1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe
Size

64KB
MD5

71f2372ddf0c19095ee0d2f5fb987fa9
SHA1

2517de921ac3830e65e061af280e15f0b329faea
SHA256

1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b
SHA512

905d4192e38f5f331ebb084e340e4daf814edfa44dc262c07579a5d1d33f88bbb2f44c45fd3ddfce65abc3229cb3f8ff1e589e2b96146dc4c32cf4b4c0d6140b
SSDEEP

1536:5sw1bEQyF9O5AA5VjhlVxWMN8PleO6XKhbMbt2:T0OVzjAQO6Xjt2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe

Executes dropped EXE 64 IoCs

pid	Process
4256	Lebkhc32.exe
1568	Lllcen32.exe
1636	Lphoelqn.exe
4108	Mbfkbhpa.exe
3364	Mipcob32.exe
1488	Mpjlklok.exe
5020	Mchhggno.exe
3824	Mibpda32.exe
2960	Mmnldp32.exe
1640	Mdhdajea.exe
2496	Mckemg32.exe
2904	Meiaib32.exe
1408	Mmpijp32.exe
2992	Mpoefk32.exe
2304	Mgimcebb.exe
848	Mmbfpp32.exe
3876	Mpablkhc.exe
1788	Mcpnhfhf.exe
1992	Miifeq32.exe
208	Mlhbal32.exe
628	Ndokbi32.exe
220	Nilcjp32.exe
1632	Ndaggimg.exe
4884	Ngpccdlj.exe
2892	Njnpppkn.exe
3296	Nnjlpo32.exe
924	Nphhmj32.exe
3356	Ngbpidjh.exe
4316	Neeqea32.exe
2956	Nloiakho.exe
4308	Ndfqbhia.exe
3972	Ncianepl.exe
1332	Nfgmjqop.exe
768	Nnneknob.exe
1616	Npmagine.exe
3656	Ndhmhh32.exe
3728	Njefqo32.exe
2060	Olcbmj32.exe
4396	Ocnjidkf.exe
3812	Ogifjcdp.exe
1908	Oncofm32.exe
2120	Opakbi32.exe
3032	Ocpgod32.exe
1344	Ogkcpbam.exe
884	Ojjolnaq.exe
2640	Olhlhjpd.exe
776	Ocbddc32.exe
3980	Ognpebpj.exe
2700	Onhhamgg.exe
1572	Oqfdnhfk.exe
1916	Ocdqjceo.exe
4760	Ofcmfodb.exe
4340	Onjegled.exe
1620	Oqhacgdh.exe
4756	Ocgmpccl.exe
1324	Ofeilobp.exe
828	Pnlaml32.exe
2392	Pqknig32.exe
3752	Pgefeajb.exe
464	Pjcbbmif.exe
4008	Pmannhhj.exe
2152	Pdifoehl.exe
4984	Pggbkagp.exe
3500	Pjeoglgc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6656	6560	WerFault.exe	238

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4256	3380	1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe	83
PID 3380 wrote to memory of 4256	3380	1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe	83
PID 3380 wrote to memory of 4256	3380	1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe	83
PID 4256 wrote to memory of 1568	4256	Lebkhc32.exe	84
PID 4256 wrote to memory of 1568	4256	Lebkhc32.exe	84
PID 4256 wrote to memory of 1568	4256	Lebkhc32.exe	84
PID 1568 wrote to memory of 1636	1568	Lllcen32.exe	85
PID 1568 wrote to memory of 1636	1568	Lllcen32.exe	85
PID 1568 wrote to memory of 1636	1568	Lllcen32.exe	85
PID 1636 wrote to memory of 4108	1636	Lphoelqn.exe	86
PID 1636 wrote to memory of 4108	1636	Lphoelqn.exe	86
PID 1636 wrote to memory of 4108	1636	Lphoelqn.exe	86
PID 4108 wrote to memory of 3364	4108	Mbfkbhpa.exe	87
PID 4108 wrote to memory of 3364	4108	Mbfkbhpa.exe	87
PID 4108 wrote to memory of 3364	4108	Mbfkbhpa.exe	87
PID 3364 wrote to memory of 1488	3364	Mipcob32.exe	88
PID 3364 wrote to memory of 1488	3364	Mipcob32.exe	88
PID 3364 wrote to memory of 1488	3364	Mipcob32.exe	88
PID 1488 wrote to memory of 5020	1488	Mpjlklok.exe	89
PID 1488 wrote to memory of 5020	1488	Mpjlklok.exe	89
PID 1488 wrote to memory of 5020	1488	Mpjlklok.exe	89
PID 5020 wrote to memory of 3824	5020	Mchhggno.exe	90
PID 5020 wrote to memory of 3824	5020	Mchhggno.exe	90
PID 5020 wrote to memory of 3824	5020	Mchhggno.exe	90
PID 3824 wrote to memory of 2960	3824	Mibpda32.exe	92
PID 3824 wrote to memory of 2960	3824	Mibpda32.exe	92
PID 3824 wrote to memory of 2960	3824	Mibpda32.exe	92
PID 2960 wrote to memory of 1640	2960	Mmnldp32.exe	93
PID 2960 wrote to memory of 1640	2960	Mmnldp32.exe	93
PID 2960 wrote to memory of 1640	2960	Mmnldp32.exe	93
PID 1640 wrote to memory of 2496	1640	Mdhdajea.exe	94
PID 1640 wrote to memory of 2496	1640	Mdhdajea.exe	94
PID 1640 wrote to memory of 2496	1640	Mdhdajea.exe	94
PID 2496 wrote to memory of 2904	2496	Mckemg32.exe	95
PID 2496 wrote to memory of 2904	2496	Mckemg32.exe	95
PID 2496 wrote to memory of 2904	2496	Mckemg32.exe	95
PID 2904 wrote to memory of 1408	2904	Meiaib32.exe	96
PID 2904 wrote to memory of 1408	2904	Meiaib32.exe	96
PID 2904 wrote to memory of 1408	2904	Meiaib32.exe	96
PID 1408 wrote to memory of 2992	1408	Mmpijp32.exe	97
PID 1408 wrote to memory of 2992	1408	Mmpijp32.exe	97
PID 1408 wrote to memory of 2992	1408	Mmpijp32.exe	97
PID 2992 wrote to memory of 2304	2992	Mpoefk32.exe	99
PID 2992 wrote to memory of 2304	2992	Mpoefk32.exe	99
PID 2992 wrote to memory of 2304	2992	Mpoefk32.exe	99
PID 2304 wrote to memory of 848	2304	Mgimcebb.exe	100
PID 2304 wrote to memory of 848	2304	Mgimcebb.exe	100
PID 2304 wrote to memory of 848	2304	Mgimcebb.exe	100
PID 848 wrote to memory of 3876	848	Mmbfpp32.exe	101
PID 848 wrote to memory of 3876	848	Mmbfpp32.exe	101
PID 848 wrote to memory of 3876	848	Mmbfpp32.exe	101
PID 3876 wrote to memory of 1788	3876	Mpablkhc.exe	102
PID 3876 wrote to memory of 1788	3876	Mpablkhc.exe	102
PID 3876 wrote to memory of 1788	3876	Mpablkhc.exe	102
PID 1788 wrote to memory of 1992	1788	Mcpnhfhf.exe	103
PID 1788 wrote to memory of 1992	1788	Mcpnhfhf.exe	103
PID 1788 wrote to memory of 1992	1788	Mcpnhfhf.exe	103
PID 1992 wrote to memory of 208	1992	Miifeq32.exe	104
PID 1992 wrote to memory of 208	1992	Miifeq32.exe	104
PID 1992 wrote to memory of 208	1992	Miifeq32.exe	104
PID 208 wrote to memory of 628	208	Mlhbal32.exe	106
PID 208 wrote to memory of 628	208	Mlhbal32.exe	106
PID 208 wrote to memory of 628	208	Mlhbal32.exe	106
PID 628 wrote to memory of 220	628	Ndokbi32.exe	107

C:\Users\Admin\AppData\Local\Temp\1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe
"C:\Users\Admin\AppData\Local\Temp\1b3edb587a90c2eed4aa693954461354cf810804cdb7c8f60565a7a5a6fe3c1b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\Lebkhc32.exe
  C:\Windows\system32\Lebkhc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\Lllcen32.exe
    C:\Windows\system32\Lllcen32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\Lphoelqn.exe
      C:\Windows\system32\Lphoelqn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        26⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        38⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        46⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        52⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        55⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        64⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        68⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        70⤵
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        72⤵
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        75⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        77⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3360
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        83⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        85⤵
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        87⤵
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        96⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        97⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        100⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        104⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        107⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3468
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        120⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        130⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        133⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        139⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        140⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        141⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        150⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 396
        151⤵
        Program crash
        
        PID:6656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6560 -ip 6560
1⤵
PID:6632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
64KB

MD5
57079c3bd9fbd27fed76afe558b48686

SHA1
f717e571b8b53fad366ca03dfd4e782eebeaae4a

SHA256
617de734844ef4243d75feef3b861ca33525044bc232e46b58f7353234c989f6

SHA512
037f8c54bcea54ac97795e861ea108b9c7aed7d52818a79beef5e7c7f67f4bb51b46d9a23451de22df3face6fc059ec7c4eb1b34054eeb1518e790a534aef66b

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
64KB

MD5
a3787933951059f7aca1c864ffaa77ee

SHA1
163405e995d2f5e6a508cae8fdc7ff4c46556bbd

SHA256
e23ee2a369bc096a012a13c6a537e0af54d972d7b9478872896d77dc4ff7b021

SHA512
e0c497c20a7900e7206b7dd0f279b431e0ef2321755d7ab115cb8d34eb86da20deca65edb27faeb3008b47046714f875d07f04e68f05ce36e89b2ffd3b29dbdc

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
64KB

MD5
fbc4c592480d125ccf9e6b3ebf0d6195

SHA1
ccf2711a20716bbd6685a7a0b65290c049a97023

SHA256
dda34925d46f1582b23654f713d90d293cbf1033215beb7d975ea4729a6d3971

SHA512
ddd69c53b02d399f74b38e1ec09d237645e4afe7e574388bafcb82297b9e9cd2f0b9559a448dcaf56b8b70c33bb93edaf63aa90c62156345b100918d192d8783

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
fb00859c90419b7615b6fdcb0b5e2f4e

SHA1
d00553945e1f88cb06958a6eff2dd26dffa7dd36

SHA256
6f3345681b5af2e7e03f89d6aa2c20897eeb98f86d83f96582af2b10b7ebdb7a

SHA512
0b7d585c973362649725bcc349ca0b3ec1982c2146ee2b004cf21875f6f1b81a1691b5b5f2d8143289dca70ef5bc85d06150d4b38d648de12bd040c142348e95

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
2ec82ea4cce4e3dbe0c18e332d7c57a7

SHA1
dc66a7baf610beb30cabebe3242639aeabaecee2

SHA256
27fe3aaab6b2786eb5251d2b307636205f7699930250d1c332eda5da8d32cffc

SHA512
f055a56e693988e4dc08578d26bbed51fbb7593abc0218b048c799e084ea14a20e00dda30bd49f8428d520a488b109d869d60e8178581cd8419657a6f189700c

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
64KB

MD5
1e43f2a62dd4a6dae5eab03b000e79cc

SHA1
f0c9291eeab9d7881e81a486cea8c832cc5dfaf6

SHA256
6916e93f6aa47f7dd4541d2e47f6448928ae9b7708cd08d20b7a0b774c163942

SHA512
be666427c39b949a7fa72b67162636742b85e660c058ef970221c3832e176d3d190b62774f8e38665c02cf783eeb5bda0bd4fcaeb6b1a4b100e5ea9e85d5ed1f

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
64KB

MD5
e8237f9341a9a08a51121f2d1bb69348

SHA1
3d767c5cdc8ec4f251f3cfe1436b632de7a4aaba

SHA256
9ed2e3d323e7ea623a7f544f87196d336f4cd3602ee39bbbe34b9cf9dd74dacf

SHA512
0c0f83fde1e99f9094f678dd003120287d5a3095b2758f39e0d2a15b1bcf6de5cf5f2f98c0483ed7f5b86dabdac3574add3237965ec62aa16e680b92acef5040

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
64KB

MD5
b9fba1e58b396e9eae3bc9d67489f415

SHA1
95d86b5e9bfe488d7ed59774fa6673bd27320174

SHA256
46e744892f98dab7558601564364b5930b3eada02106b90c68202eb3e248543f

SHA512
0608a295aaa0ed72dd7a4628e745d4e9f28444c2abaa7e2dcdb00790784630e3d81ef1f3a3b1a702f9aac2a7bd303a9f145ae91c2e4d3217ed1234bb9160b10e

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
64KB

MD5
5f0ff968f686fa020bfef52154380204

SHA1
13b014e9d76435d2845f54c9f1bf0cfa4b64af51

SHA256
91d452e270ec88e045247f545fff22d725bfb9f80353a73028e5e762cc04d2df

SHA512
2c6930883dc01b572e02649f2aafe5950366b00b2ae9beb297051992ea5c77bad48840cf5581207ce6488f3c5667ad0494c3cf82e1db574d1ba3030da9ebd4d8

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
64KB

MD5
556e2560af80a7876d6335653486cdc9

SHA1
13f501280795280d680f732b928745fe36020a1c

SHA256
f03a022306114d97d893f39c62dac27e1f41e7e9e2be637fb9dc173144209944

SHA512
cd136fc3defcec2bc40d65b5c62a0ca84dbd49015a41b72b891ff2eff01b03b7f5a62d3af4ff862324519e199d42656156562c92f65794c1fe3fc4a60933b77b

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
64KB

MD5
1f0d0aa38148a6bd53f58afe945383a8

SHA1
b7e97cdb72b9726d4cb95c9c6455f168ba7491b2

SHA256
1fadb7d696bd11539ca48095fd9085be0698863f1dd1534a48b9a0ce1eaf790a

SHA512
2bbce61ebac5b43bb42073f071caf04be1527433d9d414d4b9476f65665724e4e15ca9c5a44ffb04176e2b25170e799bc981e3d96834741d68c00e87a027074e

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
64KB

MD5
6f68deef1afe2f5e97e03035436f76c6

SHA1
db4afa6db301d6697e3d3d53a58347ea61812434

SHA256
09b3b5102ff0c0c14f42132eb51e3cd7788e079918c4e156433d826e741f882d

SHA512
5bf486ee1777ce877f8769bc9a2f19d61cf246615692ec0a5f907bdd9ed80293e39bd207976c2ac6b6ef6ac805c9dde50244cea4d91d8dbd04d7eb929713ff01

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
64KB

MD5
f96df98f4e13b3fc2f40b5f07cbc24fc

SHA1
44a1570245b2792344e1ae02880240983a1f9a1a

SHA256
e3fa2ac651d2017c158e42ba3774b262317f11abd320b899d973dfe947baeb6a

SHA512
46b0e0289774f7093f4bf7fe4811f48b0f7d130a374945003660dea63b0fc89f56bfb47f0b7e1af26411d3399aa6d0a1cacdd7ef5cf4a6cec2fb8c11fae2333d

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
64KB

MD5
c99323c9b715dc610a82cad9f1bf8426

SHA1
39d28a8cfa50731747fad8e95892d27a905af560

SHA256
af54ac4b7eeb53f7b5a600e50e25ffd71f86247cbeafde9ff520db3d04738446

SHA512
7821cadebfd160791f837fea6225358b621b2426606c3bc8d461437f0709bbff57a971ad7481961bc486cbcbdce1643b4e2e9ca853ef425908b4309076bc6fb1

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
64KB

MD5
dbfb99f84e7972d858f6dc6e6aa3c783

SHA1
b31e34b34df88de35d6d0c08344e665a74285ef9

SHA256
dde4a4dda8365cfea8bd122e5ed606d12c13f1b5431ef0b697984153c0ae13de

SHA512
26ef00cf4b52cac2f77d94892a044602da01af0c274ac3743008533a9abcf9d751abb6b727ce5e02715f61663c0e06eed5dece27b9017d18dbc17365fac07af7

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
64KB

MD5
54b385ece8e583c3f15ac9610e5900b6

SHA1
38b39905b6b03cfcf36562573c1837ba8ec90cc4

SHA256
ee168c2a78c4b62cb57ff702a025ab6959cb2b65622ec48009a4eb7a061118ea

SHA512
f3d52a7299482ba49c547cdbbc132260eccb46979f7d48c700c40205f367a73f207c54ae43c834d7016beb26fa86d99d09f78faea6f66b31968b3009bca38348

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
64KB

MD5
207d41065a612cc3a81cc6486c474d08

SHA1
8b57aed6865bae86f5602d95d75086b81406e58a

SHA256
2327ea3ae442b5ec994747ee5372235ff051757e9f6f15550e30d47edf8865fa

SHA512
bab92b316869edba75ed62447a632ad5c19d22c857039d41b4e1ed76c0b2e66b02e27cb6f0db118704d939e9a2957cb9e0a305b69f77142385425796f7cdbef5

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
64KB

MD5
dd3ce652ad8aa14c43042b7074b7685b

SHA1
05706a5d2ee20b2aeb029330f1adb1b7847f221f

SHA256
345aff76f4dd9f38050879fcccd96a9ee7fd53fee0a116164ae57e4b12a59648

SHA512
1ac6de930c9087c20973917846511040dbbb87449a0727ef258573a219ad1dbcf8d284789a5a71b932368e6243e9c469cee1ee770bb169020cbbe4df3fe0347f

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
64KB

MD5
aa1a14d886f942d0029b964a451b24a8

SHA1
5d409ea67fb898c92f1174173946e9572907ced1

SHA256
f7275990ca1140e3bde7a7ed58db91d81a263dfa073600fe1870d7c49f070e39

SHA512
491fe8046b530853b060c2014b150926d047f7dffec8fa98685d0c14a067f7e2523c242546fc03f8c9f9f3175f708c9260040e97baf4b6212130d1b9b2e58b9c

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
64KB

MD5
e15d9f86faeed6c654f410f615d3269e

SHA1
66cb1dc4e5751622dbddd1fc2551f64cc5440279

SHA256
3c973bb3c15c93b06d4730050f06e6b503b95ade64a43146212d42817b684492

SHA512
2f515d7c3843e5db954cdfc03735db82dff622a06ff34d15df7a62497de1fba2df95b99d03c5b3a1ae4cf8438c0c43925fd49d76736f8f05243adc3065e975dc

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
64KB

MD5
938914f205bb54c11f705406f01bbf9d

SHA1
7115916d46bc5d657fa43f2fb386e6e7bb3cd8df

SHA256
14092412efb2c79b0c0012d23123991c8f7a8ff27547605fd373c9e3306abbcf

SHA512
416b7a579f5a44a7a6fdb98556a6fa14930b237127c9f0461b6126f26efade32bf52fdb17cacd951f01e50da8aff6783d6fbf5118bf144f1ca5426b5dca28d85

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
64KB

MD5
dc316b1920fdee31544fe4d22143f509

SHA1
4238586e91dc8aac281d09b38fb049efe67120a7

SHA256
c3e30f2f4bbeab03a213f28e5bef3881ba4caf7289ea61635acc6956afb43906

SHA512
9327e52fe709972e63ba900a2fb251a6c4b9fc653bdf05b0291135b4b8d63731282b045b601b74c2da2c5bbffec3be6efeb519258a7d6f9322dd2c9df5318cb2

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
64KB

MD5
5262a022aae4dc4d8191cc7e42d0697e

SHA1
b1b63a56ec2f479ea732c2236f449892f4b0c845

SHA256
523e0ce1642f0469694641ffc7f481c7ae2c1db661181460ddcdf2c7f4da7f3a

SHA512
7bb2ff1547e2ffda69fc51dec26feb9cd6af500cd26936d1d0dfac056790d4d4be20d07449be0ad43d798d66561da0590926c06de277308e5c0c00c26d5d6d0b

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
64KB

MD5
dc9cadd869942ca77715220e9ce9c73c

SHA1
93161bd8a1418fe2e1aebdae3765886f410d60f1

SHA256
b687aeb2d929c00693ad7a75f5b836ee42eace769120b59f89adec2267ae9424

SHA512
d69a4551daa192ee7ceae26cacf50c390cd1fe589c6f84915b4b450fdf51def31a0b62eacb426b31c7e6b91a2295d7cc49d881b2d9e6c84cc5aab312df3854a1

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
64KB

MD5
5b9233fdcaaaae498104b23572fae433

SHA1
3ebd5957ef96b90ea2a94796a52d6fba4aa00e0e

SHA256
e00c24f053d159562385939422996e625c741404db0793b31c8652d711092905

SHA512
9c8ad36be4a9d20ae67747bdb6a856c87ba6e594d68d382b4199161c1b8624294cfab0d2d6cbdbe1adb45e4f3da06a3543b47eb9294cb840abc802b4b977b956

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
64KB

MD5
1f8b300c46d574190aa96526efad35aa

SHA1
dc2dff38bcaa3c10d23f9ed1811faacadb11b931

SHA256
dac6ad3a80e170730ade325a45c19363a8d1f888ce45bfd44b5a5e6f4405aec9

SHA512
f8ba91e8d0fc5580975ad9b7bc9d9225b82993b5704d8b50fe1ac27d3088443006a5ef563c054e8a20a93ecd8d402b15eb26a5330cffe16d5b2a1371133c4c8c

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
64KB

MD5
ab5485e9308a75cf132db8d4e9ae34f4

SHA1
c28753cbfab8cf41fdba8db1673c5e59dd5e0091

SHA256
2ec1a5fe8757f0562b44f201cb2b54f62dfd383c1c898b0f145855d9a41dfd26

SHA512
5ef5c1f4c58e2bf14577892d51ee8bffc57d7cba8f61f143a731d771c8f7f83cadefac66f028beb51061643b814b8e0c7d24ce9b8ce353feba2faa2e09f4ef17

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
64KB

MD5
2970808d8d94b08477c14ba2b68eeabb

SHA1
3c4595231531509526cec31f4acd058235e0e98c

SHA256
f9144c8a9c019b692826d2cc5c76907b04a3b18da268f0309ce9618ebe50bf2c

SHA512
579f190dd56b5122431d44f4e06667c209b41207d1ded01013a81cb20e92ad1e839512f5ff30e98d3cf21977e421b86b5727426614bb819983ab150e7da4ec42

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
64KB

MD5
cd13cc72c1b971444d3c6d1d0540ec0d

SHA1
592eedb803cf45670d7aa671179ade3ad2bfd4f2

SHA256
26a98fa085414834514cdcb6163f84dd4a9ac72b995d3c3a2acbf89c9c6fdb3c

SHA512
da3f673beeaa567d0efb27a16b362ca483f295e523de79d709dbbb62ccdb465058ac723552d52b5b601fc38609382d9be64a08d9b464d810cd3a8cf60b410beb

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
64KB

MD5
ac1133595cff79ad143316230f93f936

SHA1
54f865a6b0f1c5ef12ad904f132571ba52e29190

SHA256
01f6214caa49bd9661c1933f8093b2c894dc93b5c4eb3bab039482388489e608

SHA512
ff0797fba950dbe89bf4dc56c245ed1eedaca045a9f40f4ea58e4bd743baede6a5edf3a0529361d0cb2d01209c800dbba5fc29e48b2a25c5955705282295ef28

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
64KB

MD5
858fac6c516d3ab23c6f1690f607cc9d

SHA1
56cf27caa8f307f43ecf6a2652adb5adde5f7814

SHA256
282d697b67108b640f9c5763ab589b6710a71ce5c59dcf9fd4f865cf1b132f7c

SHA512
1db04eb6579c19fe0546a94242ee01d6837f171488eef7bd0723c8e74a51cd039db4d5b83dcf17a0a00fb12256bdcc04ab635c09ec2806fc5da76a8364673db8

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
64KB

MD5
b090f96f3e1ea812e612595fcb81addb

SHA1
79f4292efc4feabad309f3fdb993225358a90d15

SHA256
43e4023848ed719d36777c92d4839048cd240df8c5ed7f4def04c97451ab56ad

SHA512
f5a046086df6c73c035428f5e06b913db4da24fa17bd9ad8e52f8925e8e015a736a2c3837f090866d25e78cceeed09e44a71098ad07aa7df1997a09ad2a842db

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
64KB

MD5
b54c682a8b5a98a04d644b3392f9a6bf

SHA1
ea2abcd37079f1e14acccb6e515eb70526d784fe

SHA256
e2c6068b8bfc0b39aea35059a8b6b7131fb66c247dca35b16f8a091a46bee9af

SHA512
c8ddb380ced09e114d1b99498c9bb78c1d6ddc703bef36fe41e79f9002f7106cb9f7669d7c110d2b022a3977577535d9f23750ff5478ddf6f590c105f4d5f08a

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
64KB

MD5
bcc7b900d0788d00aa8465da45387753

SHA1
ffe9762213df3f5eb89561fa4bbcac1659330705

SHA256
7e564a8722795f41af01e545ed11b38351d85baeed7e941bad17ec1f6a980a1a

SHA512
f7d24355ea7aa9118f2accc9ac8006333f5c7bf7e0e94588bd14da7d9a896bc8e73d3941a25f359f1c602ae7237112adfab50dff1a0e637f0809afe84f2c4ead

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
64KB

MD5
82d38c619e5a5b95b2db652fc2e39d79

SHA1
64a861c434d50a9d5529b8b6c1b1ce939faccd66

SHA256
c92205c92b34678837d7d966625df306141150a24636bcd033daaec0fe9291a1

SHA512
eab88485860b30ac4150708350dbfbd532d9a0898a78f321cf55f97626794dfe89cccd0d6852b43d6b2edf2099ebe9278dd7be5cf3ff86b844ff677e71edf49c

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
64KB

MD5
1f99c29e137f2f951bd6e4d7d0999ca0

SHA1
4082c0766ecf89bc67769f9285740f4938507e8f

SHA256
2b6876ee3186b9758ecb741032db480fee9abd519fa99c45fb4e52f7bf08f481

SHA512
13056c880540e243f41c48bf7c2731d2c190d123f6505cc5cc98eb52438ca2b75725797a4f89e2f698c97b28648210e3969986b84957d854caf77a78481970e9

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
64KB

MD5
335b62ae32d958a41b939fba4cdc2bef

SHA1
b4e18c39c752c37543b7e2e8510758cde8a19d5f

SHA256
f79067c53d1846af8b9712a91f9fbc03ead028f3c6f2a220e5fa1ad4e092065c

SHA512
360606c13ee6a2e5e6c0352996d30ca01fb26a6b0e0a64c59cc5da8890d5a0914ed38423a1a921deeaed705ef3944dba6ae9363b28129731d771d099dfdd0698

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
64KB

MD5
ddd02ead993f04c9ab702e6268ed00ee

SHA1
408b39f9e9674d2101c563008440328023a7d734

SHA256
343d6789ff090fea9d14ff17c35c19f53c6bc8c45a06f1d2df477b14c3d40a09

SHA512
92b51e74b717818f7ce5c1dc195824ac047aaf4e467dcc4dad21e84aaf73f3d3267d4466bd248cb0066cc4b24428716376ec4b7efb056dc5c3649495e4a6be01

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
64KB

MD5
3513aab43e759110dab02d06a1d7726f

SHA1
482e1142099db9f6447e990ccb0417fad9d26a11

SHA256
684e3cd05b37a4ee124eef27aaf259b6ce779a2068cdbd125997f9c4cf867b0b

SHA512
b0a8478444ab6d87e2f4dca27b98a5b292537a2e48eee3d17a04518e394c6c123e5b9dda59cf385d3c882b08bdda78e3963804f3e7ac15825f14706a689cca98

Download Submit
memory/208-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/312-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads