bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe
Size

89KB
MD5

29886be2c734a907c726d6591a9c2a82
SHA1

73b8ef8112b47f157edff2affed00fd912f08b37
SHA256

bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a
SHA512

1b124f25db5285e99e3aa06e9225ae1767041a4e74a3e4aec6bdcedd59e67ba128b86a366176f2d340573e9001c0a53af7d7618d99b9bd082ea3855354f25adf
SSDEEP

1536:k2OIb+tHzbw1em8ETRVQbt3tNMWv2Zb4bmsCIK282c8CPGCECa9bC7e3iaqWpOBM:aIGMkBEFVQhLv4b4bmhD28Qxnd9GMHqI

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe

Executes dropped EXE 64 IoCs

pid	Process
2992	Kibgmdcn.exe
1884	Klqcioba.exe
1324	Lbjlfi32.exe
4252	Leihbeib.exe
1876	Llcpoo32.exe
1144	Lbmhlihl.exe
2880	Lekehdgp.exe
1888	Llemdo32.exe
4644	Lboeaifi.exe
1300	Lmdina32.exe
1364	Lpcfkm32.exe
4568	Lgmngglp.exe
2812	Lljfpnjg.exe
1236	Lgokmgjm.exe
3388	Lmiciaaj.exe
404	Mbfkbhpa.exe
2156	Mipcob32.exe
3364	Mlopkm32.exe
2200	Mdehlk32.exe
2636	Megdccmb.exe
628	Mmnldp32.exe
4712	Mplhql32.exe
4772	Mckemg32.exe
4640	Meiaib32.exe
4572	Mlcifmbl.exe
5116	Mdjagjco.exe
3652	Melnob32.exe
3016	Mmbfpp32.exe
2124	Mdmnlj32.exe
2184	Mgkjhe32.exe
4560	Mnebeogl.exe
2840	Mlhbal32.exe
3560	Ndokbi32.exe
4344	Nngokoej.exe
3092	Npfkgjdn.exe
1152	Ncdgcf32.exe
3104	Njnpppkn.exe
3352	Nlmllkja.exe
3884	Ndcdmikd.exe
2172	Ngbpidjh.exe
1276	Neeqea32.exe
4820	Npjebj32.exe
1756	Ncianepl.exe
5072	Ngdmod32.exe
1460	Nnneknob.exe
4480	Npmagine.exe
1664	Nggjdc32.exe
3432	Njefqo32.exe
4488	Nnqbanmo.exe
4884	Oponmilc.exe
2648	Ogifjcdp.exe
1688	Ojgbfocc.exe
392	Oncofm32.exe
3616	Odmgcgbi.exe
4492	Ogkcpbam.exe
536	Ofnckp32.exe
3444	Oneklm32.exe
2452	Opdghh32.exe
3284	Ognpebpj.exe
1684	Ofqpqo32.exe
1448	Onhhamgg.exe
1116	Oqfdnhfk.exe
1676	Onjegled.exe
4528	Oqhacgdh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Klqcioba.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6988	6896	WerFault.exe	247

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkfmkdc.dll"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lekehdgp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2992	208	bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe	83
PID 208 wrote to memory of 2992	208	bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe	83
PID 208 wrote to memory of 2992	208	bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe	83
PID 2992 wrote to memory of 1884	2992	Kibgmdcn.exe	84
PID 2992 wrote to memory of 1884	2992	Kibgmdcn.exe	84
PID 2992 wrote to memory of 1884	2992	Kibgmdcn.exe	84
PID 1884 wrote to memory of 1324	1884	Klqcioba.exe	85
PID 1884 wrote to memory of 1324	1884	Klqcioba.exe	85
PID 1884 wrote to memory of 1324	1884	Klqcioba.exe	85
PID 1324 wrote to memory of 4252	1324	Lbjlfi32.exe	86
PID 1324 wrote to memory of 4252	1324	Lbjlfi32.exe	86
PID 1324 wrote to memory of 4252	1324	Lbjlfi32.exe	86
PID 4252 wrote to memory of 1876	4252	Leihbeib.exe	87
PID 4252 wrote to memory of 1876	4252	Leihbeib.exe	87
PID 4252 wrote to memory of 1876	4252	Leihbeib.exe	87
PID 1876 wrote to memory of 1144	1876	Llcpoo32.exe	88
PID 1876 wrote to memory of 1144	1876	Llcpoo32.exe	88
PID 1876 wrote to memory of 1144	1876	Llcpoo32.exe	88
PID 1144 wrote to memory of 2880	1144	Lbmhlihl.exe	89
PID 1144 wrote to memory of 2880	1144	Lbmhlihl.exe	89
PID 1144 wrote to memory of 2880	1144	Lbmhlihl.exe	89
PID 2880 wrote to memory of 1888	2880	Lekehdgp.exe	90
PID 2880 wrote to memory of 1888	2880	Lekehdgp.exe	90
PID 2880 wrote to memory of 1888	2880	Lekehdgp.exe	90
PID 1888 wrote to memory of 4644	1888	Llemdo32.exe	91
PID 1888 wrote to memory of 4644	1888	Llemdo32.exe	91
PID 1888 wrote to memory of 4644	1888	Llemdo32.exe	91
PID 4644 wrote to memory of 1300	4644	Lboeaifi.exe	93
PID 4644 wrote to memory of 1300	4644	Lboeaifi.exe	93
PID 4644 wrote to memory of 1300	4644	Lboeaifi.exe	93
PID 1300 wrote to memory of 1364	1300	Lmdina32.exe	94
PID 1300 wrote to memory of 1364	1300	Lmdina32.exe	94
PID 1300 wrote to memory of 1364	1300	Lmdina32.exe	94
PID 1364 wrote to memory of 4568	1364	Lpcfkm32.exe	95
PID 1364 wrote to memory of 4568	1364	Lpcfkm32.exe	95
PID 1364 wrote to memory of 4568	1364	Lpcfkm32.exe	95
PID 4568 wrote to memory of 2812	4568	Lgmngglp.exe	96
PID 4568 wrote to memory of 2812	4568	Lgmngglp.exe	96
PID 4568 wrote to memory of 2812	4568	Lgmngglp.exe	96
PID 2812 wrote to memory of 1236	2812	Lljfpnjg.exe	98
PID 2812 wrote to memory of 1236	2812	Lljfpnjg.exe	98
PID 2812 wrote to memory of 1236	2812	Lljfpnjg.exe	98
PID 1236 wrote to memory of 3388	1236	Lgokmgjm.exe	99
PID 1236 wrote to memory of 3388	1236	Lgokmgjm.exe	99
PID 1236 wrote to memory of 3388	1236	Lgokmgjm.exe	99
PID 3388 wrote to memory of 404	3388	Lmiciaaj.exe	100
PID 3388 wrote to memory of 404	3388	Lmiciaaj.exe	100
PID 3388 wrote to memory of 404	3388	Lmiciaaj.exe	100
PID 404 wrote to memory of 2156	404	Mbfkbhpa.exe	102
PID 404 wrote to memory of 2156	404	Mbfkbhpa.exe	102
PID 404 wrote to memory of 2156	404	Mbfkbhpa.exe	102
PID 2156 wrote to memory of 3364	2156	Mipcob32.exe	103
PID 2156 wrote to memory of 3364	2156	Mipcob32.exe	103
PID 2156 wrote to memory of 3364	2156	Mipcob32.exe	103
PID 3364 wrote to memory of 2200	3364	Mlopkm32.exe	104
PID 3364 wrote to memory of 2200	3364	Mlopkm32.exe	104
PID 3364 wrote to memory of 2200	3364	Mlopkm32.exe	104
PID 2200 wrote to memory of 2636	2200	Mdehlk32.exe	105
PID 2200 wrote to memory of 2636	2200	Mdehlk32.exe	105
PID 2200 wrote to memory of 2636	2200	Mdehlk32.exe	105
PID 2636 wrote to memory of 628	2636	Megdccmb.exe	106
PID 2636 wrote to memory of 628	2636	Megdccmb.exe	106
PID 2636 wrote to memory of 628	2636	Megdccmb.exe	106
PID 628 wrote to memory of 4712	628	Mmnldp32.exe	107

C:\Users\Admin\AppData\Local\Temp\bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe
"C:\Users\Admin\AppData\Local\Temp\bd2f2384340aafdaffeefd21b416a7b0325fcac4f987fb0d0774e1c52738c58a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\Kibgmdcn.exe
  C:\Windows\system32\Kibgmdcn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\Klqcioba.exe
    C:\Windows\system32\Klqcioba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\Lbjlfi32.exe
      C:\Windows\system32\Lbjlfi32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        23⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        27⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        28⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        45⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        47⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        48⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        52⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        59⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        62⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        70⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3168
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        78⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        87⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        95⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        101⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        103⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        106⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        107⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        112⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        113⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        114⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        120⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        127⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        131⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        135⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        136⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        144⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        146⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        147⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        148⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        151⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        152⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        153⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        154⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        156⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        159⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 396
        160⤵
        Program crash
        
        PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6896 -ip 6896
1⤵
PID:6964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ampkof32.exe

Filesize
89KB

MD5
70f9fe02f0b1d8e11a4829308bb3a6c2

SHA1
3cc62b514b7c7a7d3cbed73cb46a6d3af5faed55

SHA256
a4afa778582a144c1befb69cbe3e4def594e9e0a4225c7fa17205de9a04f8d36

SHA512
3d7c7178bce881f1e8aa6e4ea6167b6b3984b3fe1766a4c96ff94ce3e88020d12f43c5eb46911c18dde7b55bfff501085f3df92ad36e420055173e27f7a494db

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
89KB

MD5
f184011f0a86535506ca1300c3cbff63

SHA1
3f432b05c1367cb01689b37057ba4c2539912ccc

SHA256
d315ee46ebe6d689073cada3ed4281f83c4b737a6ea6f0e2421a09c67fd94053

SHA512
560f63c999d3c901e2c3ad97bebced59b1500e6d0fd887d025baa09f533491c87b1a1fdd8c3028ae1a7580fb5545a4097498ffa483c2315e8ec0acada00921b3

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
89KB

MD5
c7c7db31ace8cb260bff2d73b48bf910

SHA1
651002ac05bee196765097022c3d4d93bf349b00

SHA256
514b64eea7698744661b888d487910b2b5d62d48bb864b40d4cde845f669a8a2

SHA512
6297d3a5a2cd44cce86bc8ff41a979fc8551a6b8d6b9d88ae9aa5ac34460539404440a710c89dfe4d2d598a3a6efb55893b484ebcba488b387534889584a7c66

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
89KB

MD5
3991b2f796572411d26763abe3097911

SHA1
1f42eebf7d0e484a1d0e7cbe7ecc69eecc6ae835

SHA256
6341bd1e02cd6f95508d809282a704ded7eba97cb86a2e460f0a8ffbda264962

SHA512
7f883274f9f581f2f2eb78fb3d070bab857fe48104ef2b8f3bb45451e1f28cc0d112518530903f4a33b21ced00f37a622628814cfc4dd43f9420223c4f2979da

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
89KB

MD5
bd2276d239a5f1f031b88e714cb5af93

SHA1
5fbc4d7f4e3de97fd6ae71ab7a85f306fcfe78ba

SHA256
8b86e8c04b0640dbc75a1b25d0d57900c9d59da82ddd5aefcf74fb4c664bb284

SHA512
6cc2ea53eaed361945bf442b383636cedce9420b721a464e1277c68084871ac449d096fd5bd774b29a6586ccb4a06738d88402b100148ad6113e939a8c8f1519

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
b3c1dfcbf6ee2692b992d66e2e7bed59

SHA1
a78c6e05dafecb2dc410099f369491ec319e9a4a

SHA256
82ee7e4a4bee0a1de1968724b2d2170b892cf18463d6b3e6028e1f5350ac5653

SHA512
aa75db884ce69118d149fb1ea5acf0f880e983309abf96761df31f1ca1c4d0b7467a16338df1739d1dbdca975e77745454e57756eaa6b151b1d81193327cafbf

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
64KB

MD5
ccbf2e785855f817607c4e5436d61e62

SHA1
6cc7b5ecc9af9864dcd3126b6e51dc673c5d7115

SHA256
f9fe6c9e7d65201223e8d139173075bd25d1f6709890bbb8f26ca40ac5bb2115

SHA512
08219c327eb83164bfb889e7128859cc8d34e1e17dfb6e063183456623b515f1469564d6875c9cac0b95117b23178882fdc8e8c86e432094bce4f65bf6e8ce06

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
89KB

MD5
f7ca80ff9aefafe7a82dbfa4ecaee959

SHA1
d9496e3a9e1553d2f937e2ad2d31aef27b1781bf

SHA256
719ed9095288e4f6c0d9dd4a3a23c9aac823b4a850405165d97e6617ba298277

SHA512
5a25a05b52e7d946469e9d2d41064a201948d3435d6c65b48030adde21a08d4db896a75f72d919ba1673fa8a41cf2adfa4518edb27332e33e55faa343bde9fa8

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
89KB

MD5
afbc6628d8fe46d70913a064849d3ef4

SHA1
5edfc4dba9bd8b9439fc8202060efcb2b68a4c1f

SHA256
2b0f2b4256c739be8ff4e14356a7e54119d5362b2b86379504807339fb326c17

SHA512
c796fa046754f8c838b131b4cf708052c8a557dd8df414514c15b0043a861d539b552c1810847cb73398fcea91a038dfc39788166f535d3ceae669149bbd7073

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
89KB

MD5
78f6409a0a2b77d2e37857094c2121d2

SHA1
9ae7f5278028627d4fc3d2c1a278f4cd294814a5

SHA256
257c680472d3be57a85376f3b932cd11aa08128757b4836249723305d5282edf

SHA512
23f486237e2f593d0c12c8ae788d9748791c72da0596cf2dfe90c3bcffce2b38499cd5d4d8f78388ed7e59436b900dd08d18951a719cf890a9f594ad827e81dc

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
89KB

MD5
478dd61c8730f73d2fb70b9d2385a117

SHA1
15514abe9bc8e34cf50890240a50ac8cc19968f7

SHA256
4146ba9b15a983e79bc0a94b9adbe0062844dc616772b531775dc6a5865a7b76

SHA512
db7707f1c1f84a5647f7eea58e4c666387c9f9a6892c7729a96eea9ec6acc42275fbaf00f61a14c66c4f4b268b82d2f5d50276313346fe58800c0c6062b77cb9

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
89KB

MD5
3440c1d01dc5e1561dac21b023cc9364

SHA1
75b13f4943d9826ccea35e05284fe806c6816eec

SHA256
267c9a346049db1ffed9b59e8cf876e8dc065168739050219aa8c5bdd47cfada

SHA512
8b8e1a9a4a5382d7cb8ffc2ce69362dc6ab5cffcb23d1262bb3f98205d19e5f00ad6fda74bbd91ebe698f54d65c54d3abc6533b4b07f298b516a3cd3a1b6d0ac

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
89KB

MD5
c4481bb4a9d553fd01e043df0863828f

SHA1
318ea2e1e2ade1900c2ecb78d7d0a058a8dbcc4e

SHA256
1dd4db4dcfe17f1f5cc49a24f70f10843ebe4b12d40eebcb0cf835dda17aa190

SHA512
1b1a39270ea8bb282a0e9edc2144aae04868aa3e94ee5e2811a910c96044746bc4880dacc242b7e8fb0ddf29a85403d8df6f02f6bb09224d2e4f771553551e1b

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
89KB

MD5
bd93fd2aa6d399cadcef57c23b0a67d2

SHA1
d7781bf657213fbbc89b9910d0d4c9268c43df24

SHA256
4bad999f3b0885c4ba1e9e5751039b5a23ae0458f1baa738fd003065e15268dd

SHA512
de1e9584f000937eadffbda1ed145b9d34b1deecea8f239f9b9f0860d31af6fc9c68447cc4a4d89f7bc5c11902a4fe9f8f554ce8bdfee51dd17837d1ee4c23a2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
89KB

MD5
2c6988e954bd1ac21efd827a0a42e14f

SHA1
eeb535d76749769d8baa80693ceb90682dfbf17c

SHA256
8aa8813b44750b2332afb2d20662a6497348246c41971bcb8465d134044a3508

SHA512
9ef13d29300cd353743f32cd3c64cd61b926bf2cea99cd28a4f355e0594b353ad6d42bdbad64abeafd5dc439365124e7c34dc86a558df7cb4e5c2fdfc96951c4

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
89KB

MD5
c8069127ac67d0e5ef37abdfe5c3ca00

SHA1
4d3e528fef088d7f68981eb2a123f19e1a444829

SHA256
90a76075efe23e391dc9b2a75821bfe6157e05d0aa0f38c82adf1bb9ab86bf7f

SHA512
e1ba848973b68eed1b6abba5a60d625b7a77497209598749d91abcbd3ca2fdca20d55881f7ba37e0053a14b1881e4f15193c7e8231ccb71cbafce91056ca2e21

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
89KB

MD5
9ea1554d3910fab9337a25baaa4231fc

SHA1
a2a91aee28378b4e4ab5905cdd3907592a2021e8

SHA256
9e97008b6855d0f3f89f966e0b6c360c65466b95822a9bfd51b2d5f0710ae74d

SHA512
3bd41cf4e8965b8667b5b345cfeaad45e829fde0958050de85c97080ad7bf79e9568c65fed9b8af360c928810013922ecfe1793db095bfaaa84e396ed0b8d2e6

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
89KB

MD5
eafb5e2f7b3c70912f49094370828fc8

SHA1
467bf5d6bf393d2da199947a11825e1955c02aa8

SHA256
2657a7f320cc277f41eade1f6a77be3a9347a5d6525e4460cb14cf7af37438cb

SHA512
5d8c815e5f6a1144d33429b92195bddbb9d35339f20253d567c08b5fc52452cad7e7d17e2fce65e1067fa9e57bb6042f737e38c213406926ad02c33b303e88c8

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
89KB

MD5
fc1aa6a0440d5fc49ed7c2b9f46d79fa

SHA1
fc314171cba8ee89fb49a6603c55e1a7c9750f17

SHA256
88fc2859f24556ea8b1b0f6e306c4b5813ec7cbf2ead753380a572fd85ec8255

SHA512
4b8b8fdb5cfae5666935dce5fee4641a646d9824354bb3125a4d679e2e39b3eb86e0883e69bd52cbf12331b5d11654f51a918edd3dbcc45034b034fbc8031ae8

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
89KB

MD5
324038fc235edf456fba1c8412733184

SHA1
fca326f06a762de5cd054ce99bf2d0faa2bb2d62

SHA256
6a6ea9469dc96a73fb321f7777dcd001b876efba3965fd520640efb6624cd005

SHA512
02563296806b06fa5d8f88f977d0a0d43ca59e4d4b1877bbcbea3b93ccf0fe04efce3cb5ef5908f6b0d3c2085f69bf76b38553e6cf46fbc8188fc773942cd2de

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
89KB

MD5
d3e60b2e64782f72d875078e629d0aa4

SHA1
d5b700e6fb9d9e3a54e47b11604c7fba7bb8a62e

SHA256
7f9f2a4b1f7f401cb2ed90a91d8a6664333d2f01be8ac5f3fc26d2621f5a33e4

SHA512
32bbfb00fcf3ad9b54c3dc51679b712a29b4a681ab5722656e8c909b9a4fd43c48159daa6322f1f56578cef3ec669eb262afc3b4255fb7f7df5aeebafed1be0e

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
89KB

MD5
8773720ecdc29a7083238b963eab8984

SHA1
2289a7c3d8cdfb0c33957771ea9cea5346d827d8

SHA256
613af11583b62ff558a81c1e16d275a02f278b0447b01ccb7a708b1a9922c4a8

SHA512
6961014dc6bea40fd8f1d70e5a55ffc224bfa7c85cb5221c5504d34a1d96aeb99efbf69131a22deccf32a3cf84a3e95846263d30bc55d8fddd30fb33b8266924

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
89KB

MD5
a0beec9406ee43091f499b571b345a88

SHA1
e3ac91d8a99f4011fef1a5d32480c4dbb6898ada

SHA256
ff8781f41185084f03b2a18da338624943b3a7294d745b472a2734fb7ed9189d

SHA512
ddf4bebc3417988e34c45b3477e3c786d8436a9474202a9db5a34da6e51674b6ff5105c5c52fefc3d817782ea46ddde178f40c2249242972e9636a3ed3ef14f7

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
89KB

MD5
2131cbcb7b093f591d24ad2b1783fd2b

SHA1
90c218e6b6cc456b4c16d2072f5c9c75b3353390

SHA256
9407975fb481387a702765faddbf43da3d158856a609ec62bb0c5d4c0356ffc5

SHA512
8ada6df49d034c169901386c1c2c968d67c38de5ad86b693dfeabce24e5e2464cec45f11b91c49da5f47b05d20b8c842b19cecc8447ac236a47e1726788a0bb1

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
89KB

MD5
d70665cc1e5879b2380a6301aae9dcdb

SHA1
d259496a662f5311210c0f354532089f8398277e

SHA256
29ef66975bccbe07ca2e90415273b12b242afbd8ba82a334f356ece706182410

SHA512
27d6adde3d6955275d08c0903fbcf49dae6e682155668d0d810f1d9e853a55c522d3d990e0a7b177908218a817ea77548039e227b082822722490ffa39716b07

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
89KB

MD5
93f3513f8c0a9900f04bc849b1480d56

SHA1
6d3bdc0abae7eedefcc5c906ef892b6ec1b56ce0

SHA256
3e6f8ee935b53834df7dd61baf02c498f525aa954c952e6cba458d902c219b8b

SHA512
1a405d1715874485273f8d70c81138538d822fa332e76695cd72cf575fa1f52db6655954ff184fe66ee01e2f51007cb2918117ba909ec660435de03c0ce6635d

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
89KB

MD5
a7ee06240536be3b2d936f807aa78eef

SHA1
1e82ebcd5c86dfac33ee27f14b65a38ed4ba5055

SHA256
fb60621708c31cf0ae1ff16a243904c7c81f487afa51a309053f8de497e7aec5

SHA512
7a3620f334af97f874812df167a27476f24b5586d8b3e7eec3fbdf0c499c91c8da11c281e6ab760fe76908e065620261a2ad58870251b7950c8b053fde2cd88c

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
89KB

MD5
d2b5bc86d20e41acc9ec22e7408aaaf5

SHA1
c0f89efa45728612415117a181cdc57e2735871c

SHA256
42519708ef8a77f721e440b3691803d1058b18bd7fda2253fa82e8488165addb

SHA512
1497436184e54aca3fbe573ed8b3b4afbd9a5a63d4feeb2cb6385e9121810174da6bb696174b9f415641b994f02bca4479dbe7546c387f91f77c3d5a2804287d

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
89KB

MD5
5f09c86ff3ef83fece8bae0ff92ed72f

SHA1
42dba5b1188d898815633a84408245ec6f02c957

SHA256
e2ba75b3b7fd9e55b2c910296b19d35cd35a9847419782d8a4bd3e934e449a2a

SHA512
a17ba788978245580cae482fc0c223afb86e73a8fdd9ad623548bfa89d48ee49bc16f128210d1eaf3b408adf1d187919ea6f46107d5f131259a8ef26a5902b85

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
89KB

MD5
2ceb450dea647876357ae0f013b37e7a

SHA1
1c27f018be8eba75a294a8fe00d81845022a5d7f

SHA256
bde6633da0f78babae02e042842331dcd388f5aca74c543d4a1f67f64571c2fb

SHA512
c592650fc3aeed937027e34db6a8dbaf67b594d5b20324ac3dc9deba507dbfcc5cecab2a18ebabbe317cdc96da4d7b190512880fe1049ea18e786d2a4e5b9559

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
89KB

MD5
bf44fabfe3777b11ffd7ea0f6727b0b7

SHA1
8a73a6dd823eaf78feed47e2ffa2e555eca07518

SHA256
14616ea4bfb26fdbc3db27974c2188798dbd9aa55c397353ec8323803906bd0b

SHA512
ba79b71cd3a06a0363712d0105aeb7437bb0337d25624958a3612eefad86637da25db60da2c0c69c72674df2e6d4612cd1c4bb6324e136254e2260a1d7da1d88

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
89KB

MD5
832c576031a06e39d34dd5ad9629917d

SHA1
3f49cff0e6815538f0fb5e49cccb8539a3836ca5

SHA256
ece515a38d57437b6894ebfed0c4f78b502bff60f507206f172df7b593a43416

SHA512
93ef45d3b0a72a1ee784d6ccb0d235d89ff76c867be0175b057620d3fdc8029623e601fd48c9ea42f299083adbe86ebc235e0a590b8ed21c6958e5b926dfefff

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
89KB

MD5
098da8ff98abf9e2f39b03620522f6e9

SHA1
326e43cabba8c24b081efb727d575c9f323925db

SHA256
53ca477ea97abb263356fe521f3980e9cc52afe624d46bccf3b3ac6848c4751c

SHA512
48f67b86d96bb7b204864df68ad32ec282a4e01dc834254a554af1d6e70d4229cca91203be1784597f587de71124d023190e8fa9292f472b34ccbe279acd1ba7

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
89KB

MD5
70ddeceaf0df02d0984708e17247c7e5

SHA1
1aef52c68a622ccc14c9a4fc242a6a33416e7919

SHA256
9dd9a6a253ff5fb2e249d58e2da0fab99ac8387240cf69f3b6b368074f0ee080

SHA512
c66f8ede742b825d72dcd6bfe085c5a2068cfd87ef707d2c4aa5bcedc78b6c843e35ad0731b13eafb38e6d91d1c9c871d56e591a0c10f13122de2d45e98aaf93

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
89KB

MD5
289a6e8560be72a24b30ff5e972aa1d2

SHA1
3b3a98e648989e25dde7084005f8a9abb163ee13

SHA256
8ea9749154cfbebe2d2ab566ba22115ecde20ae5d1d4e52c283d697ea61670c4

SHA512
214272aed7f819cb918bfb8af97ad9ffc6fdc083ef82670a1881945134c0ae9360bd9a2772f9e34814ecc9c44a75c27ff1a46d859f63f3215585743d73fac77c

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
89KB

MD5
c2d8100cb5ece4a6dfae79ecb96e9553

SHA1
30b08773ba6afd3dd3e3528c828577bc9fe9f1af

SHA256
c5cb0c912080123452406d12c43764e803359ddb135d0fcc6baedbd357ee3b4c

SHA512
46a8acc4ef010e5544eeab199994c645b4a7d94ff9ed765b84f07fa403611a0ac64d24fdffb5712225d1c4c41c3e2ae04b5c9a6b52b6eb4f8e2a8c0bd0a7d940

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
89KB

MD5
417eee8ec22e3d5999f13162c613a877

SHA1
8949c59693cc8919eab55251edeea73f22110181

SHA256
e8569ae38d26ce369eb3d2768da06edf41c0b8e9052ce0b460a980d71f064899

SHA512
5856403585c28d2537c085ce66eed3df057cd74014fd9076f7a2fc701aa9eb9623b2292b39f03c0077adcc8a2a9912421f979c0cfbf937c36bd63285b729db3f

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
89KB

MD5
aa154b05e859fe095508c25456d2c6cc

SHA1
be286c0144ffee8c4e5cd2ec49f53097463ff1c2

SHA256
9203757bbb824f225fcf8d8926e0d3f77014f024fea77df54be92b6d4d97a22f

SHA512
2b9ad1b649350725dea8b93a7913b78d10cb22e0dcff9f1edd6539c345931b6861993df4c7ecf6931d1e9c25d16740c48c1a01e6a3276e294eb41d7e03770518

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
89KB

MD5
e173f8327502b9ab7ed404c6e7ae11b2

SHA1
de7e7a12258151c678f6828aad98f9d670910380

SHA256
0602314387af03ba93c17ab60c2ea7387cb4a4514e69b347426dd7f5087f2cba

SHA512
cb9f41caf0494aee9a135f8cc431f445fe331b7d24baf39ea7f664f985f8eba105f07e158bc6b67eca7509cccb59ab28fdb757ead2ecaa9b1e32f24609b6e590

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
89KB

MD5
357717bca3149272a00d12126a8f24e8

SHA1
8e2fefe2c3eb416855e4a75d6e25038eb0c61093

SHA256
b41c77ef04a20f67ae7e6ed732477102794bb2b8b6b25fd9ba0ad5d825e5ff3c

SHA512
89d1679f61fa02d0f4400ee4a7c3f5893c2b9fbc7fcd6e2320a03de5633d6ead63c7000f4d1bbd365b21457cb5b847bc27da0f06079b1bec74393844ae7d4b0a

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
89KB

MD5
4ea055dab8eaacc14ff63c135770b634

SHA1
11f6a6ffea9d208722469a467a5bc806ae1c7242

SHA256
5b5f4eae05910bc0a12821cf5ae68bd7ee57ddc681940475b699b57a5fdb4b87

SHA512
5fadcfeca36c917fe7354278e8d4dffb44637d1076db8841f78bdab98910c27316225c02e92f15b3f11d65ceba0587352e4f75211799a1fe8d7a5f0a838741e4

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
89KB

MD5
5276a11caf51d22c34bd5ed1ec4b8b6a

SHA1
2746004e460e023126692a46ea6a82d1a5988283

SHA256
0a07205cfac59476f4c466f6906a42d641c9817d8fc9af860b734c489847885c

SHA512
46c4d4c812fd8a9270af0e937eec0515430e8d3fc1a4a1c8c95fcbb14723604ddd90f47f768b86587151855bf0b374e2bbfc02c8a63ab298b86f01f380c60958

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
89KB

MD5
eee20c858b3a4e636ae6e3d137afa004

SHA1
54188349fe97b12b72dc67d64ce7e23f6ec92efd

SHA256
dbdc52df83298286a3d6ebf4227533104fbca51fc021c5a8fa871c6117aeb40a

SHA512
2b17e30d50901e76ffd0abddc75bc6dbed1c400e0d6ba8403c6d5b6869f49a806e89df5f4f57a4f4ffad44fab8ed97b43d08347da5dc98bcf861c0e6392b18a7

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
89KB

MD5
41b3b9b7940aff970ea444b4f27b162b

SHA1
a2f1bf3ce93cf582de094ec34c931198ef5be5eb

SHA256
1edc5a0d2bad69ee9e18f85c54ca307526be052041cf68e57c9c47a334a6c258

SHA512
aceaa21a9fa182e2a8cad861f7cbc7b416772322513148e23962a2af277191dcc8e9542b08a6b097dcd9f1743a59c8901538cd1918b7d70a49a768b205123e5b

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
89KB

MD5
d18e39572d65883c1fadbf645d4d7ff5

SHA1
0dd8a14e261745ed4739f4ace2a3e3d84466c0c9

SHA256
fe4ce24b373e4e7848f90207ba5bd0cac03ed9518a73b7a63b24581deae04eee

SHA512
f3a1bc370d85feb9421595876162250a9b9579a73d8d1864d0f8853de3a2b8153e1b79127845befac13036945df9960b46958bda9ac6c6fcd7f8ce213c8cc329

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
89KB

MD5
bb9d479ef4fc0d09122f56eae92820b6

SHA1
f97d85a07df46144ae005a4c1f05b06878206355

SHA256
69ffd3f25fa58c352d6c3bd3c1bbc66e89b545d5da265f571fc42fe7e32cf44c

SHA512
1b928573e76f7b1996347c6f3b4dfad443f4f3798a2fe7e03a2ca0ca1c2bfed5d8967794c1aebf5e3a1b7ac5e84aebae88ba2c3f2e6c58d033a3bbbdac157f3b

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
89KB

MD5
c1b30f5a98e215ecc750fde93f24abb5

SHA1
09b7dd73cb1e7a5e5e8f87254ce5e032921ea59b

SHA256
aa1bf2bc78065118018ebf924a026b41124a63ffd4b37784480e6b7eb8a658c2

SHA512
bc4b44a385eca6caa5fd3b0423d0b0d623e079335dd6646480b186d47e84e4805cea702c7875aae156e12764d3f097dd6a0c0efd70d4c03530c36f417b4bc859

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
89KB

MD5
c1224b4c51eecf0f1263e8df0891e0de

SHA1
8f9203d094acfec3c0f02184e81f210226d848f8

SHA256
089ca18cfee81a4e197bc5666b408257679df261aa7074f4810a64eb4d6526d7

SHA512
125af3240b440bea8fbd87d8346c8e3262f0c1e9b32a12c2820e36ed77db9879107704ba32c0d5659a3b6241c8d08086c6655cbe264c07e686223d4297806f9c

Download Submit
memory/208-542-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/208-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/208-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/392-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/404-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/892-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/940-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1144-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1144-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1364-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1632-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2804-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3104-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3204-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3352-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3364-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3388-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3444-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3884-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4164-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4884-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5072-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads