750ee3cef8db58978f9ce68039b8fbbb9e26746a93d21d401470a26838e02912

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 23:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5fb2ee3ff18687096db6bb5b1cfa8600N.exe
Size

56KB
MD5

5fb2ee3ff18687096db6bb5b1cfa8600
SHA1

31aa790689dffab23b2f9f7179e123d59a73e8c6
SHA256

750ee3cef8db58978f9ce68039b8fbbb9e26746a93d21d401470a26838e02912
SHA512

e19f3e3ec53fb44e0c0e79bd29f2579747de414e9b1640853cc82bf952e337be344f9ace6dcdfdd494bf1818d93790995b2d36913d75edb93c1664e6e45c4d1a
SSDEEP

768:lpJ5UPgKLh8XkvsFFUAlFB543FNDhkYjy8PATidtSPo/aamg4gKZX1pqMsys/1Hm:lpwN8XRfUYo3LDuYjy8IOSgKZaMoYH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe

Executes dropped EXE 64 IoCs

pid	Process
3404	Jifhaenk.exe
3728	Jmbdbd32.exe
3688	Kboljk32.exe
944	Kemhff32.exe
320	Klljnp32.exe
408	Kbfbkj32.exe
2604	Kedoge32.exe
4188	Klngdpdd.exe
3212	Kdeoemeg.exe
2344	Kefkme32.exe
3276	Klqcioba.exe
512	Lbjlfi32.exe
4488	Lmppcbjd.exe
1440	Ldjhpl32.exe
3452	Ligqhc32.exe
3848	Ldleel32.exe
4404	Lfkaag32.exe
4408	Liimncmf.exe
1092	Ldoaklml.exe
3204	Lgmngglp.exe
4816	Lljfpnjg.exe
1564	Lbdolh32.exe
2332	Lingibiq.exe
4052	Lphoelqn.exe
3696	Mbfkbhpa.exe
2160	Mipcob32.exe
2552	Mpjlklok.exe
3592	Megdccmb.exe
1940	Mlampmdo.exe
2640	Mckemg32.exe
2448	Miemjaci.exe
1608	Mpoefk32.exe
3136	Mgimcebb.exe
3312	Mlefklpj.exe
4264	Mnebeogl.exe
3500	Ndokbi32.exe
3080	Ncbknfed.exe
4568	Nngokoej.exe
4632	Ndaggimg.exe
4280	Nebdoa32.exe
1212	Nlmllkja.exe
2304	Ncfdie32.exe
984	Neeqea32.exe
3044	Nloiakho.exe
4424	Ndfqbhia.exe
3700	Nnneknob.exe
4256	Ndhmhh32.exe
4464	Nggjdc32.exe
2980	Nnqbanmo.exe
4292	Oponmilc.exe
1988	Ocnjidkf.exe
3964	Oflgep32.exe
224	Oncofm32.exe
404	Opakbi32.exe
380	Ogkcpbam.exe
5064	Ofnckp32.exe
4420	Oneklm32.exe
4736	Opdghh32.exe
1524	Odocigqg.exe
1064	Ofqpqo32.exe
3620	Onhhamgg.exe
3268	Odapnf32.exe
3908	Ocdqjceo.exe
5016	Ofcmfodb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kedoge32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6224	5640	WerFault.exe	237

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fb2ee3ff18687096db6bb5b1cfa8600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5fb2ee3ff18687096db6bb5b1cfa8600N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3404	4184	5fb2ee3ff18687096db6bb5b1cfa8600N.exe	85
PID 4184 wrote to memory of 3404	4184	5fb2ee3ff18687096db6bb5b1cfa8600N.exe	85
PID 4184 wrote to memory of 3404	4184	5fb2ee3ff18687096db6bb5b1cfa8600N.exe	85
PID 3404 wrote to memory of 3728	3404	Jifhaenk.exe	86
PID 3404 wrote to memory of 3728	3404	Jifhaenk.exe	86
PID 3404 wrote to memory of 3728	3404	Jifhaenk.exe	86
PID 3728 wrote to memory of 3688	3728	Jmbdbd32.exe	87
PID 3728 wrote to memory of 3688	3728	Jmbdbd32.exe	87
PID 3728 wrote to memory of 3688	3728	Jmbdbd32.exe	87
PID 3688 wrote to memory of 944	3688	Kboljk32.exe	88
PID 3688 wrote to memory of 944	3688	Kboljk32.exe	88
PID 3688 wrote to memory of 944	3688	Kboljk32.exe	88
PID 944 wrote to memory of 320	944	Kemhff32.exe	89
PID 944 wrote to memory of 320	944	Kemhff32.exe	89
PID 944 wrote to memory of 320	944	Kemhff32.exe	89
PID 320 wrote to memory of 408	320	Klljnp32.exe	90
PID 320 wrote to memory of 408	320	Klljnp32.exe	90
PID 320 wrote to memory of 408	320	Klljnp32.exe	90
PID 408 wrote to memory of 2604	408	Kbfbkj32.exe	92
PID 408 wrote to memory of 2604	408	Kbfbkj32.exe	92
PID 408 wrote to memory of 2604	408	Kbfbkj32.exe	92
PID 2604 wrote to memory of 4188	2604	Kedoge32.exe	93
PID 2604 wrote to memory of 4188	2604	Kedoge32.exe	93
PID 2604 wrote to memory of 4188	2604	Kedoge32.exe	93
PID 4188 wrote to memory of 3212	4188	Klngdpdd.exe	94
PID 4188 wrote to memory of 3212	4188	Klngdpdd.exe	94
PID 4188 wrote to memory of 3212	4188	Klngdpdd.exe	94
PID 3212 wrote to memory of 2344	3212	Kdeoemeg.exe	95
PID 3212 wrote to memory of 2344	3212	Kdeoemeg.exe	95
PID 3212 wrote to memory of 2344	3212	Kdeoemeg.exe	95
PID 2344 wrote to memory of 3276	2344	Kefkme32.exe	97
PID 2344 wrote to memory of 3276	2344	Kefkme32.exe	97
PID 2344 wrote to memory of 3276	2344	Kefkme32.exe	97
PID 3276 wrote to memory of 512	3276	Klqcioba.exe	98
PID 3276 wrote to memory of 512	3276	Klqcioba.exe	98
PID 3276 wrote to memory of 512	3276	Klqcioba.exe	98
PID 512 wrote to memory of 4488	512	Lbjlfi32.exe	99
PID 512 wrote to memory of 4488	512	Lbjlfi32.exe	99
PID 512 wrote to memory of 4488	512	Lbjlfi32.exe	99
PID 4488 wrote to memory of 1440	4488	Lmppcbjd.exe	100
PID 4488 wrote to memory of 1440	4488	Lmppcbjd.exe	100
PID 4488 wrote to memory of 1440	4488	Lmppcbjd.exe	100
PID 1440 wrote to memory of 3452	1440	Ldjhpl32.exe	102
PID 1440 wrote to memory of 3452	1440	Ldjhpl32.exe	102
PID 1440 wrote to memory of 3452	1440	Ldjhpl32.exe	102
PID 3452 wrote to memory of 3848	3452	Ligqhc32.exe	103
PID 3452 wrote to memory of 3848	3452	Ligqhc32.exe	103
PID 3452 wrote to memory of 3848	3452	Ligqhc32.exe	103
PID 3848 wrote to memory of 4404	3848	Ldleel32.exe	104
PID 3848 wrote to memory of 4404	3848	Ldleel32.exe	104
PID 3848 wrote to memory of 4404	3848	Ldleel32.exe	104
PID 4404 wrote to memory of 4408	4404	Lfkaag32.exe	105
PID 4404 wrote to memory of 4408	4404	Lfkaag32.exe	105
PID 4404 wrote to memory of 4408	4404	Lfkaag32.exe	105
PID 4408 wrote to memory of 1092	4408	Liimncmf.exe	106
PID 4408 wrote to memory of 1092	4408	Liimncmf.exe	106
PID 4408 wrote to memory of 1092	4408	Liimncmf.exe	106
PID 1092 wrote to memory of 3204	1092	Ldoaklml.exe	107
PID 1092 wrote to memory of 3204	1092	Ldoaklml.exe	107
PID 1092 wrote to memory of 3204	1092	Ldoaklml.exe	107
PID 3204 wrote to memory of 4816	3204	Lgmngglp.exe	108
PID 3204 wrote to memory of 4816	3204	Lgmngglp.exe	108
PID 3204 wrote to memory of 4816	3204	Lgmngglp.exe	108
PID 4816 wrote to memory of 1564	4816	Lljfpnjg.exe	109

C:\Users\Admin\AppData\Local\Temp\5fb2ee3ff18687096db6bb5b1cfa8600N.exe
"C:\Users\Admin\AppData\Local\Temp\5fb2ee3ff18687096db6bb5b1cfa8600N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\Jifhaenk.exe
  C:\Windows\system32\Jifhaenk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\Jmbdbd32.exe
    C:\Windows\system32\Jmbdbd32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\Kboljk32.exe
      C:\Windows\system32\Kboljk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        25⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        29⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        31⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        58⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        68⤵
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3300
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        74⤵
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:468
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        79⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        80⤵
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        85⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        89⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3824
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        97⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        99⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        103⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        104⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        106⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        107⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        110⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        111⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        112⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        123⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        127⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        128⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        131⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        137⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1504
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        147⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 396
        148⤵
        Program crash
        
        PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5640 -ip 5640
1⤵
PID:6200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
56KB

MD5
513e96472d67be789b8792336d914a07

SHA1
79b16207d1985f2f80ddf2d8e7b3ab55c89f5494

SHA256
37bb55c2001358121449b03149d61eba368ccb83a5a7a72fd5b2eb74b7f690e8

SHA512
1a2d76f7e0b45a9ac40184c423fbf0621ed64b42d3e05a41df9724a172c62c0f40e4b927e4eaf9459ebb2384416fff3377cc0b148ae6874dc0758ac02afdff4d

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
56KB

MD5
0c7475e1412e3b3670ae88f8b910c78d

SHA1
a70dab8f3de98847d84249c006d61f3ecb19774f

SHA256
d8111ef68fce037a323d23e1397fc31d37d811f3ae17b45226e90940cd0f851f

SHA512
6db238fb0884b71163b4a9eca50d9b99bbadf514f481e444ef9d7f6081150988898a4664a488578d42640fea0f86372f58dd6e6d59cadf82e806991f763972fe

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
56KB

MD5
c44aea909a956c6278a19c5e607bb7d1

SHA1
972687ff8a484334093747d54a14e25497a6a600

SHA256
2425d8e4a71caae31d68ebfa4f9389bd9dad779e18f0cea2668288a3d07008b1

SHA512
3b23226e18a750f4e8679baafb1c0d853bbf0b4a2f7c4d5ae712fd4c471dcfce31df5a064a5f12664037b04d731d8903158107b441511017e348ff92c8c05490

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
56KB

MD5
28149e25149dfca9b79c699b03437ed8

SHA1
adbce8c6cd88f3750c941987f45ead5162958b84

SHA256
039e7016ebd3b7374e0582c990fd5f1a2c6791e518d3523cd51da1a0d1c0e556

SHA512
b5495136fa9ec598a6cf60396fc0656a05ea8cdc2d3d8cfb6e6a79b343bcea27b27d0eb8eece6130de80696d54f3ec2c32ffc66b419be8f6c01f28febfc777dc

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
56KB

MD5
bdf6c37fc8524ae3e6922e9bfd5e7f60

SHA1
152e622c517a3fa54d1b2653aa33987a0c09df73

SHA256
47f01dbec343cddb862956375af3f62aa37b9ef0b43c8c2a9facd0279aa6809b

SHA512
cab5408e097ab3b38e860aa1fc429e95a5aa3bbe1be7a5dbedea7fc04f895b65cecb88fd0686a897622114101969e25facf291fb3dc948c8bdf9aa4901942909

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
56KB

MD5
90228b4314370cde2730f56571bef271

SHA1
2278e50141fcfc560b0a78070d1265acb9f0123f

SHA256
ed2e3838ce4d0a3fb9504c24c94981823ec0bd51812315ea8de87345039eb9ba

SHA512
9c6a79e3ad67f0bfbe72ffa68818df9e75625439b7ca031ab85cf5ed5c29d6d3c7b6dc6d6e8606280905bd3fe2a1737b3ca59caa4f47a2818e0bd90d30a81332

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
56KB

MD5
895bf34e08e1fb4a89c39c85fcc7e108

SHA1
915ee5e5f342461fc69a08a5f887ab8027810315

SHA256
a74023382e2e016e8a4675347ea587a3d4616913eb0049007b24039112d0b996

SHA512
5b13595fa735f526f694e225879340a0bf88a753c26a0676f6b0b703d2a76941fcd73ab8177360e83d8709399ed2d9f8d9602dce9b3eaab47b2609b7f205e11a

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
56KB

MD5
f14b283df99e6aad088dc0f9a365d07c

SHA1
af1928bdfd8550a8b7b425bf137f6d0fcf72dec2

SHA256
4d41e31d7db52f26805ccab466ca32b9a84fe561133541ce7609f407ffa9ecdb

SHA512
de183fd32ee7a7cc087d6290aaaf0837386f72390b8d8ffdcfd795284564dac04d8d017f3e3f835cf784c321522add7e3592acc43b22b67664e95247f530dc38

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
56KB

MD5
5c12b2f7bb5b956e0de3b1290d6cb934

SHA1
fe410b30edd75e49adea041a27167550ab70caf6

SHA256
68eb06603719b248e5c1f49b1e9bb2d203c7d353666c33533a0efac1c578d8ca

SHA512
326ee43967dac229acea702bc306845390e796726a59b33e8c05e52de71517a3425f534439ba1546321cf946784f378845c96fbbdc45f4d327d3d95c1aa90d04

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
56KB

MD5
700f0991697c561e227186b3c597c3b6

SHA1
1400093f05c59101d03b5f3b08285d08781474ea

SHA256
b417b64a1bdc431a8c1b5dd372fd342645ee3235d00f27aaba39484ca6298f1f

SHA512
12696daab7e057c97fb0ce3cd7ec91093a9e291443ec132929f423cb4ca7b40e2546430a306add434f45f4f906b8ae01fbbe1e5959312b44279df6126b2be37f

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
56KB

MD5
19aa1464af9fe52afc046a6b0d266934

SHA1
ceed80c978017f13285bd67d4682d7dcddbae790

SHA256
9eaf59acce6a5f97934a0815f1d04fa4fbe129de2bcf0c682f47ad7874b6fb07

SHA512
0827c7c056334f2fbb1baf618b49fd02e1b76f0b0b33efcf04f28023c2b7b92758a22b4b43727e2764c752eac73143615c25fbb8c2c6e6ff2838ffcde8650b6b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
56KB

MD5
548e8fb4663367e2fc33ce4ed0d241c3

SHA1
6800b4a8c8a5e6b27dd001a9cd1fade9684c924d

SHA256
d10f80f4db8e40225f599bf6423ac9e987c4154d1e0de5da9d2ee695341b689c

SHA512
75273b37a7a86399b4c37fe419120fbd07f3c4955f588feacee8f7849f72f6cf03af68231d0fba737e55a730efee7a04c3259f8d8523970e4a6ba12ac3f4aa77

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
56KB

MD5
67b042a179eddf4043c59c01aa0d55e8

SHA1
d2eac938108a9ff28c767c92c6e05a5d9fbb2770

SHA256
622a35aff1de230d909b4697cd55da657290fd10c5969ee07eb0d97213e176ac

SHA512
81a3b6940778add6b754641613e465e1e73790121b09f11b74eb0c1a91036d4f97ed4e78f4b4307d0f3510b66539616938fcc48505a6b553f2e823d4a5dc0723

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
56KB

MD5
3ba2b3bdce1b4ef2c12381cf71bd7251

SHA1
96953813c2325ca47a29925ec67b32395cdf5951

SHA256
4d3582e00e8c54062658d7c0c44bbbce459506e4c85a83efda169f08d43b0b4f

SHA512
df18d2b8e1979a5eb6c755add713a7666027566988eeb5a6f8572b3f63afffec7a4379e60c058e28873a01449a2f60d96608cc5ad5ac21e69ba9fb3dcd74a955

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
56KB

MD5
ca18a5c02238a7dd623592ae84763112

SHA1
4234e2999198d28dc0a36fec934b0d0a1f1c88b8

SHA256
b091c49ccee504d4d3d456828af9498d2523277fddbea00b769ed1b804cfd7c2

SHA512
8c98748a8017296f0f9b2ac6c5091b7040bb1c40a8bea5d9ae23b6c9f552474814bea7e5d17aa376cb382ba50ca185f8a7777e298b093228e6c186884e747b06

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
56KB

MD5
117af4c120fe79336d6683f61548c32e

SHA1
2d17f5874c2e34f845c87bf95bf2c46401e768ad

SHA256
7eb00bd22c7c132b9fcf477fa6e3b0b09581539a6b70278716d538ffb7419047

SHA512
90ba36ad16fc106bf5b551f77b524287c2c32054e9600c97f597190af3e7d3e12f721cc1b9b9cd8f5a0efbbe2ead0b4292163d9cde092d7cf2e84bc990293a7f

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
56KB

MD5
797e1e2b7451990f09b79820aa7881d9

SHA1
cb22a07dbb5aea6c1c708910ddc6442b758f5017

SHA256
515ddbd5ff94f541492bc98d85c3272edd095a718383d822d23d030548b81bc5

SHA512
3a6e4289ef0309a65a9133ab24bb718c2db2f3897029afb7c66ac6889a54533c0df0899ed48a2ad587d5585ec84de5a8dc12e5388922128a12587f43a8db059c

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
56KB

MD5
82d07cb6efd013209410c2dad6f30c60

SHA1
f52a19cdc962c8e747803633f0e825693b6dfdab

SHA256
f6ba36d5dab505bdc049ed0aa13a90589bc6670ef32f6d66f6d5df7ec2f76800

SHA512
411eb1c1b55657b45747bc94eb11072c465f6a5fae76db4a04227d6524a1b8ac9d53483af50fcd484b802065c6082cc5dd6a5633024c1c0162cf0287ed3b8984

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
56KB

MD5
abfcfa5ff475291ddee1aac10a43a4d2

SHA1
a1fae7905bdb57f1f6c52cc1caed59cfd4955747

SHA256
3dda82f1d133b2ec60f1d8e0bda6afc3c8eabd4422bc209da30d1956d6fc2072

SHA512
d956a3b93b8fea247682fb7496157473cdf40add945d2177ca0b031500eac792a95b75fb2d368edf6c19f10c2cf14335681bb73b1759123506b912b249ce5b4f

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
56KB

MD5
a5ebe8ada60b6ef06468b8ada0ecfbaa

SHA1
8ad9fa034d9c29dd65fce521cd3fadc30127e7bf

SHA256
59f41fc44db9b16dab606179cbef4fa1f58793a3ace018bdc9f260aa4b2ba148

SHA512
bbe22ee34cece1c32f6168e597303a370c7acb2a465c951ed2a4a20f97ab96a5ff4490ed37568aef9d7fa1034989f9bbe3cc25d7fb81c03d5a1ff8d698c5e143

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
56KB

MD5
8d399bfb3dfbd8269f5a0c10b71a3a1c

SHA1
7324f20ce01285d7a357712cb21a1a1b110a84a8

SHA256
1cf12ff4750ec1f018167de8983baa1616f6515bde130f4c20e872792aac4025

SHA512
875a6989542e7f68141b0a5b1a2a8cc393d73e847864b83a39224a3c561d583b635677bcebc862d143858352ecc59f2df785b714de816db9a3a2b79785658399

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
56KB

MD5
f41da203734ddbd67b24495241933f0e

SHA1
2783e73f3c9dac22df10d1c1103110f6abb43f2f

SHA256
2c191f510f5962e73c5838921a7d4e2404b17d95fb2c556e90b857b1a22ce78c

SHA512
ff5948608e019c0a642d5fbd1e03475228ab0be73d845f6a7746817a0d189df618c45b7878db4cf63738f49921ad135fb6e66c023882efbcb9743ec4370d8779

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
56KB

MD5
6e8a3da6dd6108a2d72adc1bbca158f5

SHA1
ea5890af16ed7c4a99e0090bf6f7981dc66801c3

SHA256
c4aabd614196f40ca09a39b7d89d025b06e6a4157294fcedf4d47acb51d86e2b

SHA512
06b5508cd68fd48cc62eb9c2d31b1c2f363573688077d2966ad97bd539574aa778ade70c35fabef6e960f738f0630103cca7011551fc4a2338c0ba34a11431f8

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
56KB

MD5
7bf0e6059fb8a1f54edab25c38cdc4d1

SHA1
73ef661b5b3fa82f11737092861147e72d8f1bdd

SHA256
18fd3bc7dac20f76111e528b36014b2a7e5d7cfabe3d664cab46823d8b813390

SHA512
e7e04a0df71ec17571675259a1a8edbc9c3180d9e6a570baaad4131f0ae9421826ce531db3c47a2d19cc2aa143f7f5c4e99ae98d09c416e601d940953d906066

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
56KB

MD5
f64de2f92adbbd2af3e3953d0fac19fc

SHA1
fc858b5792c29814d2eb71fce8bd17d4fd5c95d3

SHA256
58aae56591e5654983ac1b35cee6c52734594d0f854240e649a375fcc3ee1fe9

SHA512
2d391d8b01413387a32544050ecb6c30187e43449287698a4c564126f2238d715f86a15078e45b7fdae84da1fde9404d651081fcd5eff2cb8932e317305eae91

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
56KB

MD5
d775e45b4c668ab5714b7c3cc99dd9cd

SHA1
e13680fb082fc148eca333286583b2ec10a822d4

SHA256
c5dd3ded5c7774bacaeca38379b8df99b78a903d4aa125f9e8d4abc7d9b819a9

SHA512
551c332e033eee6230571387f9febcdebde166adf00928436e384018a577b14bb745897b52782136f0fad7dee5032943918d978a20fbd7780afe716af3932884

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
56KB

MD5
d82ac6eeccedcf011754939abceb7f1d

SHA1
42afd9253cffcb9b44c3551a26005afce392b69c

SHA256
b6d1b678c09d4cfc88dadb8769876ca352049eb8c277e64c87e9ce25d2669a34

SHA512
aed441d48c41d97e689d8adf41564d6c3561e0ec04d3151e8b88e053cc01b561120a28f5c2ed79096d470b9d1843caf1ddfdb9e04fd259397be1b8ce825534c9

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
56KB

MD5
449ae594a93289e866f6c67da5ff2e00

SHA1
d3ffe865acd570e7907f00b821a2cf254e742ab1

SHA256
33c59899bfdea1388150bc8c1c85f0a2dd8b7c4d14b5e9d2bc524c42a72bd001

SHA512
f78dcfcd46be96495914165b9dfb22f9cc0083eaad966fc62250845557bc836486c33efeb34c5615cc5da69f8f2135665b9ed4e4540318f38364b45c01996aa4

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
56KB

MD5
22f85a4511915ac58b2be4c094e8f51d

SHA1
83f64dc5a0bc8514612fb42a06e84fb67e9cdf38

SHA256
56ae96551588d36092d17c376b997c7d68bd78dba52a39e3114c1076625fd50e

SHA512
c057bf9f14bc25509ba82f77e462fac092475d05339e4bd13c89f06908fb0950cc48fe0a628c14a118217b4109a4040d87da36ef7d618913b08d0f403558864e

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
56KB

MD5
38b562961d4471510573a6560976cb8a

SHA1
d98c3e2b87eaa458b56d82e31392739c41d6a9c2

SHA256
44979587a31e4e060eb03d16e4248cbd95de66c54687a9e7432c46b620a19234

SHA512
3528b4203b69a1ab3d420310fd4f154dc43b4cd9cc5877470e67e7b4f8f6526ff527fc44effc8cb67a744f3ba050e4b4cbe978a613a6107b4b8e78fb38016073

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
56KB

MD5
2c36f50b67e09d9ce00a81fdff039a13

SHA1
9be9e9d2794494d14023d8b2eeead08b61e7ce77

SHA256
647512e240c592163a9ca430f67ba882198af0f74c9f0d57a6bcbea496381af3

SHA512
a56ba8112d00ffc94fddd5211ff3e6d03470d721b93f66b9f3c7cc4af1c2ad0402d62ece3b991239ee74f172520fa9c5e99b0852059f862d4b68408372369c92

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
56KB

MD5
05dad1b6398efcb992524ad6e431191e

SHA1
a08d69a966bcbb11cf3f52bd20f8691d87bdbe38

SHA256
98a7fc70fff51d93c256e3f526f9c977aa588e709e7382776a229220a7989d2b

SHA512
bd71d4c321e39f6096e8f5d24d404a3afe2e2eeda61d7e5e72a60075fb198d8068eafe92a94627fd2fde7f79c61726d35484e47021770aa0b34341f9656f387c

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
56KB

MD5
8b1ab7f2215cd85f1479b83d4c518535

SHA1
6a8ec012cc7ce600315dfac25a07cafc7d4da742

SHA256
4eac2fa717aa5ab7b75a5b0f109c73c9f03f86df9b563f6c735178516e250e3c

SHA512
3a4e43939afe17e2dc077ed095844ee3c2279a967933bd386ed5bb3de8b2c8f4c02212802241f5758c6e1b8d53444f5df6eee6fca35f1b262dc50e09a4be0287

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
56KB

MD5
d4aee08bcec6e583bb94e28b7a5eab38

SHA1
176f2ffd7bc3ea6c684ccd2e098b6acfd981fe41

SHA256
baeb49242d5532168d2cbbfb7eaf786075e8315f74ebdd188c5e069bc86ea062

SHA512
6a489a9af10a9b07bb5d9c1426c7fbd77a31611d35c40badf9bd60413d78374490325ed0f9ecc05413b0ed63cfebe3791ddd9cfc229bc1d41160d5ad31dc8462

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
56KB

MD5
45be65e12c6bba72086de291b725933c

SHA1
04126f4f14acff831f6dec62ec831c74e8376fa6

SHA256
38ee6d442a935f76ecf80480f04f526f158399a3f9e6feab2f3ded009d0f19b1

SHA512
a9e020a897f930dc28f409cba0a259a2cabfb4123c7b6a1f3b814c816aa8c6eae23a08e31f8f591d6595fc8666db452f935e4ba572dfe9de32c800a187a67c82

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
56KB

MD5
0681d7aa0b51094948a2eda93b433fbe

SHA1
398ad59266e6088c4f12ff7712cc5bc9ebe2429a

SHA256
73ca5b0f1b8633f621ac0abcecdca56d9b9c91b6ab248e0460a66f8869059286

SHA512
fdf4679402baf0eb88640657de1a8efc67448a3dfb1852e33769fa10fa4ff9efc4753bdeb44e9c7335daca481b72773cc83374d4e59547551c68fd5954386a35

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
56KB

MD5
cc5934148c0e6a73e44093431ca15337

SHA1
68aa76e79a2018925fae73c29c6f2b16d72fa453

SHA256
6c497e13bd671f3c39741d27211e22b6f03fe4e00d909a4bb5b1eb9259f08a89

SHA512
5ff9d9b1dbd92781159b304b01fb9c68c89c8e3fdc1f1a599ad755ca0de46f2ca989a17fb8b76b56fbe18695019d03dfbc8e6c36e516c434f3e236e85fd13c3e

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
56KB

MD5
d32586fb87158126a7e3dae933086eac

SHA1
e12beda4c83a36f439764ad39dae69b1697bc194

SHA256
d40219f7fc4d4a576d4775054b0eea2e347bea42d88895958bd372430f5488d8

SHA512
a3b2b337b1abb7de36ffa3d631c3ce34ba39cb0936b0b0f785764613e969a674f3c55b39c96ea3695417cf084036a72adf4b6c6a7d18806ad2b38048cf2fda8a

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
56KB

MD5
5ff29dc6ae64baf56d5d7f2a3d2b3333

SHA1
4ef30bcc561aef9bce3389eee8c61682888db13f

SHA256
77657f528d58abada2b5073c62586f461688080a2cdce506b67a3665ea916658

SHA512
fb39e442aa9e7f3d2c23b66b772af898c2f4548840b20790c74a8388bd70c3379a0ea73e28f36ce0b36563529d86d5f7a52508d97ba9291aaf955c3f8ec75956

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
56KB

MD5
feb838953f9b38d6bbc0c633459fd055

SHA1
52c17972d17d9f8a30c91b13d9e2af440ae7b3ee

SHA256
2278fd1cc8c4f1463014bca222979480d8f618becc0b30e001ebd4033e480c28

SHA512
cee322df78180c854a2cba39484f5d5fd58d704cfadcb488183f34277004d671bee9e602aa667b72b5a1eaba0783afbc68ef1a8a0f9ebb546308486db6fd7d67

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
56KB

MD5
13e41c0e0fa554e94e6b22784adb5cc2

SHA1
1ddae830824f6a7081d3b3d91a060304ad0ddd70

SHA256
835b036f66e0e0da8bcba954f91a8a3a7207d97de6a59f1cf02f42523d809d38

SHA512
293b3ad747c08bcaa79fbf0352ddece03427fc5fac6825d059b116eb226f0968434828e653c1981fdf454efbd2165b5e6e1d54b5ce2c1bd9c4e999077a13c8da

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
56KB

MD5
33d6122aa1c45f62827d4b6d1cf153a3

SHA1
cf01847252c9cee36e0055796f9b05c2d892cca7

SHA256
30cdd31f8c64ac208a85e252963aaadc891eb7bab98dd30b3a6aecc1cf922ab2

SHA512
0d8652b0d244c3ede71d5b2a0990951d9e1e1defa4e8e7023a43926b04b6988a92954636beb066f25327944b8ca4bae6f11e6a0366798d1558b3a025e97c7094

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
56KB

MD5
9936e089343ed719a905cf9e50996acd

SHA1
738f6ae725254c30a47a03a9a9ea91a781509ddd

SHA256
0896e155658ccb32707244f2194effb3fad2ae747c17368722df057622016c7d

SHA512
15a1944fa6f6c0dc776a2a3268fe0e875908f42512a2f822c7bed9e331e77318cba2ef7e65b1922e4c624318b74bd7041439408d8d194689c976278aa3f7e4f8

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
56KB

MD5
a71f018bd1e847809113394fd4b0521b

SHA1
f164863de15cf329391d56f44e9f7b0dc1fa6e24

SHA256
fffe14db00c543a836059b1554cc2d9294bc415e2bf5354d223fa9bf5059d4bc

SHA512
d3781d5a99c578a1b4bf8b82df121ca8414f68928f8568cecdb6e653b904500465aa48e348335550bd8be639c9df8c59a78b67614529d9beac8cab0170899b76

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
56KB

MD5
5d2a78c335fd106313632e7d6222fee9

SHA1
f495ca0e717711facd205d6c79421259869f241f

SHA256
9ace27e86b62c9c90ba3bd8bd5d4ba3fc87ab43893e00abfa146c9bba71f019a

SHA512
a1410efcea3fd14043d9c10a8dc142e1776d52863b82971a5a3c1502f27b93b9dfafe62d5ec61c601d9be4dc09b5d5abcd6854dd1888ca2e8278253a1b8ecf7f

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
56KB

MD5
6dc76d7c0a3ebddf8058fac3d35299be

SHA1
d6f90a035bc68bb5dfe0bb8d491c3bd71160de73

SHA256
43351546273c93bc081809f826e2197cd11216233a3cab3b0a3a3f0a451be53c

SHA512
6f814be42e3c4f26cd56600673b2504dffb2b48faa12f251c48557ffdff0b2c67d5bc53a40efbe51f6363fd80fe07805f734dd2b5dd8932e21fa433a789e4d8b

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
56KB

MD5
8abc53cd6243f5a188917cee97488278

SHA1
3ea70e6533c5283f768e33e7df1962ef96b12f5c

SHA256
f99b058dea52d7dc3a9b8cf14d34d5e5f6068af30ae92815350fe0e577b90f56

SHA512
53000099d86de9872c636c3a6c075eabe562e50fe1b3be561e434ee773ed82fd93f8d683335f7433e066f066827e5742f9ab9f72788ad67d33b1af6c7ff032d6

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
56KB

MD5
0e53867908b19542365546e3e3f5326f

SHA1
ad7f49e683e47822891169ededa8f3e34c771489

SHA256
7be2283144e4c354d00f6c38aee85239cb37c97bb5ec223728c7b589354b1142

SHA512
410b9263c7f1f48e26283062d874b4dc641ca8144271c363128bf9e419f6b75aa3371a7cb2ee634032032bb5c432f402c7bee33f79d0c7a66e9e098e6239c482

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
56KB

MD5
4477bb21d380851eafe514c060fdc72a

SHA1
531cb0ab0887dc0639ecd5be0f87a0d61429305a

SHA256
f982bc91004540744fdf146eacecb6c2e161b236d4f564cf9afacc8feebc1d74

SHA512
d0eaeb883c14e5b70d8fe2095b23074753d8810f2d80902e320b20831e1307039ff7fb69ccff580dd7f558417e2a2eeea3916e0ae259c7e2ef736450858f8752

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
56KB

MD5
ebac08f7793ead29c2d8b587bd6e5605

SHA1
3acf889e24fa4f2dfca30382d6f97af9d429987b

SHA256
a90c129fce6189544818151a1a596154ac358622491073f56b8a5edd3df168ec

SHA512
8d2d7b400afeeaf9f61cf15a697d01ddd943cbe180041570675b4d641829010713ad6efcec5ac402b54f912782dcf7d4801810480bfb9f34c7a193c423714941

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
56KB

MD5
fde26f8562a5cc385e116492d4a3fd41

SHA1
0a918daaa5bda3cffeaa67e5810849521bcb7d8e

SHA256
238668528844d9be82d93ceb5fdfe7873665646e3634b40450bee0f7007ce27b

SHA512
489cb0c50d34874d99bd566c42c7a94eb10244af581bc33e5cedfb92807c32e0fe17b494db3946c2cb0fae72536188c6d5d85b1d3dad6005ea2aa721880a6160

Download Submit
memory/320-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4188-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5456-1084-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads