270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe
Size

90KB
MD5

359541f5d6947d1f889650fc44e808ce
SHA1

af786e8281c5dc5822b028e5909bc97d0872e929
SHA256

270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2
SHA512

68b233109376204b0e62932531f54f7dd615a1df9fe0dfee9c20ce7d9bf5156d111386f50fa8eb987527da71c7fb5de17d7472072fa2a27989e8b51fd5da2634
SSDEEP

1536:tXRyMg1zGaCvIvyZGkcmii8gEPmEIxAAxZmgAXJSpbMEeQhBG9zu/Ub0VkVNK:Xg1TOiyZVXiWQzX0WGBG5u/Ub0+NK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe

Executes dropped EXE 64 IoCs

pid	Process
4348	Klgqcqkl.exe
4884	Kbaipkbi.exe
3724	Kikame32.exe
2952	Kpeiioac.exe
2936	Kfoafi32.exe
816	Kmijbcpl.exe
4788	Kpgfooop.exe
2976	Kfankifm.exe
2364	Kipkhdeq.exe
2008	Kpjcdn32.exe
1796	Kfckahdj.exe
1880	Kibgmdcn.exe
3188	Kplpjn32.exe
3356	Lbjlfi32.exe
4044	Liddbc32.exe
860	Lpnlpnih.exe
5040	Lfhdlh32.exe
4620	Ligqhc32.exe
3664	Lpqiemge.exe
3276	Lfkaag32.exe
4792	Lenamdem.exe
4560	Llgjjnlj.exe
1752	Ldoaklml.exe
4024	Lgmngglp.exe
4692	Lljfpnjg.exe
3340	Ldanqkki.exe
2708	Lgokmgjm.exe
2368	Lebkhc32.exe
1132	Lmiciaaj.exe
4476	Mdckfk32.exe
1312	Medgncoe.exe
4268	Mmlpoqpg.exe
3260	Mpjlklok.exe
644	Mchhggno.exe
5104	Megdccmb.exe
2756	Mlampmdo.exe
2880	Mdhdajea.exe
440	Mgfqmfde.exe
3316	Miemjaci.exe
3392	Mlcifmbl.exe
4804	Mdjagjco.exe
3676	Mgimcebb.exe
1788	Migjoaaf.exe
1332	Mpablkhc.exe
1516	Mdmnlj32.exe
988	Menjdbgj.exe
3164	Mlhbal32.exe
1176	Ndokbi32.exe
1460	Nepgjaeg.exe
3504	Nngokoej.exe
2988	Ndaggimg.exe
2596	Ngpccdlj.exe
1368	Nebdoa32.exe
1096	Nnjlpo32.exe
2244	Nphhmj32.exe
4628	Ncfdie32.exe
1948	Njqmepik.exe
4436	Nloiakho.exe
2440	Ncianepl.exe
2788	Njciko32.exe
3440	Nlaegk32.exe
3108	Njefqo32.exe
4548	Oponmilc.exe
4488	Ogifjcdp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kmijbcpl.exe	Kfoafi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6744	6656	WerFault.exe	243

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 4348	1288	270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe	83
PID 1288 wrote to memory of 4348	1288	270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe	83
PID 1288 wrote to memory of 4348	1288	270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe	83
PID 4348 wrote to memory of 4884	4348	Klgqcqkl.exe	84
PID 4348 wrote to memory of 4884	4348	Klgqcqkl.exe	84
PID 4348 wrote to memory of 4884	4348	Klgqcqkl.exe	84
PID 4884 wrote to memory of 3724	4884	Kbaipkbi.exe	85
PID 4884 wrote to memory of 3724	4884	Kbaipkbi.exe	85
PID 4884 wrote to memory of 3724	4884	Kbaipkbi.exe	85
PID 3724 wrote to memory of 2952	3724	Kikame32.exe	86
PID 3724 wrote to memory of 2952	3724	Kikame32.exe	86
PID 3724 wrote to memory of 2952	3724	Kikame32.exe	86
PID 2952 wrote to memory of 2936	2952	Kpeiioac.exe	87
PID 2952 wrote to memory of 2936	2952	Kpeiioac.exe	87
PID 2952 wrote to memory of 2936	2952	Kpeiioac.exe	87
PID 2936 wrote to memory of 816	2936	Kfoafi32.exe	88
PID 2936 wrote to memory of 816	2936	Kfoafi32.exe	88
PID 2936 wrote to memory of 816	2936	Kfoafi32.exe	88
PID 816 wrote to memory of 4788	816	Kmijbcpl.exe	89
PID 816 wrote to memory of 4788	816	Kmijbcpl.exe	89
PID 816 wrote to memory of 4788	816	Kmijbcpl.exe	89
PID 4788 wrote to memory of 2976	4788	Kpgfooop.exe	91
PID 4788 wrote to memory of 2976	4788	Kpgfooop.exe	91
PID 4788 wrote to memory of 2976	4788	Kpgfooop.exe	91
PID 2976 wrote to memory of 2364	2976	Kfankifm.exe	92
PID 2976 wrote to memory of 2364	2976	Kfankifm.exe	92
PID 2976 wrote to memory of 2364	2976	Kfankifm.exe	92
PID 2364 wrote to memory of 2008	2364	Kipkhdeq.exe	93
PID 2364 wrote to memory of 2008	2364	Kipkhdeq.exe	93
PID 2364 wrote to memory of 2008	2364	Kipkhdeq.exe	93
PID 2008 wrote to memory of 1796	2008	Kpjcdn32.exe	94
PID 2008 wrote to memory of 1796	2008	Kpjcdn32.exe	94
PID 2008 wrote to memory of 1796	2008	Kpjcdn32.exe	94
PID 1796 wrote to memory of 1880	1796	Kfckahdj.exe	95
PID 1796 wrote to memory of 1880	1796	Kfckahdj.exe	95
PID 1796 wrote to memory of 1880	1796	Kfckahdj.exe	95
PID 1880 wrote to memory of 3188	1880	Kibgmdcn.exe	97
PID 1880 wrote to memory of 3188	1880	Kibgmdcn.exe	97
PID 1880 wrote to memory of 3188	1880	Kibgmdcn.exe	97
PID 3188 wrote to memory of 3356	3188	Kplpjn32.exe	98
PID 3188 wrote to memory of 3356	3188	Kplpjn32.exe	98
PID 3188 wrote to memory of 3356	3188	Kplpjn32.exe	98
PID 3356 wrote to memory of 4044	3356	Lbjlfi32.exe	99
PID 3356 wrote to memory of 4044	3356	Lbjlfi32.exe	99
PID 3356 wrote to memory of 4044	3356	Lbjlfi32.exe	99
PID 4044 wrote to memory of 860	4044	Liddbc32.exe	101
PID 4044 wrote to memory of 860	4044	Liddbc32.exe	101
PID 4044 wrote to memory of 860	4044	Liddbc32.exe	101
PID 860 wrote to memory of 5040	860	Lpnlpnih.exe	102
PID 860 wrote to memory of 5040	860	Lpnlpnih.exe	102
PID 860 wrote to memory of 5040	860	Lpnlpnih.exe	102
PID 5040 wrote to memory of 4620	5040	Lfhdlh32.exe	103
PID 5040 wrote to memory of 4620	5040	Lfhdlh32.exe	103
PID 5040 wrote to memory of 4620	5040	Lfhdlh32.exe	103
PID 4620 wrote to memory of 3664	4620	Ligqhc32.exe	104
PID 4620 wrote to memory of 3664	4620	Ligqhc32.exe	104
PID 4620 wrote to memory of 3664	4620	Ligqhc32.exe	104
PID 3664 wrote to memory of 3276	3664	Lpqiemge.exe	105
PID 3664 wrote to memory of 3276	3664	Lpqiemge.exe	105
PID 3664 wrote to memory of 3276	3664	Lpqiemge.exe	105
PID 3276 wrote to memory of 4792	3276	Lfkaag32.exe	106
PID 3276 wrote to memory of 4792	3276	Lfkaag32.exe	106
PID 3276 wrote to memory of 4792	3276	Lfkaag32.exe	106
PID 4792 wrote to memory of 4560	4792	Lenamdem.exe	107

C:\Users\Admin\AppData\Local\Temp\270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe
"C:\Users\Admin\AppData\Local\Temp\270756b51ad8c8ae91264e99ad4a4eebb271e0ac92818b7525539f3816b19ae2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\Klgqcqkl.exe
  C:\Windows\system32\Klgqcqkl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\Kbaipkbi.exe
    C:\Windows\system32\Kbaipkbi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\SysWOW64\Kikame32.exe
      C:\Windows\system32\Kikame32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        34⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        36⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        39⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        43⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        48⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        66⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:208
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        73⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        77⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        78⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3388
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:976
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        83⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4372
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        88⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        89⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        90⤵
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        93⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        95⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        99⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        101⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        103⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        108⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        109⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        111⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        121⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        123⤵
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        128⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        134⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        137⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        141⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        150⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        153⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        155⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 416
        156⤵
        Program crash
        
        PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6656 -ip 6656
1⤵
PID:6720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
90KB

MD5
cfcd63ec2a6c98c5c785fa2590533c30

SHA1
44d683b2a56b2c4d43ca03ca15fb31e5ef77be06

SHA256
517d7bb58d66be05818d3aed2b41a204c60febcaa587d18899f16172b1d32581

SHA512
71a12927e2c05ce1b7f35785733975a537b59e326b1858d1b9ea632d6d6d9c3dd729214514b02434743455ae9ffc160423971f15a3c5a454a2fc1cf8def80f0b

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
90KB

MD5
bc939bcfc687642b84409c1bffcb9673

SHA1
9f152aa19af817638baf6f5a7311196454d4b880

SHA256
075cf1b9770129fe10e776483d1e4b94e710213bb78c4f085836e9df0c39d1f9

SHA512
d30330a832950e7d3c9d1f3c34e86e8636a688c72a90458a11966e64ccc5b72a5d6b6b03795bdab336c4b4bef544710fd89ab53b472ebc1aba9a65a40ceb0eea

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
90KB

MD5
8eb2523a19e9b17ca5025e4cd7cdb509

SHA1
33c81415dd938cdb48d9151cf2583ee8578ff996

SHA256
d36cf017f71354995d0fdd12658ab2134122e16b1dd25f1efcb00fa322989f82

SHA512
d25fd92d911404cffac47d93132d1f9da0680d2cff45173ad022e152c020263c1eb6e3848432ab11bc59d79c0f223ea68a02ced9aff1f2667d2fe280fa0f869f

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
90KB

MD5
8d94cef41af552a7162194ad517c251d

SHA1
228948d06ac0272359db442cf45a31073c3bcc7a

SHA256
2d446bb684eeb7271f06e21d730633c31af8643f21bcceecbbb8e537c91ee68f

SHA512
dd4d3b8c59765e81d311b6ee9a8a5255eede415a6da45d71447d3cab1651f9b5bbf00fc1938bb18df9e44dedbafe310666be145ac3c7ea45fe1f5f2c1ea569dd

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
ae03b84af377594765fcf96f5a325f17

SHA1
8d568de0553276fe00d424d90b147076e63578cc

SHA256
0ca46f31f0b2f91acacae2a08b2faa75ccd6cac1e6b4f479c2a08f96ffc09cb9

SHA512
fb411d6db962e7b4afed28ab2af6ddb089af5b969532fb174dd242e73a2888fbd29e9fd70e0d4f57cddfbb6e6e50dc55d675b89c92f7c56d1776efbc528f790d

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
90KB

MD5
dce9655fec9b60e9a5b1376bed957cc9

SHA1
d64303b69dc567dbb23a3ffc15de4a965e5f4cb1

SHA256
c105e613e67af02db764263a9c328424b85aff9ebf4b7f20a77042dccc118237

SHA512
35297ec0d98ed98238416288e935cac27935ac3d7fa167c04b88949c6bd6852a1ff6f7774ff9d8869079f498006438fadb72e99dfbffb912290e8579126466c1

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
90KB

MD5
62be44dde147005fe7ffdef686bf1a96

SHA1
e201d5d331c026d259adc697941020c3216f6b81

SHA256
cc4d12cd043ff654a5c09518d8e29f6ab52449337be0a60923ffb30ac3a08bc6

SHA512
e5948bc239ff0cfdad581d0ab204f8599dfbe648298f6307261a99226eb2c9feb7c62d81a4afd77fbd1c2e1410407b6762069de21f8027c7781a5697ab064e1b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
90KB

MD5
b9fc74280bbdcdbb8e9c014e8a067938

SHA1
d1a5052971c5f5d0154ace65c36e5d22c6011c6a

SHA256
c616d93cf9a9b70378664678648fa7b5f16d9d6459308114493b0693db0a9f7b

SHA512
29eeeb90fb73ef8a1b0fc146e61f05c846f6b6dc24fea0214d62c257c1ff3a962abd2fead14063d07406691200626e45ae5b7e24ae874bbd54f0db4d48af0a9d

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
90KB

MD5
f767e76e90e587ac83e799ff615c66da

SHA1
f07927db58478ad9df787591ffc90bde65be66ee

SHA256
ed7942c28921e5ab90ba4cd1556335e9a05099334360f12404938b00a8bda05c

SHA512
349c14a0feb0b69fb3ea8718bc2d09b16a4731b2e42a44f1535d6ea8995711afbf1d73213727cc7bc2a9d0348d3512cee3a0d6ec50ad5eeac57ab549f611e7c5

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
90KB

MD5
13c0a4a75f0bdcdd13cbbbee32567f36

SHA1
57538f40e43779b1100d6a7ffa73039e757966ff

SHA256
6d0a08fb68cb0327393fe6deb798964df5233f6372e4e6f7747444a0c2fad560

SHA512
2b1a4bc5df6adf640dc899ade8deb69c3d7285fab25b09cb9e20fbbb37fc2c25526473be4d183bcceef7c41d1d5333528949c7392b06926296756a8fbba048a9

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
90KB

MD5
c9bdfd07ff9d39b8d393c680ab2b96b0

SHA1
2a57eafc9203c02dfa85c0d6c2750ff0a3d71d38

SHA256
808475a53d36a0918dac51d12001250cd39b7eb5816ed9370a1eb4cc7dd75942

SHA512
26b005731a52a5f14be44d6355a3feede56c2a5c4562a6a866bea24e101a5207192b88775b911746c231a1215b3098e772e92b5e20d965dd6019d0be08e8db96

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
90KB

MD5
4c0bc781d6d48b9afd918ce59c34eda0

SHA1
1ced97cd7054995cf9fa7d8ed059ce1191e74381

SHA256
b5a680c2804d2b3f5fcf00d77d18049a959af77095b6b6e5569385c0323bb3f9

SHA512
d8064a4d313409c1b7871fbdfb8be066ad2d81c499b0701275267dad3e851e7236f66a410b278d56e4bc45c5093b3f66d38852ae3a3ccfaefd6e42f16031cf06

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
90KB

MD5
6172512617bcaefe7151e87f092653fd

SHA1
e3d7c769ce72f3344cf7b092c22ffa3ef09929f1

SHA256
b48ec6d8cca0510acaf9779a92e5796a6659e26d70b8d1decc844ae2714af9d9

SHA512
936d2029d00fd49eead1e903b27ce66b2039a0ec7a93ca371c21b8bd10bb1b7cabf619448c41d6f9644847c7b8d511f310e69a25efbbee7e692ee32f65517290

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
90KB

MD5
adf2cb9388f8b393461ee468ed53a5b2

SHA1
e5ffbcf590da1f5d4424bbaecdc89b41a2beeb1b

SHA256
7b784ab3eefe45d3e61c39b68e2882d0cae52c69e1dbb576ae275544cd81ffbc

SHA512
95301a1f77cb0ff4cc719f691935b903fccab0404609d68af8cd76f5a2213995ae0a850a9fc3131c20668e69168d667277e199d6f744007cf0a6b551e9fe2578

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
90KB

MD5
f93abfc27ba130e558587ded4a884d7d

SHA1
4240e9b4e9bad5670c25e06e912141cf34fde745

SHA256
0725fd6016b5e98da257828fb43fc0a25a53b9a845c6d60977f96b493b91a41d

SHA512
0971964636fa8c4a2c20626ee58c2aad277890894e260385471835c2d3d2c5c7fb3b64a4ef74e445f26aa810ee6a2b51e6c3286adea87bf2d5ea4a4cf014b008

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
90KB

MD5
828ab7ddada59811f158950161e13996

SHA1
66a365dd4a398646cc2762eede60554b93402224

SHA256
87c6a300be70ba895ec45fd7578b0ea425fb77c9af8f49494958dba4a4568416

SHA512
aea06abedd4fe66fe0e38a4c3c5119e94230d0327fb3b025fe089702316fe850542e7d4030721666c007ba096a0f20f006b56ba24d636a9946ba354998bd6d1d

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
90KB

MD5
8bf9ff15e306108d95924bc2061b0599

SHA1
00fef622de3414b183b9d6d0f70f73e4d9b61487

SHA256
4039a873f9512e1201ca9d987e376fe749472aa34140787f95aacc75eb939b36

SHA512
7deca0491508843cc3baa6ad8c2f3c9a12f1dbc37fe2b9648b228183993c91801ffd46dfecaf07fccf0a6f0edcd9ca1c143677eab85c0d09eae94cc360e6e562

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
90KB

MD5
aadd84097d5ed94a417f62862b8000fc

SHA1
52d30f0f03498bedbd5256b402c277aa585d27e5

SHA256
669ba7bbdd4abc8e1cc2c2c8018f7e4355b649442c3844ffb4fbbb6da5bab0a1

SHA512
dbdedf488f8e050c82719b6e5fd100e3296371ed3310f4b57b806547e18cce38a579b0fb8d9607b539ee6914c0770a619ef771c01d555ee14243e7a64aa50213

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
90KB

MD5
30ed7789fb7a3048eca29ed0a2af0fbe

SHA1
de994dbafa1deb365248e2cd884f1c839a297bb0

SHA256
83d1af4dafa28e36a0a4799975357f5c59d18bd217a3e91cf0065e6416aa4ed3

SHA512
d7c61f19e14306982956b7b8f63c1f15922c000a459c25bb5f79c0a17400618cf8be8705582699129e6dc95fc7ebf18681b97a7f442e7cefd334f9a706cffc27

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
90KB

MD5
0f83941a1298ff767ae21bd643e4e15b

SHA1
b707dd4213ff4a65b43eb02e9f7bceccb307065a

SHA256
7f13dc530c8a31a7fbf172675c077a06128e5516829c3ba163cc7660be1be629

SHA512
85a64386a06dd4abfd4251d4cccd97521ed9d16d2f94c924ad3f99009078b086c02c8d9d066a6550a648b590c802765b73ca8afed7de67a6413107404f3f7856

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
90KB

MD5
5a678cab0684e80fc3d00878191218f4

SHA1
a029eced03d2c860d7bf78baee04f7247bd71651

SHA256
c771dfa7077507a224ee628a5546096a621728e1ec8c2c799ddac72aa6e43697

SHA512
0d1992913532ca8d32d9eaca9fa2cda37ddda99c860c6f252a3dc87d84bd8aea420bc2e4c29207091268cb0af61746fafa5b23549021c747a5baf6419baa7cb5

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
90KB

MD5
dc376b62fd82e16b8f957ea0c1c3bf4d

SHA1
c3ab3cfbc54679be21be02a9f52ab5a04749c0e1

SHA256
7cba6d8047952199b796aa33b82ab1b3e27acd3acc7861d5b8138bd4388d06c6

SHA512
70c9cea1a953fd08bb6d533db93e94d5e010303b4178a839993a90c6421b813eaa05daee4a4a2426b60320e62977963c4a3438484d962478fb62429e94ce9c9b

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
90KB

MD5
664d54817465f0545e41c240aff83f96

SHA1
e40084b0cb892ec30174046481b633f0ffc58347

SHA256
dcf637ff9749b541ba332e9b6f6857b0f4b2bc7df0f0b91ffb8cb1824fc61b35

SHA512
0ae182af5cb7d0f783933934c5c968bd85a62423cf9af39fc30839ee2dc51cff6c43a595de0431b9cf7c859ce309b5fc7929a6273cc46e9bb23e3a9c5ac1e182

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
90KB

MD5
ce037a3a602a1baa31d8c7d6c398dd2c

SHA1
d446fe0b7670591057b3ffa1da9d27ec2102d805

SHA256
738ad9cc9af94774a883013aca049abc2d05b0c1bbfb8467a2a6665db852dbc2

SHA512
832338745b0ef12dba0fdf3f4f22bcc5220ab56e6925194a2d93dc26552e8ad61fc76970b0d0adbe827e3609bdff0a1ffba43668f746e5db647ea47351966bfc

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
90KB

MD5
0b5330362009538509a0de934b42ee69

SHA1
60143ade0e229a244045b72a4d6eb1403de5718d

SHA256
6edf87748e57699c03e3f24efa91a7e54d5d95d5d1f0d13af436011646b40f09

SHA512
e3411f1b7874888b38d5708839bae66b323d6ec64df9ae120d2643d40ccc21556cc2386e62d42ab5376fa980ad88c900f7c4f1e944a6186de6636b673759e751

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
90KB

MD5
91fe95d81736cdf437ffc978f73eb837

SHA1
8e8027b34dd7e2995d63da43d2ed2b5a44f58ff9

SHA256
7b03a6198fa5ddde6332933b152ea047de1935c495c5241cbaa5c0698ca12647

SHA512
24cef1819661b4f9bc7567bcdcc91dab2302c84493ee22098be0ceb5928aff209c4085f312f988a74ce9ee23549f57cbdc6c9ca1fe700e229af5dd83ecc187d7

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
90KB

MD5
aa4c3e7b48f1a17c4bccaf299dad54ca

SHA1
e86adc09f29f9c6aa5bfa15841118dbff41ec811

SHA256
79eeb9c4ad4fe2cfe6cf1293b23e21f14ee77aa151ccf703d4994782975bd28f

SHA512
8cb17e7f2f89d5c8221958c0ca6fdb1e5b2cea02708d432d754a6b50c9d068132df19f18620ca72f1b0f7e44b0aee625092267307b352ae34690022d6d26059b

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
90KB

MD5
5faa1bb4c798f1bdfe2a8f9ceeb214b1

SHA1
c89084d340dec89f4f8719a0eedae4e7d9bb2d31

SHA256
be3125f20f63337ac35f83bd0560c907bb6fc22c9f928237733328954de3bf27

SHA512
2ff197e89f3d06162588075410241ed50cc37722f9ca6bbd9a1e23f1ca24b4eea32daf72dfcb1606afff0fff87da780752ddb7254a8ba7784e6236866c3a8b20

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
90KB

MD5
d4e2521f826cefe26d927e9741686155

SHA1
8323f8942b4997a96945df86284b078d2fdcede2

SHA256
1575bdd565c9bf58c4ae054f74f67dbd2320c59eac3202acb547ddbf29af4688

SHA512
e3b4e4f953f16f7c6695c4b21dc86be347893f5aa02d6ae2ea5d8d0ca53c4077e58a56ccc36bc5d48acb4ee942d58ec9f83ba84cb078562cc749e5dd14ccb7f5

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
90KB

MD5
8dfc3647d86f23fdca84cd41820d5e94

SHA1
7a71fc327b8707996b858dd3a3f8fbbaab7d1803

SHA256
b0de0445cd6af544b136659bc6b96472a25ba5838542f0270b3686d91b8011ea

SHA512
997da57b19114f8449f182ad13106b5ddb5115689f3067bb2f4ce34f1be5bc26e4181514b03805b1b9b95bfe2731f80fb96c7d669b862f2782d07da316e67809

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
90KB

MD5
246a063aa6b1eb27ec1cec222e77fc3c

SHA1
10767a71b6e803026141c01f5b4aea6c137276f0

SHA256
b4aad2cd21a5216e6ccc00b9526dbafb693616b2f11a23a2a39cd9aa3c49e2f6

SHA512
376079c8ec1e9ca52802813f35a2aea40809b9e9b8afbcdd77a7d44e7cd495395ccdc82981a9075fc94837973d7ca596bb7dbc00b9dfd36126cded1716b08550

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
90KB

MD5
4c63f869ee54f546939ba9f4ca50436c

SHA1
2c116d3d1cad1ade65d5ce21745c7c02aae104de

SHA256
86e45869fb3e9f8337ffa5af62d39888c0986e264d0c064aae407391cfdabb06

SHA512
7ab482abf74757750b3d128167973dc272530e0578e0e37c027de8e625c1e995707485520f411b783439adfe3ae0b2975c4f31fa08b327d2019973d556d8dd20

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
90KB

MD5
0600698e780ed4bea0e39f9ec54df48c

SHA1
fe2a0ccca077ad00d787546e139fcb6346459a07

SHA256
edc493d42cf8fdb4e8e7407aadbb6b8ece3cc9903b8bfb760ee6780b5f7c334e

SHA512
6d42f132c2b921e2616850e28bc77579c33c9c5779ab97d1321b06ec94b4940a6a6b00897c23e4f33acf757bea80aa1591b4e5ebee8841a53501591e46cecfba

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
90KB

MD5
56eb86a6973b7ee3b6558a27a1897176

SHA1
d07cf51e6d423b709093785b868c5ed842066744

SHA256
7c22177ca977c8a401e9a0d5478087e11f544952aa62d0f69e91b5d86a16d7c7

SHA512
be36ce278c8aa2bf34b2ca5b37f02191aa47b1edf6b677b0b7926d3245330556cb134df1cbff58521c34ba010951725f143354de87bd3fa4c29e2cd3ae9d5e96

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
90KB

MD5
ea0fcc0e5dc3bc605c75f2cec305b282

SHA1
ed38c9284b34a72112e56055f4bd17cdbfcd791a

SHA256
31c195dd1b8976f9f73e7b435a8aa0cb6055d75d8820985e067a3a151b1a0007

SHA512
faa088791ca0f7164acf52a449d3ea9def6f26293a646b841eede7c13896c8d465900423f26fabfc7f96024ea9bb38d5ce64ce9f7c48f534778aac2905bc79f3

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
90KB

MD5
75c87e07cdcd4acbf0ab2b4bbda4573f

SHA1
b7dca11a60bc34d35b0b3cabca2a7ed83886af5f

SHA256
d36a17521369a02626107dcd10ce209ed3a0db77b97fc19d0212850189d27e71

SHA512
cf3efc603a7ba08a7225bf56383b90d95f808107c3413ac74dfd8c08fe913e227d8d889a0eff29cef85cebfb415bf2728f2a287dd92e135c63d1d1671ccf9e84

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
90KB

MD5
75bb1679b43887c8e13faa2f192b83ce

SHA1
7982cbfe70ab05ec5e97fde8dbfcb9a3aa233bb9

SHA256
c5deb4eb4f9aa7a7deaf2ade7060e535c656a6498c94e6d98e62cc3ddcc32d3e

SHA512
b57ccb23e9e52b8ae46fceeeb57066a15217692abefdb07cc2f97e30580fee789a3200d5a1f39922231596ab42e690ba28875378a6ac3607bc15a0f5392f49c4

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
90KB

MD5
ac6635af11496caffe1e60349ffa8240

SHA1
c7068c41309320c6bb55f7d133fe3236cd3d77d2

SHA256
881eb8f3020d77472fdb65f6d54449938595e5772c55d672010e85dbc9b5b05f

SHA512
98c6f3fa299c2daee140c1920c4fc81513d5cf553207ca04c555985f4e2752c04e7fe382f9934119277316e7670de25b3a44e90f31736e4b09df234bc1d5452d

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
90KB

MD5
97693f4e1561711353a28096e6f4e4b2

SHA1
b044033a574785cf6e00d37762b2b12616dd416c

SHA256
18fed76ada4384e43a7bf77edb16f55d1c9014b2a845ffaa40e103f96dd101e1

SHA512
f86d3bbfaa29bd3a8bbc4982e9e175d503004b290379d5ede4afdfd3fb58dde7aa91407cf82c233cd6d5c50af8f57b8d7510bde4dd98f5bb55c33b9d2debe0d1

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
90KB

MD5
6834040ba709958313f0cbc19ab3f0f9

SHA1
beb97b6b65977b3c442a60adefdb3d9f9872381e

SHA256
f83f3d898e4e8fb73c1c3efa6990a20a10ac7ee036f1bd51a7c5a133832cd348

SHA512
d0ef9a97932f0e4e44de4bf6eff546f11115b5094f7db655d3747bcce1f198e339ed8812bad66d86b44067d3d4f4503e79a59267ec42ed6611072e2ef276e216

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
90KB

MD5
6cae36555520776257eb67b812bf7a45

SHA1
515f7d81a5756006149ad7ca7a43521f0275a279

SHA256
b92f58f4314334ff32be5c5b5ef2fe0bee096395f474dc53e53b6665ef73ab4a

SHA512
37d219a374e1a7130856b3935941ce267ec08df353d941065fa887693093fe2ea62cf5d28d3c652d7b774d290546fe27c8856d2d855db134d5fcd754a0894977

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
90KB

MD5
17ff5dec43f4a4bdb2a744755dbd3e4b

SHA1
6243b89c54aca651b70d3b52788c8361d63d49fa

SHA256
bbb94d282e424a7d6a78464e9ebde5542e87068ea5fbbf0344aca0066c0cccd4

SHA512
f071fdc36af27254def357edc2a6c9928871b65c2de73c1477049305fe6be4e372a9c90dbc33d2321db878cd478f929aebabd33a0b251a5cdccf6ee6081786d9

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
90KB

MD5
61df991d85e3eecdcdf45f5ed205e783

SHA1
8ed02d2415b45631dcded9425ad74edfee3151e6

SHA256
f01dbca236cd7766e938428b328c44069039ca2965b9d286e4c1176cec986e27

SHA512
4a89f3b8b6b5289c40ce1ed284d41347a72a40f120b63b6b051c9b0644bbcd0af602163c0a8d853ecc27246da85ba60d82f0ab894e18ae809598ddf2ec94440c

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
90KB

MD5
8db8d7089c96c1bbab3591a082b12bed

SHA1
318a0281b62f9567a22e9aad9a2ab9bddc5a11f9

SHA256
3ddee7f9d6faad217db6e92986b493586d1df895ac4d7c0eaa5d766d48f74b52

SHA512
0019d32276dd8798391c2574d471b76502ba6736f37217c5ede7f7cc23a443f0036f2470fbb6049ba52ed447eb50fbaa9ce2c8674efca7ff9242882835c08cc2

Download Submit
C:\Windows\SysWOW64\Qamhhedg.dll

Filesize
7KB

MD5
170a0eb34d77ac94d6dc78aa25e0b3c2

SHA1
568d00f0d209df2a95e2e67069a37b1aba11121a

SHA256
f07d857dce55577ba903156f07f984d2e30602763a37a2a2a9b1ef12fded3aba

SHA512
8886dc03cda0cd02d77ce171c1b5d744d75cccce45d5ee0f9053102aba33eb9f4e3f5cb203b04e230363fdc959175c24ee38ac45bc8479c032aaf7b6f95952c5

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
90KB

MD5
3c4b21e25cdb689d29abe6f0b26ee790

SHA1
5c22ec5f06624b550ab1fa726c7abeb46a7e06b6

SHA256
c97bafce29a36c41b1b23ddd71b23674cf60fcafbdfe2709322d05f8f974cfdc

SHA512
f5dab024568eec0c101068ae84316da7d0d0b123fccc23fcef0a82aba643c5af01f9974dbc32f905a8584bb4ea7c585d8a423b6d3d2e26e600a252f6b8a61b9e

Download Submit
memory/208-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/408-521-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/412-568-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/440-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/540-540-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/644-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/816-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/816-581-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/860-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/948-589-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/976-547-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/988-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1060-485-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1096-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1132-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1176-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1288-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1288-539-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1312-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1332-331-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1368-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1460-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1516-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1788-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1796-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1880-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1948-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2008-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-582-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2224-497-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2244-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2364-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2368-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2440-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2596-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2708-215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2756-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2880-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2936-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2936-574-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-567-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2976-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2988-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-527-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3108-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3140-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3164-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3188-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3260-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3276-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3316-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3332-561-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3340-213-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3356-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3388-533-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3392-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3440-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3504-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3604-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3664-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3676-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3724-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3724-560-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3736-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3876-554-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4024-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4044-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4084-459-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4268-256-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4348-546-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4348-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4372-575-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4436-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4476-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4488-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4496-491-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4548-442-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4560-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4620-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4628-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4680-515-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4692-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4700-503-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4788-588-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4788-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4792-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4804-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-553-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4992-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5040-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5100-509-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5104-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads