote to memory of 948	2792	Ijmhkchl.exe	104
PID 2792 wrote to memory of 948	2792	Ijmhkchl.exe	104
PID 2792 wrote to memory of 948	2792	Ijmhkchl.exe	104
PID 948 wrote to memory of 1300	948	Iecmhlhb.exe	105
PID 948 wrote to memory of 1300	948	Iecmhlhb.exe	105
PID 948 wrote to memory of 1300	948	Iecmhlhb.exe	105
PID 1300 wrote to memory of 384	1300	Ihaidhgf.exe	106
PID 1300 wrote to memory of 384	1300	Ihaidhgf.exe	106
PID 1300 wrote to memory of 384	1300	Ihaidhgf.exe	106
PID 384 wrote to memory of 4520	384	Iajmmm32.exe	107
PID 384 wrote to memory of 4520	384	Iajmmm32.exe	107
PID 384 wrote to memory of 4520	384	Iajmmm32.exe	107
PID 4520 wrote to memory of 1328	4520	Iloajfml.exe	108
PID 4520 wrote to memory of 1328	4520	Iloajfml.exe	108
PID 4520 wrote to memory of 1328	4520	Iloajfml.exe	108
PID 1328 wrote to memory of 2180	1328	Jbijgp32.exe	109
PID 1328 wrote to memory of 2180	1328	Jbijgp32.exe	109
PID 1328 wrote to memory of 2180	1328	Jbijgp32.exe	109
PID 2180 wrote to memory of 4112	2180	Jehfcl32.exe	110
PID 2180 wrote to memory of 4112	2180	Jehfcl32.exe	110
PID 2180 wrote to memory of 4112	2180	Jehfcl32.exe	110
PID 4112 wrote to memory of 2328	4112	Jnpjlajn.exe	112
PID 4112 wrote to memory of 2328	4112	Jnpjlajn.exe	112
PID 4112 wrote to memory of 2328	4112	Jnpjlajn.exe	112
PID 2328 wrote to memory of 3004	2328	Jdmcdhhe.exe	113
PID 2328 wrote to memory of 3004	2328	Jdmcdhhe.exe	113
PID 2328 wrote to memory of 3004	2328	Jdmcdhhe.exe	113
PID 3004 wrote to memory of 4928	3004	Jjgkab32.exe	114

C:\Users\Admin\AppData\Local\Temp\5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe
"C:\Users\Admin\AppData\Local\Temp\5c677d7280f2c4b655fe58179eae1848808d7feecc12278b4be4128cb9650b49.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\Hcjmhk32.exe
  C:\Windows\system32\Hcjmhk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\Hkaeih32.exe
    C:\Windows\system32\Hkaeih32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\Hbknebqi.exe
      C:\Windows\system32\Hbknebqi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        37⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        38⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        45⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        52⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        56⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        69⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        71⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        76⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        78⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        84⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        92⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        97⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        102⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        105⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        107⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        109⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        121⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        123⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        125⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        128⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6860
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        131⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        132⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:7040
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        135⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        136⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        137⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        138⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        143⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        146⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6956 -s 400
        149⤵
        Program crash
        
        PID:7092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6956 -ip 6956
1⤵
PID:7060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acppddig.exe

Filesize
96KB

MD5
ee95247b2827ad724019c3c268a264c9

SHA1
79e763c6edac16b02ff1982126dbd1ba9d6dd719

SHA256
0182ae3218a44db419f7c91127e5794cee450f0aa395ebea77dfab7370581250

SHA512
9aa3f2f12e2c7716abe98f73736c7e77844c52743c063feafe09b3557e44ae38c3b4aaafe3f7f243341b84a3aa6b4982af30bc638cf817db8933d0b0be8ca8c6

Download Submit
C:\Windows\SysWOW64\Alkeifga.exe

Filesize
96KB

MD5
70116f860f42795095d0b7451f0773e4

SHA1
ee6d6ad2e71452a304fade2a85953e43db68586e

SHA256
2065db5c79678b2294097ffd68fbd438e9657d30cc4e808a5d6236f4be55f5dd

SHA512
8f46ebbb3d766bdc1cd39f8c11d2d3b173eff90ff166fa098cff68033c729344165347c91bc632724016c36d87f5787ceb5611670ef9acb1564a9389adf4e0af

Download Submit
C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
96KB

MD5
00b291c2971ef75894180dfee63f3a69

SHA1
4cd8f78f5d8b50903801b8e197fbb85bb0c1818b

SHA256
03dec3a8ce113c470c045d1944eb4da67a00d2b7e891f2d3438f5afcb9cefd23

SHA512
0ffb2fe779befddfe2f5f54097b3a37ecea3403638e717c50bba84aa74b09057279eb391739df3dee31846a11416071a97e1edd0d633a7118ff2f418674fca7d

Download Submit
C:\Windows\SysWOW64\Bifkcioc.exe

Filesize
96KB

MD5
403d29c0071b660d6b4fd79d143304e2

SHA1
ea7bc47d073d848f0ef98a9ba0b4a990904416df

SHA256
c3a963a91d7cc112f3900e965062d64e59361ba8c590693dbaa6419313166385

SHA512
c1336d0340d04da0dc9a566a291dd5dcf208167bf1b2f991fd8267110583dfe98817e97f2a77830e9e5d0adf47652e98085d90c8c94f8a14ae5ed05d18c0a1b6

Download Submit
C:\Windows\SysWOW64\Bmimdg32.exe

Filesize
96KB

MD5
c8b5fa834874428aba1f91f043a2defa

SHA1
4c5a8d5a3d47116e1fbe09d1be6e3b46869f567c

SHA256
4e3b0f872b68832ab4a613230259d9e28422527f376cf1a9c40bc2a2135f7e77

SHA512
9e073be289dacafd3d3f324f7e46385d555c617b6925099792fab3b1149062835d9c40d55bb64df5ea96e2c4a10ecb01f7cdf863362fb9aaa7ceae0355b84934

Download Submit
C:\Windows\SysWOW64\Cdjlap32.exe

Filesize
96KB

MD5
d94e8ab135e8ff4631a925682a158c7b

SHA1
97b067ff47274cffef23b2b0d05934a04397fd96

SHA256
6484cbf3ff63bcc793dd7c57984c8a23c9f47e964a0f9608fb9cce5c8e039327

SHA512
3a97f4eef78431b53d0a980d9aa3f8bb91db961ddb5932b13c38b77da0ffa07f78148c92a3c08dadfec4144f2335312e984320be243b4324422a0320e8026e08

Download Submit
C:\Windows\SysWOW64\Clpgkcdj.exe

Filesize
96KB

MD5
498784988b0609593853161f46b3e776

SHA1
2341fb95fcd82dbbdbdee8e7e8a46a670e8779f5

SHA256
8a2355af4233beafc3c07b4ed8e8e45d2bd9bb9ec2968bd74630d0badfa1f921

SHA512
6999a2b26fc5105c5bbc15c90a06f6f6a6dbed8816a9c636c90308a160059813c2ba45962894c89f03aedbe76fa647cb07fb5643bd055cdbdddc328598be1c97

Download Submit
C:\Windows\SysWOW64\Cpifeb32.exe

Filesize
96KB

MD5
2c44df5d38ec27668d3b6dc4b924442f

SHA1
f4d0074ed57e1911c1199e42d754dbb5210e1421

SHA256
b303d0ef1f0eef07ba757b9973b56c87596f4222ff0adeda6c56d85d0f644b64

SHA512
1b681b4493af8dff8536a0f7db928e6c6693934c043fb2be28f239ccfe43f2b58b91bdb000c70429891cdc2e176898f51e4b178d15834c82008f2f66ffad9db8

Download Submit
C:\Windows\SysWOW64\Ddcogo32.exe

Filesize
96KB

MD5
fd9ae95e802c92c240930d750cd232ca

SHA1
d26d7826096cf28033de6c5a808b5664276ce82c

SHA256
1ceb4ee14c428f7b68bed5404d92bca6014335dfd4f5d853479383d118d00be6

SHA512
57e1465260acb79819dbdb4a5afef77e1af05ad13f4dcbca4d0f5f65056b8017dff13e3fcf2ae2105b550752c1af5675a7eda0f6d51335b4b9621d6a2a281c0c

Download Submit
C:\Windows\SysWOW64\Dmnpfd32.exe

Filesize
96KB

MD5
ab2f9237ef346afd835458dbc1b10ec8

SHA1
7dc7716e66930b7406c0cd9e56a25fd2b36fd411

SHA256
b5cd827d2fc5b57a778b37e4e9c0eb1c0ad369c08b982959b65bf948fd21847c

SHA512
bbcaa4329d319c1a59f12bce906295ddd3899304fd6bfdaec9fbf7d4c241ed835676316bc59e9be7500fa6ab1487fcf39026719725d7661f3cb45faf00691360

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
96KB

MD5
2241b0465712a8f5e05c0804fecec7f6

SHA1
755082266a909460b2dca21694b2b8c135996c72

SHA256
73151ef0ae62eb946671a982558577b4eb3e7f569eceeb76921c1a854b230b45

SHA512
9791a6c688345b1e7b4b574956436c5d857f1f450ae08348578ad36ccecd92f3a980f082b72082efe094d0d1542937db6c5566b73e99e973c87b75e8fe84935f

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
96KB

MD5
6660aafbbef98b34c760debcdd9bcf8f

SHA1
d690946f5018ff6ce630553b2abd84e9847ba05c

SHA256
e5a9e0f73ad79c9afdc88b99af1ae0ceb885359863ee589b14c674f3d33f0834

SHA512
52f8ed8fd3eafefb90870c90264ffe3b581fa1338ea7972dcbcd2f3f4d8eac0e199f23b19ed94bd66cc22b7b2d617e37473aed6698555dc9ad8d4d8704bc12f4

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
96KB

MD5
152d05c73bd20cd71ea3c0cd243f6dc7

SHA1
5163dce2fa4cdd582fe1df39b8e9c859207db061

SHA256
854476d9933e9d52686da2c503697ecb083a683d798c213908d2f654e6667b45

SHA512
8ab38acc6527477ada6d2c5e09b8f2fde9f5bdb91cdc091f06b84b03c91c828903c0d8714756d040a9b0bd758aa307d99da92b3678b695dc9fd8816783e869f4

Download Submit
C:\Windows\SysWOW64\Hkaeih32.exe

Filesize
96KB

MD5
145d571d555850651a43968c3838209e

SHA1
cb8c5569508e92c636341efb389075e2122b591c

SHA256
e593997b260373c57d24f26fdd5a9db9e4ee19a5d8982ec5698d47023556c89d

SHA512
48ba5ef4c681dfd21d65005d4de6cb974324e3ec7dc972e03b04aa0d94bb04906f2e29b3a33ea3e908eac6240a5cd668ae19d332bb0bf975979a4664394e3de6

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
96KB

MD5
1e9f7797fafa51a141a2f044d10c27b4

SHA1
0f1b77ebf4427c0e93907ecd9ff39f253a6471e4

SHA256
75363ee809858eb091a05752fbed663534619ffa9dec91c56378fc6f28f2f5c8

SHA512
1868c2d1bbd99a0aa1aefb9b4b72edbd7ca6c6e722d36492a35b9d0fc78b626dd4bfb49f0ff7818fff81d1607ec80f49bf0dcadad3c27eab74f35145df14528b

Download Submit
C:\Windows\SysWOW64\Hnbnjc32.exe

Filesize
96KB

MD5
c802d4bbaaeb7df81f6591866de40952

SHA1
abe29ed48f7afee874282710ec3fc79c8bf09ba7

SHA256
e2e71ad2529f0763a411fbd37f5a86d4df0a8c9c1d1ece7f1e906d049e34d050

SHA512
2ebb3aa094a67a2541bea6d1188486a95cf9f942803f7fc715f45c826414578c6f1bbea2312ae8012228349e0ae841aba82cdd7afd32a6babc799c54eb8b3461

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
96KB

MD5
1613b2b2f8e37c4bf2cffdf7f72d5813

SHA1
c8630158a0594a22a73770986edc65383384c7cc

SHA256
9c912833409d52c32d8c2ae3917a2ae99a1362f5858894b97627ef05ab83becd

SHA512
5e6e6980305c24d055083ef1af74cfecb57d4f6e105189dabc459a1f4db8216ccf86a947b3ca7380f07d244dfe3b7d5845271e05e80bf6e58d7b4cc35d69bf0d

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
96KB

MD5
7db663f4fdfe7518669ee27582f1f678

SHA1
31fa0a1161abe392ff1c62d3c46ec842130debe4

SHA256
73c95da150f694170c09539e4a8a7e50664bb9642e002d3fee4569aa9e53b9e2

SHA512
cbf5a4e6603e071f618847cde2a8986fa126a2703520efcefe7713632cfb7ff8e02e29e188fb3cf841eda186adfa4bf1298b076e76946aa6a5cfdbfe22e1f8e3

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
96KB

MD5
8ea22b565f417d6cfca62d04a38b35db

SHA1
ec0bc414cafa23a5a5d9f697b2d395bab4122fe0

SHA256
10f58527246cce5481d8b78ef881f538660f1d073ce6560896ea1a3e6273bd9d

SHA512
57e53f1c22707c6a963f71ac615092580161a99fce62610df4e80f99214cea652f706025288cbc41aa0bb167b969f8ba9eeea2ca3e037cbe59a6238a2868384e

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
96KB

MD5
5ff9eaaf1a41f2947690e4aa1ec2611c

SHA1
5b7720fc4ca7f658ddb0a7829298c52b853026f4

SHA256
604a3f45676eb63c3a74b31a92bece4380b33e1cc6591336aec36b754a887716

SHA512
da14c5cb66d93afacb35cc9feb25ddaad2311baca9e309feafa94340805e6bd9e5f1d0a1715e11cd4aba566b41409e4e95677f5f6f86681a57b61cea101fd238

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
96KB

MD5
779b12ea06229c5c58b630b4db70967e

SHA1
b8faef5b9196448c27f369afbb51b8b94bec0be6

SHA256
e7eca1e69dca0a7ab22a7ffbd72b4df0b59d15554a9b9796ed3d0ea50e39887d

SHA512
1a915f3a09c575e01ef97947229640384517e4cd979b6fc7a31ea9d7e12d669052ed1ffc3afe1888c5a5c0a8a97d42e3d6289f250b2e9def71cbe18f7b8cbc20

Download Submit
C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
96KB

MD5
861c3b1c9321d19bba7c0a82bbcd9b64

SHA1
fcd96e396b25f67057438595c29f4e79ca6baf22

SHA256
5066ad9621b24766a8584a7e3e6b27595f01bda0aaeaf8994b44a64765beb49f

SHA512
15aeef45925b404759dd26ae0e0f2c1207547581a1b6da6ca661f5b67608b99451648234239e2c126cbc0570d29c58e8ed7111251a998e806159d62a64cc958a

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
96KB

MD5
82c96cf6321a003a0555bf727921566f

SHA1
f7fc39c9f0b9abffd517bc3ff4cbd27acf396e6d

SHA256
adfbdcef81336be2da28784e283933893d5815dbe51d7dd01048d2a3675bfdb3

SHA512
fe9f75e5ddd165ebb07e5da2302fd5cb7f8f2f3f0ec1f7c196d64d014790e1be89966f6a7f33072536b588395eb46c8ee0992a6dd8c6c1d940d97b27699d4940

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
96KB

MD5
849c4606bcfa3b3c1ed56c659bdf36c1

SHA1
b1322b9b26b2f1f5c2fbf7ea4f9e7cdada8b08f4

SHA256
8ce5421ebca3c560157593df0d7fd3941bf2a01ffd0347abaab40dab301c83ff

SHA512
6d33bc3428fda48f4e702ad4fc69b6cdcc99ade3cef7cd49eef4170b5f0b80d253e35fa4075a46048cee10f616f424c1e00ea862f98ad89d6d81f34b29c31410

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
96KB

MD5
182487c70a6327d7fb28751119664f74

SHA1
a0a0fbab84fc12f293aa15763e27a5713573f90d

SHA256
6336c3f09960b0ad9375383eb3b502713e8b227ede4e90cf4614a875e9daffb6

SHA512
30608d5a2b8183fdd6f04f32b951197df1c8b5aeef61af9c5c60acf24ad93de5dd82aee967ad15c5a5187e6161f637e61083eae523c478e6511eb12335985850

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
96KB

MD5
1b49d74387313a15d340dc0b156fc751

SHA1
44e9feead61616f54ced463afd567cc0d1c209b9

SHA256
04621c001316a42a39c7beea3e6b4475588d634a89f108fbff95846937f423a5

SHA512
2414d7bc3fc8438eef07ff0a45987db0100d8930ddbf8c809cf90337133f184685810b616e520f68f87a854fa0cf6a99e466141531c482f1263b75c063888a34

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
96KB

MD5
28fea88434bd38a4ea08059cb6808a22

SHA1
e446cd7b85ac4bbe55451a9fc868db0794844cfd

SHA256
23e50fbaa8d2b6e857bc20fe5eb2fc6bc5a28f8c2f16e1b41c91d32e74200a75

SHA512
4669202ff17d5fe1d77184f8b65aecf75d83d0e694cf6d944e75f4187d6513fe661146f15880494a688d004adef0cbdd2a52bf1f49d20bc4ea19a029ce0ee0f8

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
96KB

MD5
b63025d034750d4dd6c6426483dd9e5b

SHA1
feb7f906e5e422d2c320485b23087c318a0eaa09

SHA256
d6c22fb7704892de2739d61ba81f7f2d99d88051bee2139e54c1a371567b0a3f

SHA512
e252783c2fa6c3f7edbf8bdd01ce6fa23ddba7482fab87511d1fe02c840f3c47fc715ca0864b5fce5f822b919f1b97df8505198231f4cf7980385875ff9d2b2a

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
96KB

MD5
d63127043368d6828059526607b99a72

SHA1
8797d7f55c202b285a2da6a68e28704f2d639d52

SHA256
4c16da12d7f6070df0ccfc9dacde560c9d9a261e727dbe11549ba32ac309550c

SHA512
cd80f1685afd877883a6e8642b04aab467a7aac58dac3d1e441ce9b34433340d361d808b7ce9d67aa67136dd1a367b5be0d98baccae02003f2aee835c1e0f512

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
96KB

MD5
4a90a0a242a86b43193c3a59662670f3

SHA1
fd7b4bbce2fd05a2e2cb2a7ac4ea962ea6ca3b36

SHA256
f2fdcaae348928da8ceeb6bfe31ef4dd7d744e3873b1db8100a7812bdc883ccc

SHA512
ec83cd61740e0cbe6669f38afbc81a5db12eb3480b987555aada01cc74c2ded30cbec9d9eca602e012b1e6a87cdbc01399f219216bdb0ed64c1c64a2faf5872f

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
96KB

MD5
e4e99aad81134e2915bf0d744884d529

SHA1
98e474ceeb3c990cc018c3c5fd1643ae7f1c0817

SHA256
bb6af21d00b6b68ed25d28948a6fa2d4b5d9aa67d0fb837953359e71eb5cd83b

SHA512
ee76789f32c199251007cf2867590bdfc3a3401d6ce9cb9c606e385dc52860d644d22720c0043654b45d9093c6bab42ae14051b98273801115b6cde50fa9466d

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
96KB

MD5
081bf57009e0dd98547aa08a0ada99be

SHA1
4db73a5739762a47b1fc9db7fbd039e1a0983f3f

SHA256
d44842a3e1cd511cccfe36ddcccbfb295636d5670b9730ab8e19cbf7f7e1dbae

SHA512
ab59d5ea338d00cb6c2868d95af26932fa9b18552ed5318077bb69179034a68503c61024e0d67fe36144c38e9bffd14510b14f6c17cec98a1bf5d5a5f430254f

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
96KB

MD5
8eba7169e63b012d0d3765e04d8c99c1

SHA1
b9a164f527d127f285c9d094bd52ec56719f7b9b

SHA256
f9c39dccd1e57067505a7383fa6188d8d035fa53f70d1b8058f8b8c58e9f69ee

SHA512
082cada82bba4b5cadef7d3e772a9aa27e251bed8420a5eb41fc112f1a1019154e4a61e9eab6e238b4db203c95086579b13af904263d323b1214380a97ccda21

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
96KB

MD5
8f4e215f2599939cc401115bd33e5142

SHA1
34fa08c468392ce0af171b59e9f4f0eaec232837

SHA256
ca31ffa25bf4cd6bf6bb2bae3bbb21671da3e0f4286bb209a61b9dc3e9ad3e04

SHA512
24124d5beba513a4b4473e8054862ca270f5e7ad7e53c576f51716bc1ed68d5cba8e5b579730181651eafb37a658d20a890d8b615f01719f39bc844375a75888

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
96KB

MD5
68b50ebcd109adc16cb15a7f3361c5e1

SHA1
bec968eb3782134982518876e36daa81dfc97028

SHA256
5d55ce25bccd9c155e849f70a2cb8d309a2390c3e1338ccaec81f11f266509ee

SHA512
2efe4a8745cb1158fdea996db2a303935bd206f0ccd15d114cd4d9619fea8924017972e37e7e538247fdbb08733d890c61eb57ed87ebc241ff559210dcac3945

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
96KB

MD5
ba2cacbd5a0773591ef16a1740dbb7d1

SHA1
871bfabf07edab30b0c0f454ad012a67eaee3340

SHA256
ea0dc10e2a7af09bac832640c7ccf2c3e8d556b0e8b3044fa481ff075d285dc6

SHA512
d160f7476d9f2324c205e6e7a7f27f1ce4c777bfa0a2bc2f94087645ddadac72b12ce8e7571e9126110d839444e89c198967f4a08cdf7ad363b2a4a436f502d4

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
96KB

MD5
bcfc7fdc3968a53eec57ebf0d39cb7e7

SHA1
0a228c43181f4468fce5e137e297b665f5827519

SHA256
a126d91d79d4ce26523985e28fe99a606b362fa7464470a3f94d4b55f234c9d7

SHA512
60b0369345c9866511885d58e7052ae60d553d5212ffa4bff892cd9551c201063e2ba39f5dd54c80f111d61dc5e4b0c9cf70e99c71cbd3ca5798da0c4399b00c

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
96KB

MD5
138098de47bad708d8230920848d7888

SHA1
94fb28533dfd85829c3dd77da8674b42ff3495e5

SHA256
89e22043a3bbb81516607b3658bcb30f98d46f839846f7db5cdcfbb1364af454

SHA512
29fd9d5d484befc98241b0c2ef6b694bc1d9a130f67dbb218c36000257232884143c6cc3ad7688798264fc1f35843f4a15a19aed97046fbde5e3da704c08aa58

Download Submit
C:\Windows\SysWOW64\Kahinkaf.exe

Filesize
96KB

MD5
ef7964b8d41aa07b480b1b9bb6f5d00e

SHA1
a2f7f0c227cb73e8b49e7dea99c4b9b75dc9f875

SHA256
6ef78aec27cecab6cf8b4ae4e638b0ab346bb915012b06e987c2f34a9ea4d41a

SHA512
7b702f2c84d34629f68707595dccdaeab9b291f193b294bfdb0ccf523cb429790042b1a60ba50cc585163e284346cd019ccaf38c6c9e84f974a874046627e104

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
96KB

MD5
49da569c0deac0220c9cb2330748aaaa

SHA1
6f5746fb55b23ac532e4a2bfb3c7c9dcb4f0ca9e

SHA256
a381793b668c9c4c38555944224ee429284e3c17e7d68eaf31e475f885627c46

SHA512
282119ef2eff53339c4da61e54fdc4c0700d3bcf29ef83b7a15d3e8ef97682f4707b72597d721066c00b7971cd9affd0a3d70fd12342e7f6ff0d219d56b7949a

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
96KB

MD5
76865c4764d2e7c5acc90f8aaf741959

SHA1
4ffce4c72c114f5e43344999292fb55262bb0ebf

SHA256
2dac32880b2fd39e87269b4e8485f0df64a12da5de0705ae38b03e32639b8751

SHA512
9a888993a7f33e68d045068241981064ca7de4a1b2d82e55449f660196ddc52eba754509980e6ae9e1c80ff140e91abbc85707d4d4a3d6c4f89d79d4f62cd357

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
96KB

MD5
b3ef77a1dc18d010fcf6c1c3a8b5e02f

SHA1
b8d8878e6843fb137abda62c86e31427b2022d1e

SHA256
30c361bea7bb4369caeea875376c8cbec39e268f23bc3746ad6d45ed54226626

SHA512
49954377f8f4702961a6d54de6be1d9d0379810f685fd704a4b3b08522494647bb57a45b5139206a20a03612ccd4c22a678b7642e22caa40d51dbf817a8ce88b

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
96KB

MD5
4ea44ad6bee17391dd0e895a0345e645

SHA1
b090e549d4d567b7982d17c811718ce36a838fe5

SHA256
acda89613bcca4f7480eefdfe8a0b032b533d8c9cfeb3371f0c02482a85206ed

SHA512
9de8b841459f3408c35b95dc03de3183277873ab617be360cf01b0586ce6087cb43191f2a020fbfda26384ac4a772e583f52bfb5ed46a3ae36597ef5d1cc8fd9

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
96KB

MD5
25eacb4b880e26f3420c82cd317879c3

SHA1
96cfc8bf8a8883abbd1d64a5d28b37177e58208f

SHA256
f4cc8187104d71e5ffd3c4b5fb111e4810bb731afccbdecbe53aedb6e3bb4507

SHA512
f329af9cfef0755a4d7e5fc44b3d9ad5d982e49e8626db5bc165c7353b42caf2013d6e342bacbe3a0b5840c55cc2830b6ce4070bc79364474a0ad21b7e75ea8b

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
96KB

MD5
5843141e2c7ee0331f7ec3b48c0c7763

SHA1
a516a00b994b42ce3d7a4cbc601fec13ebc0a982

SHA256
350a6180984e719eff6b8fb767b89dff91479504bed46bcdab7a177ee74fc3e9

SHA512
ba64bf1e9ccddcd8f580cd59010e1b062a1ce0a0d29d227c3341dc9f5c875a6840778fd0c60fc449ae0970ccd9d378c3eded0fe41d8116ac63d0dddd0eb36c0c

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
96KB

MD5
b9bd403a585571514bc3efdf7f91657a

SHA1
1ec5ccadb73dde7621c8e493830c6b4e7bcbbb46

SHA256
b3c2f94093885a0510e6dbf0ae8bbe558d00fe9d61ad56be5406edde27e2a721

SHA512
6176c6d9b893733d5ebe49159c21c812c33100e7cb814a8f6593fc4fefcc2e3dd2d83b17b07866184c43572debaa4f871ceede70165efcf4bcb52d3d300e6670

Download Submit
memory/380-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5136-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5280-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5360-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5440-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5524-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5604-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5644-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5764-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5808-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5852-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5896-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5940-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5984-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6024-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6084-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads