e6ae6e4b41ec6f4d905e2dd8cf7f3211d711ce1e9642d8750d4b1c5790959696

Analysis

max time kernel
33s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f4bd1debed5e92d7837c95d7de91bb0N.exe
Size

96KB
MD5

2f4bd1debed5e92d7837c95d7de91bb0
SHA1

e83d870f82615992db9057a08b9a0167cdd572cc
SHA256

e6ae6e4b41ec6f4d905e2dd8cf7f3211d711ce1e9642d8750d4b1c5790959696
SHA512

580a847b8c8f860d645ad04a122c04a340b4edd9a467f32d07327ae9597cf83da9f2e9d2b2520aa00fd8586a2ddf2de89097d7577d3242d7028f7f27c801b1b7
SSDEEP

1536:JG6mbf2dSm0Y1rVMbVK+Hxh6MTl2Lk1U2PXuhiTMuZXGTIVefVDkryyAyqX:JNmbf2dUgVM574MaaVPXuhuXGQmVDeCv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe

Executes dropped EXE 64 IoCs

pid	Process
2132	Onpjghhn.exe
3012	Ohendqhd.exe
2836	Oghopm32.exe
2660	Oopfakpa.exe
536	Odlojanh.exe
956	Okfgfl32.exe
2140	Oqcpob32.exe
1968	Ogmhkmki.exe
2568	Pjldghjm.exe
2992	Pqemdbaj.exe
3040	Pgpeal32.exe
1132	Pnimnfpc.exe
1444	Pqhijbog.exe
2244	Pgbafl32.exe
1080	Picnndmb.exe
1884	Pomfkndo.exe
1004	Pfgngh32.exe
1956	Piekcd32.exe
1516	Poocpnbm.exe
1908	Pbnoliap.exe
2428	Pdlkiepd.exe
1736	Poapfn32.exe
2164	Qijdocfj.exe
892	Qkhpkoen.exe
2480	Qbbhgi32.exe
3064	Qeaedd32.exe
3004	Qjnmlk32.exe
2652	Abeemhkh.exe
2312	Aaheie32.exe
2560	Ajpjakhc.exe
1492	Agdjkogm.exe
1888	Afgkfl32.exe
2532	Ajbggjfq.exe
3000	Amqccfed.exe
2912	Ajecmj32.exe
2960	Amcpie32.exe
2280	Apalea32.exe
1156	Abphal32.exe
2792	Ajgpbj32.exe
2104	Aijpnfif.exe
768	Bilmcf32.exe
832	Blkioa32.exe
2392	Bpfeppop.exe
1748	Bnielm32.exe
924	Bhajdblk.exe
2100	Blmfea32.exe
2824	Bphbeplm.exe
896	Bajomhbl.exe
1964	Beejng32.exe
1272	Bhdgjb32.exe
2616	Bjbcfn32.exe
2592	Bbikgk32.exe
696	Balkchpi.exe
580	Behgcf32.exe
2572	Blaopqpo.exe
2956	Bjdplm32.exe
2948	Bejdiffp.exe
2768	Bhhpeafc.exe
1580	Bfkpqn32.exe
2648	Bkglameg.exe
2356	Bmeimhdj.exe
1056	Cpceidcn.exe
1364	Cdoajb32.exe
2400	Cfnmfn32.exe

Loads dropped DLL 64 IoCs

pid	Process
2848	2f4bd1debed5e92d7837c95d7de91bb0N.exe
2848	2f4bd1debed5e92d7837c95d7de91bb0N.exe
2132	Onpjghhn.exe
2132	Onpjghhn.exe
3012	Ohendqhd.exe
3012	Ohendqhd.exe
2836	Oghopm32.exe
2836	Oghopm32.exe
2660	Oopfakpa.exe
2660	Oopfakpa.exe
536	Odlojanh.exe
536	Odlojanh.exe
956	Okfgfl32.exe
956	Okfgfl32.exe
2140	Oqcpob32.exe
2140	Oqcpob32.exe
1968	Ogmhkmki.exe
1968	Ogmhkmki.exe
2568	Pjldghjm.exe
2568	Pjldghjm.exe
2992	Pqemdbaj.exe
2992	Pqemdbaj.exe
3040	Pgpeal32.exe
3040	Pgpeal32.exe
1132	Pnimnfpc.exe
1132	Pnimnfpc.exe
1444	Pqhijbog.exe
1444	Pqhijbog.exe
2244	Pgbafl32.exe
2244	Pgbafl32.exe
1080	Picnndmb.exe
1080	Picnndmb.exe
1884	Pomfkndo.exe
1884	Pomfkndo.exe
1004	Pfgngh32.exe
1004	Pfgngh32.exe
1956	Piekcd32.exe
1956	Piekcd32.exe
1516	Poocpnbm.exe
1516	Poocpnbm.exe
1908	Pbnoliap.exe
1908	Pbnoliap.exe
2428	Pdlkiepd.exe
2428	Pdlkiepd.exe
1736	Poapfn32.exe
1736	Poapfn32.exe
2164	Qijdocfj.exe
2164	Qijdocfj.exe
892	Qkhpkoen.exe
892	Qkhpkoen.exe
2480	Qbbhgi32.exe
2480	Qbbhgi32.exe
3064	Qeaedd32.exe
3064	Qeaedd32.exe
3004	Qjnmlk32.exe
3004	Qjnmlk32.exe
2652	Abeemhkh.exe
2652	Abeemhkh.exe
2312	Aaheie32.exe
2312	Aaheie32.exe
2560	Ajpjakhc.exe
2560	Ajpjakhc.exe
1492	Agdjkogm.exe
1492	Agdjkogm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Aohjlnjk.dll	Odlojanh.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Pqemdbaj.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Napoohch.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Okfgfl32.exe	Odlojanh.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aaapnkij.dll	Onpjghhn.exe
File opened for modification	C:\Windows\SysWOW64\Qeaedd32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Ogmhkmki.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Blkioa32.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Jbbpnl32.dll	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Pnimnfpc.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Blmfea32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Fnahcn32.dll	Ohendqhd.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Ajpjcomh.dll	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bajomhbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	1640	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmhkmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odlojanh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahcn32.dll"	Ohendqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll"	2f4bd1debed5e92d7837c95d7de91bb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll"	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeaedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pgpeal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2132	2848	2f4bd1debed5e92d7837c95d7de91bb0N.exe	30
PID 2848 wrote to memory of 2132	2848	2f4bd1debed5e92d7837c95d7de91bb0N.exe	30
PID 2848 wrote to memory of 2132	2848	2f4bd1debed5e92d7837c95d7de91bb0N.exe	30
PID 2848 wrote to memory of 2132	2848	2f4bd1debed5e92d7837c95d7de91bb0N.exe	30
PID 2132 wrote to memory of 3012	2132	Onpjghhn.exe	31
PID 2132 wrote to memory of 3012	2132	Onpjghhn.exe	31
PID 2132 wrote to memory of 3012	2132	Onpjghhn.exe	31
PID 2132 wrote to memory of 3012	2132	Onpjghhn.exe	31
PID 3012 wrote to memory of 2836	3012	Ohendqhd.exe	32
PID 3012 wrote to memory of 2836	3012	Ohendqhd.exe	32
PID 3012 wrote to memory of 2836	3012	Ohendqhd.exe	32
PID 3012 wrote to memory of 2836	3012	Ohendqhd.exe	32
PID 2836 wrote to memory of 2660	2836	Oghopm32.exe	33
PID 2836 wrote to memory of 2660	2836	Oghopm32.exe	33
PID 2836 wrote to memory of 2660	2836	Oghopm32.exe	33
PID 2836 wrote to memory of 2660	2836	Oghopm32.exe	33
PID 2660 wrote to memory of 536	2660	Oopfakpa.exe	34
PID 2660 wrote to memory of 536	2660	Oopfakpa.exe	34
PID 2660 wrote to memory of 536	2660	Oopfakpa.exe	34
PID 2660 wrote to memory of 536	2660	Oopfakpa.exe	34
PID 536 wrote to memory of 956	536	Odlojanh.exe	35
PID 536 wrote to memory of 956	536	Odlojanh.exe	35
PID 536 wrote to memory of 956	536	Odlojanh.exe	35
PID 536 wrote to memory of 956	536	Odlojanh.exe	35
PID 956 wrote to memory of 2140	956	Okfgfl32.exe	36
PID 956 wrote to memory of 2140	956	Okfgfl32.exe	36
PID 956 wrote to memory of 2140	956	Okfgfl32.exe	36
PID 956 wrote to memory of 2140	956	Okfgfl32.exe	36
PID 2140 wrote to memory of 1968	2140	Oqcpob32.exe	37
PID 2140 wrote to memory of 1968	2140	Oqcpob32.exe	37
PID 2140 wrote to memory of 1968	2140	Oqcpob32.exe	37
PID 2140 wrote to memory of 1968	2140	Oqcpob32.exe	37
PID 1968 wrote to memory of 2568	1968	Ogmhkmki.exe	38
PID 1968 wrote to memory of 2568	1968	Ogmhkmki.exe	38
PID 1968 wrote to memory of 2568	1968	Ogmhkmki.exe	38
PID 1968 wrote to memory of 2568	1968	Ogmhkmki.exe	38
PID 2568 wrote to memory of 2992	2568	Pjldghjm.exe	39
PID 2568 wrote to memory of 2992	2568	Pjldghjm.exe	39
PID 2568 wrote to memory of 2992	2568	Pjldghjm.exe	39
PID 2568 wrote to memory of 2992	2568	Pjldghjm.exe	39
PID 2992 wrote to memory of 3040	2992	Pqemdbaj.exe	40
PID 2992 wrote to memory of 3040	2992	Pqemdbaj.exe	40
PID 2992 wrote to memory of 3040	2992	Pqemdbaj.exe	40
PID 2992 wrote to memory of 3040	2992	Pqemdbaj.exe	40
PID 3040 wrote to memory of 1132	3040	Pgpeal32.exe	41
PID 3040 wrote to memory of 1132	3040	Pgpeal32.exe	41
PID 3040 wrote to memory of 1132	3040	Pgpeal32.exe	41
PID 3040 wrote to memory of 1132	3040	Pgpeal32.exe	41
PID 1132 wrote to memory of 1444	1132	Pnimnfpc.exe	42
PID 1132 wrote to memory of 1444	1132	Pnimnfpc.exe	42
PID 1132 wrote to memory of 1444	1132	Pnimnfpc.exe	42
PID 1132 wrote to memory of 1444	1132	Pnimnfpc.exe	42
PID 1444 wrote to memory of 2244	1444	Pqhijbog.exe	43
PID 1444 wrote to memory of 2244	1444	Pqhijbog.exe	43
PID 1444 wrote to memory of 2244	1444	Pqhijbog.exe	43
PID 1444 wrote to memory of 2244	1444	Pqhijbog.exe	43
PID 2244 wrote to memory of 1080	2244	Pgbafl32.exe	44
PID 2244 wrote to memory of 1080	2244	Pgbafl32.exe	44
PID 2244 wrote to memory of 1080	2244	Pgbafl32.exe	44
PID 2244 wrote to memory of 1080	2244	Pgbafl32.exe	44
PID 1080 wrote to memory of 1884	1080	Picnndmb.exe	45
PID 1080 wrote to memory of 1884	1080	Picnndmb.exe	45
PID 1080 wrote to memory of 1884	1080	Picnndmb.exe	45
PID 1080 wrote to memory of 1884	1080	Picnndmb.exe	45

C:\Users\Admin\AppData\Local\Temp\2f4bd1debed5e92d7837c95d7de91bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\2f4bd1debed5e92d7837c95d7de91bb0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Onpjghhn.exe
  C:\Windows\system32\Onpjghhn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Ohendqhd.exe
    C:\Windows\system32\Ohendqhd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Oghopm32.exe
      C:\Windows\system32\Oghopm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        58⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        60⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        68⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 140
        69⤵
        Program crash
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
96KB

MD5
93011733a3e7a5d4c72a7c4046f14d95

SHA1
99dc65040cc78916aceb2441f81d78f20bad9ee9

SHA256
f9ad1fca7c0869885b9e1ce3a0d898acd342dac8d1c10e271aed312155431c5d

SHA512
685cec276f28d5a2819a698a27e987d5c52e8b97acbfc5d6965c8e8d9beee8a91671f23036de9d4b3cf77fb7864de5c268e99f2b44860ed155fd83fbe72b63a0

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
96KB

MD5
1db48ef2aff3ced85bd248c608a9dfab

SHA1
7f1b780ddadae20941d9481561ee4380da27391a

SHA256
46ec652794f5522be351a9bece2e4cef66ccce6ed3f67f57c9e20ddd76aee263

SHA512
fc8de7a07e80bedc856e3fe40231cc452bc9063c9be81ef69a51b94583e5860182d4aefb4d53f8d16bd82bef714c2239ab015e71333b3c38534004f73588f66e

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
96KB

MD5
d65a3601ea5d1e0f58748ebed24bd1b8

SHA1
db987c17d08a91daf7645fba03fa888931522fe0

SHA256
cdeff46140fa456a475fe24505a096fb16f295b81180398e8731f5e9d2a74dad

SHA512
8f5e2479ea191f5e7bfa1fff7e2afbcaa2e4331db5c0743f299dec5b16f5126b67883b9bbf9586868fc7151f46592ce21656dc3be0f037160605e3b3944b2d59

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
96KB

MD5
d46a384ea26bf7cb83c47497b2fdda61

SHA1
bdcac8e63fe1f4d4c83ba21d68b54e1fe6f4d160

SHA256
bf399979c64f82c94ecb620afe395dc6a626c98d0b90b628efbbc0c9f7cb487a

SHA512
4a0be567ee7c6d0a4d7b8eb3b836813d5377bb306839e0fb00a5300feb71cb02ba51d5c6be519485097ba6a7a74681a7cfce5b8dcd85bc54882490d702572c41

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
96KB

MD5
c7fc6766e6f2ca14d1d5aafa82771fd8

SHA1
9c5d880b54327d225af4427e591229098dc752ef

SHA256
e13c8d5f1441960a6df7ea7d10bfee3ceb89c0516a3ac54766f81fed89e803c5

SHA512
96a61219926f485e17090ca889f852f481158dfa6c92712306c094ded7325a94862b5e886cff7da604c550763d210d689a44f8e364f6e5b65bb7831a4403784c

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
96KB

MD5
be8b5b2486c72dc9f378138e58caa553

SHA1
f1ae2c932105aef9be0999a4f16ea47dbb0d4661

SHA256
ee46891dabc7768ee32935959f4bc754d490ed3ac001d015c862ef08cb9edca8

SHA512
f7c84d7187b061c3f658ff5be4fddd5e16c4aeb2d6161f484cf5a919223e6fa3c92bad4b94a3b15228711ef6adfdfdc56ac695f37cf9f3f5bd5ce23aba3f46ca

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
96KB

MD5
f9692e45bfe89dd4f9bb45e40fb04726

SHA1
e826cde1228324d01cecca1f3a6398c6de16650a

SHA256
b76a777a1d7f0bb8816a07f960c0659ec60bcc62783269eb51954be4070d29f1

SHA512
cdc7e0aef0a9bf96ef2a63d4a73769e1d971eb097c36fe91eab24de35e71b41876421f5703bd8e641c3a738777aadf162dfe05f33520b10bb8e674c4a5bcda45

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
96KB

MD5
8d9242a47691df2b13b3444d05cfa34f

SHA1
3ed197757b6831158b044d7988bee7c769555426

SHA256
5280073cefc2573c5aad4359b5353c9c661c5357aca1c7da83b5a5c22babaf9c

SHA512
71352c7d48f9ef3b721d3e007a32883a11ee9549ef13fce26cae49f723c76e4d452917ecdc654d3bef06c683cc60923dbd96358f640a8f5e5c318b53068c1f47

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
96KB

MD5
4a40c9c8a4f85eae53fb0570b8a5fdc8

SHA1
5516476f6a6ac4f7db8e371137946993524ae0ba

SHA256
e1093826bab2d4fc78bea1b9f84559193b135b34b9165fef34c3ac3370816a0e

SHA512
615f8dce75dfd2cbf61b440da798dde1714fb69b2bd493d5f145e09ca0f976a717702dd535fe1ea63953bd45d36fc473850cd01a827363af073e19f8d670bc56

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
96KB

MD5
078e4ae5906d2d6087983900b1773ac8

SHA1
e8c76105b92791e668e52ee7e834dcddd18efb92

SHA256
242fd2d6262b3dca437e7ecdec8595c0791d82967577311cde287800a701825e

SHA512
191e91e8986fb3de30b4bd9d9378a3d6da8fc56d865b14cec5064a609eaa2003be2192f2dfeac72b3b674e136b7af678d8571f1b69c61fcdb18a685db5efc779

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
96KB

MD5
87b797c5d656a6327db94e06109e31b3

SHA1
c52201917274665d9b4f5f0cef2a68c70e663634

SHA256
ec5722f6a16623377e64a7f32114b3cc7f86c0b5733a7380826bde5f120e5c1a

SHA512
5950751de21bdcc42a51bf4de816a276391aa574f928f30a87aa5809c1ca3ba71e3d6403326c1969256cb6def23078fef4b26304b93d2cde6793fe0f7c53bed6

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
96KB

MD5
70b2fbedad070fc395de8ef7170128d4

SHA1
21204a0d43f34f3832be7f447957a9f0ac9ccb1e

SHA256
b3d9c4bb56aa850c4b906925489305667ae1290979203b8449c37abcc16800a7

SHA512
e39de006003ce41d6b653841d43740f7b01e699c691c22ed84d9c2c92e115b706b107a0a9de1b6c653eab03b034e68db71375af6c894d06513786c188fbc181e

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
96KB

MD5
5a967122c87c668f90092c7cd7270f06

SHA1
bcf162a3231d62e2437a8a44b1433ff1c2cde0b4

SHA256
4c6ca4ab42cb53e577d9dfec90dd691f401342181e6c6b6460f4eef6570ddcb5

SHA512
7cd35df0b16279df34f0ec95e8415abdc49c17ec39b222183def90b0d26986b674d684ebc290f08a077aea37350570e3806892bca83e09a9cb23d57e89e7c31b

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
96KB

MD5
f96d023688362c0631695b3474f0be57

SHA1
75646a082636ae28cb3c1a6bdbf3ad886858e6b7

SHA256
b2a48e38b7bd216ccbdbbc28c2b6585070ee4aa91d2a285c7dc66a64760186e7

SHA512
e47d91e0e8423889e0ffe7f829bfc8f9e35a5b1ad4e8323c9c9f25d4e54b6c69db7e90f47273d2d4da5af592eb7663f6de98d689f1c2a17eb63000c6668248c4

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
96KB

MD5
91f7117fb30853de4fd8302f428c8ad7

SHA1
d4c07f22d1e00091513323a7f088d3529050a0b8

SHA256
b620b4705e6c2ec25b2e1929ad6b25201cc234b70ef36764142380e9c2b35067

SHA512
8660694a488ac3fc6aed9c8de8d86ee0eb19691b517b5de4dd60f2b4de057b2a1c2e52f5bc4d101ed43fd734b69997902d6491112e50a2e4cc4a62e69fff5ba3

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
96KB

MD5
b7bbdc953c352dd6acfc8ed387c8ab47

SHA1
7706d6820304cd8976a30fde341bcd3686dfcd51

SHA256
6b4f9a2df1d78d8d9fe8017a7220ff2495476db0004542f82fd53cec71051c30

SHA512
909ede1531e2a9c339e56c002f5c90765fdcb9720df00f6aff94ccaa16a335d8ba4f925fc556993796de589e2774b5eb3c69b3a6696e617a87d25aaf7a0b436b

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
96KB

MD5
482262c6a657d53bd7d49c693d39ef11

SHA1
52d0a9db7b47adc17244299343ee98b634bad85e

SHA256
b4b64196e90bed28e23ed1b5b3af6a8de9480b19a48b13ba65a60913dd5e074b

SHA512
6a27a875a8d7e0aee29e0c173d3170023dab261feebced321fb8b2b77a352c486e692de1fe3e9049437844d7a9319ad5d658ba452d73f12da5a9541013bd6fae

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
96KB

MD5
3a3e0ab63ba0693727d65e3bc8ecd97a

SHA1
4ae56953055808b11d36e8725180502e21e93c20

SHA256
1a47e042735bcf2d3b6239ce24557ab6bf888b9bfad1a6cc168def8706c80706

SHA512
62be8069b0cb6f3f3f37877521a93697719191375cd4e29c214e19c51c81c082503d1173dc9d985d0205b8df5599c9da0ba151eebc737f2b93cc5080f94f6e72

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
96KB

MD5
5df2db12a95b45f9015280055e5761ff

SHA1
7b1e516ad46da76c2cc82e981125811384da3445

SHA256
1d9c279d8f5a2148f3f1052c5a186e4fb9b820ef94285703a42bd814644b6ed1

SHA512
19ff635a5908d852eca4b3d75399370b969ad267e41a91c1ec757da261c4153d5502efd338b3ebefbd8cb902649e1fcdcc7bf0cf43b7335c9ddbe70f2a97fc7f

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
96KB

MD5
241a569d7e122e75624ac44ea12c089f

SHA1
3aced97553e84b0ace68e44804cd88d925f68695

SHA256
4c13d05be7c517486e9a3d5a852764a28414082ba77b7c7542c8624b613c7bb0

SHA512
5eb9a4422e8b029b5602738a75311d9513244b7e6580db3ac4c379b97baf637f8e1162c4b66feed045439dc9b2e9bfebec50589805fd5fda08c25e2ef189dbc7

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
96KB

MD5
131c32431a7afe9ab9a0affc880abf07

SHA1
ff06dea268835eb1083d898bd04aeb300814fb66

SHA256
f9277ce5168f79b954a3b88da0226e860f1024df95e2d11340d954a17f8e5178

SHA512
6eed21595f8242847ca3a46e3e787cc84aa8568851aabf6684f7506e14152cdf97cece56e7ae1cbd8238efcf83b96d8e735b5d97768f47535dcf3a1af1a685fa

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
96KB

MD5
f027eaf725d7d635a84359c3aee9399c

SHA1
dd81c43f6042c0c71f0db44a6ad9a042d8c0a979

SHA256
8f413d9eb217add1792a1ea4b20f293cf0c46d08a9e42cf06b4a8e36d10f129b

SHA512
d39d3cf407e320dc3a8d5134199c4c60f7bc01555f09cf2c85b25c5b292a7369337540ca16ee6aa8ed8a40c91d40e43c0cbb421a8d59fcb689614ad04fce7e1e

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
96KB

MD5
a431fd9bf489dad7cf5b59ffb0dcd794

SHA1
f6fbc8293246fe58d875c9150e2fe7acff189848

SHA256
e7ccc0b9daaf981aae421490a7f9cfe3d324c62807c4f251c8dd6dfe2419e0c0

SHA512
dfa85dc2fd63cf8bc6d35889051d7ded9f6bf95659f8d5ad498aa2ea5748bf24fdd392a72c814d2a0741e72c9f6f59cf261e5b2526f0fc71a990434368d2260f

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
96KB

MD5
d4d937a6055657f3b192f404c4aafc80

SHA1
fe5e79fc75fdbeb7bab97a35345cf965da0d0c7d

SHA256
69a54f32531834ffbb04ca6a57e03a2e6bf71e55e9a8ac079b149bf79e334b51

SHA512
283fd961ff77614d26a31ee7d98270cd29912a9c5bbdd885a604c3453034b9693ff624a12a1d48bf551c62eb5b2768b5d6006c4e4ea7fbbb56b1ed3b927a859d

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
96KB

MD5
97a8972b44f934fd62f5a6be778f6fab

SHA1
da003d55f5da9c17406f6639428a6b60d02cb86f

SHA256
bb9a653828c514a8251804373580811be152a7eeb236410937feaf4fde163838

SHA512
e43714f9083d075fb5fbe2fce4a821db051bb607497f0029ed539590f0696be418dc5b747e06e2f813b181a17f94151c8cc808173aec3dca1b277455359d3797

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
96KB

MD5
c77cc77f3f22209c81671f813f6d20d6

SHA1
973b8440ad25c10de79af038f22b601cf6e18fa8

SHA256
d8cd9052c3cfb38d8f85424f6cd8bbf76bb8f30e6068956c394afbc20eb0f21f

SHA512
e9711bd0fa902ac303de1bcab4218f480126163723c985a52bcb8984f63c0f50c8ee6012cbbfd2de363e292a3743ddf458f7e598f12180a60d228fd545424389

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
96KB

MD5
818416808e5751131a85bad7699a8c4c

SHA1
639346a8eadbe8e34eff9b2774ea038edadd70b5

SHA256
5e03a052ef673b946304a46820e3a7635abd876891849de17f0b4f7055a7663a

SHA512
c4a9093969fb223ba9007351b8fe0428f5d9ed72dce5d23b8722777b2cebc5857ca60e947194af4391c643f397f30bf12e8b0db8f15e1cb30ca020c9de5e7fe3

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
96KB

MD5
f1ba98960aea4db2a3940126289ec854

SHA1
823942b6307d64170d4e2a1402ece484df567f43

SHA256
cfc32b27ca116b4fb0053c4a180a426d2ac8aac2d2698812a91902d988705da0

SHA512
91ce97e5116c13ce772a9199628cdd09235c9090c358b2e5540f2558b942a72d0370d343dcada8e2c524bc93af9c06221bdd8246c9f04fcac4b2bde795e27e33

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
96KB

MD5
16ed72206a33d93b21abfdc9efcfabd6

SHA1
efff3060daf4a50f7dacabad26a9ceefefa28cc6

SHA256
6690cbf6f54cfb3496f4900f965f5b2b07bb22a61291dc304e20bf519601194a

SHA512
00d4aa683f4b6573a760dd5b47fdc67ec58f5d38a23d477f57640a108675922354a1a8e0ad854fced00de6d34a1c0acb871a038df9cd858d1e1893cb784b47a9

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
96KB

MD5
553b8bf969d4de86023e28f2fca2ea9d

SHA1
079b92c04cd6cda5561b0a3c58858d21d01e742d

SHA256
34d95756e15d2077e4e4980d83066fbd97c635955dc751bdb2800e4d03a588fd

SHA512
3592f6d0fb7999a2de9324335638533f23915494e7222a413a4e74f4b28a22cd3208c1ae53ba40e240ca04b19b5d690868447163d17f1c19d45aec239771d0d4

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
96KB

MD5
4c601b2134be30182aa5be41403f1f57

SHA1
441a1c62bb06fc4d196d3bb90ed6354cb3ed9b0b

SHA256
3e39f625dea33b9021d9e8876e5c0004e14e6e978ce21a6f963513df20ee466a

SHA512
14387091e46a2a2a056adbe6041dcf8509d5f39565e3aff2327ca8514808cea207b43c9834d4e698b217f03d3434ff9295ea85b06ff1bd719e4649f96aafa75b

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
96KB

MD5
cf33d8a4d3f3bae17be94c6d82cf1660

SHA1
238bc8add7d996d526650d70aff817789ebf8985

SHA256
cec65d7ad240250f313e33fba7c9b8b38a390d828061c9407e395ef989ab141e

SHA512
4b49f1e51df61da3be6738064525b4c5f924950ee80df804055b60c5094642a84d857ecc7a7fc9c6af06918babf76e0fb2c9978831107135c519b9eb6fa8bd1f

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
96KB

MD5
85f255805b35cbb25d01025ca55d9108

SHA1
3b15b2283a7818a2837e48da7ede7703a3a72b1e

SHA256
6df03cb8c4a31ddfe4ce6ddde90fd40295b605bc4dce291070130d6c0d839351

SHA512
085763fa04fe43161f443a3ef537ec9b4820d588ce20bca87ae959790d0d5010a119927e23ffa9a5c8a6b09e6730bf474d3db6a6daf8fe958393612f4b187a58

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
96KB

MD5
f4df6df1383660bf16b8f4d1c5b64d7d

SHA1
e5917f84110ebfabc296b33053de41c3ce9beefd

SHA256
8276e446032fd78a62076b6cdc7651abe320c5c5c5b1635b0633f84d0eeedcd8

SHA512
f72a97fce4b65223e2cc60079a9977073f36b1b163d9d373a5bd20e8ca17541b028bc2a112fc3d992af828a069ea93a2ea9fc1799e3657147aaaad45efc075c8

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
96KB

MD5
edb409699212659af1db75737a74ae85

SHA1
7b434127e85314247e284e9678b150fab9d206c2

SHA256
112581ff8e960d0a82257ad4541883d05b7e44e4ef65bc2351f441c7d817d76e

SHA512
66b621cec48e3f76e695a031ab12c9b4f9ae62fb4134a5d31b5d4a5a47ecb0686d0a158516b1230ac2115cf2fe1389db4e43a2b1768e283080c60fd9b2a1a818

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
96KB

MD5
a706c04abdd0be6d83ad4707e3b3caf2

SHA1
2bc0c69368eba11e3678faa87828b59955553d56

SHA256
e62ef27b2981f28bf328a47d88fd903f0e15423f9359f41226ff7453a4606528

SHA512
f2b8d73c392bc5e584fc571b93c10ba6b86c848e88a18e6b5bc7ea4e8af8f625db53fa6859cc060f3c755fd217195121e54a666dacaa6280e85c2ab61b35fed0

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
96KB

MD5
81f323bb6abb69ee53bb302c1b72eafa

SHA1
b7a3a73e5e0a85e09ec9726b675148f5ca391cea

SHA256
e90a1669559727a84c0b80a4fd2583fab5a805a97e0f13468421621b7683f563

SHA512
eedad1d580b052cdeb2756bac388e24e1b0dd3e33f522d997ee877ab973faddd391734a615432f14bd1b028cabb1ad2a922a41ac9482edaebac9a09beec8f4e6

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
96KB

MD5
b47c7528e60cf029f486ab779eead24b

SHA1
4779444acf072393f60b368f507b213c758f2ff5

SHA256
97641ee7b4ba4c5f5ed0890416dfc3954bd92dbbd925c70d96b7711dfb485a29

SHA512
079b8f74af43c22fb96e6e09da593fcb3783956e372a468b8e7f60e370510719a315a1eb2d9281e17734e00efd7094ac0718914565f4b3b98220cf1324127833

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
96KB

MD5
6b89902e4216717dca177e202c3a7d53

SHA1
7fa914ffc4930011a33422ea590909fec3f58672

SHA256
c393cfcea1828960917045f13fb0f7c248faf06ba6c5eeeef59c26039e756fec

SHA512
b4b4dab711757c506f768bcb080e42ceba4808b7ea4bd790aa1c6e511288b85e5057fbfcafff8746cac337a00d11ad2e0589a79d1d05fe31535b7893acd0b6e3

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
96KB

MD5
35a82cd4bdd2b9a241b6d7fbb1391358

SHA1
0c6be2a1f6b4c52d7d6d7f8e06ead78e06999453

SHA256
dae660fb3fb2cca9a49b9df700632da25a22623020cc8cebf2ea6a3a3e39d385

SHA512
7e5ea2000da4eca39f8db6b8e236e7bf8e95b662c26088efec6e13e710cb4b89816e4e601b2b3d84061f5e5ccf4b03174f9b393ac03e29f00a76929ba1664380

Download Submit
C:\Windows\SysWOW64\Oghopm32.exe

Filesize
96KB

MD5
a8a57396364abacf6e53868d776ff857

SHA1
a8cd32c9b74385175d99b997239bcdfc5651d709

SHA256
475eb2718abccb23f651cdd68912d38f45a57844fe9b6fedd17ecc4948f3555c

SHA512
621631bd823f6e4dd3a103da42abdf0aeb1ddcd059e716f59d0bf738d947bbac71dad73519cca9924f3c38b7d0ecbbeaf9a72f934400c4a75eaf2c18889cee00

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
96KB

MD5
4559633954a71121530e096e02192b5d

SHA1
c8a6b0e8b1ac04aef592394de12a15eae320816a

SHA256
d14f119742ff5809a1e2d1c5960ac406c584f9fcc72425f925f7a1604bf04c5c

SHA512
b711ad86e02a07e1baed2806fd37dce17953845b5b103cdf31b91d919c2bdbfc8a1fdb02ad9dfee21d49dbfbfc8846a87fbed087c15f7b75850675ab48e466bc

Download Submit
C:\Windows\SysWOW64\Ohendqhd.exe

Filesize
96KB

MD5
101866fdafc529db89f5a44eb4a2667e

SHA1
2e90dfdde485bc281f55d9b6174eb0d824fed81f

SHA256
49e27f75f3717a7eac647c87f7ccadeac0fb51a0778e5c24a6ccba00549b1ff8

SHA512
3a01e512ddad5d1c74fa19690e9db555e961d43ef798b84fb0fe771a32fb1ca03d9dd3af7d34aa5933e86e76499452813d73551c9d3491663340d7e953ce9a62

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
96KB

MD5
f5e125baa66606955f08cf9662fa838b

SHA1
1011bbeaf086a7b6142f04fa69194be13cad3f16

SHA256
ea0dd8c6a24563afd00767e123dee00648a0d06b2b83167d6dd9246b4d28285c

SHA512
1f914326680f6bf173726dd882a35ac5f55d127efb8b3ac3bd77c569072312fbed2a14c1d337b187ffa2529fa5b8a7050d5cc0dbf6d3c5d5c9fd0ceb7dc9108a

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
96KB

MD5
203e6fa6a3f3d1f95c26cf4af72f9062

SHA1
2125f9d130addf9113b16310787e10b5b3c610be

SHA256
e1cc020ec70de07ee431425160a222a449b89e26f20b0c148ceef9ab3fdf1a22

SHA512
18a4f2059c09eb7fd1fad1208a9415eb8e95351e8c6ebe295cd7ef97081306e22256661588fe0df926cd26811a16ac22749594022586785de78b616974033978

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
96KB

MD5
23496b1c181f2cc4efcac040a798b88d

SHA1
3d4c7081ce1a2e395964e675888e76a5b407ffcb

SHA256
4ba172b28886b776a182fcd540f4e893b05c5dbe5986b29f63e385152f349736

SHA512
d5e8c4e87499f0f72a4ad7ba6faebd4bc09dcf017b72c733d5819b36f9dd16d8586a81a413bd7c43c089435d4022140c6518f23310df3f6d27835c51a12bed30

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
96KB

MD5
ffc3a882fde58c71fb96ba76dea26286

SHA1
866375e9ff9a941829351c85df7b65d32b4dd692

SHA256
be582506c128523487e6fb50613f0f7f68ab84f70b914f98cabf1cd8c2411842

SHA512
21ad8504b6c99ccbf3872deb04d32801134fc32764bd3f97ea25c14ef3c9847969f55399c2ed6d9c8025466b9450815d33e6cab3519bcf1d93b63271e115397f

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
96KB

MD5
55dc53bec21cac08775e07aa463b2e82

SHA1
8f779d5cf2dd3bf7756c0346ea5696953e84f853

SHA256
97fa8697d4ada5a56c74f08715363753e91c344f7e71c819a904c860ec4a5058

SHA512
63689c17713a6b6bf9af5de8558f6929d85394b1b2cc602c09174f7fdba3b0e778e364ab1e5e2be703e1de1b74b6f64c2b9b8edb315b553d447038ff432838e8

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
96KB

MD5
3bf3795a15a42d9e08b4425d090126f0

SHA1
8741a1a12f8a3dc409a4c6ac5dbfee8e8f99f45e

SHA256
85f0ff7230e8b8a90f87b5b27229f12f4d4e5240a346fb771c37ee0857e6ae9f

SHA512
c60c8c71dfc808a19f5a30dcc18799ddf913763d3dc695de98d2234817d6c1e4e1e6d9c3a6f5096d934d0c3ce92d43422d8f220ad16da398a052b0d276b49c66

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
96KB

MD5
84e2428bc8e90e33665f916265a92676

SHA1
ce12b44ba94896a2061c0762e6625bfc6386b90a

SHA256
14d87f790c48916d92509dd7ece02bb23867319eccfe50d5984b1d971baa48fa

SHA512
addb1e26df164bab5f4b4ede302232f804896a59ed0765fec7394824c348fe248926e3645b4b90e61ebe765cb76d8631940a88bf56fd5f5c779cd0fa7ca71b91

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
96KB

MD5
cfe2946ae339d70d63457cc06ad435ae

SHA1
129d446e1cdd825a98ec57c339ae5b9b9b061af1

SHA256
7cbbc831b9e29e6904f4e26ab2dc1e70eb17860054970f31e145fb06cabe7115

SHA512
83dae1c228dcdf0d626167315908a29be7e5ac29f150935db3ff87ee99278fa64cee97d2261c1e97583eb564bbbc093b45c540ed0de60e330b94a7d54afb9eea

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
96KB

MD5
c038de42e6eb681bc1f25715722962c6

SHA1
03bdce626537883141dc7b88bc834ef19d795d6b

SHA256
90a71cfec2f98d6b48c0f8659ab6cda9537d71066d93d96ebdfa1da2e1665024

SHA512
6d1f5521bf2d3f5f9251632f082e05249c20df50aafa2227f687d69b2380d852c7dddf0586d23a5e0f29f36fe85c6d05a40329ebc708476ad503ae88e1331efb

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
96KB

MD5
b0d8af25021e94b8770dd4298af77f9d

SHA1
929fb0f9dbed08aac6559aff6d72f196e4cc691c

SHA256
81fcec644713709f2da13ec7c6d3dc8fd20cc1b3e39eb066467dfc4a54790ade

SHA512
e5f616e2ea309ca556efb93002cc863cef0981a46a80eb98fb6c47b4544a87b796a5f44ed0a7f696c4af5fd91005dffee2f098514f15c500152045dc8101ff11

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
96KB

MD5
3bdf71aeaab14c67225fce7ca97f3587

SHA1
e2a441f818667f0b62552f96c58bbd34e806fab8

SHA256
6b8f2dc5d03d26f87cdafc83afad4a0863bc074c16f0410273f01e4f31540efd

SHA512
672b9fbbe22e91558f8fc4e77e5f9831c40d48818e5a08ab45af8bf931e3d9b97a7ed1b25f3a89963180eecb959ffe7d6b037771626e0714e01e66cfcb9a78f4

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
96KB

MD5
572a729ee2423d51df4f356ddbd3658e

SHA1
ff98168f59252d29a9c69495cc7e0f54db54345c

SHA256
fc093a5fbb602ef66d6b680fe5aae279a0aedbc4968ad0ec8b50474f1a3bb6ab

SHA512
ffadb196b902a67b21e6a6c2312ec24a280196c9a36488d1e649c213e5294f1ef10176d654780cb1be9a1e1b588aa46c788c683d6b1c28dc1b331d530f7133f3

Download Submit
\Windows\SysWOW64\Odlojanh.exe

Filesize
96KB

MD5
b405dbc1a685ef8d8c597fd1ddcf261f

SHA1
345edac97b8271be41fb75874bb2a74de3cd6e27

SHA256
558e41e9846bc3ea4855677db606c393b79854c1ae75a401bb86d4b48a7326ae

SHA512
73a991d37b98d0ba1adc580852bcb57551ee0b42f6f72a1a5d4425f594a51a1147c27e353fee9e4513e140206c0644cca3593662e0ffc282520e943b27d80873

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
96KB

MD5
f71774d8966b12ad093aef65c463c1c7

SHA1
75e1678b6001e20e98b9cbe591c51484106e4368

SHA256
2bd6763c7470439a6305ae4c0ac287f8c507aee1fb3fb940a05d2e5f750c1014

SHA512
4765e114ee9dda6c1ef17d022a5d57cf7604bc635d8fbfd385eb1984567df6a56e1af0d998a467e00ba9b4de6eaa130c2d1bdd55ba5dc4aa7d82b6648b73bfc5

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
96KB

MD5
89670119c13389cf8b3ee9b2fa529aed

SHA1
f6a3945dc9df202f4445300c9b2f13f1df3a6e19

SHA256
ef391439c75967510895300006ced8d7f20f50a521d42ba060c745904fb63f20

SHA512
c495465b95f5ddae29f6d57afdf4b42bed1557d8b99555205b5f9263f51e051cbc767f95084737fd0c49eabab0cff5f0f75be8443bdd156202b61fd86676947a

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
96KB

MD5
aca3c522a3a810750bd3ad7e451bb29a

SHA1
8220d7cbbead3723b3128a588fcab4836203f1bb

SHA256
e1fbe44122f23015cda693420c0da601657f169d78196ea80da032bcce7f3495

SHA512
3f65b932bf6ca2cfd92e112ab679cd1d7dbdd4618de9b41af31ef9cfb5e64b4a4840067b44b413ded7a226be8f491e287385ec25cdf82aa396ff92588a7aabef

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
96KB

MD5
fb9bc21fdf2bb2205e10c80278ed7e0b

SHA1
fd83bb9a78b9bcf52a2ac69a4a3261b904b62797

SHA256
9e6bf5510860f0ca3a8735152cdeb15bf228b4353c442e6f8bf134a89fb17eca

SHA512
0bed18e9675ef6def1b96cceb354752222b3a19865edc8e37376c85d3c563fe0ac5f7522758a53ce6805c065a01cba259205ba7fe74f48fd1c5812b55ecdcea1

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
96KB

MD5
e78b703f9f09c9144aa7b487ad276e2f

SHA1
ae5e7da39f2c869a433a58bc91be1711c71885da

SHA256
3385d1f7205b017bd3ccac131f85ab7c8c6abbf5d027d384ccddcc31cb558b21

SHA512
0ae7265e9a9cf00db31ee10aecd97eeaa08b1b10892fa20bbeb1c84ba0823f398a381b5a3674759861aeb43b8091fb3d8f720712f3551c9de1c5415430b75af8

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
96KB

MD5
81a644b1629286cddeb33cae49cbebb4

SHA1
8339d3b0038a8831416408259eb45d2c01910dec

SHA256
3e56e7fd1e315817381c605765bdc3b6310057cd383166c80b69b2ef0e8c129e

SHA512
32098f66dd3b9fabc8e9c87efa0c89aab835d68cba466bb8b22e6d348b4e4abd8d802d7c114372313b822e59699a7c70b24f2d3a6dda18467e4514984f8052e5

Download Submit
\Windows\SysWOW64\Pjldghjm.exe

Filesize
96KB

MD5
9e693f2f9f134237f34ead22d422cb6d

SHA1
5bdf22617ad2dfb8526404b8b2bb6fceb57f078f

SHA256
279e2ce9f8d6902c60a3b6f8b0f08c79db8cd2d4228dfc36b249cdf5c44e03bc

SHA512
aad816b191696635c128a0bc20c659722c3cf6ea2018c2088d3c3e83173d21aeace21bc12f30a16babc4fe68652d820f1ab17073f1e508b900db1ee362879f96

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
96KB

MD5
a0ac36a751c835399b36c7a8c5b2365e

SHA1
93d0b85704e380a1fa7aa864bfbb482647a8f24c

SHA256
b82216200a2820ef6a40174f00d8a925fece400bbd8e16a1bbcd74ba1ca14c6d

SHA512
f057088f1a7b87b52b1c0c5bae545f07392bb1769ef4dd8f40bebe2882dcaa40d08ba329bd9c9e51365e6d337d410a52911193fad0ee6471d10973503b075bae

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
96KB

MD5
a212ccb9b8bd7b80b7f23f279cd0ad38

SHA1
46782983364c90d0a4a1b3c0ff4060675e21e514

SHA256
8699fe616e9febad1ef5970836274e043de290ae4e6ce3213a0f264d98e99615

SHA512
3cf67103567715537706bdf11ac7f4c918b0eaaf21559c6a5bd28826f49ad0a376fb20f8dc978af34f31760ad445d4ca0efa71b8d11d71943b84470f48cf7303

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
96KB

MD5
598998a0b81ceb1c68658f9a8bcc38b5

SHA1
0ac945ae59bbaa2acb4d7bc045fd6a3b7fec549a

SHA256
8656935d4699fb9ae2ff8ea046d52d2ee8606ff20134d86e4320d265bde4d7a9

SHA512
bfe66695ed5f6eb4ecf2cabd5e390ff999ed32ad3c83ed941e43509b00c852ab2377af2e44e26153953f60e7c899fcd3d8a0f4301ab864bd29d450ff002926de

Download Submit
\Windows\SysWOW64\Pqhijbog.exe

Filesize
96KB

MD5
ea1f7b3aba00c80966ecf55c56b59e9b

SHA1
c711b07ba96e2606b1df913312b6b837f7abdda8

SHA256
bca307437ef68f7497d4062557e5c8bd76d21dfd1283d0d73de2c58f746564cf

SHA512
39d138b65dc0d175b8e4631145d793cb0deb1e91e09e251e166a31432acfe7243d7bdc2c2b42ce116023536a7a15bc30796736b6b3caad940b39e01a050c7e2b

Download Submit
memory/536-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/768-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-502-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/832-498-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/832-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-299-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/892-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-303-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/956-85-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/956-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/956-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-228-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1004-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-163-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1156-456-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1156-458-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1156-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-375-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1492-379-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1492-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-249-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1516-245-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1516-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-281-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1736-277-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1736-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1884-215-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1884-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-390-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1908-259-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1908-258-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1956-238-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1956-234-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1968-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-112-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2104-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-291-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2164-292-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2244-190-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2244-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-446-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2280-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-355-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2392-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-269-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2428-270-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2480-314-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2480-313-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2480-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-401-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2532-402-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2560-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-124-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2652-347-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2652-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-60-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2792-470-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2792-469-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2792-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-11-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2912-425-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2912-424-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2912-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-137-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/3000-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-414-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3004-335-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/3004-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-339-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/3012-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-325-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/3064-321-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads