5352666f009f72c1f222e3c866944533cc277e243e4b574a28ee2c7b0a73a81f

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 05:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8680e406d19ccba93cb7ef8d3ef65d0N.exe
Size

224KB
MD5

a8680e406d19ccba93cb7ef8d3ef65d0
SHA1

2691d2270bcdb76635a742fe816c7a7536d2ef0d
SHA256

5352666f009f72c1f222e3c866944533cc277e243e4b574a28ee2c7b0a73a81f
SHA512

ac8efd1418b565cb49a1df759c98789189a174702191ac0d2e3a45cbcf667374d66b28d831a5d1336687250b6628a5dd84921b6ea55e10939b47f7832b4fb982
SSDEEP

6144:vfUsvPOAMxE4f9FIUpOVw86CmOJfTo9FIUIhrcflDML:EK1aAD6RrI1+lDML

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a8680e406d19ccba93cb7ef8d3ef65d0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe

Executes dropped EXE 64 IoCs

pid	Process
4668	Kboljk32.exe
4432	Kfjhkjle.exe
2256	Kpbmco32.exe
3412	Kdnidn32.exe
3400	Kmfmmcbo.exe
3596	Kpeiioac.exe
1708	Kfoafi32.exe
1412	Kebbafoj.exe
2236	Klljnp32.exe
4940	Kfankifm.exe
2296	Kmkfhc32.exe
3624	Kdeoemeg.exe
2080	Kibgmdcn.exe
2316	Kplpjn32.exe
4372	Lffhfh32.exe
4412	Lmppcbjd.exe
3104	Lfhdlh32.exe
3740	Lmbmibhb.exe
4640	Ldleel32.exe
1480	Lfkaag32.exe
2152	Lmdina32.exe
1364	Lbabgh32.exe
4816	Likjcbkc.exe
744	Lljfpnjg.exe
2244	Lpebpm32.exe
2324	Lgokmgjm.exe
1528	Lllcen32.exe
1672	Mbfkbhpa.exe
348	Medgncoe.exe
4404	Mmlpoqpg.exe
1272	Mpjlklok.exe
2912	Mibpda32.exe
2016	Mlampmdo.exe
1688	Mckemg32.exe
2540	Meiaib32.exe
1772	Mmpijp32.exe
2972	Mpoefk32.exe
1888	Mdjagjco.exe
3996	Melnob32.exe
1628	Migjoaaf.exe
1868	Menjdbgj.exe
1668	Miifeq32.exe
1524	Mlhbal32.exe
3452	Ncbknfed.exe
1776	Ngmgne32.exe
3472	Nilcjp32.exe
5096	Npfkgjdn.exe
2676	Ncdgcf32.exe
2036	Njnpppkn.exe
4616	Nlmllkja.exe
3680	Ndcdmikd.exe
2508	Ncfdie32.exe
3776	Neeqea32.exe
4400	Nnlhfn32.exe
4380	Nloiakho.exe
4992	Ncianepl.exe
2420	Ngdmod32.exe
5068	Nnneknob.exe
3772	Npmagine.exe
3856	Njefqo32.exe
4952	Odkjng32.exe
4720	Ogifjcdp.exe
4848	Olfobjbg.exe
2644	Odmgcgbi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bpdkcl32.dll	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lljfpnjg.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kpeiioac.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	a8680e406d19ccba93cb7ef8d3ef65d0N.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Klljnp32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6744	6656	WerFault.exe	246

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8680e406d19ccba93cb7ef8d3ef65d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	a8680e406d19ccba93cb7ef8d3ef65d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a8680e406d19ccba93cb7ef8d3ef65d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4668	2104	a8680e406d19ccba93cb7ef8d3ef65d0N.exe	83
PID 2104 wrote to memory of 4668	2104	a8680e406d19ccba93cb7ef8d3ef65d0N.exe	83
PID 2104 wrote to memory of 4668	2104	a8680e406d19ccba93cb7ef8d3ef65d0N.exe	83
PID 4668 wrote to memory of 4432	4668	Kboljk32.exe	84
PID 4668 wrote to memory of 4432	4668	Kboljk32.exe	84
PID 4668 wrote to memory of 4432	4668	Kboljk32.exe	84
PID 4432 wrote to memory of 2256	4432	Kfjhkjle.exe	85
PID 4432 wrote to memory of 2256	4432	Kfjhkjle.exe	85
PID 4432 wrote to memory of 2256	4432	Kfjhkjle.exe	85
PID 2256 wrote to memory of 3412	2256	Kpbmco32.exe	86
PID 2256 wrote to memory of 3412	2256	Kpbmco32.exe	86
PID 2256 wrote to memory of 3412	2256	Kpbmco32.exe	86
PID 3412 wrote to memory of 3400	3412	Kdnidn32.exe	87
PID 3412 wrote to memory of 3400	3412	Kdnidn32.exe	87
PID 3412 wrote to memory of 3400	3412	Kdnidn32.exe	87
PID 3400 wrote to memory of 3596	3400	Kmfmmcbo.exe	88
PID 3400 wrote to memory of 3596	3400	Kmfmmcbo.exe	88
PID 3400 wrote to memory of 3596	3400	Kmfmmcbo.exe	88
PID 3596 wrote to memory of 1708	3596	Kpeiioac.exe	89
PID 3596 wrote to memory of 1708	3596	Kpeiioac.exe	89
PID 3596 wrote to memory of 1708	3596	Kpeiioac.exe	89
PID 1708 wrote to memory of 1412	1708	Kfoafi32.exe	90
PID 1708 wrote to memory of 1412	1708	Kfoafi32.exe	90
PID 1708 wrote to memory of 1412	1708	Kfoafi32.exe	90
PID 1412 wrote to memory of 2236	1412	Kebbafoj.exe	92
PID 1412 wrote to memory of 2236	1412	Kebbafoj.exe	92
PID 1412 wrote to memory of 2236	1412	Kebbafoj.exe	92
PID 2236 wrote to memory of 4940	2236	Klljnp32.exe	93
PID 2236 wrote to memory of 4940	2236	Klljnp32.exe	93
PID 2236 wrote to memory of 4940	2236	Klljnp32.exe	93
PID 4940 wrote to memory of 2296	4940	Kfankifm.exe	94
PID 4940 wrote to memory of 2296	4940	Kfankifm.exe	94
PID 4940 wrote to memory of 2296	4940	Kfankifm.exe	94
PID 2296 wrote to memory of 3624	2296	Kmkfhc32.exe	96
PID 2296 wrote to memory of 3624	2296	Kmkfhc32.exe	96
PID 2296 wrote to memory of 3624	2296	Kmkfhc32.exe	96
PID 3624 wrote to memory of 2080	3624	Kdeoemeg.exe	97
PID 3624 wrote to memory of 2080	3624	Kdeoemeg.exe	97
PID 3624 wrote to memory of 2080	3624	Kdeoemeg.exe	97
PID 2080 wrote to memory of 2316	2080	Kibgmdcn.exe	98
PID 2080 wrote to memory of 2316	2080	Kibgmdcn.exe	98
PID 2080 wrote to memory of 2316	2080	Kibgmdcn.exe	98
PID 2316 wrote to memory of 4372	2316	Kplpjn32.exe	99
PID 2316 wrote to memory of 4372	2316	Kplpjn32.exe	99
PID 2316 wrote to memory of 4372	2316	Kplpjn32.exe	99
PID 4372 wrote to memory of 4412	4372	Lffhfh32.exe	100
PID 4372 wrote to memory of 4412	4372	Lffhfh32.exe	100
PID 4372 wrote to memory of 4412	4372	Lffhfh32.exe	100
PID 4412 wrote to memory of 3104	4412	Lmppcbjd.exe	102
PID 4412 wrote to memory of 3104	4412	Lmppcbjd.exe	102
PID 4412 wrote to memory of 3104	4412	Lmppcbjd.exe	102
PID 3104 wrote to memory of 3740	3104	Lfhdlh32.exe	103
PID 3104 wrote to memory of 3740	3104	Lfhdlh32.exe	103
PID 3104 wrote to memory of 3740	3104	Lfhdlh32.exe	103
PID 3740 wrote to memory of 4640	3740	Lmbmibhb.exe	104
PID 3740 wrote to memory of 4640	3740	Lmbmibhb.exe	104
PID 3740 wrote to memory of 4640	3740	Lmbmibhb.exe	104
PID 4640 wrote to memory of 1480	4640	Ldleel32.exe	105
PID 4640 wrote to memory of 1480	4640	Ldleel32.exe	105
PID 4640 wrote to memory of 1480	4640	Ldleel32.exe	105
PID 1480 wrote to memory of 2152	1480	Lfkaag32.exe	106
PID 1480 wrote to memory of 2152	1480	Lfkaag32.exe	106
PID 1480 wrote to memory of 2152	1480	Lfkaag32.exe	106
PID 2152 wrote to memory of 1364	2152	Lmdina32.exe	107

C:\Users\Admin\AppData\Local\Temp\a8680e406d19ccba93cb7ef8d3ef65d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a8680e406d19ccba93cb7ef8d3ef65d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Kboljk32.exe
  C:\Windows\system32\Kboljk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\Kfjhkjle.exe
    C:\Windows\system32\Kfjhkjle.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\Kpbmco32.exe
      C:\Windows\system32\Kpbmco32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        31⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        39⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        43⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        48⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        55⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        58⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        60⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        67⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3372
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        71⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        75⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        76⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        78⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        79⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        82⤵
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        85⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1604
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        91⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        93⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        97⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        100⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        113⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        115⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        118⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        119⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        120⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        121⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        122⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1068
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        124⤵
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        125⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        127⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        128⤵
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        134⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        136⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        138⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        141⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        142⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        143⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        145⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        148⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        151⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        153⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6480
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6568
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 416
        159⤵
        Program crash
        
        PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6656 -ip 6656
1⤵
PID:6720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
224KB

MD5
0eaaab0a759bdca7a9401a70f4bed6eb

SHA1
ab40fdb537a7e56ef03bc1025023938e52046331

SHA256
08347832764d2dc6268140336c36c63ccd20345d8ec7cc490507ee8236b7b49c

SHA512
0eb378f5fe575c7c007edf78d85fc45cbd983e3e962c062ec552ad63a6af1b95fd541ef2416cdbe67d4a5fc69ce528af46a671ad72df1f722e10c920652aca44

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
224KB

MD5
d84e9bb3f2da70b2ec1a516c647344af

SHA1
9e9f4c9e697b296799dc934842f36c9f9ef4ea21

SHA256
464e64489b87b50aac46aaaa6f5aa1dc6e3833bcb416be65c476f57b53395e7e

SHA512
2a33be25771a0bab6667ac0f837c3d43c85585b0cf3dbfc0c07433a22f4d9ca6a19163945287912c34d7a89450ec967acea79618f4f89d9abf49166cc36d8ce9

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
224KB

MD5
4b1c860ebe1d4b39429d2b73f0b82fb3

SHA1
4703caa90b8fa9fcac5830b81a3f0b891ed8ea2b

SHA256
14d8d3dacf36f0cc2dac4d14addfbb7bed4a6b74dd7373c8b44e4f5712d046a9

SHA512
7d69898791a0d34be6aa3c3ed05aac1c212e3a6ed0d863ad03605cde2fb38d93c09e849995cf57f654ffe2743eb0ee2b83b02d67d28a4bf9ad6a66526ad312b0

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
224KB

MD5
f6ac783df00454356c73691baf31bd29

SHA1
fb9ad2efdfeecda8c033e3f6f3afd3bae83bc227

SHA256
8e3c65f9b7f8682242d1724affbdc5602f3f7a66258ba8ef3baed7ff0f53bacd

SHA512
5a9fe804db34b4f271b57b28085c7324b81b06dcd688acd51fdd102f6d66c52131201887485960181f413dbd2e411f25e514c7bdad4d10f7a01645d97a6c1dbf

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
224KB

MD5
fdeee82189c71ad0e84e2ce57e2efd90

SHA1
c0ec89238143f921ecb623e6c4137100792e2c4b

SHA256
4439fb463bdc7bf00c48a25d99d07efd741f20550401d3e04543206388ff00c4

SHA512
529ad7cc1ea47d3f7853340106bf0d5389292ebf577f5834de817f0e0843b4fceb0a243e3e3af801ca67c0faff35d52c1def8426a7b57d33efd7367b3ddf401e

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
224KB

MD5
e87f33af994f0a0a568bc751f7e9b65c

SHA1
ee5d636574f0568346fa9bb4e465aceb077edc62

SHA256
cd96253ffe286493a88bc611b4482f24f198a3b0a2710fe1e7fbeae7b5506946

SHA512
5daf12a785bd2c298b28f7a6388586463619c00b7ab0db60336d6dcf4a6add99a0dc09a0937043fd6ae0173966e8e17c85708bbc0c53253e057ed82d6400206d

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
224KB

MD5
dc7704a6b44ca1b31c1c10b6f2b4a47a

SHA1
a6c061c775ca74ef1052bfa5e6109c07d48eadb8

SHA256
2624d445db263d46f7e8416ef6b41f1747ed3a2f04740c41ebb0c66f9ef43eaa

SHA512
650d2634e4c49374dc241c8d69c17fc6ecd6bcce62cb69e241e6e72c7a3f81bb7adc30f5711e0898f713da9cd281e9124c0d198fbef3530bd777a92d47182327

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
224KB

MD5
08be9ddbf8937b33db6d0b32d3522426

SHA1
9f5d33d6d58da72e451db9f13c7f73f4e19c8771

SHA256
0f54d1613c7b9c44fb798a3d3902ae7f0025531910515ec582d4b69269a9020f

SHA512
6256b7e84278988d76434e46d72386eeffb74ad2e4e3c577ea33061600c69e69a741effb726520215af2ed8e0207262cc991862f2bb32991d350a3504beb7cd6

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
224KB

MD5
ef8245645c46f250bb7734869770303f

SHA1
1790975c96c8e361221eefd31dd93c444630bac0

SHA256
18db872a3d8a6b66783987f5c131a929be53524f75168edeb431e0d6af9d23ac

SHA512
066df281bf6de47280c5310ae4d0afd0181140eceb14a83a4b79e9d83beb0d7e704d7f38f87ed64fd26a3bfc6757f49e541293347eae17a6cb2eb72423725c20

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
128KB

MD5
4ddfb897e2f5ecf34cc41590a475bdac

SHA1
a2d861e1ad986bbeef640fd9c0e51d77634526e5

SHA256
1d33e8d652cecc844ec749f5244a3c174f531c09ed124bd30ff754a541a0b638

SHA512
79eacdba22c1465b86fa18d6cd385589866cae4255e416091fe39786f20a330fc3b1945d9b2d734d2ead89ddba4c2150ee849bbd55edf5dab74274de1e5a6c09

Download Submit
C:\Windows\SysWOW64\Eikdngcl.dll

Filesize
7KB

MD5
6a1f380c067e67401de96380725589e0

SHA1
d8b736af4604caaf45ae1644794339783d0b4a36

SHA256
39cd51403df7f635d114dd352cb92506435f86d10573e5dd2c526c1c28ec3915

SHA512
ac5bdcd66eb3bd447c844be306a77d4f3d16dc735e8459c545feb2cd913a7b14f26edcdb1216f3d9f8a40d9d1b2755e105d032702e244ce0254eacb935a0c922

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
224KB

MD5
2676f7108dae6ff89713f6969b1c26a8

SHA1
5288525e91b4a764c85e1b60a2f5ae7e3fc405d2

SHA256
0c04d3cb9aa06f9b4a719ca138b8abd088307bbb07f43e98d736fcbcddaeca12

SHA512
5bb2380b954a10e1951d65fbb746744839d4fd96b0fea4700bc99c839c09b03d49bcdb0e2a876eea597348452e0dab54c2c7aa5252541df0ac7aa2615176a214

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
224KB

MD5
81c0d5d8cf44e6891fe3a724c9afa858

SHA1
b6cc22395e620c8a7dc4dcebd36885ceae68bedd

SHA256
2930509b6b17fa1feb6ae0fcac05cd0b99cdc821eec11664340b5ada0089c217

SHA512
f0e34684f97f159d8e5443f29fc3afa16321444610b79bdbb8b38db303840668e7d541ea63f50c0c6d8ba5ef4d5205d75ff3d98371acc127f712c320f7ce3572

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
224KB

MD5
bacfc3db136425354f05004e52aa4894

SHA1
a5dc2e334a5e74a4a7f25de2726eb5d2bc3dc019

SHA256
8ccf36361221a6f7965977ed98600627469cfc0dae542dd5f11950bf53ed4c6b

SHA512
2d1438329fbbbabef944b43d6911fadbd1e28fc7feb65fc1a3bcd17bb73a1438d5aa8d52d430027f85cfe45dce1fc5fc817e0ba75847f8532b685515dc4e0db4

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
224KB

MD5
3013a137c26eb3d474c3d54f36b52ee4

SHA1
79bedc33f3ba2dd11a23d19ad704b995102fe8f4

SHA256
35266a6041780e2abf02d78fc3e7a81836923bf547ee95996a57b84a7f85fae7

SHA512
6717b456488c3b7776c29dacb0cb19a09bf05cc2e7d56bb102fb2f7e85fae9953260052e9da9f8983ec106f07dffac488e0abac74675b237461993420b20121f

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
224KB

MD5
332fb94360a0e34418f352f4132917e4

SHA1
6d33b794b663c6492ab2ea79c0dd5b4e62b76ff7

SHA256
cf498339ae3ab3cebc8e7139b02d7c15afe2157abaa83c1a95e8e65d32d130ce

SHA512
f616f312bd5e2f1ff2e461e73bc81ad889d8672df138595b42a4b56920c70287515ca8637482d5d19831c893058b38a1bf3d26a1927d8a09a2af7296190b731b

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
224KB

MD5
692aa9cc0126b5a13411652e403c19b2

SHA1
b4842f1149522f6c9ac10acfeb943f3fee9b4846

SHA256
4c7a09ad7e0d12edb2f08c46a77570f2f8ce1e473a3da6f6ebde8630e17beed4

SHA512
db620fbff74eb1eaf491c33a9fe99bd2fa1e2809e4c77c5bcf54956009dfd1bfc306af3405ff7a83a1fcbcaddfdb66ae4b470475fea64130762802ee990b7eef

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
224KB

MD5
b06ff0733f52485d33c5167ff5c7b6b3

SHA1
da4ba23778cf2c4dfb68bf30162e496799639268

SHA256
fdc9d01e6011e6d84660652ab16f4396f781b57cd1a79f5836e426a123a028c0

SHA512
8ccd01cdf400e119898aa5a2d36099b297d9c561520c9b76d465389cd64f6a53854a55b6b47a54a74c42480647a608d726de12e31f3a1388653be9f5b2d93849

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
224KB

MD5
dc221589e8e353d1987b4a1c9b9314d8

SHA1
f8487480e5af4d8668e253701e7532bfd3df6637

SHA256
fff15ade4d7952d411a80b3c70f0614b095f1bc41f17ee3d46cc3dd1105c602f

SHA512
5ef20fb16eddc2b2556f2a18be5ec814cb1bfb56ed003ec630fe86ddf826cb7c9dc79ddb78d2683869eee8e158f98f8b7bbc90b117d089ec0b705609855c18bc

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
224KB

MD5
acd20e9ac809832dbceb0931e6ff97b3

SHA1
16c9592bb6eb318c93c7efd1c1ca022d13c90d10

SHA256
35c66024d1f53ceb7ca3d0b7ca58d69c356e50d9a5709000d9501f87629c9340

SHA512
1b316893adbba147b93e3c07101aff29c6d422f87c1cb4211fc2e29aaae0f24e13ff03918ac5c455c04a8a6461ef77a93231d4a1903d1db2fb1c9fc34a0f2cff

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
224KB

MD5
21b43cad81ac57c58ffb08e4ba7462b6

SHA1
d8b3c59d650afafaa5da10fb5dc31ac55ce4f6e5

SHA256
cb04a97918f1d23043c286e164c498b799c8e8155bd1d20ca3e37034b0858515

SHA512
8f3beb9e2978090b2102b918382d6cbc15ff296e9e2feb550b68e9fe24634d57407c9ef7d39eaa78be85622d9ee31462ca3b31e823088ce4a30e3dde72bc1ad9

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
224KB

MD5
024f06d85861f9f69a1a60eb25baebce

SHA1
f61e88bd3cd686d34dbb85978176a6db1452da13

SHA256
cb21cee1803587b264772746b5e35f3c183d87ff6a32a4c6c7a6e36f50d652d0

SHA512
bc282c9042560f7200bb2f72080554050986cd0965f50751dda35b5d93a574376b4a02779102cf3f2586053f65b2f4a6f1d0a8526792226c4d8a113a6d5b3cb1

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
224KB

MD5
7b9387685bd32f6c74d0527894e09031

SHA1
75f8e9d8a2eb0b70a57d4ca4fec31644c49e7543

SHA256
fa13681e62acbeacbf9086d2588401b3f99d300de2f45a65673177037bff19d8

SHA512
5cb95f2cc3c3d68bb4836990bb7b3706e437a5fe66539c06ecbfc6dd3f751e944623bc23d2ad98b931e03ef0551bc80c8f049c4bdd8f76512a21d36861156922

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
224KB

MD5
6b4840502aa6cd09f2a62b49244d5bff

SHA1
86fbbcbd268e95a2df7689c629bc3e1fe2ef971a

SHA256
c854e45bd06126ef17627b46e80a0e1755fa20f6f0f9b816f36b19b15995263f

SHA512
5985753b5db4a96ae56916c4170f5b21fc3b6e64e6625148cd035a56209aa6e04c801827b0a8689a4bb76c30ade1c2b939bfc2811559f1378532694e395a74e2

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
224KB

MD5
842fcfc1fa8660fc7ce15869a8b437f7

SHA1
f3fa56fdf362f703409a47e924b4be00f840407c

SHA256
02f4f72315444a5a083d21c22090555ffe32e19cd5a511cdeea3495f6539e2bf

SHA512
21ace7284fa8123d00166cc782f281f27f508c7d391507895ed1086df5828a66aafe999858d207f8ab7e815f51dbe44b9d1f4d90556a9f696244bb2a20ea02ee

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
224KB

MD5
c16672fd283ff45d96bf23218b966c7d

SHA1
d6b3bbf78d4f083518b17dd4dafbe05f7cc08c79

SHA256
cf68605d61f09565e4af54b3f814630770db4933ec9293c6239429f7a019e37f

SHA512
9b9d1fd1ff899605a20f067960f9123f89f45c82086c1f3803da4313a8112fa3ef512926e23b44b7c049cbb12332d1e9200723d666c9eb898df338f6a2c15e8b

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
224KB

MD5
e211165318c14753985e3122ca695dbf

SHA1
8bb65f7235da4b1422743254ef258aaefe93c70e

SHA256
80c97c3adce4543eb3a4a3cb871293b58178bf80db5b2492e1a02235a1e2c85f

SHA512
68b6f766d4ace57c6dc55566a72caa930f393461163555010767f6deea37c9bdf02aee4616a046874802b00605fcd3c306a723e301a8dffaaa01e1f9b2081dd0

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
224KB

MD5
119c20e986f1155b9f866d44d2dfe6f6

SHA1
86752657a97e6e2f46d26d75aa640064d8038270

SHA256
c17cbfd4764227b493bc5b1f4ef0c558e72de994638725b3a611a9e2cb698abc

SHA512
95e9013568f262224da371c2ab426f95b6482d87b2e5e25d23e5cad04a82f13d372fb9ea59112a7eedd20f33e11cc3dff17c1db890699667facc01821c1ae3c4

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
224KB

MD5
a0ad19774df2d0cf438f8f60f2535288

SHA1
8339f373da8fdb0145aee9589a3fcf4abf387df6

SHA256
0f0a7d38d7f9e0593101eeceeda5cf48573727d92cdfbd3269afa9551020ceb7

SHA512
0d71d998d76ef3adf1e88909eedce7c2c4fef90f299aa19de11bdaa1554da5a02889563ef9979a64c6b87ba3a49ffe6e9903cbd56691c5a78aa89702d005b49c

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
224KB

MD5
b366778499cf161c27841ba527dc8fd4

SHA1
1eb981e955d8416d3d076b5f7c87412f09343e83

SHA256
725730b5f79aa615c577d41944257fdb4b4dda25e8bde55fd2a8df00b83f337f

SHA512
8c9fe779aa93e6f566e3e461b77450c6f7ff7d47f9588952aac7266ef3ec2c1b5a673a48af9ef1e5812dfed1f60f83578b14b7f11dc41a3ea393dfca3b85b71b

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
224KB

MD5
f7d1d9c318b065ee2c8abdd877f4033a

SHA1
418f979a6562845484b3dde1a36c9e299686ac9e

SHA256
fa460cc1baf2524026cbc15fafc2823bbdc225bcf5ed28990111a9c7a7e41e86

SHA512
ff6e6db613ec8cdd6ae308eaef69c390838515795a539d01f1d66fe278300fd24182893e88f2f7a76c3b4a7a2ac6a830bb5051dfaaab0b8ee97f72514cbf69e9

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
224KB

MD5
95b73287c153992a177b3f4bd2949292

SHA1
35ff1dac08edfb5423267b5b796f0ea12b06dfcc

SHA256
9b6e8e5e75fda85c1a3c288e44835f795a98614b88e844a87eceaeb361c12ea8

SHA512
69c5ea5aec117de0d8a634f17520df6b02a387ad7eaf390601bb9058ff919c77326a0b55ad875840925f5672d2155cc3d514259953e767ce3e9c1c387473bc99

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
224KB

MD5
4977b072fff2050115b16f7afd90686c

SHA1
dab0d46ab93c8296746e3d9d995db55228755c88

SHA256
437555f9c0d07803fe5914dad58486a52b12c3e6fa5f6b58126320f7514506d6

SHA512
278eda45aa7874a7ebad8dc25a187442591d1fe2994db9a0989701d5aa840c43904ba526374418899ae2da1c6ed39c783dd76fd3006a015d2fc152012fc96328

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
224KB

MD5
22327227f8ea5be9a8d330d1d5ac12f5

SHA1
a66c816d4d9afb3df11870118fb8f7437d9dbae8

SHA256
b364fcb3dc6eb4da101cd48bd663ef9ee3e5eb1185650799393e297856cf474e

SHA512
50ecec75b32e8b12f6bc6e92e9abccd26a2f96e1e729506a9aa4037df400f5645b8e1a00a772e794719fd265ad6ce2ff6fec661960b92a3031d3ea123256b621

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
224KB

MD5
39bb60b8fe8d498f542b89b8c8eb270d

SHA1
88fff27940a16837c9e2c3ef6a5b696a6f93e105

SHA256
561e87bf1ce70f93296f3eed64ee96dfaf26f271b372c55f2fa8f95b03327e4a

SHA512
7188ab629fcb572c1840edcb6a48d71f5b060981c5c1bdfa19a2ad4cd4cb9e0e3fddb683db43689c6811192054406816f4fa7c656b5b6618f8de805493f0c7dc

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
224KB

MD5
a13345178b0dc543eac42b1db557a39a

SHA1
937b3e48b10195fb0b7211a3d11aea2daeb4fd05

SHA256
c5b407d33639fa5381d74153604843420abcec444cf609d7022e69fbc1146b58

SHA512
723d2ed2cfdffd1afef5bdb68ba558b5dbf0667afce49bdcd2dae3cf72320b490261c971ce05e4311507262e6b41385e3768d6e9fb5fb2cd9f8325c08a5b2407

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
224KB

MD5
5fb9ccfe1b06c660437648eb84375082

SHA1
0ecc438cef99361e86ae6b362ab89ccdf7a79509

SHA256
3fe512447bd94e16212386c45246956279c57b89c3c65fce393c32fec8185d91

SHA512
cd01283669f98f04ca703513d4829850839a0cf12dcef4055d358efc398e2fc190f81586f6b42757d39061a00f25f624f1172256201af34dfd82060c8ecb68df

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
224KB

MD5
7b1bdc881f229a1677b46095af62af2f

SHA1
5bb8adbf6665ddaa0ed82ed0ba1d147f15271f7c

SHA256
1795d7afe56b1556dbf7ca2a271d5795ce31b16edf20aea9f1771ddf2c05d1e0

SHA512
0438ba2785ba6d007ada6dc90fa480ab06aee1bb876430a8dc77e71c73b17ab0ad7a319b0ad9f7bf9b6ead627ca0488c957987f9c8d53bf02abbe104617375ca

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
224KB

MD5
dca3641123fbdec4a975be3df7fddc38

SHA1
b14187f46a21ff5f7dede22763cd7593b6d1c4f6

SHA256
d6d6fa1e869fc0ad18c10f8854b489118879680abdbd98d02e62a29ddd201c54

SHA512
e45df8040288b238cdf21d40ed5f29b89f7c47d3265ec180392afaeeba4f04e3f4cd76d503a8b87c9c459cccfdf9b2df8faa54513972f3410dd8f88f0b2fad78

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
224KB

MD5
a2bb52c2af840720d657e5603f37dbaa

SHA1
090d4be7114867b54bab00dc3c799a4c6322d3e4

SHA256
9b171461fa32f377bdb4365381e5a6225a54aebec5899eac3af70b6febdad4d9

SHA512
9b9716c441d08a6c87611fdb615713eb86dbb323d141d1a1310cf4a73e1230a753240f4fc7ae7aac1295442531c49953667ad1e5cb4150ac1c2b9a94f8501918

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
224KB

MD5
874bd19dfdb8fee6f008eabedc863289

SHA1
d02dbd37c09b6f6be49b856efc4f75398cefd45e

SHA256
78ab9fad1af0fe5a50077fb7a2db2ac84c89f4596240115d0c8907898298d3d7

SHA512
7e207a2570c6f49b2d7b45a9891890c8d234397d9fe0e9cda44c0d0d0007f299797c3954f1f605366a7ec17bdec5767c5b6ac7feeb1cebcabbfed14e1d5ae58c

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
224KB

MD5
95faf695d13c8c86ccd2ee42be7674ea

SHA1
53accf126b30f0076e1237e4a8e0ebe9e80c52b6

SHA256
60fc82c42491293b712ee7ace13931fcf340abe471f501d7998d2afad8c4f553

SHA512
e54c774926ab5a0f610624d1ebe90641e7abdd70374cb24950c21a1ccc0fc85fad4f3e2d5e2b3f6501b62dd93cd74fd05159111cfbb523ecc18d0fe9600a3185

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
224KB

MD5
31feae5d60927a51a0c4e375563973d0

SHA1
8506fc911eac6379304dd3ccb2620b4f6c5d063f

SHA256
af475e066e70b6f90573f3b6de0a94d986c3092fe289fe029e6e89030cfcc22a

SHA512
9cd1cbbc0e1933eef01d3375c92e32980dfe972186f0fbe9700144408288c6e1cd8f98fcc95aef9f9f6fd8fc3fbf4c5a5506d7617ba24db851e8f151399e063e

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
224KB

MD5
9532b4bfbe9346b0ea66ec43eea35136

SHA1
1f0df7297b9f89bd5f81021dc8d98228e6b82e27

SHA256
bff9a61b220cf9b4321a77e321dcf8deac1128e25bbeca57094ebcc3ae34488a

SHA512
b5f0624045329adcb7ce3a3f7bbf49b1dce8386592fe8849ba10a53b24f10f46b7ca2292bf932cecada971f340f07b9103f10ab843f3a094219704739bfa3c43

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
224KB

MD5
dbf604c195997999973907c1e517ee77

SHA1
18f9e1ac8ecd3e31549b5d854d2d2f017d44fcb9

SHA256
eb203ff6f198e4141065d40629fd6d403eb25a81f1b7db8acfb52be90b43311a

SHA512
e086aa2fc81256dc6e454b342234c1548a225460f5bf1940e7965bd0ab6594a6b134b7d9a7ac228b040849c102a2d55bcc1a86a18ed81042b0c9f7f1fe9d04a0

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
224KB

MD5
001f8710e7e8dd45f8ae24ae035958f2

SHA1
92a9e14cfac33a1649da05128534f7bb4674696b

SHA256
2f5113ff412bcc8168210bb6d68a0a3bed651da787431a32abcc6ba36962a392

SHA512
afcd0bd06ef1d04f438562d959674ef84b37ac13299820ecbd11f62d0b137a8b6bab0b817f6a632150218c0a15d4b733fd40dbc96593bd15e7f138843c610748

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
224KB

MD5
2b33f5a56e7558c42b4b3b3bc7153f3e

SHA1
3d28c0c2edea89b95fda06c7f397881331305d50

SHA256
e9a45aa53bd11b93143a74670937f63c2417a739411b365f24aa8ed8e25eb625

SHA512
bf21e2f11952855b452e50f62a81b77bc3b56536eb156df155e15b004200379c8a64e17a7dd94446ba9904aab20abe791f148c69505e21f30c3d725b94f2b47b

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
224KB

MD5
714ae7fd88cdf493f1feb628713563a2

SHA1
70803768f888cd1cbde6170cc9a0c920d5ee7b16

SHA256
f8caabed291aac8329d012d582341d6ec0775377ae5954fad792bd4638e53831

SHA512
ca986bf95d62d3c44ff5e3a5bad8d3ec9cba06b4e3816eead3c7f9ff59cf2b0fe7eb3d834e5c45d328980482b021bd4a23530e5a1535df03f1b30771028c1ff9

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
224KB

MD5
e7fccc1356e7d6ff3497fa2e36520b2b

SHA1
4c394276db5bd478c94991f02388290afb5c1202

SHA256
f8682f4411f9cd97f9e250233680785966960204bca927060d3b6548b65a12f8

SHA512
43098034f31425d571742a969c19ad4e2de8e7dc429fefd1fa6d484a5640a6cc6afb9036fd1e2c215a66246edc6e3c3c29237143bf45f1ea1b3c9442070966bd

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
224KB

MD5
49996848fe461d1387d6392e59ef387f

SHA1
91f7b4ffa75bbad417cb8305db4d82f620ca378e

SHA256
19828ea4280ac1c6c35af5b4fe3243cda05648831407aade40af0cdca67b8fab

SHA512
ea230152f3bc1fdc6d19cd92aa312f41dc3a2998db9e921bf334dda25f03456e3edac5fd621e2582c26ee781fc933752406aeffc014189e6d0457ae24ea04272

Download Submit
memory/348-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-196-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1104-496-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1272-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1364-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1412-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1468-532-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1524-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1528-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1604-591-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1668-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1672-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1688-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-593-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1712-460-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1772-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1868-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1888-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2104-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2104-544-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2108-580-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2236-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2256-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2256-565-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2316-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2324-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-472-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2540-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-490-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2996-552-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3104-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3204-508-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3228-559-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3344-538-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3360-514-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3372-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3400-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3400-579-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-572-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3412-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3472-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3596-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3596-586-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3624-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3680-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3740-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3772-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3776-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-594-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3856-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3996-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4004-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4200-520-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4372-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4380-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4404-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4412-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4432-558-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4432-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4616-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4668-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4668-551-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4720-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4728-566-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4816-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4908-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4924-545-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4940-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4952-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4992-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-526-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5092-573-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads