3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe
Size

80KB
MD5

521a7f15957e292230fbcc1db74b9385
SHA1

73562960b71b3e312eb1f05aa146d343cd41212b
SHA256

3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1
SHA512

ffea547e971cde9892fc91e4d4784365f7aa79c5b22d1fc35101e7c56122badc0494a2aadcb90775c77951f0b927a7b83d255c903781741e0e04852d5ddd607c
SSDEEP

1536:jeOzfUBtdyQATYaNYD+Zg5wys5YMkhohBE8VGh:0BtdnATYaNNgCyYUAEQGh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe

Executes dropped EXE 64 IoCs

pid	Process
4976	Kmijbcpl.exe
904	Kdcbom32.exe
3772	Kedoge32.exe
5080	Klngdpdd.exe
1844	Kbhoqj32.exe
3352	Kfckahdj.exe
3568	Kibgmdcn.exe
1988	Kplpjn32.exe
1224	Lffhfh32.exe
3472	Liddbc32.exe
4244	Ldjhpl32.exe
3164	Lekehdgp.exe
1944	Lmbmibhb.exe
5072	Ldleel32.exe
3804	Lfkaag32.exe
4604	Lmdina32.exe
4476	Lbabgh32.exe
1404	Lgmngglp.exe
952	Lmgfda32.exe
1564	Lljfpnjg.exe
3600	Lbdolh32.exe
396	Lebkhc32.exe
4052	Lingibiq.exe
2896	Mdckfk32.exe
4100	Mipcob32.exe
8	Mpjlklok.exe
3728	Mgddhf32.exe
4928	Mmnldp32.exe
2156	Mplhql32.exe
2720	Mdhdajea.exe
2532	Mgfqmfde.exe
1052	Mlcifmbl.exe
1412	Mcmabg32.exe
3184	Melnob32.exe
5060	Mmbfpp32.exe
2696	Mdmnlj32.exe
4892	Mgkjhe32.exe
428	Miifeq32.exe
1936	Npcoakfp.exe
3920	Ndokbi32.exe
2296	Ngmgne32.exe
3452	Nepgjaeg.exe
2776	Nilcjp32.exe
3196	Npfkgjdn.exe
2364	Ncdgcf32.exe
4340	Ngpccdlj.exe
4432	Nnjlpo32.exe
4568	Ndcdmikd.exe
1604	Nloiakho.exe
3088	Npjebj32.exe
4136	Nfgmjqop.exe
4440	Njciko32.exe
3996	Ndhmhh32.exe
1448	Nggjdc32.exe
948	Nfjjppmm.exe
4760	Nnqbanmo.exe
4524	Oponmilc.exe
5040	Ogifjcdp.exe
5092	Oflgep32.exe
1792	Oncofm32.exe
3160	Olfobjbg.exe
4556	Ojjolnaq.exe
376	Opdghh32.exe
1236	Ocbddc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Lekehdgp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6692	6568	WerFault.exe	239

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjac32.dll"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 4976	3312	3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe	83
PID 3312 wrote to memory of 4976	3312	3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe	83
PID 3312 wrote to memory of 4976	3312	3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe	83
PID 4976 wrote to memory of 904	4976	Kmijbcpl.exe	84
PID 4976 wrote to memory of 904	4976	Kmijbcpl.exe	84
PID 4976 wrote to memory of 904	4976	Kmijbcpl.exe	84
PID 904 wrote to memory of 3772	904	Kdcbom32.exe	85
PID 904 wrote to memory of 3772	904	Kdcbom32.exe	85
PID 904 wrote to memory of 3772	904	Kdcbom32.exe	85
PID 3772 wrote to memory of 5080	3772	Kedoge32.exe	86
PID 3772 wrote to memory of 5080	3772	Kedoge32.exe	86
PID 3772 wrote to memory of 5080	3772	Kedoge32.exe	86
PID 5080 wrote to memory of 1844	5080	Klngdpdd.exe	87
PID 5080 wrote to memory of 1844	5080	Klngdpdd.exe	87
PID 5080 wrote to memory of 1844	5080	Klngdpdd.exe	87
PID 1844 wrote to memory of 3352	1844	Kbhoqj32.exe	88
PID 1844 wrote to memory of 3352	1844	Kbhoqj32.exe	88
PID 1844 wrote to memory of 3352	1844	Kbhoqj32.exe	88
PID 3352 wrote to memory of 3568	3352	Kfckahdj.exe	89
PID 3352 wrote to memory of 3568	3352	Kfckahdj.exe	89
PID 3352 wrote to memory of 3568	3352	Kfckahdj.exe	89
PID 3568 wrote to memory of 1988	3568	Kibgmdcn.exe	91
PID 3568 wrote to memory of 1988	3568	Kibgmdcn.exe	91
PID 3568 wrote to memory of 1988	3568	Kibgmdcn.exe	91
PID 1988 wrote to memory of 1224	1988	Kplpjn32.exe	92
PID 1988 wrote to memory of 1224	1988	Kplpjn32.exe	92
PID 1988 wrote to memory of 1224	1988	Kplpjn32.exe	92
PID 1224 wrote to memory of 3472	1224	Lffhfh32.exe	93
PID 1224 wrote to memory of 3472	1224	Lffhfh32.exe	93
PID 1224 wrote to memory of 3472	1224	Lffhfh32.exe	93
PID 3472 wrote to memory of 4244	3472	Liddbc32.exe	94
PID 3472 wrote to memory of 4244	3472	Liddbc32.exe	94
PID 3472 wrote to memory of 4244	3472	Liddbc32.exe	94
PID 4244 wrote to memory of 3164	4244	Ldjhpl32.exe	96
PID 4244 wrote to memory of 3164	4244	Ldjhpl32.exe	96
PID 4244 wrote to memory of 3164	4244	Ldjhpl32.exe	96
PID 3164 wrote to memory of 1944	3164	Lekehdgp.exe	97
PID 3164 wrote to memory of 1944	3164	Lekehdgp.exe	97
PID 3164 wrote to memory of 1944	3164	Lekehdgp.exe	97
PID 1944 wrote to memory of 5072	1944	Lmbmibhb.exe	98
PID 1944 wrote to memory of 5072	1944	Lmbmibhb.exe	98
PID 1944 wrote to memory of 5072	1944	Lmbmibhb.exe	98
PID 5072 wrote to memory of 3804	5072	Ldleel32.exe	99
PID 5072 wrote to memory of 3804	5072	Ldleel32.exe	99
PID 5072 wrote to memory of 3804	5072	Ldleel32.exe	99
PID 3804 wrote to memory of 4604	3804	Lfkaag32.exe	100
PID 3804 wrote to memory of 4604	3804	Lfkaag32.exe	100
PID 3804 wrote to memory of 4604	3804	Lfkaag32.exe	100
PID 4604 wrote to memory of 4476	4604	Lmdina32.exe	101
PID 4604 wrote to memory of 4476	4604	Lmdina32.exe	101
PID 4604 wrote to memory of 4476	4604	Lmdina32.exe	101
PID 4476 wrote to memory of 1404	4476	Lbabgh32.exe	103
PID 4476 wrote to memory of 1404	4476	Lbabgh32.exe	103
PID 4476 wrote to memory of 1404	4476	Lbabgh32.exe	103
PID 1404 wrote to memory of 952	1404	Lgmngglp.exe	104
PID 1404 wrote to memory of 952	1404	Lgmngglp.exe	104
PID 1404 wrote to memory of 952	1404	Lgmngglp.exe	104
PID 952 wrote to memory of 1564	952	Lmgfda32.exe	105
PID 952 wrote to memory of 1564	952	Lmgfda32.exe	105
PID 952 wrote to memory of 1564	952	Lmgfda32.exe	105
PID 1564 wrote to memory of 3600	1564	Lljfpnjg.exe	106
PID 1564 wrote to memory of 3600	1564	Lljfpnjg.exe	106
PID 1564 wrote to memory of 3600	1564	Lljfpnjg.exe	106
PID 3600 wrote to memory of 396	3600	Lbdolh32.exe	107

C:\Users\Admin\AppData\Local\Temp\3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe
"C:\Users\Admin\AppData\Local\Temp\3dc8ac4cc770388ab9413ed319e5f1ec7d8b58a8ce271a6d3961c068964ed7c1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\Kmijbcpl.exe
  C:\Windows\system32\Kmijbcpl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\Kdcbom32.exe
    C:\Windows\system32\Kdcbom32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\Kedoge32.exe
      C:\Windows\system32\Kedoge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        26⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        29⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        35⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        38⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        41⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        50⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        51⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3456
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        71⤵
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4724
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1896
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        87⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        88⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        89⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        91⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        98⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        100⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        102⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        108⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        119⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        120⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        122⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        123⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        127⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        128⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        131⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        133⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        134⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        140⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6392
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        148⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        149⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 396
        152⤵
        Program crash
        
        PID:6692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6568 -ip 6568
1⤵
PID:6668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
80KB

MD5
294df7afdc15ac4e8bda6d20f4f831f9

SHA1
76c9bbd68ec6f7476f1715b01267f12c3b9400a5

SHA256
a8eba2e25aa7e49e657156bcac1aac25cb9ce00668487d29511067276b2dbfdb

SHA512
b99f7e239e85afdeeaef4465549df04ba03ce670a678bc287e80aa710740799052ffe47b3d44d91b3ad49f59474ff639a6ef0fb4186fcdc332e780e7dc243296

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
b131746a13f76770435f06eafea006b4

SHA1
6072439daf92e91c9bc9de1ab4487fc364af1bd3

SHA256
69b7026c1140c6bd6e4f053e42b1e8b2a51b758f66534217791ce2561c869d5d

SHA512
fd69710750ef6a37209dc724508792f9f4f6a422890b6758140a7b19cae3a94004ee56a374bc66b23bfe0d543304b2ceb0c3874b3af46c9964c7661682b5b139

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
80KB

MD5
6850f1f0e9282c65a6fc7c4ff008fc13

SHA1
c630da875f2cc32fedfe5b44e42f2160990b892e

SHA256
a61d5292852bed749c58eb3ddec2f49d9707edbf274bd89358e93e9cf8f2927d

SHA512
4b8e3d6acf66f42dc0e1e8c658f65d6faf0263a6a88a4779c3e3355d1c01311b8bdf8b14f69a7680944a3937b0183a753bedc979a7a1a282dc0fffe0f4b45dbc

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
80KB

MD5
3bee95dcb3b256e7d19c1df4def158e1

SHA1
eefb06841657489f66530511e614309002cad01a

SHA256
6a34336299b743f71b8365c0d5521a305749e14c46ba9f97914be8bca95e6cd8

SHA512
894a93118bc42003f222c833a9c7a7838b7ace34d53398d44a37fbe3266d8d03e14f2f4371a1839f595c5f8f8b3de6a733ee5f721cf58cdddb3102513c980d83

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
80KB

MD5
e13ca0d7397997c8bd8b801bfd1bba63

SHA1
4f9e56ad4bf03665d6acb1f3f73f19eaf9ce4ee0

SHA256
31e7405d929ce30d65cf5b5d664384ac2a8d9cc7757cce4a5b909158479d9ccb

SHA512
3d90f182de5513c7a242c909bfcca62d6bd465dd391a6037ac24d3265f3a85ec90f15df90f036e4478cdda30087ec9587dd6d3f805225c2ba7b578fa48b71cc7

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
80KB

MD5
eff4ab51d907ec5da6713361ed49949f

SHA1
58789308ebe87f59db8c3fd6e3e384afe7b24bd2

SHA256
8901960b5b9e62d638321de93304bda8c28152d5836162de5edef6aa6f911d70

SHA512
edf1d5a6557d36094548a1d95cce42481843978f0bac58da05a9399702e1377cd975c0a5c27588098fe066ea71e6243a7eac1c33f137c2e39b6191952d28c316

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
80KB

MD5
fea6bf9331208bb7c75acbc073ef437a

SHA1
eea6268fe5fc6997bf86855bf0338f519ff504ea

SHA256
222867acb7a9d538a95804ee20524063ded8b7192fcfeb08a001f2980f002a44

SHA512
4aad49ea2f6c3b0c666538ddf7d52d6f6bb9c2c60efbd2e2450efafe1fac1e382a875b895ae521bef52b1049587c309852aada53448b6b21e22dd28a5f75dbaa

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
80KB

MD5
80cf33bfce23e5a2d78dff111c6b75a4

SHA1
4ddb78e1d72226e075cc5e0411dbafd8a00b4636

SHA256
d138515022761e77a5908ff74ed9cbb07062cc852112055ad1a9faecd3a175c0

SHA512
07bad47dad6a60b29f2aa13902618b15233fc41aa02b4e2ed3b8e7d6c159eecd2c12f714a88b96d85a0c43b48801a9df2d24b8eaf6a74ac8bfb4fbc75c85e872

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
80KB

MD5
6267fa666d430728d72317ce012e401f

SHA1
ed68c8d0f0a4431f48d34c09c92f7f632bf16808

SHA256
df1015c0de9edfc152c46c9479736efe0b37d9470eb5a6c9c9003a00fe41f9b0

SHA512
df9ec87e98bc7766080689a0f99ff3c9915df762454c2fafcfc4a485d1674fbee4367227cf4cf681dbb4ed513a478f651d806e13d30f4707f8227c802b20081b

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
80KB

MD5
432ed934875903be62f53b62199fdc51

SHA1
54180cac96ca4cddccf48c88a6af02ae30a08ca0

SHA256
0c72eb8bef83e2b89b7d470ec2ad05d313d46c3c3978a8e468ce620158c9040c

SHA512
ed1335ab21380ce400f8d1ac5b0e53cbbabedf7275a487f7334e8e21b12fab87073a766d298b88edab273addd0c24403096267256beab07116222a57018836d6

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
80KB

MD5
a5b75e82b79c1c8374552de6ce94a4e5

SHA1
0199a5021815a900e7527f0ca345833318924666

SHA256
0c0a617e479988a8b2dc0ed1765a0cbbd5bab137df2bea9187d2879e56ee63f4

SHA512
a9818f9fbdea10cc873f2df22448115ef1a2939895bfb9ab54f2298761e440c43459d349715cb98396b9397a1827cbb950711361ed8083aba176d1cf6344f6d9

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
80KB

MD5
c08aea28430def08554fe512f8be8715

SHA1
ee16cd2468c743bf151b1b0cf9c405b069076788

SHA256
a6af4245b2986a13edddb0a083442cdd6201975a1ccbca3cdc8592d4e3eca156

SHA512
a6c6d6f5ea2650cda38e3b08ee6a44019331d3dc686762c7d338f3bcbd2ffd857f24f076523a7138394bfd759a9005f631a82156e6f45e4f732b193df3a7aa2d

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
80KB

MD5
e033e212b66c488ead040cada92ef028

SHA1
7c4534f6ade752eeec90ffabf8db6831d8b7cfc1

SHA256
447ed7c124e340adcfa1c6c339d75d13d6cf469155e8e9ae7b44a68240e929e1

SHA512
6a6ecb4dae3f0e3b147934725f5d941f38976ff05c9aac3aee8363687d950e35b39147731b4a5a10eb6b1dea3bb7c95a22fee7aee5c5f9cf5a1c213659074890

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
80KB

MD5
2aaaae93dac5ae363f6586c263e17525

SHA1
2e5c20f606306306b14e076c63af04b699e3010c

SHA256
5430a138525e27c62c8ea8c5921633266360888f99d918e16c96f37d34bef45b

SHA512
24dd2f43cda92e6320f8c3ece8e07ad7b4855c70f61b442a1e7ef2ed5a58ebcaeac1d82ee6b96b9ede6a37e0775af9c8dd981a5a38d95882d6e8ef0f92dec593

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
80KB

MD5
08c125cb7e815ffdf1b400648cc806f0

SHA1
b92d0eb719cac05738cf6aa2ed9d8e0fe76ebeca

SHA256
d252757194b26c73dcefdf72810b240d79a3a357e255ec6f0456920d7c9307f1

SHA512
fb66c9577ec82a927309e0f27b40c04d4da551a15895f6ba1eb267764055f5a2e182d9f5f179aa152878754d0ed9badd556f566b2f4ac0f431d94c6155b8d88d

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
80KB

MD5
7d9cffe34a2704150fd37109c113d53a

SHA1
c88453a694f5d769521de6f38b8c5238060c090f

SHA256
355a4f5ae28bea9ae4790dd9b4d34f0ff88de4a9c4ae8983e8e29e7538e2a9f8

SHA512
e773c6af4ebf65359b88a6e5ba7fc25a16e28f2a93902a321fabe4ca290d07662a7045bd55981eaf4b9cd16c80028206a6019c784e4d25f9eb3755ae764b8cd8

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
80KB

MD5
1a8ce037a89231b3e0e6a2be2da93fd5

SHA1
b40210cdf7e7ebbbc37423c44ba3fda55aac0391

SHA256
da37ac36648180740e068bd333d5b1c767e0ab94f7f11a1a74fe26506982f6b3

SHA512
2ac84874cf3291abf0bf8fe6a6c8450bb5a7afac2d45fabaa59b2bc272073bdff8e31204b39707d775d2c48283ca78d67de2692bb642dff748d13578ff911dad

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
80KB

MD5
12378a54232e41beb896d52fefd1eb7d

SHA1
8bd62ce431ef1c71fc2b25c960a81d47b0305b70

SHA256
e2eadaa9b21026c4d8dd087a5e033cef23da1e56adea68a496d9a44165805bf2

SHA512
30277521c8c0d90330c44b96db9e5d0f0e9c9e47d1fb03098733b99e0f3101f244ee016b820db31f2441a61f2b871284cdb0dc0712cb7f4202393f3e71e762c7

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
80KB

MD5
f4b9c9651a9ee0bf4f82da7a6872a487

SHA1
9e48defc24c2835aef52090bc12e715d75bb07cb

SHA256
ad8fff8b2dc8285f6cba157d5bcc5b8ffc320a4dde7cb9534685a199ae9f85c7

SHA512
9db48814a87e95b1a747a1c95d6e9b895b9be7e2f503302f372c7791d0b75f439434b95d91cbcc4f9d2f4e4a8675fa5f72d25d0b96a2cb7c2e5423b3a6b58def

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
80KB

MD5
c8ceb8d511d5ce350e3b5ef2ede4e5af

SHA1
964fd2859d09929ed6cd3450f3e3010ad75b2bfa

SHA256
cf4db65fa891e06aa394a6ac7ca1d3127b803586f9b3aca0470404ef3412da8f

SHA512
196b86297b69ca45a60258324cfeca480f4e855f75ea63dce779f8187af138fdd9f08cccdca2fbb958b8edcb638486ac626e6b05b7f88df64fae944d39c81ae6

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
80KB

MD5
6ea72fa0fd5b7a4a9e7c0ad7d0ead8f9

SHA1
c136c5842c4fc39e44d83deef11282865d830514

SHA256
e5cf17d0ed5eef13115ced78f367e7670490eeb5d0efa97cd4133a3b1cf7c1a4

SHA512
343083c9aa482aff04ad040ea6d58c8813ee0b7f15d2df311767c32bf481066945863970f4d512669fd44ef9f9509d3d24878fffa55de87ec15576f0430370eb

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
80KB

MD5
31cd0f779474e7fe05b068aa76a2b6f3

SHA1
5481c300b184d7d331e15f2c59da46aec3211816

SHA256
b491665ed39e4882a9e5a96aef089fadd745fd88cdbb59f6235da3d907074219

SHA512
8cebad0189cd0ee7a93b3ed995c85b2e9212980ab94988d95239608c8a802b01771d682d16bb953dbef38f404ae2bffff26c3537d15ae3d1aaa2b2a8ed3d642b

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
80KB

MD5
42742f20d0323bb989361f222e20911f

SHA1
2566aa69252c37214b416b9351f322801769816c

SHA256
2cc4ae74201383ce73684eea09780a5c942bff3445022e970ff1eecc0e83d9c1

SHA512
39b6e439d64b549731f6abc0be8dc974cd6ac1ef9f04c2e57f2260209447ea2be9ba8b2abfc457885c38007070d8af6e3d5ed5715c1d50b5674545a0121fd42b

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
80KB

MD5
18e51b3e04aa1ee06c304d8751db318b

SHA1
27bd58cd09d3dea59aaab132025f015934530008

SHA256
cd1869695f71416917aeb44bde7024af57d8d78998f60d7ebe4811e1116e33d4

SHA512
5aa16d2dc9f73bcc7db9493480b1bab23bba756b4f044e9868a8b4a6cb863558c1c4344e1662df8fe378df26f8fcdde4d5781efa1e8f48b0df3c2434cb6829b1

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
80KB

MD5
a7a6d0061b96f205cfe2896d43ed1184

SHA1
f7d780cf47893981b84c466ef00864244e08c900

SHA256
f25a06ac32760f63e8994aa228276e216b0be41cbfeb4364941caa7649f912b1

SHA512
84a970ed336c078188a840bc212896afdf20b8cdf4a1c9651200d0f87e758d10fe01a63ed7280109d31088a0500e968bb5fec3628e28eef5a7b72a4f634f577f

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
80KB

MD5
43ecd4506b7f417fafd87e51e24cd978

SHA1
8d775bf8c3e40d273320b340bed7125ba53f8cc0

SHA256
2826ab34e2ff3247d2539c8e4419a50fcb307f85928bc66f8aa7f43d2eacb6eb

SHA512
7706ebd70e3f8ebe749e0f9914fc1b98d2517b26ea240ce8e2331308e6cb9eb28a60793b3f37cee850c7290da7ef0c99d71580d559b7745efd298c3179dffa56

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
80KB

MD5
c8bb8ae91f2b909e0389eabac366c4d6

SHA1
5be63dbdb2e85bfba889a256a12f6b0e985b9048

SHA256
55b71f5f070e6e8d0e0b973f66d9d9f8f8600a9276b6d113bcfe3d2fafd986e3

SHA512
5517afc632e5a4811fb2caf19f0a67950dbe486a5954072b3a065aef3e2c7ccf331ab75d777bac9b6dfeeedc2c64bd63de25d78100a9a6b8a7427367a4fa2a12

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
80KB

MD5
3316be2970e4a3f873c7250062cdd739

SHA1
95932fd6623efea26b8de2b6b6ffd65d19b9f110

SHA256
d9528c55e8cb6613d37d0de26bd729b6781e47643aa59f9fac544be5bbbd4582

SHA512
89d03eb2cca574ece6d0c34858a7d67c37be74a608b5613c52846ea064405a5c10d44bd2ea8022f714a21d539753cce7b4ecb1f0251f8a06b6bdeb7a5a3be179

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
80KB

MD5
76b1928eb8a5995ef3eb58125af97294

SHA1
d6e6ec03a9e2eab7d5b04b52a68f8f8a81d8a731

SHA256
eb0fd5544629a47624619f8becf5e86dc37ab08947642881cf5dde41330054bd

SHA512
b74ef37f052297f866b59cb0107c0ce118d5f1aaf7a9e560feb2777382b4a216d073db63a5e8aa52f4757bffa115f6e8ae8c8d4cdf43057399546d340e46bb8c

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
80KB

MD5
1841de927ffa66ce7a7f276119d066fb

SHA1
4795e9c2a0d5f98e5d513d2c728636a2c5d27bc9

SHA256
e661ff55ca1a70e8ea06f2d393a05f590c5716f196d1b5ae4ddcfc0ef49e0fe2

SHA512
9e5c069a8bae94a83dd63b76503209dd9036a7feb7b0a3da51e3f9dc87fb52d5c470d7bbcec90b59a748b486d43682806d95e5548ee8d962ed9c91cf0e388f1e

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
80KB

MD5
2ace1f0de0f6495da62c40740c33e45d

SHA1
273bc8ba6d22ca3e146db68b2a90c8d40193d96e

SHA256
b1b82acebd9e20aa1c5112211a210dc4bc0d121b34030ebde4348b2c0007543b

SHA512
45511d10275c6ed7fcf4d0fd189e2e1fc29ac46ab6b71ab7fbb3d17d389975365b0b8dcc901095a5b57f7f0589d6705c395d43a35dc56ebc893be11e3cee636d

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
80KB

MD5
c1d23f958cfb4d4a94012cfc5755312d

SHA1
a8a0cce7e5ca89e60148c3a583cb5b013120e8cd

SHA256
9d075228be02130c8d5d0432e8596eb39702f97a03e447f1097e7aba42dfd4e8

SHA512
6a4baf0ef5e65a54860ae2f670d8cbad182de91dc82426a2a9078f8ae4b9c3974e9e47659dd36a7727c0b8b5d27512f2206cc92e7ffc1caeb25fca1892abfd04

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
80KB

MD5
6857f592ce9a230267f35d6fff02eca8

SHA1
544c068db4cd87ab416d07d4553e27fdd2ab233f

SHA256
c4ede8c3db3d33af0c334c2caaf26c7626825f9580c52088cae32814eb441272

SHA512
1ba0dad2f62ee46167d7725102dcb6d3f321e622c342f189df860adac7d673f756433f233de081edf76c32f6be314580ee2784ff19aa8648d9d5cbe6f4b28f01

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
80KB

MD5
0c541cda542429a05c591d32beb71445

SHA1
173ea01d63339fc203815a05117c058be144b4bf

SHA256
11982b7301e585e8a0eb11ea7b6b68549fd3caa8dea9c5c24ea6bda7ad2eac68

SHA512
6402cb4db3bb571cafefabfaaa967a27b61be72aeda651333087436a232525a9f797956079756c446659a28e8af3d2e6ed3c88d729f3a53327ab6fe9d3004837

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
80KB

MD5
89cc57f50d5856ccda3b0bd30cc08275

SHA1
3afa592e34e7bf9845d9a64d51a023f15e10bcbd

SHA256
e0bd950f2ca454018593e4351cdc1c577fe2a935cc40d209449b3052867a9daa

SHA512
177f3eea74358a86321d3bc3f6a467317d14403aee42e11d5f4b9ecc820834053471f69e3f26700176740febc53b5398f360e0f2fefb548374f960cee86ea77d

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
80KB

MD5
7739f67880c5908b2150332da58db386

SHA1
9719f20bf072cd9921d0e65dd4e3e357989b9b93

SHA256
42281998487fe6b8fb234892dd322720748fe58a6bf6792fe2cc70812ff1f036

SHA512
1fd8cd1a5230cb976db2022717d5950914c1564d0b8c4fd03d7d86fe4185ce4b787fdfe18b8b817238c7f7e25515d3b8b4dfbab53173d29201a8e732901480d6

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
80KB

MD5
28a72fc7e573ca85d9cd94d7df85fa8e

SHA1
3cbab00361d8ab59916f509baa140b8ebc7fe7eb

SHA256
58202b88bec75e36864e7e3567163250c77013fdb78e355b1a4f11046d1c24ff

SHA512
e55b489a21d97ad862e86a1eb7c96c54db5572ac3670875ebb8c788c6d32b16c7c36c56a5aa105bf091945b28a3481b1368c7e1f8ecedcb9beeed9f4dd6763d2

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
80KB

MD5
98177b99ed700ade0d7eb5f070a2b8e1

SHA1
12fded730a1585cb30158199382a7a444d6f6836

SHA256
2f17e557699ae325cd0f982709cb98561a550ea21de9a79f472a2113ca2df44c

SHA512
ec2e24bed6e7e2085be2eea3abb71684bb03bbe547348fa8da8d1e59e16b322028663184dd5fd65430db9c97c8c6bd3ef3752b17f9554c0219e8b1d1194bdd45

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
80KB

MD5
d39d1ef244b24a6644824c4220ab265e

SHA1
30a8ab871c90ba669a78795562a46dbec0556a15

SHA256
a88b254d2d26dbad327e5ef7809b95b77cbc38d0c1800a5a6d3b7c0fde73ac8f

SHA512
1e12be44732811232f86ef4f868032f80e967b6476b56c205cdc01b1134aad38eb132125e4d95a2e3e926dd5035c2cb81f42041958d610f204dc26e7bb1825ee

Download Submit
memory/8-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/376-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/428-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/456-532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/904-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/904-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/952-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1412-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1840-556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-236-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3044-470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3088-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3160-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3164-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3184-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3352-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3352-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3456-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3608-538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3804-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4116-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4136-374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4432-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5072-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5176-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5220-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5324-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5376-599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads