65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Size

256KB
MD5

b2703a3fb49840dd7ec83d0b62091750
SHA1

c858403d15b4695247285811a98a454141cf6e6d
SHA256

65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21
SHA512

21683e9435ee8710da636ace701f8031fd91a3d2aef36549eec7a77ca6d3a4e0e8a6d37ebc83f82315d17d6bcb81f0e1ecd0bbddcbb43b111880cb06dcb1683b
SSDEEP

6144:Nx5aPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynnH:guqFHRD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lggejg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgloefco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqkqhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgepanl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaagkcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lflbkcll.exe

Executes dropped EXE 64 IoCs

pid	Process
5112	Jiglnf32.exe
3308	Jleijb32.exe
4012	Jlgepanl.exe
3284	Jofalmmp.exe
4120	Jepjhg32.exe
2268	Jpenfp32.exe
3764	Jgpfbjlo.exe
656	Jokkgl32.exe
1180	Jedccfqg.exe
4088	Jlolpq32.exe
2080	Kgdpni32.exe
3612	Kpmdfonj.exe
816	Keimof32.exe
4408	Knqepc32.exe
4344	Koaagkcb.exe
664	Kgiiiidd.exe
2392	Kflide32.exe
3932	Knenkbio.exe
4208	Klhnfo32.exe
1000	Kofkbk32.exe
1700	Lljklo32.exe
4484	Lgpoihnl.exe
840	Lfbped32.exe
1972	Lqhdbm32.exe
2660	Lcgpni32.exe
2208	Lnldla32.exe
1752	Lqkqhm32.exe
3328	Lfgipd32.exe
3052	Lmaamn32.exe
4772	Lopmii32.exe
4436	Lggejg32.exe
4080	Lnangaoa.exe
3524	Lgibpf32.exe
4672	Lflbkcll.exe
4084	Lncjlq32.exe
3364	Mqafhl32.exe
4496	Mcpcdg32.exe
4688	Mgloefco.exe
1036	Mjjkaabc.exe
3144	Mmhgmmbf.exe
2112	Mcbpjg32.exe
2628	Mfqlfb32.exe
3336	Mqfpckhm.exe
220	Mcelpggq.exe
2232	Mmmqhl32.exe
4844	Mfeeabda.exe
1264	Mqkiok32.exe
556	Mcifkf32.exe
3500	Mfhbga32.exe
3868	Nqmfdj32.exe
4068	Nfjola32.exe
2852	Ncnofeof.exe
408	Nncccnol.exe
2240	Nqbpojnp.exe
1904	Nglhld32.exe
448	Nnfpinmi.exe
4788	Nfaemp32.exe
1108	Njmqnobn.exe
1276	Nmkmjjaa.exe
4756	Npiiffqe.exe
4944	Nfcabp32.exe
1444	Oaifpi32.exe
3192	Ogcnmc32.exe
3080	Ompfej32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clahmb32.dll	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Akpoaj32.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Jlllhigk.dll	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Dckahb32.dll	Jlolpq32.exe
File created	C:\Windows\SysWOW64\Knenkbio.exe	Kflide32.exe
File opened for modification	C:\Windows\SysWOW64\Jepjhg32.exe	Jofalmmp.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Jlgepanl.exe	Jleijb32.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Mjjkaabc.exe	Mgloefco.exe
File created	C:\Windows\SysWOW64\Mqkiok32.exe	Mfeeabda.exe
File created	C:\Windows\SysWOW64\Folnlh32.dll	Mfhbga32.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Adhdjpjf.exe
File opened for modification	C:\Windows\SysWOW64\Jlgepanl.exe	Jleijb32.exe
File created	C:\Windows\SysWOW64\Mgloefco.exe	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Lfbped32.exe	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Efmnhl32.dll	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Lncjlq32.exe	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Ipbehfom.dll	Lfbped32.exe
File opened for modification	C:\Windows\SysWOW64\Mqfpckhm.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Omfmcjlk.dll	Pfoann32.exe
File created	C:\Windows\SysWOW64\Ojnkocdc.dll	Mcbpjg32.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Jpenfp32.exe	Jepjhg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbpjg32.exe	Mmhgmmbf.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Bmjkic32.exe	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Lljklo32.exe	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Aggpfkjj.exe
File opened for modification	C:\Windows\SysWOW64\Bdagpnbk.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Kpkbnj32.dll	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Lmaamn32.exe	Lfgipd32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Mgloefco.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Fhhfif32.dll	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Mmacdg32.dll	Kgdpni32.exe
File created	C:\Windows\SysWOW64\Iblhpckf.dll	Lnldla32.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Aopemh32.exe
File created	C:\Windows\SysWOW64\Qfoaecol.dll	Coqncejg.exe
File created	C:\Windows\SysWOW64\Kbmimp32.dll	Lopmii32.exe
File opened for modification	C:\Windows\SysWOW64\Nfcabp32.exe	Npiiffqe.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Ogcnmc32.exe	Oaifpi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhpofl32.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Locfbi32.dll	Jokkgl32.exe
File opened for modification	C:\Windows\SysWOW64\Knenkbio.exe	Kflide32.exe
File created	C:\Windows\SysWOW64\Nfcabp32.exe	Npiiffqe.exe
File opened for modification	C:\Windows\SysWOW64\Lgpoihnl.exe	Lljklo32.exe
File opened for modification	C:\Windows\SysWOW64\Lmaamn32.exe	Lfgipd32.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Ghkogl32.dll	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Nmiadaea.dll	Nncccnol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5596	6016	WerFault.exe	229

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcgpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgpfbjlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedccfqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgibpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klhnfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcbpjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiffqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaagkcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kflide32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmhgmmbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onocomdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknbkjfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofkbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfeeabda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keimof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmaamn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knqepc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkmjjaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll"	Mgloefco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojenek32.dll"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljklo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nglhld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll"	Koaagkcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keimof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpmmgb.dll"	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpnmg32.dll"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfoann32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 5112	2936	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe	85
PID 2936 wrote to memory of 5112	2936	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe	85
PID 2936 wrote to memory of 5112	2936	65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe	85
PID 5112 wrote to memory of 3308	5112	Jiglnf32.exe	86
PID 5112 wrote to memory of 3308	5112	Jiglnf32.exe	86
PID 5112 wrote to memory of 3308	5112	Jiglnf32.exe	86
PID 3308 wrote to memory of 4012	3308	Jleijb32.exe	87
PID 3308 wrote to memory of 4012	3308	Jleijb32.exe	87
PID 3308 wrote to memory of 4012	3308	Jleijb32.exe	87
PID 4012 wrote to memory of 3284	4012	Jlgepanl.exe	88
PID 4012 wrote to memory of 3284	4012	Jlgepanl.exe	88
PID 4012 wrote to memory of 3284	4012	Jlgepanl.exe	88
PID 3284 wrote to memory of 4120	3284	Jofalmmp.exe	89
PID 3284 wrote to memory of 4120	3284	Jofalmmp.exe	89
PID 3284 wrote to memory of 4120	3284	Jofalmmp.exe	89
PID 4120 wrote to memory of 2268	4120	Jepjhg32.exe	91
PID 4120 wrote to memory of 2268	4120	Jepjhg32.exe	91
PID 4120 wrote to memory of 2268	4120	Jepjhg32.exe	91
PID 2268 wrote to memory of 3764	2268	Jpenfp32.exe	92
PID 2268 wrote to memory of 3764	2268	Jpenfp32.exe	92
PID 2268 wrote to memory of 3764	2268	Jpenfp32.exe	92
PID 3764 wrote to memory of 656	3764	Jgpfbjlo.exe	93
PID 3764 wrote to memory of 656	3764	Jgpfbjlo.exe	93
PID 3764 wrote to memory of 656	3764	Jgpfbjlo.exe	93
PID 656 wrote to memory of 1180	656	Jokkgl32.exe	94
PID 656 wrote to memory of 1180	656	Jokkgl32.exe	94
PID 656 wrote to memory of 1180	656	Jokkgl32.exe	94
PID 1180 wrote to memory of 4088	1180	Jedccfqg.exe	95
PID 1180 wrote to memory of 4088	1180	Jedccfqg.exe	95
PID 1180 wrote to memory of 4088	1180	Jedccfqg.exe	95
PID 4088 wrote to memory of 2080	4088	Jlolpq32.exe	97
PID 4088 wrote to memory of 2080	4088	Jlolpq32.exe	97
PID 4088 wrote to memory of 2080	4088	Jlolpq32.exe	97
PID 2080 wrote to memory of 3612	2080	Kgdpni32.exe	98
PID 2080 wrote to memory of 3612	2080	Kgdpni32.exe	98
PID 2080 wrote to memory of 3612	2080	Kgdpni32.exe	98
PID 3612 wrote to memory of 816	3612	Kpmdfonj.exe	99
PID 3612 wrote to memory of 816	3612	Kpmdfonj.exe	99
PID 3612 wrote to memory of 816	3612	Kpmdfonj.exe	99
PID 816 wrote to memory of 4408	816	Keimof32.exe	100
PID 816 wrote to memory of 4408	816	Keimof32.exe	100
PID 816 wrote to memory of 4408	816	Keimof32.exe	100
PID 4408 wrote to memory of 4344	4408	Knqepc32.exe	101
PID 4408 wrote to memory of 4344	4408	Knqepc32.exe	101
PID 4408 wrote to memory of 4344	4408	Knqepc32.exe	101
PID 4344 wrote to memory of 664	4344	Koaagkcb.exe	102
PID 4344 wrote to memory of 664	4344	Koaagkcb.exe	102
PID 4344 wrote to memory of 664	4344	Koaagkcb.exe	102
PID 664 wrote to memory of 2392	664	Kgiiiidd.exe	103
PID 664 wrote to memory of 2392	664	Kgiiiidd.exe	103
PID 664 wrote to memory of 2392	664	Kgiiiidd.exe	103
PID 2392 wrote to memory of 3932	2392	Kflide32.exe	104
PID 2392 wrote to memory of 3932	2392	Kflide32.exe	104
PID 2392 wrote to memory of 3932	2392	Kflide32.exe	104
PID 3932 wrote to memory of 4208	3932	Knenkbio.exe	105
PID 3932 wrote to memory of 4208	3932	Knenkbio.exe	105
PID 3932 wrote to memory of 4208	3932	Knenkbio.exe	105
PID 4208 wrote to memory of 1000	4208	Klhnfo32.exe	106
PID 4208 wrote to memory of 1000	4208	Klhnfo32.exe	106
PID 4208 wrote to memory of 1000	4208	Klhnfo32.exe	106
PID 1000 wrote to memory of 1700	1000	Kofkbk32.exe	107
PID 1000 wrote to memory of 1700	1000	Kofkbk32.exe	107
PID 1000 wrote to memory of 1700	1000	Kofkbk32.exe	107
PID 1700 wrote to memory of 4484	1700	Lljklo32.exe	108

C:\Users\Admin\AppData\Local\Temp\65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe
"C:\Users\Admin\AppData\Local\Temp\65e787bbec2a22f00ba0044a289439c6f97a18bfdfe6d2334bfe3080425f0b21N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\Jiglnf32.exe
  C:\Windows\system32\Jiglnf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\Jleijb32.exe
    C:\Windows\system32\Jleijb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\SysWOW64\Jlgepanl.exe
      C:\Windows\system32\Jlgepanl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        45⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        62⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        66⤵
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        72⤵
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1836
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        81⤵
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2068
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        85⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        89⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        91⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        92⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        93⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        95⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        98⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        100⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        106⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        119⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        122⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        126⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 400
        141⤵
        Program crash
        
        PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6016 -ip 6016
1⤵
PID:5328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
256KB

MD5
9b1d7ccf22d4b6ecf5ad767dc3ff6b47

SHA1
731e2429c202fe445f05cb34cb9549ff23c125ff

SHA256
29fb1aa22c8ad63ae6fb60e55c6bb062f6ba5b18b43ff0937c19ecf9f72fcfc2

SHA512
ae5b67a675b6ec35d91af9b9f7ba17014d5af4c393ed2a9da57382f0088d8359129d33227345d997c5af0461c44502fdb3c14f6a91c4267b8193482cd6d37428

Download Submit
C:\Windows\SysWOW64\Bmjkic32.exe

Filesize
256KB

MD5
104d834f004a7fd1db7599e83e766bd7

SHA1
99e24e06d7ea452b34179b123e7c4270163ca706

SHA256
8fe5bd32fb5be9e426480030a9659b552a0d78bc58786e4fb029666d1ab7629a

SHA512
488c639d675bf32dbee25c1c08402b99e89bafac69c95ba81015c3baab3fea6e421dad8ec83aee9b34c0ecc42deeca407fee77c2cb66fd6176e5e23c6b3eaee2

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
256KB

MD5
737b42f7bd82327052bb3e60f937b839

SHA1
24dfaa8555fee14dac9365e772fa72b35407271a

SHA256
8c03a7686d54ce01cb0a0ddd78994bd1c6af6db5074f62ec2510f737b8e2e814

SHA512
887701fdf9d1761d5f0f4266a4383746a45416dbe02a90dedaae703fae0e16c37818214a3fa800d5a173ebaa95dcd79b17fe0dc96004e05caa4fe269e780908a

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
256KB

MD5
1391574e9933cac0825de497f2ec5623

SHA1
c1269948f66c6d36301a763c990d2feded43fd1c

SHA256
ab8fb24907416b394f5df9e3ab96fbb1feb0f4a9745979b11f515b9e7875efc2

SHA512
c4808b6a17588fc4c6c8b3081ece21087b54084142564e0e7ae6fc09114649df08e7f10257a739a068818802783d77ca391df221cdb707c8b784c63295520d45

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
256KB

MD5
4cfa972a9853e7e57cfcf7b987abc222

SHA1
46bcc8182a26194c10053218480fd187fae50ee7

SHA256
a3bab2d5a8255199fa66aacc30d268d2ff807040893bb5089a986edf18409370

SHA512
3c1ef4ea3e67140a7ecbb75990e3b8716da09964a7711ba1125a0bed69636be587a808b27bbe7b27f422873ead8a92e43a9550d2a228ce00dc0502af4899d0d8

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
256KB

MD5
fd479e8bc5c2bf312cdd0168388fcf8b

SHA1
957992d884b71d922fb3dcd10e53f00507ff2a85

SHA256
49cb43560dd2bca83296d0380b299fabb0620c4f0addd5795f2fe44fca4a40dd

SHA512
cdba8a898848aed17baad598337440baf29245996be518f770a4a93096821cd8128d8326e53852164de5156836e41e0406f99a603638523d9a98d94c3e2cb69b

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
256KB

MD5
5df53d10adb0c0711af5f1e4171ad7ae

SHA1
d51964486d474142ce91c4fb3514ed54abd5a71c

SHA256
6c9a9ad9711ff0d33b31835fc69dafae7a8817bf9d8ae65b5ef5f8c7fd4e0783

SHA512
714175b2444121a6b21c21de59904da60d012320ee0fa62e95999250a29b70032fe42dcca19cd28bfb1de8d14a63b2a3adf6bf1ccb1d5ca1fdde942b910d1045

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
256KB

MD5
704a233c1add85db3039ef4947210c81

SHA1
fae066afc18bc4c6a38a03904a667774f083888e

SHA256
484da51cd728602b5e9226b97eabf4e1f2fb77024bd971ee86feff74398f8a55

SHA512
ead390063501ef97ffea4d646e98ce999f3a4c922984dce4f44734207ac64ede09bdebd0dcce406272bbf082afb9c14e8d2510032fd4922af74ab174db978c5c

Download Submit
C:\Windows\SysWOW64\Jgpfbjlo.exe

Filesize
256KB

MD5
addac43cacbbe0eb6ecf6ec8b5399887

SHA1
3d082ebc39c4c3273910163f5a741477e12da98c

SHA256
20c647ad930535b871a253f60569c97dce833152f2093b17118248c703c755f5

SHA512
ed723c5173be8661e910978d413aa8748e845ee628580601153eb08f7948d3a3479cbad070876b3bbb659deae8d0f944959b988f3e8ad7784fbdf1fb55115444

Download Submit
C:\Windows\SysWOW64\Jiglnf32.exe

Filesize
256KB

MD5
b8891fd91fd35701451c76ee3823d0fb

SHA1
bba9cb98c0de2ac2a8a56bdee8c5bbb96960a8a6

SHA256
4d7b224ea8af2742434b32981a55c2b5f20d289e621bcf5747e56114f001dba3

SHA512
4bd04b17cca7aaf5d807f09ec463585f97639d8b0cc469bd60e52e824068c069827fe87b88664764dcb3a1f8040950973073690622b5347be5d6c322b9c13792

Download Submit
C:\Windows\SysWOW64\Jleijb32.exe

Filesize
256KB

MD5
3fc11e9b7abd8d97a416d54eff529bd3

SHA1
feaa37011c2f9ab42695b96da308d1ecf95ba002

SHA256
7b781f11d7676d4c292224fc926214cdc916be04ec6cf892b18c876eebe85757

SHA512
bf620f157623c178d42d96f473218c00ba36989bf9984aaaf3986a3c2a0d9c0ab9d824d0ee0f47adcc8f3496b761ccd7c8ede376f1a4c046d2f1aa919efd9133

Download Submit
C:\Windows\SysWOW64\Jlgepanl.exe

Filesize
256KB

MD5
97150d6c0f2c47a8ac8c6195aebab77d

SHA1
451c614c5e1c8644639070639fb6123220221cd7

SHA256
073bdcb582e92e43782834980c513aaf729110b0f5bdbc3906953662537530b8

SHA512
dd7f0e00fc200867d680c7816dfb485d4e56671b428da927acaacfac4930bf676f73a3409425009efc3c04b18968e7c61bbf03443e4b61a012541aaaa9f081f8

Download Submit
C:\Windows\SysWOW64\Jlolpq32.exe

Filesize
256KB

MD5
4eb24ba1c7a3c89bc2e65018a55838c6

SHA1
d24fc10d6189b69ce0fc8ad256a7986cc1fc9c9b

SHA256
744feada48f658628c736a5059e7ea3236efa342c55af353e6262b34c33375a4

SHA512
b82813c550443a0804e0dc3ef85c0e249cce6811331cad2db91402a6c41cfa635733bbadd78baa1c0490fe040414a6c40b1875e3db45e3cb21d539ff0e7f3e0b

Download Submit
C:\Windows\SysWOW64\Jofalmmp.exe

Filesize
256KB

MD5
85bdccbdf0cedcacaaabbfd3f574c35e

SHA1
0d8bbf493029849ba214eb48756225f3bd106959

SHA256
3b24aa9244ca6373aa57b472253f265ac6726258d36fbf2e0c7f346b99d35677

SHA512
07d7503b8cfb51d38e66d262e80d9849ae795ca703f9e1112b24fdaebf1c850e921e745716c0b349b617fa5de30ee5bbcd15925559d25df705be5b749378bb72

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
256KB

MD5
ec1277ddedccef62c2769951ac25e545

SHA1
2314f6722c35e29bde38e15c2d541cfb2f03d03f

SHA256
6d9e32c6065e1311462c07e5053e2e8a7abefa09af06b4e2ee57e889ce66d5f7

SHA512
ab5d0f502ba41eccf16d70f4b61bd2a2cd31a1b89ab94fe41013460ce8501e07bd8457c64135e7a757c79a6fc409c567f213077ae55588d2e6fdeac47f456b09

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
256KB

MD5
b929d27788eaa154736a063d2d51b3dd

SHA1
e3d035b1d03669ba69718190f00543636e77bca8

SHA256
8d4ad4a747509e3359d26ec75af70bd39465fa207b951a98d634510a69c1b15f

SHA512
bab4eb9906bfdabb3c54cc65c9523253a952de068ba6efbb59c38f5ab7b9e3d9ab95e8319ea52c5f47d75cac4a9a118a1ffb5ad788238aafee466e699955d335

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
256KB

MD5
b03e399278ace29ef59bc08ed7014627

SHA1
89f76bedee40f7d1056e855fb4af9948dc48bf09

SHA256
137c47aaa880e531a8c3cf5404243ba589d3aa51092382f1d2cea3021a76d7df

SHA512
c15d578fe9cd05789c504e3ccf6aeb21ea0b82d0c56444ea84e63b0fe55d9e988a87e287b6e8e833814c8c529cddde978012ed9dac3aca2dc0633354f79d8b3f

Download Submit
C:\Windows\SysWOW64\Kflide32.exe

Filesize
256KB

MD5
9701c553320d833b71f86c30cf3ae52d

SHA1
6892fbc7400f1f5acf20cdd37ee76a019108b936

SHA256
d67f02bde16710486767091df7f15607a16fb363c649e6eca58f6f1125ad38b6

SHA512
6aebd6b315333a0e39d8d9c7e3e03dae523d5bf1261cf84980202e3aa148f24de1d252b6b7335343531c08e47104b21db35b70fa64ae41500e94d72e8db1ab17

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
256KB

MD5
6a44215b95f647ca6d4bea3674164504

SHA1
68301104e037f7e9ede81023b99897950d4cb3ab

SHA256
1377d7bf6f02a416201db6a7e813d94cdc675bfb1301778873fb8c7a3b5c0b24

SHA512
b1e6ef9e3488ddc6be4d136d44cff623597b9e081a6648a397ac17ff1d04942cba6f732ca684bac2b9b97333abd3f67d574130a614f8c65c68d7aa022d44e53e

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
256KB

MD5
1930f7875b0f404670ffcc8b85981516

SHA1
f84d6275baaf9acb26bb51f8bace013ba5c7d148

SHA256
974cc348129ca41efb3e1ca072810351f3824a12a812fb2e2f0652212be7980e

SHA512
22a81ec0b945ee980df72aa2fea875a599856e0cc22ef14b611be043dd3af29c18a8db646ba3db1c62c54e9bca39b67a475cc4ecb319b6abdf8b2fcfbdba2614

Download Submit
C:\Windows\SysWOW64\Klhnfo32.exe

Filesize
256KB

MD5
e3021b2ff4d5fa30e251d3a92c3379b9

SHA1
9dee6800a57950f8634b13f26658dbf4b00c18cb

SHA256
3b0ba55d524a1e7434a7d63029ce33f3efd8bed88dc775523113dcc4f1969cb4

SHA512
98ea4e4ed41213c3af2d097d4a0f5d738c6fb47de79fb7514a66585862a2273a4fc3cd40756fea2f8fcd04394f0a08aed6131c1fb86d53edd98c9129d6a3b163

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
256KB

MD5
f098ac90d074bfea0b34c9ec9f1b7464

SHA1
e8036f601bb3741c7aeeb913fea18de7e321034b

SHA256
e516cf984de03f54656af52e78b9cbc35da189a8cb0d3d408095a939f49d2192

SHA512
51e894089065b59162823ccd9c983db824d541538b1105a970be98f423db462e6571131cedb6b018cc0c64a66f4f0bdf2899efc0cc8cd9e0330a86043a395ba8

Download Submit
C:\Windows\SysWOW64\Knqepc32.exe

Filesize
256KB

MD5
4304ac89a2f9b2ea95fc33965ee38d80

SHA1
73416858fe2da497134468361d1d9092350f75f8

SHA256
b397dd8d007f0bc4bba089460a2ce78fdb8cfa47772a01a53a67290ab410cb15

SHA512
fc4b4ea3d2594e17aa83fdcc9edc3f6592c821857aa9c95f41c61b042fd90b6a8a0dcd578269a6ad94fca4234d64ab2d177c53614974eb74ce28aaaaccea93ea

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
256KB

MD5
7883e5ddcaccc3ac223bbd97606fcdb4

SHA1
9c3ee77061a4d54584f17e9ba0b1d29ae0bbb585

SHA256
30d7527249acace3bde2c3fde5292214ed4c81d69818d2557dd7e72fa0a349ed

SHA512
d8b2bc5cfcf4733fac7a0e4d99919a0fe195659eb377e7eb37326dcbeeffc659c7ee445c9396728c2e34fe42e8ee2a2a7536898bc08e0b3f1694b00a4fe7da30

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe

Filesize
256KB

MD5
343550e2f84a5ed3460f83357052c06f

SHA1
49992cd98d701b348f9a702e8351147f84928b1e

SHA256
e67145d345fe9459f64224658c8019347a7351cb646a4281f820b5ba41b2cf18

SHA512
2a8936944d30f5ebded9c4df3a6c9741cccafac622cd48e396839641c7549eec21d744fba5c603dbfb2fdbdb2c40f1e1d8d8a9f0c224b63133eec5171f78bda2

Download Submit
C:\Windows\SysWOW64\Kpmdfonj.exe

Filesize
256KB

MD5
d40cd728666ca8f59504e9d1c07d32d4

SHA1
9c683fe6d1fa6ec9f5fa766e5cef10deaa5c4414

SHA256
3b9a0ab5a0edf30d10e935cc40228267d562b601fbb19b559f4967d82fae5172

SHA512
69ec6b71ad43f8421f857097deb89f453ad0dbf23904fcda71d9569b9fbd9e804dc3b25bf69eb6c591b39dda8bdb2661f318999085c85ae0b32154a0408f385c

Download Submit
C:\Windows\SysWOW64\Lcgpni32.exe

Filesize
256KB

MD5
98710fbb1db53e3ffa0a8460ca9ae15f

SHA1
fc58015a9c9067fbfdc0d49cce5f8fc43e93d139

SHA256
ec20b8405965010505d033784ed2c85801b9cb8036e23e84f3cba106fc0a648f

SHA512
081741b2908d297105748a8e51c3b019bf9e50bcd40b17e6b860309d1422d1d94b776839931ae7955f87cf8abc74a696b38bff85ff022fe2c0f3816a5fbc6e7e

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
256KB

MD5
7def023071763f1a194a4f4dd5e4c353

SHA1
3389f3c945a523ad0895004f0cb737754f5097da

SHA256
ffefc36270a1375645c306d0018b86007088f6794e04766779e423f8761dddd8

SHA512
3b7c8d2c29efa567200c5b3594c78456977373fc0dfdd225ccf259867e73b2f74b246e172adc2ae82cc5707f7dcd6778909e5ec7b949a14cdf58409a24425b57

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
256KB

MD5
4800791cbcfdaaabb87b4b7269346874

SHA1
0bf207c68e6887b6d9ff23d2cc1146f320f6344c

SHA256
dd36b950cbeb63d7f7dc90c49782e66980a36516481f87769ff0b4315152eb1c

SHA512
e913d6e08701db1475a1509c0c2693731f9a9a233c78586807aa165574b7bd7affbe57b36376dd1b0e86b4b45147781c6c8d8128e16756108d897295c637ec5a

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
256KB

MD5
585c615a289ebd1d7e35160741006083

SHA1
6cfbba98bf7289a1ab4b5736909953d5f1961a1b

SHA256
33cc9e436125320df89aab68942cfe3fe4ae27b362934674587d353fbc18b12d

SHA512
d336085ed0fcf27df402bc19d4500e2a675666e73f435c28dfcea259115f710f4205616338c7ff8c41d1e55fe1a26b690fcedf1936d1a0cf38a552f3876292b4

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
256KB

MD5
6a12762151f5cbf34548935c9494942f

SHA1
981d8fccc00307e39f0e5ca738b89ae64d6a9d3e

SHA256
a7f6adfe693477e0c2704cc328f4ae75fa01fe584e7cc017c42ff700ee39a999

SHA512
8f656332b2343a6cb4f9908bfd1e6ac70489f8aee24963ce1c216d1295bba3eb7408a2fb03dfd29fd37e4b5f185bef1705748c74d0e49cb8a1034c35b3d7fb4b

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
256KB

MD5
9f8e977829875bd13d65d3b6e78b1ddb

SHA1
0ec1df7749cc01511dbcf1a9cc0dac40966b9a31

SHA256
a5fca07add1b27c03a799429fc2c13ef43c7cf1cd7b285ae05ceea5114916793

SHA512
ede148c720406cb3ed9439c5eace67361b61d64fd9e89d1e960cec925fae92b996ac5052b83aed613ffa0ee23abe3faa3d8b6cd1d43911a201ff54946dad9b78

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
256KB

MD5
ef370adb35247c1f45df3ee2193be3dd

SHA1
9b7404a5a508a0360c3ea313c4d1fd100ba84ce6

SHA256
765ef47f7b878e27a12791e60014bae72bdc1753e70939148a13d9d387d04c85

SHA512
c7b17e47eb634e8205ed216ad5c72c9e6bcc6cf183117865571ade59b17fd32c48de70fd1f00bd97c4eab54f0bdf576419def03ae7591423bd8a27b27cc97fe6

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
256KB

MD5
81799b3143406ce3c8a822490f91dbb4

SHA1
711e4ad36729401286b38b2e6e7ca8bfae4fd424

SHA256
9a413eadf3b8b66cb305e5971a881193cef120b41eb044c677e8e90d981b0d3d

SHA512
f776bfcfe5eafe65442689ab8ec095f75935b4aeeabdf3d5867f13ad41ef5be1e6b922b5d12d9db6cea23a7a1e8ef7e777818004777887caa4f5fec69a9a24d2

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
256KB

MD5
567d30e368d2c7de55f47b26a68d44bc

SHA1
38d57bd2bf2162b538abdf95b41252736e4eebef

SHA256
9591eaa178aa3874620a1b32292d14de2a2d541c446e5a7dff7527348b630765

SHA512
b571ae00b47273dde28e21561f8cce704e2e88cc8458263c225aea60cb481581a5b54e3431f85d25224ceedc06e505b1761950843ddacda99015a3b99c546010

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe

Filesize
256KB

MD5
04cc694775208e0af2e1450078133900

SHA1
1df831597218bed88ad4af5bd2a8339d2135be2c

SHA256
9767637afc28c1a3ad0040d8459807cd8fd74eeb19fa6885ac5297cc8a48cdb2

SHA512
7dbf1763e866b25f3cba96ff6e7e3f172b2cf9613f6f3b59169cca8f5000add533c11ef73833e743eb252d3d5626a442deb0240218dda45ea52962397ad572aa

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
256KB

MD5
cc1972df23b3564b470d043eaae46770

SHA1
10e8ee2c5d63b8486230c2b35c7a2408eea3660f

SHA256
fe196ca323e366cc2a5bb222024a3fc20762cdbd3fe995c08170f417f6d00952

SHA512
5f0f7b749be79faf25613546ddb25a8259e6bd34a4d59e4ac6910e6756fb23576b5ffb14122910fab5d579d03c0555e1b7d3eef0acbf64626510dbd97009a160

Download Submit
C:\Windows\SysWOW64\Lqkqhm32.exe

Filesize
256KB

MD5
e9a8524d1f03ee208521402fb4212f3c

SHA1
618e666acfe010e65d666c9d3a2f6b6051e45c31

SHA256
f29e20e5f389906ef9a3b19a3bfcb0a297f916695e6dcefc4ffec82d92269ee5

SHA512
4506ef5233606f21cfeae1880491f67da89211a4a6290418611f1327647f76bcf62132da5fa47b0bc94695d6ab5a133ab99f3e6dc587cc1b02e7590ac636d452

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
256KB

MD5
b3521021b2b2110b6aa13da9cc2fd1bd

SHA1
14a23b48e6f2d53c333be09dc03d77ccf0336713

SHA256
996882eb19c4196d11c7c72c49b7fab9e8d738917fd8d4df5c45d02c5533883d

SHA512
04465ca8b48a4fa08fb5e41c596ab404466a8066ef650cc34d6c2969b1818f6dda319d96f651e2a36dae651fed43ea0030a44255f55fec38cc2aa536cc502fb4

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
256KB

MD5
d7aa465325d686344840b054b8c7c1ca

SHA1
abc695d8d601ba0f166a14335d82f89a34e59abd

SHA256
a6f10b2145afcd1758046921a65ee080fd819224d3f4bf235a6253759b84b9a1

SHA512
297160ec7e14c14ce156bdff29fc3dda1272533844c7a02515e34017d8e579651aeeaa569813fe978346b007ac4987a6f92028ac195debbaecef1a5a943dae9c

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
256KB

MD5
f25a216a87e92e63dbf40ed07f7bd332

SHA1
80f72bd2d88c301eb66d26d1a5e8a59629436683

SHA256
5eaf6519d370aebe93c1db6319ea8e20a7f6c4ba76b5a9f76ed4c442c46c6219

SHA512
89072c9681a464fb73220d7c5c421b20d0692ab8426cabcbe5891e00f3a250e95dcc6b78940877c638b02b0276eaa65409dab670e6091566f1f438d27b95b007

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
256KB

MD5
cfb3fccc41b5b91b71b0ea16605794bd

SHA1
2760269fcebc2a31748ad771da9a98f1140e9d0f

SHA256
1686c35f8eab704dbbea7dad4542cf35cc01a314b453df0036815ca71c73c7ae

SHA512
aba7f2dde3beee4a537260f5b62d2a4492cdc0d46e1b367a41417c312497dc5ea360d564883d1e8e98fb1ae17e87dd69e661d7185f7a82ddcad452d05f54deac

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
256KB

MD5
a174ee51dfcdaa19e6cd0602b5afe43b

SHA1
03193fab86bd9bc1cbd41dd6a2cbce8763c15e9b

SHA256
482f4578c373c4954fa16a905436cd27ae5c6d7a6afc7762aa23a64a2cf2fc43

SHA512
d3040895df7f514d8f0658711dfff73039a5a822937c8ef926d2082785907f272380a1198222c03c0b46b32851869308025437df84b5f1032490ae0ffb7273fb

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
256KB

MD5
2678d77603602ecf0b54ea74e5d09684

SHA1
7a4b7552ab279950197024e0724a444e57b08ada

SHA256
924d42aa6173491394dbdeb9aef5c250552a6c28e82dc06dff92b6056c60a82f

SHA512
adc19d3039ce2ada74bd6f47902e6d3a7420f3fe0f9a1fcd56df2e771a55e097ad1f36ffcf0124d39ee84c4e7812c6785134dd51b26be7bad0c4be4ac3ca145d

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
256KB

MD5
7ea2a72f9a4f8cc3c875444bda497c46

SHA1
ee1650dd84b4268103794b1f38f9a1727c848911

SHA256
4933c6828252049fa09a6a283e9f8eb18781ad79fb061a2aebe9fa497327eddd

SHA512
9160e5486abe1321e82d17a5c5d4875ee84d82fe2def210f9537df7e1d218f3e1dacde4795ba42b0b096eb5cdf633955f9c09b8edf95acc8a105df65c9e71283

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
256KB

MD5
6094670e73b00b5af5576a03f4dc9709

SHA1
ba60bc5800cc61d27ed538a5ee175aa8b7be58a4

SHA256
33108433d7beb2c057d24f7bc1218013c6b4f2778a6e1385a04545d0e0789f97

SHA512
f8bdc4e57f992cb9db6eddaecbbcb8f201f9df26059682e26d13d3c63e996a9c3d9be092205f27fedc594182647289f979c838a1d854c170d4c11d84d98a2d5f

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
256KB

MD5
7b0d93b7939fd7b309211f22153974c9

SHA1
c0704b5cb1d67e6acb9ece38af35d436b12f7c8a

SHA256
f798d8be04b217d57fb4e0a9f0636912768838ecf4c9e0a5c84455c1636e1c2c

SHA512
83719542c1539d6ba0ca4dab25e43faa11f8a5cb7742193b0096246594ea7ecbc307051554c8fe47baafbb322a1b4599ae7868c0afdffe2a05d40cd1d3bb1466

Download Submit
memory/8-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/664-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3052-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3524-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4688-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads