ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Size

80KB
MD5

64f69aa6fe35fcac40bcc3fe37d3a478
SHA1

ace5061ab261c1d0855528b463493accd4832ffc
SHA256

ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6
SHA512

6ee09b6914b4c3fe3386c0f297549fa7be3b4affaf6e5f2a14fd17ef05f15299e22cf02ff6c84ade07ee7e06c67cb3564eab921ff6f717e9cfbfe4ab5cf60d89
SSDEEP

1536:1R6G+t8eN5HDk38zbTns8wxLHZ4VY/y2LQS5DUHRbPa9b6i+sIk:1RwuOtk38zbTsZt4VY//QS5DSCopsIk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khagijcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgnjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbadagln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfchqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhkkim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammmlcgi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efoifiep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpgfbom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miocmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nobndj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklopg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfjbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooggpiek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmaphmln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lophacfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meljbqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnhpdke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kijmbnpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklopg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lonlkcho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lonlkcho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onoqfehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adiaommc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcikog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopaoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbadagln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djoeki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmaphmln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kijmbnpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijiaabk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjjpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpgfbom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koibpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meljbqna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgcdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncjad32.exe

Executes dropped EXE 64 IoCs

pid	Process
2128	Jjpgfbom.exe
2748	Jcikog32.exe
2104	Kmaphmln.exe
2820	Kbnhpdke.exe
2484	Kijmbnpo.exe
2512	Koibpd32.exe
2900	Khagijcd.exe
2120	Lonlkcho.exe
2256	Lophacfl.exe
564	Lijiaabk.exe
3020	Lgnjke32.exe
3016	Miocmq32.exe
2072	Meecaa32.exe
1692	Mkdioh32.exe
2112	Maoalb32.exe
2168	Meljbqna.exe
2368	Npfjbn32.exe
2788	Nklopg32.exe
2384	Ncgcdi32.exe
784	Nopaoj32.exe
584	Nobndj32.exe
2872	Obcffefa.exe
1560	Ooggpiek.exe
2240	Oiahnnji.exe
2220	Onoqfehp.exe
2572	Okbapi32.exe
2776	Pncjad32.exe
836	Pglojj32.exe
2856	Ppipdl32.exe
2516	Pfchqf32.exe
3004	Pfeeff32.exe
1564	Plbmom32.exe
2396	Qhkkim32.exe
2944	Afqhjj32.exe
2132	Aaflgb32.exe
336	Ammmlcgi.exe
1792	Adiaommc.exe
2160	Appbcn32.exe
1280	Bkcfjk32.exe
2960	Chggdoee.exe
2192	Caokmd32.exe
956	Cjjpag32.exe
1316	Cjmmffgn.exe
2444	Cceapl32.exe
1764	Ccgnelll.exe
2440	Cffjagko.exe
2052	Dlpbna32.exe
2436	Dcjjkkji.exe
2208	Ddkgbc32.exe
2908	Dboglhna.exe
1604	Dhiphb32.exe
2740	Dbadagln.exe
2492	Dgnminke.exe
2540	Dqfabdaf.exe
2996	Djoeki32.exe
1268	Dqinhcoc.exe
1732	Enmnahnm.exe
2536	Epnkip32.exe
2672	Eifobe32.exe
2248	Epqgopbi.exe
2420	Ejfllhao.exe
1516	Ekghcq32.exe
1852	Ebappk32.exe
1352	Eikimeff.exe

Loads dropped DLL 64 IoCs

pid	Process
2992	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
2992	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
2128	Jjpgfbom.exe
2128	Jjpgfbom.exe
2748	Jcikog32.exe
2748	Jcikog32.exe
2104	Kmaphmln.exe
2104	Kmaphmln.exe
2820	Kbnhpdke.exe
2820	Kbnhpdke.exe
2484	Kijmbnpo.exe
2484	Kijmbnpo.exe
2512	Koibpd32.exe
2512	Koibpd32.exe
2900	Khagijcd.exe
2900	Khagijcd.exe
2120	Lonlkcho.exe
2120	Lonlkcho.exe
2256	Lophacfl.exe
2256	Lophacfl.exe
564	Lijiaabk.exe
564	Lijiaabk.exe
3020	Lgnjke32.exe
3020	Lgnjke32.exe
3016	Miocmq32.exe
3016	Miocmq32.exe
2072	Meecaa32.exe
2072	Meecaa32.exe
1692	Mkdioh32.exe
1692	Mkdioh32.exe
2112	Maoalb32.exe
2112	Maoalb32.exe
2168	Meljbqna.exe
2168	Meljbqna.exe
2368	Npfjbn32.exe
2368	Npfjbn32.exe
2788	Nklopg32.exe
2788	Nklopg32.exe
2384	Ncgcdi32.exe
2384	Ncgcdi32.exe
784	Nopaoj32.exe
784	Nopaoj32.exe
584	Nobndj32.exe
584	Nobndj32.exe
2872	Obcffefa.exe
2872	Obcffefa.exe
1560	Ooggpiek.exe
1560	Ooggpiek.exe
2240	Oiahnnji.exe
2240	Oiahnnji.exe
2220	Onoqfehp.exe
2220	Onoqfehp.exe
2572	Okbapi32.exe
2572	Okbapi32.exe
2776	Pncjad32.exe
2776	Pncjad32.exe
836	Pglojj32.exe
836	Pglojj32.exe
2856	Ppipdl32.exe
2856	Ppipdl32.exe
2516	Pfchqf32.exe
2516	Pfchqf32.exe
3004	Pfeeff32.exe
3004	Pfeeff32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cnfnhaca.dll	Nopaoj32.exe
File created	C:\Windows\SysWOW64\Lgnjke32.exe	Lijiaabk.exe
File created	C:\Windows\SysWOW64\Bkcfjk32.exe	Appbcn32.exe
File created	C:\Windows\SysWOW64\Eifobe32.exe	Epnkip32.exe
File created	C:\Windows\SysWOW64\Ebappk32.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Epeajo32.exe	Eikimeff.exe
File opened for modification	C:\Windows\SysWOW64\Plbmom32.exe	Pfeeff32.exe
File opened for modification	C:\Windows\SysWOW64\Lonlkcho.exe	Khagijcd.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Mkdioh32.exe	Meecaa32.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Epnkip32.exe
File created	C:\Windows\SysWOW64\Kbnhpdke.exe	Kmaphmln.exe
File created	C:\Windows\SysWOW64\Nobndj32.exe	Nopaoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nobndj32.exe	Nopaoj32.exe
File opened for modification	C:\Windows\SysWOW64\Epqgopbi.exe	Eifobe32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgnoo32.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Neajod32.dll	Lgnjke32.exe
File created	C:\Windows\SysWOW64\Pjnpoh32.dll	Lophacfl.exe
File created	C:\Windows\SysWOW64\Qgfnod32.dll	Maoalb32.exe
File created	C:\Windows\SysWOW64\Copjlmfa.dll	Nobndj32.exe
File created	C:\Windows\SysWOW64\Jnenhj32.dll	Jjpgfbom.exe
File created	C:\Windows\SysWOW64\Oiahnnji.exe	Ooggpiek.exe
File created	C:\Windows\SysWOW64\Ppipdl32.exe	Pglojj32.exe
File created	C:\Windows\SysWOW64\Ejfllhao.exe	Epqgopbi.exe
File opened for modification	C:\Windows\SysWOW64\Ncgcdi32.exe	Nklopg32.exe
File created	C:\Windows\SysWOW64\Gnokee32.dll	Ppipdl32.exe
File opened for modification	C:\Windows\SysWOW64\Chggdoee.exe	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Hmdkip32.dll	Djoeki32.exe
File created	C:\Windows\SysWOW64\Pncjad32.exe	Okbapi32.exe
File opened for modification	C:\Windows\SysWOW64\Bkcfjk32.exe	Appbcn32.exe
File created	C:\Windows\SysWOW64\Caokmd32.exe	Chggdoee.exe
File opened for modification	C:\Windows\SysWOW64\Pfeeff32.exe	Pfchqf32.exe
File created	C:\Windows\SysWOW64\Miocmq32.exe	Lgnjke32.exe
File created	C:\Windows\SysWOW64\Qhkkim32.exe	Plbmom32.exe
File opened for modification	C:\Windows\SysWOW64\Qhkkim32.exe	Plbmom32.exe
File created	C:\Windows\SysWOW64\Lijiaabk.exe	Lophacfl.exe
File created	C:\Windows\SysWOW64\Cjjpag32.exe	Caokmd32.exe
File created	C:\Windows\SysWOW64\Eqnpepil.dll	Ncgcdi32.exe
File created	C:\Windows\SysWOW64\Kcacil32.dll	Chggdoee.exe
File opened for modification	C:\Windows\SysWOW64\Ddkgbc32.exe	Dcjjkkji.exe
File opened for modification	C:\Windows\SysWOW64\Epeajo32.exe	Eikimeff.exe
File created	C:\Windows\SysWOW64\Jcikog32.exe	Jjpgfbom.exe
File created	C:\Windows\SysWOW64\Dqinhcoc.exe	Djoeki32.exe
File created	C:\Windows\SysWOW64\Peecqfmk.dll	Koibpd32.exe
File created	C:\Windows\SysWOW64\Npfjbn32.exe	Meljbqna.exe
File created	C:\Windows\SysWOW64\Honlnbae.dll	Meljbqna.exe
File created	C:\Windows\SysWOW64\Afqhjj32.exe	Qhkkim32.exe
File created	C:\Windows\SysWOW64\Dcjjkkji.exe	Dlpbna32.exe
File opened for modification	C:\Windows\SysWOW64\Dgnminke.exe	Dbadagln.exe
File created	C:\Windows\SysWOW64\Eomohejp.dll	Eikimeff.exe
File created	C:\Windows\SysWOW64\Fpgnoo32.exe	Egpena32.exe
File opened for modification	C:\Windows\SysWOW64\Meljbqna.exe	Maoalb32.exe
File created	C:\Windows\SysWOW64\Obcffefa.exe	Nobndj32.exe
File opened for modification	C:\Windows\SysWOW64\Okbapi32.exe	Onoqfehp.exe
File opened for modification	C:\Windows\SysWOW64\Dlpbna32.exe	Cffjagko.exe
File created	C:\Windows\SysWOW64\Ekghcq32.exe	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Kijmbnpo.exe	Kbnhpdke.exe
File created	C:\Windows\SysWOW64\Ipoidefp.dll	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Fpgnoo32.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Fpgnoo32.exe
File opened for modification	C:\Windows\SysWOW64\Kijmbnpo.exe	Kbnhpdke.exe
File opened for modification	C:\Windows\SysWOW64\Ammmlcgi.exe	Aaflgb32.exe
File created	C:\Windows\SysWOW64\Kgagag32.dll	Aaflgb32.exe
File created	C:\Windows\SysWOW64\Ppfafphp.dll	Kbnhpdke.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1252	2616	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjpgfbom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcikog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lophacfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffjagko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqinhcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khagijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nklopg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeeff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmmffgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkdioh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoalb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kijmbnpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgnjke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djoeki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koibpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lijiaabk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfjbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcfjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonlkcho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooggpiek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pglojj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appbcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqfabdaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meecaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obcffefa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eikimeff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meljbqna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjjpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epeajo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobndj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiahnnji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onoqfehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaflgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miocmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppipdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqhjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adiaommc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfchqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhkkim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cceapl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmnahnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnhpdke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncgcdi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnhaca.dll"	Nopaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfeeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhejoigh.dll"	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noggch32.dll"	Mkdioh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkdioh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neajod32.dll"	Lgnjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgnjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apenjhfe.dll"	Meecaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhkkim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfbgoj32.dll"	Oiahnnji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdimmi.dll"	Cjjpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cceapl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijiaabk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miocmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ammmlcgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll"	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkcdb32.dll"	Adiaommc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adiaommc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlanmb32.dll"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khagijcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooggpiek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbnhpdke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfeeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnenhc32.dll"	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obcffefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipoidefp.dll"	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoeff32.dll"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgkjp32.dll"	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbnhpdke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnoim32.dll"	Miocmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll"	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfnod32.dll"	Maoalb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebeabe.dll"	Lonlkcho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djoeki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfafphp.dll"	Kbnhpdke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlbn32.dll"	Ammmlcgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbadagln.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2128	2992	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe	30
PID 2992 wrote to memory of 2128	2992	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe	30
PID 2992 wrote to memory of 2128	2992	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe	30
PID 2992 wrote to memory of 2128	2992	ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe	30
PID 2128 wrote to memory of 2748	2128	Jjpgfbom.exe	31
PID 2128 wrote to memory of 2748	2128	Jjpgfbom.exe	31
PID 2128 wrote to memory of 2748	2128	Jjpgfbom.exe	31
PID 2128 wrote to memory of 2748	2128	Jjpgfbom.exe	31
PID 2748 wrote to memory of 2104	2748	Jcikog32.exe	32
PID 2748 wrote to memory of 2104	2748	Jcikog32.exe	32
PID 2748 wrote to memory of 2104	2748	Jcikog32.exe	32
PID 2748 wrote to memory of 2104	2748	Jcikog32.exe	32
PID 2104 wrote to memory of 2820	2104	Kmaphmln.exe	33
PID 2104 wrote to memory of 2820	2104	Kmaphmln.exe	33
PID 2104 wrote to memory of 2820	2104	Kmaphmln.exe	33
PID 2104 wrote to memory of 2820	2104	Kmaphmln.exe	33
PID 2820 wrote to memory of 2484	2820	Kbnhpdke.exe	34
PID 2820 wrote to memory of 2484	2820	Kbnhpdke.exe	34
PID 2820 wrote to memory of 2484	2820	Kbnhpdke.exe	34
PID 2820 wrote to memory of 2484	2820	Kbnhpdke.exe	34
PID 2484 wrote to memory of 2512	2484	Kijmbnpo.exe	35
PID 2484 wrote to memory of 2512	2484	Kijmbnpo.exe	35
PID 2484 wrote to memory of 2512	2484	Kijmbnpo.exe	35
PID 2484 wrote to memory of 2512	2484	Kijmbnpo.exe	35
PID 2512 wrote to memory of 2900	2512	Koibpd32.exe	36
PID 2512 wrote to memory of 2900	2512	Koibpd32.exe	36
PID 2512 wrote to memory of 2900	2512	Koibpd32.exe	36
PID 2512 wrote to memory of 2900	2512	Koibpd32.exe	36
PID 2900 wrote to memory of 2120	2900	Khagijcd.exe	37
PID 2900 wrote to memory of 2120	2900	Khagijcd.exe	37
PID 2900 wrote to memory of 2120	2900	Khagijcd.exe	37
PID 2900 wrote to memory of 2120	2900	Khagijcd.exe	37
PID 2120 wrote to memory of 2256	2120	Lonlkcho.exe	38
PID 2120 wrote to memory of 2256	2120	Lonlkcho.exe	38
PID 2120 wrote to memory of 2256	2120	Lonlkcho.exe	38
PID 2120 wrote to memory of 2256	2120	Lonlkcho.exe	38
PID 2256 wrote to memory of 564	2256	Lophacfl.exe	39
PID 2256 wrote to memory of 564	2256	Lophacfl.exe	39
PID 2256 wrote to memory of 564	2256	Lophacfl.exe	39
PID 2256 wrote to memory of 564	2256	Lophacfl.exe	39
PID 564 wrote to memory of 3020	564	Lijiaabk.exe	40
PID 564 wrote to memory of 3020	564	Lijiaabk.exe	40
PID 564 wrote to memory of 3020	564	Lijiaabk.exe	40
PID 564 wrote to memory of 3020	564	Lijiaabk.exe	40
PID 3020 wrote to memory of 3016	3020	Lgnjke32.exe	41
PID 3020 wrote to memory of 3016	3020	Lgnjke32.exe	41
PID 3020 wrote to memory of 3016	3020	Lgnjke32.exe	41
PID 3020 wrote to memory of 3016	3020	Lgnjke32.exe	41
PID 3016 wrote to memory of 2072	3016	Miocmq32.exe	42
PID 3016 wrote to memory of 2072	3016	Miocmq32.exe	42
PID 3016 wrote to memory of 2072	3016	Miocmq32.exe	42
PID 3016 wrote to memory of 2072	3016	Miocmq32.exe	42
PID 2072 wrote to memory of 1692	2072	Meecaa32.exe	43
PID 2072 wrote to memory of 1692	2072	Meecaa32.exe	43
PID 2072 wrote to memory of 1692	2072	Meecaa32.exe	43
PID 2072 wrote to memory of 1692	2072	Meecaa32.exe	43
PID 1692 wrote to memory of 2112	1692	Mkdioh32.exe	44
PID 1692 wrote to memory of 2112	1692	Mkdioh32.exe	44
PID 1692 wrote to memory of 2112	1692	Mkdioh32.exe	44
PID 1692 wrote to memory of 2112	1692	Mkdioh32.exe	44
PID 2112 wrote to memory of 2168	2112	Maoalb32.exe	45
PID 2112 wrote to memory of 2168	2112	Maoalb32.exe	45
PID 2112 wrote to memory of 2168	2112	Maoalb32.exe	45
PID 2112 wrote to memory of 2168	2112	Maoalb32.exe	45

C:\Users\Admin\AppData\Local\Temp\ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe
"C:\Users\Admin\AppData\Local\Temp\ff9d440a82e12fa9c8b870cdd5dd7b53ca197a1ae651d6b0a2a510b6d7314fb6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Jjpgfbom.exe
  C:\Windows\system32\Jjpgfbom.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\Jcikog32.exe
    C:\Windows\system32\Jcikog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\Kmaphmln.exe
      C:\Windows\system32\Kmaphmln.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\Kbnhpdke.exe
        
        C:\Windows\system32\Kbnhpdke.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Kijmbnpo.exe
        
        C:\Windows\system32\Kijmbnpo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Koibpd32.exe
        
        C:\Windows\system32\Koibpd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Khagijcd.exe
        
        C:\Windows\system32\Khagijcd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Lonlkcho.exe
        
        C:\Windows\system32\Lonlkcho.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Lophacfl.exe
        
        C:\Windows\system32\Lophacfl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Lijiaabk.exe
        
        C:\Windows\system32\Lijiaabk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Lgnjke32.exe
        
        C:\Windows\system32\Lgnjke32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Miocmq32.exe
        
        C:\Windows\system32\Miocmq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Meecaa32.exe
        
        C:\Windows\system32\Meecaa32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Mkdioh32.exe
        
        C:\Windows\system32\Mkdioh32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Maoalb32.exe
        
        C:\Windows\system32\Maoalb32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Meljbqna.exe
        
        C:\Windows\system32\Meljbqna.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Npfjbn32.exe
        
        C:\Windows\system32\Npfjbn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Nklopg32.exe
        
        C:\Windows\system32\Nklopg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Ncgcdi32.exe
        
        C:\Windows\system32\Ncgcdi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Nopaoj32.exe
        
        C:\Windows\system32\Nopaoj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Nobndj32.exe
        
        C:\Windows\system32\Nobndj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\Obcffefa.exe
        
        C:\Windows\system32\Obcffefa.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Ooggpiek.exe
        
        C:\Windows\system32\Ooggpiek.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Oiahnnji.exe
        
        C:\Windows\system32\Oiahnnji.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Onoqfehp.exe
        
        C:\Windows\system32\Onoqfehp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Okbapi32.exe
        
        C:\Windows\system32\Okbapi32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Pncjad32.exe
        
        C:\Windows\system32\Pncjad32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Pglojj32.exe
        
        C:\Windows\system32\Pglojj32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Ppipdl32.exe
        
        C:\Windows\system32\Ppipdl32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Pfchqf32.exe
        
        C:\Windows\system32\Pfchqf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Pfeeff32.exe
        
        C:\Windows\system32\Pfeeff32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Plbmom32.exe
        
        C:\Windows\system32\Plbmom32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Qhkkim32.exe
        
        C:\Windows\system32\Qhkkim32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Afqhjj32.exe
        
        C:\Windows\system32\Afqhjj32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Aaflgb32.exe
        
        C:\Windows\system32\Aaflgb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Ammmlcgi.exe
        
        C:\Windows\system32\Ammmlcgi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Adiaommc.exe
        
        C:\Windows\system32\Adiaommc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Appbcn32.exe
        
        C:\Windows\system32\Appbcn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Bkcfjk32.exe
        
        C:\Windows\system32\Bkcfjk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Caokmd32.exe
        
        C:\Windows\system32\Caokmd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cjjpag32.exe
        
        C:\Windows\system32\Cjjpag32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Cjmmffgn.exe
        
        C:\Windows\system32\Cjmmffgn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Cceapl32.exe
        
        C:\Windows\system32\Cceapl32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Cffjagko.exe
        
        C:\Windows\system32\Cffjagko.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Dlpbna32.exe
        
        C:\Windows\system32\Dlpbna32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ddkgbc32.exe
        
        C:\Windows\system32\Ddkgbc32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Dqfabdaf.exe
        
        C:\Windows\system32\Dqfabdaf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Djoeki32.exe
        
        C:\Windows\system32\Djoeki32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dqinhcoc.exe
        
        C:\Windows\system32\Dqinhcoc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Enmnahnm.exe
        
        C:\Windows\system32\Enmnahnm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Eikimeff.exe
        
        C:\Windows\system32\Eikimeff.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Epeajo32.exe
        
        C:\Windows\system32\Epeajo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 140
        72⤵
        Program crash
        
        PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaflgb32.exe

Filesize
80KB

MD5
af0b69d9d09c570fb413fe2e4b6245e1

SHA1
3bc7680d4c278c24247066c591533b27406e15b9

SHA256
2b79c4c17e4c8b976ea81ca85226a95f94c2df92efc3b29f101d3f350b70bdf8

SHA512
2ceb7a0d52713c294a09fa62ddb4d7485f8c3af0bcc92b1470171edc157507813db609ead842d045556806a8ab1b103b9f4e845efcf3aacf8b2dde72a2d6c34f

Download Submit
C:\Windows\SysWOW64\Adiaommc.exe

Filesize
80KB

MD5
7a64def5c8b27f63ac787b4631e8068c

SHA1
c0efc6dad0385c7364428c70e7419be3730573b7

SHA256
3dde8b2a72851bde372efa9bb8529bc807163bab615877475b597ec3e3077899

SHA512
418dc7c86035872561e72925654e4c3e7c68967df813d83dc536cb51f84fa7a068ded4801f95c32923651c27d3cd7f2657215e2fea6361489b1587a8bab58d5b

Download Submit
C:\Windows\SysWOW64\Afqhjj32.exe

Filesize
80KB

MD5
63fbc5f5aa57188f331609fa0a5033d3

SHA1
fa2dce83483bb22f4ff9f7f43744052f31671900

SHA256
2e1dcb978c3acfa43cc647fdae755f097c71cf6db41f4821ec77f532c3f3e8c2

SHA512
115c17657f590f8714133fda2ce5595df53758ce62d16e276864ffea702fb325599f5e868e852a8c516109270f8c0e0128869d1e58bf2c0c1cf178624d63f97d

Download Submit
C:\Windows\SysWOW64\Ammmlcgi.exe

Filesize
80KB

MD5
dd03477f8c0d8ec5e7c0ae53c9877f1e

SHA1
09b6f9be774750328c980b814d0856bc097705bd

SHA256
eb44b31f61c397d281133229b372d6409ec1bd05230e83da20be5d68df87ede2

SHA512
8b79a7fa436d422d76307bd0579258f77a34c86e042169f5b1c901731d01c68d58c556afbcad1ebd6f1f6a2f0d2fe3bbc62817034f996d3f7d3d026525495640

Download Submit
C:\Windows\SysWOW64\Appbcn32.exe

Filesize
80KB

MD5
8d12440869900e6fec946c134a596ee7

SHA1
6c0dcb5defffe4ceb3cfb4cc845a2b0204ee04d6

SHA256
09d9f69383a21c0cb42e93c592508c229dfb24d4e5618b5c91df510efc33e3fb

SHA512
d19e7273fdbf2ae715e1ae24ac2635ec1737b11bb3ecc27a3cbceff85ca003fa61c2efe3d28117efd36ad1d6cb6a587e67e13ebecc2a87a4354a4a118e940e0f

Download Submit
C:\Windows\SysWOW64\Bkcfjk32.exe

Filesize
80KB

MD5
c093dd60e30a18627193c0e359aa5806

SHA1
4d39fdf2249506deded2da308c58ddd15966a140

SHA256
abfd419150c2019ab9f0c0460589e548103b8087ccb5f53306bb53949b547038

SHA512
fca22532975cf00e647287ba16011cabe5e92dfed0b7094c73776e8244a40a6242dfc8808e06a43cba5140370f7ddd773c3dd6514397d6016009cb56ed7a2e4f

Download Submit
C:\Windows\SysWOW64\Caokmd32.exe

Filesize
80KB

MD5
0e61d468ccc6b22270001c3495b11570

SHA1
7082aeb2183218a0d6a43bd7bf17957ccf434e94

SHA256
686327c7a8470500f172748f6da9a6f0432b6c984ba384a22645cbfe892757a9

SHA512
495c0d216f024eff9102e5e175035c820d8b0dd8c87e4b7f6d9616e25e6f8ad6eb8154daa977278bc96a70af3675e245de2648e8c9fb65f6b5bb1a5a7cd918bd

Download Submit
C:\Windows\SysWOW64\Cceapl32.exe

Filesize
80KB

MD5
6f790e0c114687f86b2659d0c5e9e1ff

SHA1
daa3dfd4260542e4a7892004a6fccdb79c8be1c9

SHA256
c438fa7a094480208e0e818a4f843258ea944c231a1b810ec3d51d0d3c218d93

SHA512
add27b0546d3ec6f8ba4d43a4673b2c1170782016e7752500306ab35e56a71af92106d550118958c50440c36fabe5f1c9b20fd6495a3816a0a4529e612f28397

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
80KB

MD5
cd2f08a8e1861db53a37f8c14db0f229

SHA1
224988e967bc5ec9f741c96e3fe2d1ce63d16d59

SHA256
8b275f34d7febdd5178ac18526d988a8e3ce51f841f1df0a9818e9988b45c328

SHA512
3b6e4840eba8e3083200cd3084bb2788c57e047b35219460d7654df3c85a50c96e464cc7960205c3d03b3dd7a3365b744cadd2f19dcb70a24a9b5427caaad6ac

Download Submit
C:\Windows\SysWOW64\Cffjagko.exe

Filesize
80KB

MD5
31f13b114b54480d60d6b7446323e151

SHA1
bb3298805532a5891c4fa37bdd08f1917e4cc756

SHA256
58e57b6cd541302fda257f1f13a06d1092a2c7774286b5abeb4e74e4e19b3346

SHA512
47301c741b88d456cffc8afa131b3b47468cf9188887f3cb572fd226748ebd34bbf3656e97780a7da37b2367a34e09e7c3783eeee0d83e70498c781b81c1a4b4

Download Submit
C:\Windows\SysWOW64\Chggdoee.exe

Filesize
80KB

MD5
63af72ddf96f0640010b9f66efd1fd84

SHA1
c287a9b28dde45d1cdef23ef08693b965351ab2a

SHA256
1a151a4be83375944775037a04b23f2f1d65f29e827a171bceb7080acb8e0134

SHA512
4aa0fa4346b3a75ff0415d58490c0961b23591a9842658cb8e2a397e9bc370f8d7cc644edded5a770becee95f454145a880040bc2e4554accd1ae24619053350

Download Submit
C:\Windows\SysWOW64\Cjjpag32.exe

Filesize
80KB

MD5
c15ade3fb58ee534b4f434251bd66ffb

SHA1
92e9d822a65986bb20f2c13d4f6225c2f5406f18

SHA256
89c1898b93ae9afbfc994910b26c0c2b915b74d662b8f49295e59e8a3099fa99

SHA512
f2b0f658b387220a7eea03bc322153f54be29b74c0457984be9f80541247f50f226565f5b3cb7f377fdd39c04e10cac96b825b17178310a0e0264664bc1012c7

Download Submit
C:\Windows\SysWOW64\Cjmmffgn.exe

Filesize
80KB

MD5
e0e92aa2b492dba40574ac9b73936a03

SHA1
5f86e2768fa59db4eb7abd403481bbc10ce2caeb

SHA256
d8a1e1146d9e70a98e05d9d56508b1db292c17258bea1bd3bec342709f3010ee

SHA512
7a7d6141933e639daf4d65337fc7334f2b1d467aa1f735d74a071ab3db658afa6f128cc215bc157a24f7c9888d3ac63c4a7d21f7b443ffc1e66ab569f3835fb9

Download Submit
C:\Windows\SysWOW64\Dbadagln.exe

Filesize
80KB

MD5
4d88a99c6a23c84aabc86d1ca544eb50

SHA1
e63156637437fc14ffa94ca53d253ea11004605f

SHA256
64edccdc8a39133a4fbf52d8e3f67237b095083cc8af5f2130352481b4fdd587

SHA512
2eb906e8342f52c782865968875866aa9f1f6550ec5549ef584f4b0d5bd4cec1af86bbb1a49b901507e523d4c609600bcc02ea6b8b625696a0f2078f565b7f50

Download Submit
C:\Windows\SysWOW64\Dboglhna.exe

Filesize
80KB

MD5
4d09623d145cea687764584bb988f1f6

SHA1
75736fc5c55ef4346c90b596f030aa4157a8ab9a

SHA256
5f8787dd8ce249e7bdc50a23822bf9e6cc5ccc38b2ed0d0ddb443e82bfb38e46

SHA512
65c9995dd618968a251ed4315c09093bc840345c4eb83d7cd5ec169a7960ea88932f1250d41e4f2f5bd5382aeb84ed7418be3b8a1111cf8115887960de1ddef2

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
80KB

MD5
cb883c91d208043281fe20d8f4367d3f

SHA1
c7ab7362e748de57df7ccbb5df96577f69116569

SHA256
fb1c7c0ee03dd52a6fe9dbaccba333f46657aebef736347900ad0c696d8278c6

SHA512
b2112c42c2cca6901f49a45a467fcd233feed91ae70b41b4923a7f00b77ccf04a1ac3293c57431017c9cb6cd34d0c19391cfeb3c2654c399e8ebf309e83eea25

Download Submit
C:\Windows\SysWOW64\Ddkgbc32.exe

Filesize
80KB

MD5
ee7a2d7907e9f51a4f5c98afd761ea95

SHA1
44c5496052c0a92a9c044495d24e63abbf6715e7

SHA256
3b746fbfc3db019113e366faa3b48af247cbc724bc603077e153426fa521a94a

SHA512
f9954c34b733b2a98cacd523bf4fc45ea53fd20593ec721d5ea9901f9bb88729bf0a6c9ef7b18ec50997d6a9ff2573e84e3344bf4b0f1d7b0e4d2e2450e9d047

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
80KB

MD5
86f005337b38683e1c81b7ccee2b976b

SHA1
0ce0eec2b8b39bca8d97a56812e283f8659df5fd

SHA256
8522fd2f7011777e7f9826c8e8afb735e5a7b72dd48526097fd8d480e3917ac4

SHA512
4030ca3e68d9515e2dcbd01c3462a53a1d1a4abf3ec36eae35b71ee5aee18ed7b976781bd44b5c94a084957ac3b0a5b43b77d6ea4eac9ed4a70e50e64bf1cb39

Download Submit
C:\Windows\SysWOW64\Dhiphb32.exe

Filesize
80KB

MD5
1d7345eaa42d4a945cf03f7398ba859f

SHA1
dfe1ebe83b29d4eb7ebe8fcaca15b9b497cda770

SHA256
d91c0b706aec13e1f7e71ef7aa01c698749162359d9bb53ac75aede328f51b40

SHA512
5af805fdae1cb7f01a70145df5f6d5d847a8762b2103cfd72c4d55ade75face4cf23714b59aaa605894d9c8c66655169ee21430065cac04f3919954e2ccb730e

Download Submit
C:\Windows\SysWOW64\Djoeki32.exe

Filesize
80KB

MD5
08e11fffcb7237205db311dee8478843

SHA1
035695c6bd49c7a52b2d57a562be133f1f651d31

SHA256
ee0e317402811fc8c492124c1306eca765b8fa3b5fd7c3e07b98fd5a64b9ad90

SHA512
fec1e5d244254e0e6d55b3b41ef91dfeda1e75a56974b47e10cae2a55ab10c72a214583def63bde5f0d89620889a005d46850810618ef3658134441ccdac4af8

Download Submit
C:\Windows\SysWOW64\Dlpbna32.exe

Filesize
80KB

MD5
627b580161b8d8d682bd18ee864f7c2d

SHA1
4509fa920fe2a8375f3371d4c0daa730907e7d24

SHA256
2dbaf23f18c25fd65c8e1bab9d1258f9a43ecbe75c9b2f7af3fa3936223c6a9e

SHA512
eec885c1dd6c90b62e7889ac472e0897c88c0b5b5900cd5db36f1d47491e9965f2c6485e38e0a3e6ec5cd9f9f447150963f04f4cda0399fb23bd7cab267c78b1

Download Submit
C:\Windows\SysWOW64\Dqfabdaf.exe

Filesize
80KB

MD5
50f4c2a5e67473b3578b68b9f4170a57

SHA1
c4bea8d811c9e1e882840feb31e731511c5d9dfd

SHA256
60ad8c628c6206b34835bea8ccfb2a18b22456011f9fd02567b95ea9e47facc6

SHA512
2e14c149183c091bcb0082aa74767d6c7954e21fd546486a41f24c997ea994880b72b6cb050dfabd390aea0c8bebaf57a69963467d7a62f1acd137bfe254098e

Download Submit
C:\Windows\SysWOW64\Dqinhcoc.exe

Filesize
80KB

MD5
5bbf690984c27a8b2124b5dbb1061482

SHA1
9d2f50176ac36784249919572de96cd0ef76d84c

SHA256
891b1f2cffc1cf8117eb2c4be050dba25e3c71fe56dd881dfaa3170bd9b6f837

SHA512
4c7ff5fea59f09950613405ecfc3c4302660c80925206b09da1e12c11b9ab6426f4d1b5fd5421d84bfa7c26e9b6a4c6bee227395113cebae47257c0586701420

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
80KB

MD5
dc81bf6ed0f00a116d6595b34a90663a

SHA1
64308270e991fa49d49914d7880bb6e9a3c8ceff

SHA256
9db2f0e59dec15ba3e04cbdb6e681614a62ea08eb6d4818da93be06cf12fdbb3

SHA512
fef4f2baa13faa8c8d5d5d1ad28a9568d8b00ba485f5f82a7c55c8c5191379c3975db44b10087a65440ff895333f655ea53fe74c63f6c98cf34ae695d5a5eb97

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
80KB

MD5
08f4c16fb2a042eb3c8a8200386bfddf

SHA1
6c28457ecd5527dcd36cffb6772a4ae54370d6f6

SHA256
6c1214e37533fed7f37248e4a6476a58dd2565ebf6df2c5e281540aa02be1642

SHA512
f29707132be9fe3cc850c2bfa4e7a20e1570d280961bb8410ffb5e9a81e8cf7b39433ca2ffc0ee991467f65189029869b3e4e05437ee92345625e55954b83c25

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
80KB

MD5
b0f8e25d628663ab9f4fd6cc35fe0141

SHA1
8a046362f14fbe4eacc2f4a9dbc6bab1a5aed03b

SHA256
5cc5ac607c0990e09990d25653e8d63408f5a17b4acd18e6b2504ab7a9cb4cdf

SHA512
5cce348d3fa732e37d6c688db6023b5cab1c815d3f32df6396459e155dcef767282ddb90513580fe63f8a46866d5b73d7abe8a3b0c94462e0daf23230d4a7687

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
80KB

MD5
b38248764276ff5d666b958415b0ef82

SHA1
7eb08d1fb72ab4c8ddf985d47b0c3e23d9beeb77

SHA256
6659ac80da4a470b73324622e730e9f3db034a778148744bd3fcff6cd77eb8a3

SHA512
08232484b07155ddda3664fb6460c8cdb19c3b095cab8262eb42abb5715c2eccc98edda0753d47c6f512135ca66f5bc78b25e3d93c504e53fa2a418bf272bbdb

Download Submit
C:\Windows\SysWOW64\Eikimeff.exe

Filesize
80KB

MD5
e516be984d348150ae30085dfb5a5203

SHA1
a19156d050380aa641781ff06a3057e809a1d1b6

SHA256
e5f83db4741e4e4f3a45ac92a06a21bc16a669e3bf6e7a2788156efdf5e98328

SHA512
45899743a330fb09279df2307c57e57aa3e6e38d3e184e5c1b568053c3f5df3b5db9f455bd4adfbda95d731de5cd9f8375076814ec514cb3c4df44242b713df5

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
80KB

MD5
2243dfac767111b86738ada56d0794fa

SHA1
5bfc6d3ea5b0a2fad1f7b1111f6c19c0dc66cf4d

SHA256
07611c5b7e7702e902125887ead40863d4bb79a86bc0b0e32d3a7669c8fe6761

SHA512
7c57a1a2b3a5932bd16d7a7073729883d2be938ee9c60c9d459f1adff7a618e13ef7c28d5bed6faa145eb8f0e825a2a64518afee0e2bf3603987a41d9ec6bf7e

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
80KB

MD5
b8893f94bca3c9cae9ed5692218eb525

SHA1
840ef14364accba2fe7ec7802ed703d42d1c5c9a

SHA256
5dcf6ab9a6917b561fb704b640b76df005a7c103f27e9801998dc4e9f8798784

SHA512
4ab2383ce4c6660f89627c0281e75ffef89f9e28a9c1a064b503e3155695d34e1b8fa7ed945aa5c4a8da333268f047194680a71449fe641806165fd3b38540f5

Download Submit
C:\Windows\SysWOW64\Enmnahnm.exe

Filesize
80KB

MD5
7c6ecb13a266e3f8c26d17e211f4f5fa

SHA1
71f1d18b12c0e3b17dc5b143ac5065e16b196e82

SHA256
4889125565c2524a862ce8a9a49348bcabd3a4aa1ac12acbb0f57dbfa70593cb

SHA512
a929c51852ebccd01f2957389571a6a77b9d6cafa42388c79124848b063bf46b97f4791a68f9c0ec4fbff8315b49fa2302fb4d9198b77d4df67720e6a7046223

Download Submit
C:\Windows\SysWOW64\Epeajo32.exe

Filesize
80KB

MD5
f7a4e484179d407254ab0d5405c3d023

SHA1
cfe4a912684c009482228b16cd4f5a51f1b1cbf6

SHA256
65afb001200a8aada9770bfed677f2eb8d695783f5e7597f6115e0a1301b2d6c

SHA512
1b10ef67dbaf21372f1acb2a0c9054a28ec148c02d2b015f9f827875af689219309c82b5d2b9ba446fa8192f6414c8775dc640546f0ca47900b7419877ca9a57

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
80KB

MD5
7cacfcc70ef566cb6f1b82ea6ef9a7c4

SHA1
322da773f4aa8d276261e31ce47902cef51d5a5b

SHA256
1e049058019cd4c4eab8a020713548b9fab8c7f7075906e71a1c7100f5837ace

SHA512
daaaf2d3bb55e8566ca75ec7dd381d314ec45ce904bc33a725bc8be015d1421c057c26dc4b1d5dac7e6a4bc442f086647a1ecb5e52725f1b27aa78458c86ac5c

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
80KB

MD5
3c6c0f029277a8a4bd78c1220db0a6b0

SHA1
c0cfab2182edf9660f2a93cb26a41b80a78803ea

SHA256
ab6b7c25209a9377b737a856dfe199893e549a575256bf047293cc98267bf7a4

SHA512
7948b466adb4fdec11fcb1293678d0703ce1cc79cffae25f4768a695e55ff1a789110ce4c3cd27c47aa86141a9e7100f077ab46806c3815a78a035208af22156

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
80KB

MD5
aa10e3fe3067d3bf731b6dc73611e91e

SHA1
6f8d1e8981ad1ccb46b77e3d4ef395ec6e0a17c8

SHA256
61fa0b942499d5450e30f8b34913ad0c7d0253b133292ddf2bcdd4bbd2857982

SHA512
22b538cc11737d0ea7d2c74ad46db2565586befc0b4412c42845df5690fae65e1efe21f2a27672203d72675092625bd4e104d00dedd5643a0833961796b7f6f4

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
80KB

MD5
e8e440ea263c5ea02f97aed4907cbe19

SHA1
1a08f470589f37555a95be24222f837fd09407b5

SHA256
cf5a18e35f38d40d14b3b8d31d7f36afce1a27de471cc48ef86156424d6dd44d

SHA512
cf7f6f6271ce89769301058c3a378fd5825f5de321767611d9940f495548a22a0d3eb47cc95f77bd72d3151646be9615ff0c01042fdf872d3ee639df05496dbb

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
80KB

MD5
e0fd5d0e13c8e26687f3e2d6fd562246

SHA1
02e3678ec7188fd5c52014ae9e232928f54cdbd7

SHA256
e111b1534e01a68059088a08b2cc65cea3e214dcc0238ac912422e8eefd9b02e

SHA512
25f61ef5d9e68325366497dc39f837184793c129e228128479a92eb02785d322f3c83e9520fc9e701d85f98a43619940e53b68bd1aeed61f9ccdddb6f5669f6b

Download Submit
C:\Windows\SysWOW64\Kmaphmln.exe

Filesize
80KB

MD5
8f057b21ba6866927152c1ad31ff4f31

SHA1
a036b3848b4e638217cf27a467959b21e3c5d688

SHA256
62fb04e945282ef1223d24c2b4c5306554337eb6fada43cad2e413ffa23230e3

SHA512
862e01a612eb299672c8e7e8afd347a88103da17dad96c4f320f2c4e80588aa122619a021393997ee276ed37c7050096f83245c9a326bedbe44d1d38bc4cb91e

Download Submit
C:\Windows\SysWOW64\Ncgcdi32.exe

Filesize
80KB

MD5
4c6b89b702ce4103769455ed3bf68768

SHA1
e569e4d6941474a88ca77dd1335b7078669e9911

SHA256
353ade29f96a7ed2c20e90cdbe5f48a034e7c542a3f1395081221c5f740b59d4

SHA512
fa6e950f3bc07e9360eeebf3ccf7d65c36a486716c41e8a941062a2ac03ba9ff730dc5993dcab72b21735ff4d61ee4a8758e9339ce323f976cb801dff27cf625

Download Submit
C:\Windows\SysWOW64\Nklopg32.exe

Filesize
80KB

MD5
a8e7f3ae8d136ee8f749f6ea20677fcf

SHA1
116c8903acdb149442e90e0f16fae2e33f488ef8

SHA256
0c9a42fdbcb7a71f75268689976054becd2110c74418fad9e9467416463b0b83

SHA512
6bddb6a7c97d7ee8d6b1717d4a237ec3b3e53b98aebe170dc186c990b0d0f69d573450e72097ba409b9213b80de0b02317025404dfa891fcd62e09dc73afbc8b

Download Submit
C:\Windows\SysWOW64\Nobndj32.exe

Filesize
80KB

MD5
275bda34f866352dba9405cb512889eb

SHA1
740bd11c82787f140480380d116842b7a410d2d3

SHA256
0b12fe8b2384d4ce40940a8dafe27983315441f9ce2f16884150f36cdf95461a

SHA512
c3cbd2acfc8bf340ecb6ca7f4bf855430e0e4f6ee71a9292d610e4e43b05e8a4152539533d216e052e4b4ed65870a292c174bba8dae84900f6d2732fb81c6166

Download Submit
C:\Windows\SysWOW64\Nopaoj32.exe

Filesize
80KB

MD5
eaf744aeca1de89912185e6931b5d5d4

SHA1
d8f0d048ac46542882b2955c0c129ee7b8a7d95a

SHA256
d1d8e3f4f775812df8a8f864d3c7d725b99edf869cb7a32551393ad99a270067

SHA512
39069ceb983931cb23c871df15a521bdc2d19d5010432ea0e24e3f671f6a89eabbefb1a50875f2220c6362d506916c547fbc26c70376b12cb63ad92ee7563a7b

Download Submit
C:\Windows\SysWOW64\Npfjbn32.exe

Filesize
80KB

MD5
c65cd4845ef344b7d898d9b323a296f1

SHA1
83c4975920427cfb12dee9695d01da5071051594

SHA256
97f18e71aa785cae990da5d314c1d4117c346b407534dd58badb8c16a6586486

SHA512
a431ce0b5b546213c791c3561649e0c099e10b00fa9beaa3249b67e6cfc97a0a650d840e32d4f5b010435e55412654e54c067a7d9fe904b6c6b14ce3755e9c14

Download Submit
C:\Windows\SysWOW64\Obcffefa.exe

Filesize
80KB

MD5
72f8b1870760915e7f95860534374e62

SHA1
fc4c4fc2a3d3c63811c17e2b20b0bda23005ac95

SHA256
02146b1e0aa65a82301ef5e29bd51b8c412f5a4f1a5767e50a73aab3bacf7271

SHA512
45ba38d7c6174246bcc51bc099045f24a26c86d3fc7cfc7669fd53adeb80151cd797a229a3f3dcdf3e381ab02630a8ac551505706285485e0706071fa0b5f18a

Download Submit
C:\Windows\SysWOW64\Oiahnnji.exe

Filesize
80KB

MD5
44ebef161e69070d8b953873a737216b

SHA1
703d1bf7d922b35790fb7fbe90041e6c6d78f617

SHA256
24a94dd66def38e99e0ff64a8d8aef02ab465d9b52a1ed35f46e7a111648ecd2

SHA512
9f6104f34e4147d961cb0571469a1fb50515cba467105c53753cd40f13eddc54d5806dc15f7029d47c52d6cdfe4321ab534ae53a028141a7fcde238f2f379271

Download Submit
C:\Windows\SysWOW64\Okbapi32.exe

Filesize
80KB

MD5
5a29130a45442027b6939de3c88acc12

SHA1
e278de7a892ce5288dccc6e207cebb5d5a18e8a9

SHA256
49d199f29520b04dc96d97aac2a15a310e02d25e87ef835f79538dcacb7b26d4

SHA512
79afbffc14d32ba416400f0803328f3b2a921ed6781a62a139acefbc552d5883dc2c23498ef24dbc284bf85eb15ac1afcf7a737de2a01e0f4ab2c91bc5b56645

Download Submit
C:\Windows\SysWOW64\Onoqfehp.exe

Filesize
80KB

MD5
07cff9403b304fd1b49d69051d8008a8

SHA1
70361db924974a5757d3d41b58b596259a870da7

SHA256
32e59f30306f4863d039a3980f57d1bacbd541efd0f640a8d8c5d5dc1f08ee76

SHA512
1971fab76e2291574ca1718c8c5e5fbd4e74bededcedcd17a706b8b2efbd6df686d3f7e3a3917d36576d09f66be7a0960e492137446e71fa199fa16ccad84b83

Download Submit
C:\Windows\SysWOW64\Ooggpiek.exe

Filesize
80KB

MD5
c7afa2bc7b304fcfa878a5dfd04218c3

SHA1
c8bce173c0e8d0cf2c4fc5843402f5963c483b40

SHA256
32181edb2832af87ec339be3f387cce5ea1352e7f90145fefcb6ab093b44c0c8

SHA512
84b97b4e2d394d4e71b7f21471902510db1938ee5dc949475a608db984668d66dec9b1c3cf213d53c39c0d77d05187d546f05862e3ee6bee5d3716f60a873235

Download Submit
C:\Windows\SysWOW64\Pfchqf32.exe

Filesize
80KB

MD5
e7a928c8c7bf145680748b62508b7c79

SHA1
d28d73f5cecfd81ec08869f7896ba95c544fe6a9

SHA256
140bf2d08c5ef840cc68f683507863342c184077963c5ffeff79662106beb464

SHA512
f800eba256b4bf6a73f5c6e2c9b5deffa8f816f988e6686473c7f57f2e735cc7858f1ce0e361f05a7be81ba9d588ffdd8f56b65d88c61ac8be8a23fb8530a327

Download Submit
C:\Windows\SysWOW64\Pfeeff32.exe

Filesize
80KB

MD5
f6146c57e97907f46e32c7257ac7f851

SHA1
e61d5c4848c5e85a4b02584d2a27271daf6b7ebe

SHA256
70eb2ec215859f51f5886aeccfe03c690faed45663ae111d859bbfbc9a8d19c8

SHA512
8933c035e314798c23c1afbd24fcb033b6594812efa772c985668d839b7f2bc4173b79979a72d6026179471a2c21a134c95d342cfe1e40c8076eff610e27306b

Download Submit
C:\Windows\SysWOW64\Pglojj32.exe

Filesize
80KB

MD5
32d7ec9260459b3f4dcdf3e9439d0a04

SHA1
fcfa9ea4ff946e76cfffe7eec41a209b84d89ecb

SHA256
3568677e07b65c0a5e9ac745f59750558e121dd0b27fcff06fed86b08ccb3bed

SHA512
b7a6fba3330e6719c0de0a6e06d95fdd4172dd6e602fab02ff65de38616d33366b7e08caca51419881b75aeb93b6c18b40f87974f51e2d2d84302d2b2314ff23

Download Submit
C:\Windows\SysWOW64\Plbmom32.exe

Filesize
80KB

MD5
773db998d59807e7fbab8bcf29ff168e

SHA1
b41ff6245d88f00308e2a6cc830cf22a91a8a7c4

SHA256
c2038c932d647c7816eac36093d142941868667ea36771ed96c2dc60fc764dc9

SHA512
e672e72886bd148830132d5678738102bed1abe212be51cbc8e4bc0e2504506fe4a3240846f744133077423e7aae6ef49f5bf242dc8786de470a0c6a742ef294

Download Submit
C:\Windows\SysWOW64\Pncjad32.exe

Filesize
80KB

MD5
ce613e9a4569e742fc438ddd37031f1c

SHA1
50bf4f6c004d3cded1cda456ecb2cc1a02c37afe

SHA256
064a6934d2c4c5e650a284eea35c096bb57e82d6645987fce355f62362f66706

SHA512
d0e6bebb9e82fa702e2bddd3a2098cae08d9ad8ee249588e6e07957cca6fd18d48891bad125a795cf1bfa00ffbd133b2f5fc3b9351bfcd7f5a4b09ab5132b2c3

Download Submit
C:\Windows\SysWOW64\Ppipdl32.exe

Filesize
80KB

MD5
b3569a3ee5689c152f9e9e9f29f8489c

SHA1
78c27b9dbf018861c3d7519a8de9a6f82ee368ad

SHA256
572d67f28eac4c28783ff081540045185b049d183ef6aece95c1eb8a28d60300

SHA512
653fdd047dfe0758a87969d79cbf404d72d90fe44965fdd401c3270ff67eeb6bbfd0d0341c48fc494ebc9e824bde04346641c34d7953cff2173422afb4b74355

Download Submit
C:\Windows\SysWOW64\Qhkkim32.exe

Filesize
80KB

MD5
2e0248d9b247cfd860ae8788917f0532

SHA1
d6b52cc18e44b504c1829ecebedffbba6e7191dc

SHA256
d75c19be1c74e62009cf116a956d7115fb825ea7e09d4dea9cba9eeebbacf2bf

SHA512
71aad84650671f5b25fd8d3a498e2e553baea15b09a326549640bdc2faa034c3ceabeb3732fddc9e14011dd7c496c6a10914318bd2cf4e1cb21e3f9f22cfa0e0

Download Submit
\Windows\SysWOW64\Jcikog32.exe

Filesize
80KB

MD5
a41500299128a381f4e7bc4ad474be9c

SHA1
118b3b153f7753610bcd0cc1411acc69d7424c8b

SHA256
1e7a9491bae090ca31efeaabf8c1877e143595331b12d307467c4c56b3fc605a

SHA512
83714027826bdc14baecf2f421604ffe482c48828fab375e87b900d44bb6af13c283c76124999bcaf2718b78d19291c29e43cdd5d67c5afac5cefd2b57f02ae5

Download Submit
\Windows\SysWOW64\Jjpgfbom.exe

Filesize
80KB

MD5
5a9d739e043e9afa8500c51b104d74f2

SHA1
3bd776e03d5d92dd7b39d0c95cee6fc095ada773

SHA256
d6b28f60e534b2839d5340911a92974503635866bc2164f1f7128adab6096cd0

SHA512
6cefded4ff3458dc2f3bcfc3259b157f2f41d72585333d98eaf82d23c3d0fe1d19c95d2d953ca0e3e7c5349fd5200bacb71dbe307f38a799a2a9f75b96a6274d

Download Submit
\Windows\SysWOW64\Kbnhpdke.exe

Filesize
80KB

MD5
c9866b593ff1714f7d50db034ceab42a

SHA1
1ea85f17f77cd1a4674bc6482664ada04b21630a

SHA256
1b996aebf092253177c6abb26cf95ca9c2cb68ed04b287488e74818d47ce4eff

SHA512
8ea5bac923e5e44292b505874ccc69ba5b2db9244fbf624da61c77e89bec8b8f7e5bd02d5918b47e1557abf57af66c6f1896d28b178740e7d52dc4d44b213354

Download Submit
\Windows\SysWOW64\Khagijcd.exe

Filesize
80KB

MD5
22e986dcc421e9f5ed0fbff19618096b

SHA1
8918189bd4f5a9459c2d7371f5a44db57a916cb9

SHA256
3d490fbe6ec7958290e9f21bd289fc7db6dc9580d06032c426861623756ef4df

SHA512
1247d4bdeecfd1b811b90b1367602dddcb5388efdd18face947d97efda7f647d213966ea855ae504a6f561f7b56124177ef648efda825bd4575692da6124ff0c

Download Submit
\Windows\SysWOW64\Kijmbnpo.exe

Filesize
80KB

MD5
8fe448998b7ea5abd28639a3e90a6dee

SHA1
0822613129d7c6d7312c697a1196fea1b0674915

SHA256
dba1d249595f03652e3e9900912141cdf2a8c673d58ab3af5c6a34be5a99798f

SHA512
b0eaf14f61c0ee38be8114fe0bd3c22b8042b37e0849e2c302fc4bee97d7e9a6161359151a2996be6fa55159333a415e7b15704197ed78b1f42509a097614958

Download Submit
\Windows\SysWOW64\Koibpd32.exe

Filesize
80KB

MD5
a226cc27ca2c69776aedcd80f4d52b92

SHA1
85cfbf97197c63117e6277548cc0b2618b2f3a42

SHA256
1f1a1e9b51c518fd164881afc8c61214304c7ebdee1d15f8e406070f0f0189c5

SHA512
31a88298e9913e5615124b93cb430484c37112cefc9f8ca8e3bfaf1d8c333cd9152567b43e528829ecde8899ea554a80663ebcfc297d00fde3277f01bd24737d

Download Submit
\Windows\SysWOW64\Lgnjke32.exe

Filesize
80KB

MD5
f9ce13bfd7f378bc87aa88fe9f30bdcf

SHA1
035359fb910aea6bd26e7933b4ec9643526f018d

SHA256
2250afcde78a45dc7c127b114b1197e74a6ac297ee9299bf9f72b7b73b6c9089

SHA512
bc08d9e22a6fa047bc8ae065aff29800924de475f3e7a5b7b1dcedaa4491589c16b6347b36ed9031561f6d1c20c4fb74768e5f51ab3979a8931a6b11c77e5997

Download Submit
\Windows\SysWOW64\Lijiaabk.exe

Filesize
80KB

MD5
35d35b702b3a66577107c8b2a7652b87

SHA1
06d61e99d07db9b08f2884b0e59b2833aeebf22f

SHA256
a10e9ae3648d1c7dc251630cebab03039ebc6236df0866bcaace2fb2841deea1

SHA512
505a2a97ff6d91be5e1a072a025893918ebbd4c82787294a1d8f0e10221dcb16c2bc38a03eb2409d943485f94742ee392f34b9b137411b0a691753f4826abb90

Download Submit
\Windows\SysWOW64\Lonlkcho.exe

Filesize
80KB

MD5
90c82d7344543d397d1dd1f7107644fb

SHA1
ebc66d0e55c876e0b572675e317bba037ce8e428

SHA256
5f0fa9b785fa49e6656d7111206fd029cc346ad53e3832543226fd182e9b70a3

SHA512
a67915eb5eec523f9c3ca627e04d1e3e52933c42d0f0123d40e5de513328eea1a830589c1dac19c3c334a0a81fb7c5c4261079161acda072396119209f47fb19

Download Submit
\Windows\SysWOW64\Lophacfl.exe

Filesize
80KB

MD5
52c12e74ad5707f5b4632ea7b4558d1c

SHA1
96f8751d0d0badacd6a072196c9f3c67f61122bb

SHA256
62ed39da11c53dac7a451119243c82905bd0e5e63792ce7a7dcc3f77896c8403

SHA512
68addc32e2c69ef3bd0ed20f64304722c5fbafe26478a7b1d8d45f58570757e2bc21a7bbc0350710b68f55869370cc8f41c51eb2c05c891fdc5aae90f205165e

Download Submit
\Windows\SysWOW64\Maoalb32.exe

Filesize
80KB

MD5
d7e81d995b716320979c0277da9848d9

SHA1
fb01530b4e3059f2d60240a8df7f414f52c91c57

SHA256
17c8510b5edbef846b84fc997b6cfcb2b5204d3c1d06687b5c5d61a8ce24f309

SHA512
c7ab86637b90a1623021118dca52c3ab9615c4c94debca58d176c896f6b94933c945d017f6d2d2b5d60ce79cb3b418a532fab209b006b4dbd60df4caa3b26455

Download Submit
\Windows\SysWOW64\Meecaa32.exe

Filesize
80KB

MD5
8738452f10dbfbeb38a04923d790fb0f

SHA1
317e2e7c95ff4f6214ab5d62b01684e95e26c7ad

SHA256
04197a42aa9cff1ca6995c29dd29cf9dc9f84bd931a4095d9693e6a20040f03a

SHA512
6ee36b7d078b0ffccc8a2fbd13377b09612ceb01695ea29b04accf319f587694b5d6b5094209ab528530c8661f5157c0d8afbd8a9e04cfa71adbb2fb6de770dd

Download Submit
\Windows\SysWOW64\Meljbqna.exe

Filesize
80KB

MD5
d66bc68a303604b396cdb8ad6def032b

SHA1
8cacacfc2b06196ff90516d34462c13ed3cc6798

SHA256
bef4e78a73b99d75d22a8e3fb68a9ce82cf251979d356d9ab51179b1cb3aed41

SHA512
374acccbdb78e27a9b44fadeb0c0b15b05abada46599360174bb3e9a8846a18b4f6bb07337ddd04250d76155642f7cf40bedc4324fcbddc920e85aa75d09177d

Download Submit
\Windows\SysWOW64\Miocmq32.exe

Filesize
80KB

MD5
4f7eced79d0094d25078ca2d5b96f982

SHA1
ac765a143d59af9ba5dca7e5997f9beb2f3b1aab

SHA256
69fae92dc85aa42207623b61c1e3a8b1b5089ce91e5c309b96775f8e0bdc7978

SHA512
51093e81eeb9f7dc7cabae3d31100f02283289aedd0fb0e77ab34333aa67835208ac96e4a29390d0e33015ccaad6470d7dc2951248d78b21dfa46c1fbfdd988f

Download Submit
\Windows\SysWOW64\Mkdioh32.exe

Filesize
80KB

MD5
901cf9cd442424793d854f91428306fb

SHA1
e40e7552514638415c42f8e9427edc867aa42546

SHA256
b2e8673d31365f1d67d8161ea347933d12c3bcb6633b875c3154aec3d43dfde8

SHA512
64ecab7e3f10450406712a061de77a9cea57b854a58c438b3a403ce2eb554bd88f74088347764548c257271da4731788f9042f24edf2bda85ce04c98fe2e0bf5

Download Submit
memory/336-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/564-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/564-141-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/564-487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/584-277-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/584-276-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/784-263-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/784-267-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/836-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/836-354-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/836-353-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/956-503-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/956-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-471-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1280-470-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1560-299-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/1560-298-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/1560-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-202-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1792-440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-187-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2072-184-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2104-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-55-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2112-211-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2112-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-32-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2132-429-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2132-430-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2132-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2160-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2168-227-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2168-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-489-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2220-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2220-321-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2220-320-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2240-315-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2240-309-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2240-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2368-233-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2384-257-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2384-253-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2396-406-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2396-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-89-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2512-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-375-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2572-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-332-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2572-331-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2748-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-343-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2776-342-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2788-243-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2788-247-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2788-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-417-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2856-365-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2856-364-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/2856-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-287-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2872-283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-288-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2900-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-485-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2992-383-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/2992-382-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/2992-379-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-11-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/2992-12-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/3004-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-172-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3020-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-155-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3020-499-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads