836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934

Analysis

max time kernel
96s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 23:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934.exe
Size

79KB
MD5

5e2e7d04611f37a9cc431aadedc90d01
SHA1

52dd0e90bd986a03c3d8d76b58879876148fd610
SHA256

836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934
SHA512

5d48ed12d5ce4b498ec538542db532c6e25c32b1af1ab7c3c1eae633d99c33d426d5ac50770b5450ce031d302d83226df77387ce82cc5af5b56a33a3d61751a2
SSDEEP

1536:pH2pTt4sN0Bio7os7XQENkZrI1jHJZrR:l2pasXVKQENku1jHJ9R

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe

Executes dropped EXE 64 IoCs

pid	Process
1284	Kplpjn32.exe
3424	Lffhfh32.exe
3924	Lmppcbjd.exe
1068	Ldjhpl32.exe
1088	Lfhdlh32.exe
3876	Lmbmibhb.exe
3092	Ldleel32.exe
4412	Lfkaag32.exe
2972	Lmdina32.exe
5068	Lpcfkm32.exe
2640	Ldoaklml.exe
1552	Lepncd32.exe
4804	Lpebpm32.exe
1416	Lbdolh32.exe
924	Lingibiq.exe
1516	Lllcen32.exe
3376	Mdckfk32.exe
1784	Medgncoe.exe
748	Mlopkm32.exe
2780	Mchhggno.exe
1444	Mibpda32.exe
3180	Mlampmdo.exe
1568	Mckemg32.exe
3576	Mgfqmfde.exe
3148	Mmpijp32.exe
3156	Mlcifmbl.exe
4508	Mdjagjco.exe
920	Mcmabg32.exe
4456	Melnob32.exe
3892	Migjoaaf.exe
2580	Mdmnlj32.exe
4124	Menjdbgj.exe
3696	Mlhbal32.exe
3528	Ndokbi32.exe
3564	Ncbknfed.exe
3980	Ngmgne32.exe
2116	Nilcjp32.exe
3176	Ndaggimg.exe
4468	Ngpccdlj.exe
2516	Njnpppkn.exe
2228	Nlmllkja.exe
2760	Nphhmj32.exe
4716	Ngbpidjh.exe
2732	Njqmepik.exe
1912	Npjebj32.exe
3048	Ncianepl.exe
3964	Ngdmod32.exe
3264	Njciko32.exe
1920	Nlaegk32.exe
2348	Nckndeni.exe
3172	Nggjdc32.exe
2812	Nnqbanmo.exe
4296	Oponmilc.exe
2232	Odkjng32.exe
4040	Ogifjcdp.exe
2560	Ojgbfocc.exe
4264	Opakbi32.exe
4192	Ogkcpbam.exe
4644	Ofnckp32.exe
1192	Oneklm32.exe
3888	Opdghh32.exe
2288	Ocbddc32.exe
1452	Ognpebpj.exe
868	Ojllan32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lmdina32.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6192	7112	WerFault.exe	252

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 1284	1036	836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934.exe	83
PID 1036 wrote to memory of 1284	1036	836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934.exe	83
PID 1036 wrote to memory of 1284	1036	836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934.exe	83
PID 1284 wrote to memory of 3424	1284	Kplpjn32.exe	84
PID 1284 wrote to memory of 3424	1284	Kplpjn32.exe	84
PID 1284 wrote to memory of 3424	1284	Kplpjn32.exe	84
PID 3424 wrote to memory of 3924	3424	Lffhfh32.exe	85
PID 3424 wrote to memory of 3924	3424	Lffhfh32.exe	85
PID 3424 wrote to memory of 3924	3424	Lffhfh32.exe	85
PID 3924 wrote to memory of 1068	3924	Lmppcbjd.exe	86
PID 3924 wrote to memory of 1068	3924	Lmppcbjd.exe	86
PID 3924 wrote to memory of 1068	3924	Lmppcbjd.exe	86
PID 1068 wrote to memory of 1088	1068	Ldjhpl32.exe	87
PID 1068 wrote to memory of 1088	1068	Ldjhpl32.exe	87
PID 1068 wrote to memory of 1088	1068	Ldjhpl32.exe	87
PID 1088 wrote to memory of 3876	1088	Lfhdlh32.exe	88
PID 1088 wrote to memory of 3876	1088	Lfhdlh32.exe	88
PID 1088 wrote to memory of 3876	1088	Lfhdlh32.exe	88
PID 3876 wrote to memory of 3092	3876	Lmbmibhb.exe	89
PID 3876 wrote to memory of 3092	3876	Lmbmibhb.exe	89
PID 3876 wrote to memory of 3092	3876	Lmbmibhb.exe	89
PID 3092 wrote to memory of 4412	3092	Ldleel32.exe	90
PID 3092 wrote to memory of 4412	3092	Ldleel32.exe	90
PID 3092 wrote to memory of 4412	3092	Ldleel32.exe	90
PID 4412 wrote to memory of 2972	4412	Lfkaag32.exe	92
PID 4412 wrote to memory of 2972	4412	Lfkaag32.exe	92
PID 4412 wrote to memory of 2972	4412	Lfkaag32.exe	92
PID 2972 wrote to memory of 5068	2972	Lmdina32.exe	93
PID 2972 wrote to memory of 5068	2972	Lmdina32.exe	93
PID 2972 wrote to memory of 5068	2972	Lmdina32.exe	93
PID 5068 wrote to memory of 2640	5068	Lpcfkm32.exe	94
PID 5068 wrote to memory of 2640	5068	Lpcfkm32.exe	94
PID 5068 wrote to memory of 2640	5068	Lpcfkm32.exe	94
PID 2640 wrote to memory of 1552	2640	Ldoaklml.exe	95
PID 2640 wrote to memory of 1552	2640	Ldoaklml.exe	95
PID 2640 wrote to memory of 1552	2640	Ldoaklml.exe	95
PID 1552 wrote to memory of 4804	1552	Lepncd32.exe	97
PID 1552 wrote to memory of 4804	1552	Lepncd32.exe	97
PID 1552 wrote to memory of 4804	1552	Lepncd32.exe	97
PID 4804 wrote to memory of 1416	4804	Lpebpm32.exe	98
PID 4804 wrote to memory of 1416	4804	Lpebpm32.exe	98
PID 4804 wrote to memory of 1416	4804	Lpebpm32.exe	98
PID 1416 wrote to memory of 924	1416	Lbdolh32.exe	99
PID 1416 wrote to memory of 924	1416	Lbdolh32.exe	99
PID 1416 wrote to memory of 924	1416	Lbdolh32.exe	99
PID 924 wrote to memory of 1516	924	Lingibiq.exe	101
PID 924 wrote to memory of 1516	924	Lingibiq.exe	101
PID 924 wrote to memory of 1516	924	Lingibiq.exe	101
PID 1516 wrote to memory of 3376	1516	Lllcen32.exe	102
PID 1516 wrote to memory of 3376	1516	Lllcen32.exe	102
PID 1516 wrote to memory of 3376	1516	Lllcen32.exe	102
PID 3376 wrote to memory of 1784	3376	Mdckfk32.exe	103
PID 3376 wrote to memory of 1784	3376	Mdckfk32.exe	103
PID 3376 wrote to memory of 1784	3376	Mdckfk32.exe	103
PID 1784 wrote to memory of 748	1784	Medgncoe.exe	104
PID 1784 wrote to memory of 748	1784	Medgncoe.exe	104
PID 1784 wrote to memory of 748	1784	Medgncoe.exe	104
PID 748 wrote to memory of 2780	748	Mlopkm32.exe	105
PID 748 wrote to memory of 2780	748	Mlopkm32.exe	105
PID 748 wrote to memory of 2780	748	Mlopkm32.exe	105
PID 2780 wrote to memory of 1444	2780	Mchhggno.exe	106
PID 2780 wrote to memory of 1444	2780	Mchhggno.exe	106
PID 2780 wrote to memory of 1444	2780	Mchhggno.exe	106
PID 1444 wrote to memory of 3180	1444	Mibpda32.exe	107

C:\Users\Admin\AppData\Local\Temp\836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934.exe
"C:\Users\Admin\AppData\Local\Temp\836b8266f32f7dc29445cbc91c8a03985378de284de8742da258596a2e482934.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\Kplpjn32.exe
  C:\Windows\system32\Kplpjn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\Lffhfh32.exe
    C:\Windows\system32\Lffhfh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\Lmppcbjd.exe
      C:\Windows\system32\Lmppcbjd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        24⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        28⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        32⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        42⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        59⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5076
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        70⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4908
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        73⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        74⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        75⤵
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        76⤵
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        80⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        82⤵
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        83⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3484
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1472
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        94⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        98⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        102⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        108⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        109⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        112⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        125⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        127⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        134⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        138⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        139⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        141⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        143⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        146⤵
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6368
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        157⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        159⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        160⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6972
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        164⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 404
        165⤵
        Program crash
        
        PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7112 -ip 7112
1⤵
PID:6156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
79KB

MD5
fcf8f66ad6edb86dd80ed684fa709ec8

SHA1
bc3eb1f2908fcccb6abfc48f2f9b7b7f4e8321dd

SHA256
49d25e095f332ec6bd85ce617c135f1311b39aa71f3ffb948128e52b2e14a9b3

SHA512
ef7a982f2cea4650d3b920517221ac56a0890488573e4cfd6a2ce13a634966c209f523aabe85feb7fe7e2ca8bc6a68af88d82eae9a267e3af89ae9d176496425

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
79KB

MD5
971bfe1791a5954aaa45483380b74d15

SHA1
f19525bcddbfc1768394fcc82e27b585b786b85e

SHA256
4666ab6a05f52d7f4485565d74da20ac128a4c7f0dab0eec520ef919b701b7d6

SHA512
786b8697d62c9a5b104e1f0666c83ec87b8949f0de0b7842fcea777cbf11ece0aef54dd787ce262c2131388d122fdcf7dce0ef94200e3dac00f1b1dfc184699f

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
79KB

MD5
284614803c2ec44535fc3deb6907eba3

SHA1
bb3867a5555f2f6617e97238e6a454fdfe449102

SHA256
8f15d720bdfb76921169e274b729541bc3f6208dec54bb1148876b44a2b296a5

SHA512
bc8ef77d87ed5ce50c0cef38b274a77aae73f21d1dbba8249cf2849c7bfa8ea33070eebc8ecb89b0b2aa705144aa216496874cb5df7d1435dd3e0ddcb2dfc3f2

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
79KB

MD5
0ee2be4a3bd8540ecb49c19cf55814c2

SHA1
01862de376bb948c49b6c1f40ede8399c1fc0d83

SHA256
ce541752ad7e7443478071017f50da75a5fd82405467e1a5cbcd85e57f852a12

SHA512
9e42d236a4399fe656451065ad3dc6716d36c502296a3f6bc3a9c4af8f22591b3e0ce000e0070df5338d7209741de5aeaf612ee38a4ffd67cf0ddf9792da5e11

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
79KB

MD5
ee2a904a86b8e019de983b5dd4b86a2d

SHA1
4b74a009b0343d7216174764b03177807486a15a

SHA256
3a4dae4295c7cd62bf5efecc8b7ffcccba2dd5dcfc4a3b085697240d7eaf4e89

SHA512
cb94efac8967637a43b7d1acfcf937f797330fc40b3da05c30814235ad85ee9212aac8dafe8b70d693537362294dae91c392e65a09da5968e44029bd30e8ba41

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
79KB

MD5
fd680892146af736a089e67c4c827721

SHA1
05f92e13848cba701be1a4cc25f6399a0d8e8ff2

SHA256
21f608a4df9e4026abb0fd2b31361b57b2f924527b4d960dc288c60500eb7d61

SHA512
18403fbfd7501b7af94fd82ba9229e6a7b58ae9916637bd8a6668aacb9a50354ac1ee271b661140771d932a42e3b480a1174a89ed3dbcac5f2b990fad4f37fd5

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
79KB

MD5
24e7989b0aedc4683baf6dbd07ecf94c

SHA1
29fd63cbeae81489d58fedc59cc081b19abaa7bc

SHA256
43353344851012e41d0a3a4fdb895c418e8b40aca169f0fe48c4b6c8b4ed28c9

SHA512
5623199dbee3180a879cb2f3c4bc5c3bee09e429968c23679aea904b7be8ae8b4e699f0b89458fc120342be6cddb2b658d334c10d56376019c6d38d8e1bab4e1

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
79KB

MD5
8ab465851ac959b14baacf477079bd5b

SHA1
1d3de91a5d5d37d4350958ef26b5b089ab10663c

SHA256
bedcfc39a98f266e49b5429c48ea8249f9ffab341057ec1e2c113625543db43c

SHA512
c4b793deefc5f5b74fb0e5bec58cd0602908c63d078bf7b8dcd83fc22f17eb58c35ca2d79415f1c70006d2f39e7431a9548fe1b63a07e7f9aef0d57bca0d3b51

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
79KB

MD5
260654047c540de06c59a4e345264ca8

SHA1
3874516fbd1a089616a5cc42210db972e271319e

SHA256
58540dd510ac8c5b621710ed72551fcf4c008a27a8bfadbb9af60b95f923008f

SHA512
3ecbe253a633b082bac79d357b5b683cd4afca455d157546a3ccabb2f0cf4fd634bc42feb25e0d37f61af399a8b501b78928f22b3d214b0925606abb77dd89ae

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
79KB

MD5
76855d6a1bc4ec8ae5272e7a8a02f513

SHA1
37ba37ba5afeedc27c4d4f5ceaf609bad1719fb1

SHA256
3bc246851994719b579f74d5e1409fa91b8a5bc11423486443e30374fd1de857

SHA512
ed067c44fb9535bd25548c164abaa778186b17c80e4769e31f81a1e61f7197e03dde8c4810ac9594e52775094b94e7d4a36e8e6a938ad907e45baf940380efef

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
79KB

MD5
dad4c70631ebb3f0cf06711fcc70d166

SHA1
f62861b1402d18fbfaae2a8c63ed8fb4f66ebb95

SHA256
fea296b984347f2ff3ab9c1d0b937ffa996c763046ca4d2caf6bdb427238a30c

SHA512
f5a941b8eaac709500e0dbbf859cba6a1ad8c5e2dd787983ee106a9f854246ebdbc8a3e5eb905c0b850170b63841cd38babcf3cbfdc40402364fac9a61af3910

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
79KB

MD5
ce20433a3fc7fe333406c8f6466ce184

SHA1
7737eaaff6052d44985c304f53e1d05965d0de08

SHA256
4ac04611c6ddf2dbea1fe48392182a6dbe4660f769b46e2f30d0c564a169ec4a

SHA512
84322d8f027cde43e18655c8ed82cc292eaa50970156c73841b8db711e4b153fee34356d01e9c75dd956ef963ac822d8c4ad78281a0f991c5c8fd20473e06eb9

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
79KB

MD5
0453e303c8534500f570430c4d169376

SHA1
69dd01b60673f17cb0d46a2a4f232a86ca1e35b8

SHA256
6cc4cd665771b6db2c4334c9be4f9a4cafbde4ba0d4eac9fcd3616452f053f0e

SHA512
0a7ff6d438b21e28437220906271d809d74f80f61cb90a292cd263e96b5b142675b6eb0bba910e5bc92535a94570fcdceed27081ef63d1bbd9f2188543ca2f3b

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
79KB

MD5
835af23b8ce1ecdedfee50100f348156

SHA1
0f2dbc45fcd05b1f12bf5970187aa009d05b65e6

SHA256
d0c01afaacd93b6f8d309b0e4f2848042bb44a09c05e621528be228730616ebd

SHA512
4cb08051bcface3526fa250368b434d87e75c75b75eed8df593549ee584d830a57c9bd76150d6839512ae1c39a7eab7abd557b50fa24bf72db8f10dcf2848bf7

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
79KB

MD5
5447ca3398c688da65dc2c432d463b25

SHA1
b0e2589498485276fbc5f1058cca19d39aada32e

SHA256
7d7e7c02f0e1d9c03e65a0a66e48e322f2236597bc12724b4c35f704b3642415

SHA512
752647faf1c64ec2850cbfd418b86bb981ab2274d4bf77c20f2908ff6077da0224f914733dca7f61c2f6c0094c0a5356fdc05dfbfb64c42bd594882434498b76

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
79KB

MD5
bd8fad18c2571078b3e0fb59734e0c56

SHA1
a587efd3382e036ef13bab6e2c706a172a0b9f95

SHA256
b303b2b14f267760a7b802429d14e2e9836eb5f9366f493eabd8b999312c20c3

SHA512
4915b68d8005eaedd06a9180505d90a1c214f7d639d656dee057a5eff104a1438baec037bb529e6eff4e10672ca090e3d60aa5592d5744fbd10a58cb1dfa4864

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
79KB

MD5
4cd964effbd94b504f75a3c03cfe7209

SHA1
e5e08a950d1f2d9c825caf65f9c0c650f038b656

SHA256
0dbecd173bf8991e673133353e3b5f467377f4f2b7b0e41091af816c9a635aff

SHA512
f1aecdde5882b7f4449f43dde922317c8dacb9f67da068d7793e56a91def6ff470ac34357488e28e27cb87b3efe1d08c5e34a96be099a5733f3e951eb9118586

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
79KB

MD5
34382bbdd0a4084b0a657aae6d196515

SHA1
172fc333e0b64a7d430876b417b6470e2b768e8e

SHA256
c8a66d293d29899dfd551630bcf771f625bc61cf1a142e2b51eab2303c45232a

SHA512
db00dfdbf16d09633ae257b941dbebc732efb94cf51849971031f4fb087fdfd74b1be1e0ed48082253d9d5cde940ba8e1ddfabb98972410ec7bcd640673d436a

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
79KB

MD5
a371f1f5f5f14b13887edd7405cdd544

SHA1
14a8f0db331ebb2200ab3609a88926919d5bba6f

SHA256
bcef39de1c1575e0b319f146d29efe8c1ceeb6cac90331dffea72ec34e6d4f4c

SHA512
ece32cc86e611ead38604e34ac04de7e4cbcdeb03e9f27bf3138e10dd9bf718f4b1b6cb8916a931a16d90ecdfd5118393cff4edb16c4b4333f1f7c89b8beae27

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
79KB

MD5
b338e2fe87ce5696afbeb1b986c7181c

SHA1
6ace2b85d6775f9bad5a054d427232d2dd6ef489

SHA256
152fdb53eae7221d7af3059a870ab27b7d8dd2062697aeba7080e72e79794acf

SHA512
661e0c173eb7b7f3dbde938dcb4e408e7ebc11ca0db3f370bee2d3583d1a2408c1c44a5d27ffbcdf065b25b6825a2a76580a6ca809cf2c00d56a764f8c3f9205

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
79KB

MD5
182574a6f29787ba186cc6c8a9db9d06

SHA1
ab35d2d549794a3f2cdafbea8cda9adcaa7df056

SHA256
f7ff782c7e1a70b1ab312f0a51687966e837703664246ea0b567b3e3fc6ff0ae

SHA512
1edc25d88a11dad502f7bdf184f55c6c3c0b0a9873536e5ef7441cf6a98279268cdc91fcbd4bb4d73baeb8e1a8351bf19b1eddb031cd8dc79b25f5a753703cc4

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
79KB

MD5
8293584af39d8fbe5277ff956b390728

SHA1
df22ec93c03bb5d2692eb1b0de62a48317793713

SHA256
086be53222fe5992bf6a1358521490c0a4b41e729f869e30f579acd142962996

SHA512
c0351abaa6a36ce05696cdaccbf764a3a6add662695e0b5e1d3e69b1c4130c91155fbf0bab82806aa1d57c29a7b87326a33f59d4201b125e48d0fff7174aa8a5

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
79KB

MD5
ea95f9bd99aa31f451beba524ce9db26

SHA1
a5e891e8a4bd1499c60c742b56bca0ec597a1fb9

SHA256
e601757fd304640a25be654321151312d36e7cc50ecf060d9f7f32cc29a18376

SHA512
f69eae0dbd5e9f76261d4e04518c493ea1ed19f8f2bb82e22544488a8db06bbe76065ddbbaaed7e6ea2cd75e1d5df217b0730eba23ceae76abf45f8cd609f21a

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
79KB

MD5
27e6c99fbc6844d4b5b612b2c9c8fb62

SHA1
2a99638bd5433a58af9df897482b5fc4a1092afc

SHA256
b3e796a1e36dd696e277290afb6b7ed688e02c91203b2859a29e545ac8942db6

SHA512
c914a1038fe1b72ae62eb4b0d6de2e8fcf35947cdc2148a690d37917bf1b5eb8b3f1f3e0aef93013dc0df6794302f2f53f0632066c3a247c311f68553c1c99bc

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
79KB

MD5
6015ea70e96adaf87790814351a5662e

SHA1
f162abb0d7135943f23e044537759b96d941ea52

SHA256
62a833f9ad98b230b48c12e2e1bcf14cc6ff8fea6270ccd96a2ab9cfe91aea50

SHA512
945322c78d60ac818c5bb967b276e2f54b7aa3a062cdc7a2382dec8966d3862dbcf732f8f18b67236e8fa1b5255866137c8a16ef54a3edc6ce37955d729b589f

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
79KB

MD5
d832e5952f75a3697645577290b9109e

SHA1
b459ddc5978f83ce034e1721276326a9e4782c60

SHA256
b3ceb4237c6600a01229b8181ec70a828933eca250c0e9ea58507a131f1ff5c6

SHA512
9ba7c041cfde5fa03ea103d62534e1d26592cc975f9f514c683cfe1a7a1c53b4f4b993e9df43376a697da731f2fc49832bad8de90eececf001c79b8041c3945d

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
79KB

MD5
d21ff8da4842dd93acd286c0083b807e

SHA1
dfd48debd77784c04d7685a89ce508602fb3b330

SHA256
84bc1d2f9b6b98c927914b492df56fdf5113f6f20e59bc57109bb18ef9b9e67a

SHA512
944889c3450de5edf60d9627d3f34dcdab29b792969c37dd765faf6486f51a44ef5fc29a0fc48fd5cfc846b64a655133949d83264b35482025263bfa9f752f88

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
79KB

MD5
60b2d0c3f3d10f5a5cac9b9cb79c15d2

SHA1
bcb03944b1f69a2d5e0d050ed23cb207b56afc3b

SHA256
8770e1ddebef9a0cf928188e6cb95959220d417c8cac8fa7f392f7ed7c069ef1

SHA512
dde7060a00dea5eb7ef51887c530bcca1154e862ac1cf7c036ca59294c5d23ce7cb0555e95b11ba2ff5b601a768d4e323dfd8e2dcf030fa2cc5698625f6ec597

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
79KB

MD5
3f0671c9cf25b00285253e5698585cf4

SHA1
9381882033760095eeb818ec42cd6ea3fa0fe380

SHA256
3eb897eb279d5d2a830fd14993f3a08b21da4e2113166cf4077cbcf5948d5a16

SHA512
b8746d064e7096606e1aa4493003e8eec4e5219e46b0148080fe3a55418a081f68402b7264ca903d6790ad147297431ba0c4e4c8cd3b02d66248cc77b1b5b717

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
79KB

MD5
98181fdd5b3d3020956db2c7d2570871

SHA1
f76e7d1c25861109dadf93b97cca626d20634c97

SHA256
0da58cade6950b8a82e0bc5a76dd61240e0a1f16056236cac54228281ebc61f2

SHA512
972a59695eeaf9a6f4a492cd75995a402294c608454732275db85bcadb05f6e7dcc2ad84cfa92999be2a9d0c21606b1e0e232888312b12e0e94b8dd14b791178

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
79KB

MD5
6ec3000b60429ba6a29260677feedfab

SHA1
40f2dac7934cbb5392ead94b8ba4f8e2f5b32049

SHA256
dcee031e13fb4055597cfcd6a2ddbbe838cfda995275231a2af28107c6b89383

SHA512
c23482fe1070e2d02ea52080fa126aae589d24cb3fca4b0de43a7b745f3beaadf5cf2c7fbc6e513c3b61f2dbd045d967a0582ed8a022d7401c8b71c45966826d

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
79KB

MD5
33265871a3aac4c6d13217e07a4b59f9

SHA1
ca0a8aabd450aea1bed828911ae7718cf2ec1d20

SHA256
e0adbfcf34a27a1d9741ebfd30af55d7e7e8882066b9e1ddf4d98effcdff3370

SHA512
99c64479035cd320b3f84f94bd27eb6b578fe52538cf71f782b476baa84f8186aa0f9c9234ae60db3acded07cfde23cd9f519105d77f2f57b0ac913e38dda507

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
79KB

MD5
4de8b0ad1d1b109e9f2bf3bd7710407a

SHA1
db07e6baa39df8d1b8454b0ccce7730fa29db047

SHA256
64f9ca74f6ef2fe66c3af220b8030bd1ae2558deeee18cafb8825af0d39ab817

SHA512
924d14edc79cd8e15ed381e1b3d279b9c0d447ba1abc859c841c6938dec171f3e1c67c56e3fd3e83d66db3734eee23941673ad5365942d840b3364cd6f443064

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
79KB

MD5
34b0fb6a90e929f5100b1b9511e22270

SHA1
1070bab9ff7b3b7b141cb38d57b1fb60cf6a0100

SHA256
5a41bb0bc0aa5b713e87a4636334ebb1cec534971fa7c49cf692ef4781d51885

SHA512
6e68a29ddf65fe9c68cc0fda9521a2a4704855848d1ba439978dfc22878b303896e6ccdb0f0c870eefbd0ac3e3ea8d1feb60f96bcefc598ce5aadfd8a1aa8c3a

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
79KB

MD5
a752b761a6ebe0a3dfaf3ce744880dbb

SHA1
ab2a907574e140e3bbae307bed2a88f1eba49188

SHA256
89b9c267bb009c3318f48c7dcdc5dc1d1dd466f226b0212dc1dca5d48d5ffd2a

SHA512
9994bab25d2c3028cceaf0d7a792524a9f18923802f8e88fb69c12a8f895f38cd86f020f46f12c0971a1d0953ca2de2303bbf3769aa48ee4b38ed096a22ca642

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
79KB

MD5
8867a0645e3a413b34e18996f9133d1d

SHA1
ce03fd030d5733c6538cc2e4f59124a47980f125

SHA256
016410f457d122c71310aaca8f92ab5bfcc36c51e4f30f76da0b2a95bdd3fdf1

SHA512
07502ab2fdec56912036698fe0fb594a3c32623128724f3fdf9159a9ecae046481a28bbf9a90c7014cfa3d624231ad69e388ee67629a3525d094a6633514bdec

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
79KB

MD5
6db733c3cc335ae5542a54507f663093

SHA1
dc438b0485154a43eac2e678201c0c98fe7fffa6

SHA256
c09d460a289ed9b1db51e9528cb850038f3225f3a90cd96ad2c79817028a2882

SHA512
d39f35dde9000c4703863f2c896ff0dda9eb324d56dfccb5448a07ada926283f32a8430add985c83690ddc3e17510d66e3cb1b52df54044fa88c435079311fbe

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
79KB

MD5
775087298a84bf697c502f48fd7e4813

SHA1
6397e32a2dee2613f55de57c51eb9462c833408f

SHA256
9876e708e758baa0681b1c3d07032c5e04c738c08d9fc6a0b9528a3267807380

SHA512
5eb339d06644b2fcb3cd764fd3874111ba3224bd27a01cdd0b196856b4a2cc28832ad2c9cef9a3cd00e32cfa1bc7974ab75d780c141ab7a33f56621b93427abc

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
79KB

MD5
391880b541bf5bdb8174ba3fda19a5cb

SHA1
6c56e480943a9cb59ad7bd09aac8395d9ac10f7e

SHA256
61d01710142bd03c879272686ed870c9af71a9969aa4d7261be624f6a919ec02

SHA512
b83f6104d585acf07b3382db76b38001d7ad09df8b3c04809e173742c3b2ca3d1a170d963f9fbd6861559dd1b57797cb368fe8a52c8585b89a513d6a82c5ffa6

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
79KB

MD5
91b655bbb93c762016de91f28ebb701f

SHA1
2469f2389d1a4a81b83038e86078c7b6c62153ef

SHA256
18976071f1ed6b0ccc14c23cd8906aefa14b16fe385f4a0819d6acc4b156d07c

SHA512
5f1058decbcaf9c45186f37b79150dd4bf9fdf511406a02a65ca72747765e3fce7e3fc2452625f833e8ddf36e737389e6b356f45272beba4e03bc251667b0351

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
79KB

MD5
a1fb0aec2f16816978dc381c325a3370

SHA1
922225bd062cc3ecf051bb8027cacecfedf12321

SHA256
fc977d5a4f405aaa60ec06fcfb443cbd9f9834739e02a5afcc94af6fd77cf1e7

SHA512
ec0aa9c01c4d6f3e6e908348307aba965a1a8a6a98740f38d7e246fbb817c13c9c037b5596ae7671b9298dc09694e5aa0c5a10da96f31b010bdc4e005f0b1aaa

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
79KB

MD5
74706ef9c0a1177d12df1dd594818a1a

SHA1
80cb97ce619d362f67e509e26050a75c8c1e25e3

SHA256
f15d24a8df41d54c83366edf04bea602d1ac5441e6f92a7f300577271153fe13

SHA512
ed431df561aba3cb21cdde79b6bdc4d03b463e53f34d7d5fb23fe4e21798e2d52297843a5e69eeeedd55db78fddaa111365b616de2ca518b745a04c35765618d

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
79KB

MD5
54b4b66ff507f5ef824642609f1b9558

SHA1
a6e6478c254a7bfe0a311a81e36b266e983639f2

SHA256
cb13e9fe934c4ea9412c4da2e7cbb1483866ba3367e09f96df8a1f38b31cfe35

SHA512
79304ea588e8748f9c56cf04c41005772741998a904cf9516b8830fe43e302f13e3c2d60fa202a192a3357cf8cc839cffc3b354bb148b7fdb0fe6ef86bcd4985

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
79KB

MD5
1afbbd28b1f32e156bef4c2666f6b984

SHA1
fbaa3580446a9c3ecd28b943e0971bfcce464db7

SHA256
44a655b5c36149baa2cd7ff212c2285a49d949083b8d45f9c46b5f03ade8f246

SHA512
a367fdb762e9ea354b11135f63b997a2815ec4519cf307895ad85abb9413c338980db2617f1bd3af6782f8c8dd700cf1d7053a7bffda8de9554f2f24ce5dade9

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
79KB

MD5
82b479dd92b01e5b438543e77b6702c6

SHA1
5b23128ca07e48b3993ad93175a5e9a6912a04b5

SHA256
b2c3a22c501cdf023fa66d1215a40b82cdb6f2d92caa18faa6034168092e7db6

SHA512
9bda8e58c35e3b50c54864c8b88fb5f8adfa305def3dacd84678316b05fae407c926ef6a65de35f65dcf4ba63c9af84508877ffd6effc827f75d9bd52c3fdede

Download Submit
memory/364-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/716-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/924-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1036-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1088-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1088-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-581-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1452-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1912-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2228-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3156-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3180-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3264-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3376-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-592-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3552-495-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3576-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3980-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4192-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4412-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4644-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4740-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5076-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads