5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02a

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 07:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe
Size

93KB
MD5

99378b753d5eb0d0c844406876215620
SHA1

b7d2d0cb5ffe7cbdbda7ca46bc0d1a67eaeb4ae3
SHA256

5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02a
SHA512

7a1826753e1e6b65a39c1127196c50459af9570834059340fa9df266e3d181c8e49ec27df3ab430c2144dbcdc98eb2342039f1ecf6a788e900018894bbd8f12e
SSDEEP

1536:F+GRz9HX7gGXt6Z5ZnTTDAaT1enS7Zy5isaMiwihtIbbpkp:FDCZ5Z7Q5idMiwaIbbpkp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe

Executes dropped EXE 64 IoCs

pid	Process
2384	Kmncnb32.exe
8	Lbjlfi32.exe
3576	Liddbc32.exe
3360	Lbmhlihl.exe
2848	Ligqhc32.exe
3924	Ldleel32.exe
3880	Lenamdem.exe
1032	Llgjjnlj.exe
4932	Lbabgh32.exe
3008	Lmgfda32.exe
872	Lbdolh32.exe
3152	Lmiciaaj.exe
3372	Mbfkbhpa.exe
1752	Mgagbf32.exe
1592	Mpjlklok.exe
4528	Mchhggno.exe
4900	Mmnldp32.exe
4192	Mckemg32.exe
1360	Miemjaci.exe
2624	Mpoefk32.exe
3204	Melnob32.exe
1904	Mlefklpj.exe
2756	Mcpnhfhf.exe
2612	Mnebeogl.exe
3012	Ndokbi32.exe
4972	Nepgjaeg.exe
1636	Nljofl32.exe
5036	Ngpccdlj.exe
4732	Nnjlpo32.exe
4676	Nphhmj32.exe
1348	Neeqea32.exe
2404	Npjebj32.exe
4876	Ngdmod32.exe
4944	Nlaegk32.exe
380	Npmagine.exe
3900	Nggjdc32.exe
796	Nnqbanmo.exe
1368	Odkjng32.exe
1916	Ocnjidkf.exe
3928	Oncofm32.exe
2860	Odmgcgbi.exe
1464	Ocpgod32.exe
4460	Ojjolnaq.exe
2304	Olhlhjpd.exe
1280	Ocbddc32.exe
2764	Ofqpqo32.exe
1272	Olkhmi32.exe
4568	Ofcmfodb.exe
2796	Onjegled.exe
2336	Ocgmpccl.exe
5068	Ofeilobp.exe
3892	Pnlaml32.exe
1892	Pcijeb32.exe
1424	Pfhfan32.exe
400	Pnonbk32.exe
1920	Pclgkb32.exe
4272	Pfjcgn32.exe
2996	Pmdkch32.exe
4844	Pqpgdfnp.exe
4196	Pgioqq32.exe
220	Pncgmkmj.exe
4556	Pqbdjfln.exe
2356	Pgllfp32.exe
3464	Pnfdcjkg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Ligqhc32.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5612	5412	WerFault.exe	217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2384	4504	5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe	82
PID 4504 wrote to memory of 2384	4504	5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe	82
PID 4504 wrote to memory of 2384	4504	5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe	82
PID 2384 wrote to memory of 8	2384	Kmncnb32.exe	83
PID 2384 wrote to memory of 8	2384	Kmncnb32.exe	83
PID 2384 wrote to memory of 8	2384	Kmncnb32.exe	83
PID 8 wrote to memory of 3576	8	Lbjlfi32.exe	84
PID 8 wrote to memory of 3576	8	Lbjlfi32.exe	84
PID 8 wrote to memory of 3576	8	Lbjlfi32.exe	84
PID 3576 wrote to memory of 3360	3576	Liddbc32.exe	85
PID 3576 wrote to memory of 3360	3576	Liddbc32.exe	85
PID 3576 wrote to memory of 3360	3576	Liddbc32.exe	85
PID 3360 wrote to memory of 2848	3360	Lbmhlihl.exe	86
PID 3360 wrote to memory of 2848	3360	Lbmhlihl.exe	86
PID 3360 wrote to memory of 2848	3360	Lbmhlihl.exe	86
PID 2848 wrote to memory of 3924	2848	Ligqhc32.exe	87
PID 2848 wrote to memory of 3924	2848	Ligqhc32.exe	87
PID 2848 wrote to memory of 3924	2848	Ligqhc32.exe	87
PID 3924 wrote to memory of 3880	3924	Ldleel32.exe	88
PID 3924 wrote to memory of 3880	3924	Ldleel32.exe	88
PID 3924 wrote to memory of 3880	3924	Ldleel32.exe	88
PID 3880 wrote to memory of 1032	3880	Lenamdem.exe	89
PID 3880 wrote to memory of 1032	3880	Lenamdem.exe	89
PID 3880 wrote to memory of 1032	3880	Lenamdem.exe	89
PID 1032 wrote to memory of 4932	1032	Llgjjnlj.exe	90
PID 1032 wrote to memory of 4932	1032	Llgjjnlj.exe	90
PID 1032 wrote to memory of 4932	1032	Llgjjnlj.exe	90
PID 4932 wrote to memory of 3008	4932	Lbabgh32.exe	91
PID 4932 wrote to memory of 3008	4932	Lbabgh32.exe	91
PID 4932 wrote to memory of 3008	4932	Lbabgh32.exe	91
PID 3008 wrote to memory of 872	3008	Lmgfda32.exe	92
PID 3008 wrote to memory of 872	3008	Lmgfda32.exe	92
PID 3008 wrote to memory of 872	3008	Lmgfda32.exe	92
PID 872 wrote to memory of 3152	872	Lbdolh32.exe	93
PID 872 wrote to memory of 3152	872	Lbdolh32.exe	93
PID 872 wrote to memory of 3152	872	Lbdolh32.exe	93
PID 3152 wrote to memory of 3372	3152	Lmiciaaj.exe	94
PID 3152 wrote to memory of 3372	3152	Lmiciaaj.exe	94
PID 3152 wrote to memory of 3372	3152	Lmiciaaj.exe	94
PID 3372 wrote to memory of 1752	3372	Mbfkbhpa.exe	95
PID 3372 wrote to memory of 1752	3372	Mbfkbhpa.exe	95
PID 3372 wrote to memory of 1752	3372	Mbfkbhpa.exe	95
PID 1752 wrote to memory of 1592	1752	Mgagbf32.exe	96
PID 1752 wrote to memory of 1592	1752	Mgagbf32.exe	96
PID 1752 wrote to memory of 1592	1752	Mgagbf32.exe	96
PID 1592 wrote to memory of 4528	1592	Mpjlklok.exe	97
PID 1592 wrote to memory of 4528	1592	Mpjlklok.exe	97
PID 1592 wrote to memory of 4528	1592	Mpjlklok.exe	97
PID 4528 wrote to memory of 4900	4528	Mchhggno.exe	98
PID 4528 wrote to memory of 4900	4528	Mchhggno.exe	98
PID 4528 wrote to memory of 4900	4528	Mchhggno.exe	98
PID 4900 wrote to memory of 4192	4900	Mmnldp32.exe	99
PID 4900 wrote to memory of 4192	4900	Mmnldp32.exe	99
PID 4900 wrote to memory of 4192	4900	Mmnldp32.exe	99
PID 4192 wrote to memory of 1360	4192	Mckemg32.exe	100
PID 4192 wrote to memory of 1360	4192	Mckemg32.exe	100
PID 4192 wrote to memory of 1360	4192	Mckemg32.exe	100
PID 1360 wrote to memory of 2624	1360	Miemjaci.exe	101
PID 1360 wrote to memory of 2624	1360	Miemjaci.exe	101
PID 1360 wrote to memory of 2624	1360	Miemjaci.exe	101
PID 2624 wrote to memory of 3204	2624	Mpoefk32.exe	102
PID 2624 wrote to memory of 3204	2624	Mpoefk32.exe	102
PID 2624 wrote to memory of 3204	2624	Mpoefk32.exe	102
PID 3204 wrote to memory of 1904	3204	Melnob32.exe	103

C:\Users\Admin\AppData\Local\Temp\5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe
"C:\Users\Admin\AppData\Local\Temp\5916e22f63e6b9d4e207e41e068792d36d67b88fb76f8e011c7ac67a098ae02aN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\Kmncnb32.exe
  C:\Windows\system32\Kmncnb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\Lbjlfi32.exe
    C:\Windows\system32\Lbjlfi32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\Liddbc32.exe
      C:\Windows\system32\Liddbc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        23⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        33⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        35⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        44⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        47⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        57⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        63⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        68⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1472
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        73⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        74⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3652
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        78⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        79⤵
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2816
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4416
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        86⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        87⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        91⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        98⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2368
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        100⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        102⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3600
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        107⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        109⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        112⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        114⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        116⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        121⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        122⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        129⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        130⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        135⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 408
        138⤵
        Program crash
        
        PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5412 -ip 5412
1⤵
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
93KB

MD5
de69b2ae58e515375df1406cb27d0aef

SHA1
002598ab23dfa035c7a2f691fdfc6afd487a8f0e

SHA256
022ea7e4390652238a11ffcb5af719f2a950c84c90386934781f12a10765a50d

SHA512
adb48ffd28ecd6b0145aafdb6db3e3f760ac60437e27e84260bcb6dce328fdc2c128ab29b4217627fe5e8b7406cc7c8545a31de61f575e7f9c00a8867df61cc4

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
f477958473a66ccd0d106e98c55e3547

SHA1
f0f35419af6754fd4fe36738ff1c99e415a0d8e8

SHA256
85665377c9ab9151f8678b954d618948f58d1d1bb6b90793bed42a99ba47e389

SHA512
5def9c6902682eff33073728d3eb090d941a7723567f2e1c3b9f6a9d9334c013a740279786714e7c25db1bc8d1a644c5bb66b58882fb66f718bcd99cf28209fd

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
93KB

MD5
f5c73841da2be7127cc625a48c3a1505

SHA1
583d67be766e3a944f1d57cc7baa2e6e20ab7c24

SHA256
f67c76cfc9fab808fd96024580c86f199214becb4a5fad10bd2f30a19fb5b962

SHA512
df983a5efbdeecb6898bb678c320cf01a575bff3fc8f01e06779e9042c0c28acc9598562065ee2c282d1ef5733dd5a483f1cdfb820ae780025a1531982ff74cd

Download Submit
C:\Windows\SysWOW64\Benlnbhb.dll

Filesize
7KB

MD5
23dfb07879f3d89e9f03b24f3f688e5b

SHA1
2c540e7eb9f3174121e6e26e35d1f29fc37cc531

SHA256
e359e1241a500f079be52933c167f811b2c1fd2102c14e160e15eee2be988892

SHA512
53da88930079bc8b58f0c097d4a15e9f06cad1988d84335fe81cb5d3714ff02fe19560718392239d88475acf39fdd41d63332f110c27b8fed691779aaab1e12e

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
93KB

MD5
58d0c9cffcc3c82246866d486dfdce49

SHA1
97fee36012d637dd8feb40e16cbaedd289f84455

SHA256
d9ddb7ae4c15e7b9433de9e77bcacae7950f537672c0d30c5c496fab4b1a6deb

SHA512
045251d9817cb3908d37b66370857b98e6f7455fe08bbd497f7eaf940feae65a4fd419cf9626d2130391a6e52e86119ed0ee3da9214b3e440fda4448d5891f73

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
93KB

MD5
7f6dccf1f2388c8d84510b9a1193a87f

SHA1
71e76e0ec9d4d80115d483331b8650212de5cc89

SHA256
da118438a09ccb68a381e9c817a260cddd9cfb1f506d9d9291a6b63054f8becc

SHA512
297ce778f27796ad71c22d5dc96001c4d65a0e23447228fa582958b2d0e014ec1eddfca421e29c0906bb595f492b9d6ffa68d48c774fc07bd88b6695e5e3c987

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
93KB

MD5
bc3e144e7bdbb6ae033119b8e4ddf1ec

SHA1
e94c776a454c12ae05dd63f68ec883f5f37e56c4

SHA256
b16f3b55a2cd1a34630e4285c2889b30e1f802271709cf69d4a699ec9cfdde46

SHA512
8a0d40d307e51deb429c7ddf3164885ff24fae9e1d47e844e881f23ae0c9379c7b6f0c31bc876059e62dbd738758be5220863d1b46fc140ceca87faf658bb424

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
93KB

MD5
7380c94d15bc39e72e08c29f7130172d

SHA1
fa2b7f2a31abf03986f461fae29e8f39aec629dc

SHA256
beca16c46ddef74eee6399df712c8d202ea65594b8e60195aa345f7a0590cc1c

SHA512
96cc634a6358516c94756e8f3dff0ba7931d4a984ea4b0f8d43698d2b93c03bd1f44ed68d72e9469e12a96cf9e5a3502312fe77ed6167d901580ef7f6a701712

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
93KB

MD5
3f0006fc80ae477265124463424f47a8

SHA1
96ddf83aa2828e10fee5c2867510159b055ae465

SHA256
f4cd42f387b9c1a161a45a20fe0e12ac0376a99a67747b744afb787c3c3ffc43

SHA512
3c0851926c4897d486b08b1132159ded13b0ef28c83076cccbd9428f3e137057e8e52c96a8414a45a3de14bf41c9d0dbca19f61ded5b9b228f8625ca17ea08ba

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
93KB

MD5
708522f0a20e2f4539b49587b12b683d

SHA1
9633113a0122ba459cd7b640e4ef27cddc77a29a

SHA256
17e7859dd17dc8e23fb178e5a84c14f172322eb42fd1431e23221c47dc2a1a7e

SHA512
b19fa36f64856ba134e44f8f183f3dd4763463889e18bdae5e4ad609a35387be100c2985e1e85dcd1e6c1a45e713a09128b1be9cc49ea8980d5aabe1aaa1423d

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
3abc654bc7e69dd32569f35e9eba8956

SHA1
f85cd7f6d7a13e1f2df43cff0dea07fc88741bca

SHA256
992e3f9fef35cef8c83e2fe199bdaa5109b7ba60cc2cec39ca9f46c019309c4a

SHA512
3314844f6c8bc20a2b8eb405989addd53155ac5256274c0000f40368ad25c61b2b9304a5c97d728a274e4ec6811f137c5fbd204ed7a6b9b9790acc4099470247

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
93KB

MD5
2af1ee2e922ad2415cfc68179b10ca8b

SHA1
e5aed144e7d0fa6058fc07f21417a9cd6a0ef40a

SHA256
cbce30bc40ba77f334d442db9008df7bbb2a4366241b9684a00d1fe4b6dd1e9d

SHA512
61ff7cb338eb9843008acd75af22e105447a5797fa09d4ce88ffde40b2d87cb3f4524eb8222920f74f598dd7c483ae16e67c015015c3544170ba61fb3124be71

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
93KB

MD5
a991eb8862e62c51606516f57f97eb19

SHA1
f0bb8b95b4d515c979ac9ae970cf979464e2f6c3

SHA256
d0f0429565e205efb83f05353fa3f39e8def8c25a782468b739e980567b59a0c

SHA512
92bc7fee1c51ff03314200c61d2ef07b534778ad0d4e104a234945c08e98ffcfa7456c4dc53f6b16150679fcb8404f7c379574557470c1c1ea22225ff082c208

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
93KB

MD5
8c32ccae45b207095ac2d74ccd4e4db3

SHA1
00dcf59d5b8ee72beda3b725bb90d13c1e8ec83f

SHA256
6b9a4b3d4d736779f6da95c1c1f4479964b5019ecd4bc5e093c0082ffb526493

SHA512
397c1f963b8651ba7971760770f10973445cf36a8032c36d8a3b619ed4a48490bf2734277299c70f90bde595a70d919102c20ca98a11424ea7606804ab04a7da

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
93KB

MD5
4e87063395f5396d613133b920725be8

SHA1
18c873a2b3411ee7a6399f794a54261f3a06b99a

SHA256
4eecdfd8d61a8ca5c2ca7d800a3270209494c0ac96369b653c2f3aa2f24ff8c5

SHA512
942dd4207be3cad2bcab86b2e3097c74689c53bd1f4b75de5abe8669f76c4f142fe41499c7c72b227af71b7dcf9d81a120513191ec1f142959b9cbc7be294ccd

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
93KB

MD5
6514c24117e254a4ab89f0cad59bc1fd

SHA1
0c93dac5e97e9ae7bc9a9bd17774c44261a470f2

SHA256
d850ca796bc3b3b6d41943060fca24db1584eff353f486dffdba2c682229943f

SHA512
1551abc92647cb6e147ce14e4ef7c850b8e51fca121b9e6770ec3c226e48ade50c9a9cae75979be9652d3bcddc02f392e515a955fbdfeb083053dc9f59f07c9c

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
93KB

MD5
4e6d80a68e7b9e0fa56fc7c331d481fa

SHA1
f6aef43c3ed4428413f82f704e00b288df9e8967

SHA256
311214ad352acb17b63e5e2fd6193c750818343b15cdf2f44449d3831a97be21

SHA512
aca5b8f7d511256b33a10703964bee06ae8e939487ae53955a03674895ec78a8eb371f547b774486956c25899dc7565785dbac107abbe137f7a85ffff0c0c6d7

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
93KB

MD5
080a5b9d213a00d1fcaa304a01d67eb3

SHA1
0195cfad26f8c9ee0d54ce5c58891e9d75878eac

SHA256
9ea1111058ad087e2da11c575e708dd748152d223f0b057105574d4261ab7f70

SHA512
3c4f02a336bf7c545803c71e4cfc3fe5f6a0535f93843e7ff21b77d982f57acb2fd4b9605ff83725dcca0e7145a3215e971b6195333a9dbea51473b83357df61

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
93KB

MD5
76b811256658cdc7710a3bfc1c15891c

SHA1
6031bf446822398e3898a9ec681321c5d3a5bab9

SHA256
602d522c891c33666cc74ee1ddd5510256c3af4b567012df558303f8ed5d57ca

SHA512
95913935994c479236fed4e8a667b00f1b2b01e82c7a9808d1a524904c01007e50df3c2d00446192789fee067476cf4835ebac4d18dd2949f59572043b539e8f

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
93KB

MD5
399154cf669c84b487e78e2f99e0e0e9

SHA1
2db551d9377ed6de41e616c52b929f10b8a05250

SHA256
14d65107ddcb2588be11a7722f288e16796ba8d50b769e59bdbb9673b3bbbd08

SHA512
7581f035fe6b7e29fc49e3774c92ce705c385b707bb683003e6d3a1f27ca008c5ef049609b1ac86bb1c184f8e65e6963fdb224e843657483974789bd12cba313

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
93KB

MD5
942c34eed3648dc9adc58008b583b7d9

SHA1
427e34b5ab12a42e6806c44c086a67f51a78e63f

SHA256
44a60a6269d8b387af3a62d5b71181e2f54cde4ff309e25da1f96bcdfd4df203

SHA512
44295df3d4345fd570a3b12dcb39661744a61ac21fa1433bccfa9780641682bd998abd8083367ddec9e1196f3b1d4206dbb7331a92ae60b042a559e3a79eeafd

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
93KB

MD5
a4bf4b04b806e84cb5218cd8b5aa5635

SHA1
9408a633ceeec36a325a24c23ab1c148f17b42ad

SHA256
afd651495a299f1b66102d233c5e85eae4d5aa9689e4277b53ab2efd6bae79d6

SHA512
41715491e0921c229090c9ab4294fcf2ccd3bae1bc89c326dfdd53be54b030af247a2cdefafadf34e83a7a1eecbe7ab2daa19f94d621d43250c202634a458669

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
93KB

MD5
b5e80528b44679d0a0fa052853aeee2b

SHA1
4a3940f35439df1aea3a53ee2d97f8b94463c7c4

SHA256
e4b67a5e1948063cb4d2220e4b2a2dcaf092be71598196d3c502a5418a3e87b9

SHA512
c6ab9ac99faddc739d25d83d2eab9df538312f8bb9bea9bf1ab94eac2f6df58667cb46beb4dab6e7e7f46d71a369e925810eec86803dac7ff4b0d575ebcac069

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
93KB

MD5
14e1efaa9a51a19af39a40e8124550ef

SHA1
d2cd477ac8b42e4b17ff8a66e063d0efd9607978

SHA256
fa376271bb8a7530f1486c4028fd2b98fef333c9fb94f73179e8e4b57361dd42

SHA512
6a335b4b75f7ff96af8c4cf6b195da84b5946771c80edc18de37780de51d22b66ea980567f390648f5fd13b260a958df03ffb3452b34d2e079651805fa2d480f

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
93KB

MD5
1eb12f204f5bd59192b85de5d3ef93c0

SHA1
6e6bad0402b34d843308153059a122c61137f253

SHA256
ec14fa1200475000bdd3200568acac161ad11d7635d245ba4ab66c06fbedf450

SHA512
f1146fe5f877d63f8ca48f4905ad35348e08da4cdf49986aae13bd9b4d134ddc02820ff652051645c6d1a4a4b8882e74e0b6a5009a442dbca1094dcb2ca0bf51

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
93KB

MD5
9acbda50ece1b8c2402ea410bb3f6c86

SHA1
ec8faefeebc739cbc7746269b55e2cf62fa21040

SHA256
a5a0ec0047d02043eb6f3e0714f2c8879b12a805296cf0a185ffba5eb67b4067

SHA512
4d315fe3df037848ac863af2c10c7f8fd2e3115e0833f8c4981033927e1d26fc7301372ebb83e2633b78a9aaeea69131e71489ea1ce1ea8b2311c818101832fa

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
93KB

MD5
c3f5d35044ddb9e7f2cf6f3be4f9f87a

SHA1
135100f49f342422c12a7086215c7cb0c11785ea

SHA256
f9a32683db6ee2bafbdbbb1085bc27e77854b76c71ed0b61db605b6c70fe0b0a

SHA512
ec523f1121c17c6b99a4a7e265d55396e3e8af97d1866c83b03a10796d6299820b0980d1a80a2d1cd8f93c3dd5bdf1178da11abd2fee4a4116e953ab99e128e1

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
93KB

MD5
400764f79176fd79f1390bce2e0c912e

SHA1
4199e35af6e5d84d792d1cbd6bde22752a44c59c

SHA256
6a06bfcdd3d746d3dfd8194d3fb838e138914ff427f36e3f58877b9dc5b2b9af

SHA512
59c69f9a6ba5904b6b5da2d0706d69952cf0fdf7409db79793fca98a544234903d4f2ac5239d5b0b2eda02d7b43938d554bf6b468e911379aa85635065cb3c00

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
93KB

MD5
b3b68947590fed89a957f00a103b37df

SHA1
905239c85c0df4ee4c6c354bb1275733344a9590

SHA256
81dfd10aacdc96246ba6643a790e6c66d7b60ff8aadd5cf334370478741ade90

SHA512
32fb8fa86655320acf830204ae2641ac14e8c7132f88f797d52d3a36a103233f2d5f01e3e7542719c376743494318fb7b160837fb03666c6208d316385d6f5e8

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
93KB

MD5
50e3afc819a266cde6d26ac257d3c9a6

SHA1
2773ed7651e11efb43ec78b81861ada9b7cd1aba

SHA256
5d607dec611fc00196d31dee5fdbe7cce8691a5070e13d6a71f54e96b28d6558

SHA512
7f34231b63040ecde4de629056bade7a9ee6a1dac89f53071d9c0bbf33ba114a02d1a7615e70b9e8606f0216cce0c6ac509949749f1d85edf46e606e79a55816

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
93KB

MD5
b9eca23dceae3c6eeda493f0b131d1fe

SHA1
2e5c5868fcb8a2e66aa437818e8de6f7c1e79d1e

SHA256
00145d39f601fe3191adc836d47060b1691233226b49f2bf2253183e035dbf77

SHA512
0f129b3424be52f101bc5c23ffc63e6fcc4a0d48eb16b4fb18b45a0c14dba0cd5025d2cd9237adb32d60fa55f23569c3030ce509c42608f57276990910d16248

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
93KB

MD5
62909822cf154b9e3c6ad66d8a96389e

SHA1
fea9ce5433516bc6cd3317a4a299b2cca5e756f5

SHA256
9e9bc919cde55dec2412c6d002aa0cd44866f240d5bc19906c76af53e9b968fb

SHA512
730885e6e3545a5f0ecc9247673b81077d60844c3481b72526a759964c19643ed0758a7a75c4a48918e4b7c1d1e38e47e4017684948251c55045f6d69de25a5a

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
93KB

MD5
3074d1e48a4a995bd5e0f4815235e52b

SHA1
6421233f64166b38202cfd46f18bb11e2a2e4851

SHA256
0c8529faea68f2062ebbc1ea37d3865c4406c1cc076b0fe3322eca8b8e736fb2

SHA512
d2f4b65a9153cb4e1eaf053c51baa79eabe56fcbeb4c5e3070628b962e9bc3dc13789a7fb842dd23b2abe81d0f595f6a2d2b8ccee56b6443c396d338e42f11c5

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
93KB

MD5
0c4723d7330d0b1da04d90cd947f319b

SHA1
5f3682e7b343113d035f1ff5edc329fd8804f545

SHA256
daa99aea34df61e72a8e43c69c0269df20aae76755ca8cf14fe69c44110f4837

SHA512
cb823083a9f06f096f09d289c46b30dde7fe5cb8ba6b096986113a405b8c7c37495ff0d017c6cb6752842e458a0a128d3b584e295dc7081d2b12708aa1fd99d8

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
93KB

MD5
931349d9bfda6af9ca93b3cb5b10e2aa

SHA1
0430c325c6f7b9c770e964163e54d40cae4c83c4

SHA256
49937355cffc534c44eca7844ca8b3600948e8736e3d291c799d1a040e8dffd4

SHA512
d17d9aba7fef297eda91c35477e7300d463c7d0c398e23999e18dc8e303358e984312ffb21fb989856229fd53bea248f85e20d085ee38e82e70ecaf11b9c9000

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
93KB

MD5
460a6bdbbd1164be5f9fa00c41e5d8e1

SHA1
0bbb0c9b83a762b0ee9e3f1e5eabc83c93622f48

SHA256
c861280cb7917d79e18ecbf57c1151e64b3ea979de9045bdb48edc8b9c809ff0

SHA512
3a2f1e380d28132955ef3eb757be1ae5a2f483493d458a775126078fa81aacfbf33cce61a4750c6fea1f511bb068eec5ce4bc4a7f112eef3ee61453e263a0f43

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
93KB

MD5
8a3321236b70a51209d177a06d216c64

SHA1
34633e30f9897f49a12f46e4d7e5599280474ba8

SHA256
dd6ded03d809f2b72c79bbba45e061fbe5b77b100c911cf825083ef4f6ca65da

SHA512
f9fc07f53d25eab1fc8c78ce16d85c6de1efc9add189522cd0aad1f57c12153c5c602d25aa7a42a0e7db0e2b58636f63264099ae0372dc665a72c79718ad812e

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
93KB

MD5
42714fdbd5b6765fbcb459a9e9480b95

SHA1
8d1c518ba2da96794c8695be6506ef6554dcc34d

SHA256
2c68b4147145de49022b9966eaa0551299cacf48fc11289c09f00fd0593752df

SHA512
139da60971546f21a03ceabfb94ebf8b90b99ef2a09c1af48257e6b2699bbdd6cbc621572d6b1e354646b55890045876dca61d0ee5c3e9577ebc5ec183d87ba7

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
93KB

MD5
9a66163c3d2f28974d04a70b2873213b

SHA1
5c365f779ce9ec03951805da2898ef0f8177247d

SHA256
e24adb79f4ce726db42fa467472456ea3d65ad9ba09b5fb7c51f7d5c264acdc5

SHA512
bdf29fadd21519dd5b514669c728f2cdaa34dc769897379d6f01b8e080206393f08de7615c94f12e83fb2bd670d1c3c7f2b2e0be1cf84b52559b7277a985502f

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
93KB

MD5
e6d75281927ebc1a2fca60a27275f6e3

SHA1
7e5bb503512b4368f2658044689b67f1e9f4c25e

SHA256
0295b91907b6a656f7831e4ecaa0777c34dcfcb09de9cf78d0f4ac0a3ff2600e

SHA512
6b4624a049c283638ec6bf879275f91daad41e7b081cdc9f30d23bfa26ff147b15475981c253d0434794d2dd1d4d0a771fec8c4a44251b0bb90234998fe53330

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
93KB

MD5
35b2467f9fe944afea2a70fcf6c69cfe

SHA1
8b91f93a122d86ca7be20c960c38c218bb1ae355

SHA256
7fba68bad176a98c90e54069f0cdc70dbcff0c9e18c19917c2ca13d3e68102ef

SHA512
09ccdd40a27dbbaac9019cf342abe44fdcdcd711f2063fcba15472bd659e04c667a0ba15901e351176abe94609086336945e456e9d0dc743191efba836ba161a

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
93KB

MD5
5eef0392e5afbcbb503e28e99b538379

SHA1
377c60bb1a95c3ab7b6423b6e06468870ecbe676

SHA256
d348e227d75adf50901c98677f3d9f3a11b791d99322d391f520ded7af009d01

SHA512
96662f99f1030eb75f8ad0d04ba6df177b47d9c8827575e0192ec525fd4fa434a917961b076f1693102d10c6d988215b36e388091509675ba37c8aeb06f454b7

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
93KB

MD5
3d1ee524aa59692c9d8a7e2390a7a488

SHA1
f679abb1fd44607e50e7514e430aa5672e5aae3a

SHA256
6594284715bcefafc5755132f39851aeabaf0be6ba5f9e9a106f8d1af2961937

SHA512
2ac673964a43661263fbd7222d56be6874662c2472ac76fcd1b4dd8f83f74f3cf10c310c4d9d682c7bc4c2cf2c6b3444f81599b43ffd829c0a337817d10e7d31

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
93KB

MD5
8de81baa9cf760e4266d198baa044a74

SHA1
891dcc25d24e355ccf73747747cc1fbcac698826

SHA256
5c038bde6b5854339d9e8b203bbf69ad887879f9cbc9538a9e9cf1055cdcb3bf

SHA512
f2804ec8afe0151ef6245fb931a7e260949bb0f543c42a6cf7c71855cf95d4e49d61266b7e1cc377940c69400e26ad11b5d2ab9de338e989a8e1e82315fe0277

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
7cd163d8acf2cd98b70193acb31c6eb2

SHA1
731b77df679a49a411981f11840ff9591f722b71

SHA256
b3f4bbf98e77fdbdc051dac7e952e029046da25e608c55f67d5f1d00543db57c

SHA512
e8e71209ee467d1e56c9da7db12baedf51333a72e5d3041fc08728cf95d886db879e60edf7898e6b9a719ef3c6c3f088ac1f3bb61c783023470ba4f19e5633e5

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
60b0adac761cb4ac11aa0cf4394b9a61

SHA1
2bcef41aaf05c715b4bed33609256cd3ee260e51

SHA256
cb1be644cbb2e9914c73ba20ca6540d9514344f141280e7b6e56a2e77a1c16a7

SHA512
711467107af64b4bfef5a33c31504e3458ca066c2e9b987d1cf2277697b7322bfe016bc56a4bcfbaae13d06d386a49f6b5033f1282fc53befa01376b4f6a788e

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
93KB

MD5
ff83040479c683f125fd5ed7c318d924

SHA1
8863963d9ac0d3c1ebebae89c28a4cc908e2b2ff

SHA256
0abdc4102d703c0e4417e71b9f099bc1123ce584e3d1f1384a94e899aa831472

SHA512
71cee7a78a5ccda09971f17d102a438eeedd359672fd47185d4093c05f24a50301d842a889a208965afa98ff83040d92c299b0cdc05acee00cf5fc31b1015ae9

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
93KB

MD5
4c536ea8d4c32237f7ec59bb4bb8b1ac

SHA1
c7eae46797a0d098947ac28c636a2a4f78212b15

SHA256
eacd8a91b01a3a76a2911bd082baae3e6c180cbd935d22c49dd82a383bb49532

SHA512
d94a238827e66c6b6a49cb8aade7a57b64c8767469d944f15d302cf09a556ca5958bc93ed8bbdeeb1cab5a0cb0f2b5be58c4bd7cf2abf3c13cd87a59c3bf9cf1

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
93KB

MD5
8113ebad40bfc8bfc7fd9af3837a6be9

SHA1
e43ee95da940b068c4bda355d11d60195dc42601

SHA256
c455a3b10891a09c1a78b7140d2d838c80404eb76b3123dd660ff933b1b8601c

SHA512
e49a06d0c1fdf70a0c34893cd9171dec3fc17f9b52d32deb42eb58ed17b594edae30e7106722f191203b738d4a5d396c3dd82097f1e360b88ace90d29c6d912b

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
93KB

MD5
e137c767264db66728e1b3e5073ca220

SHA1
adfa47ef0a87c423308d58e1c083ee3bcc378b97

SHA256
98c4704ce5f209711e68ddce39b24683e4073807146afe09ce9a9bc5faffea93

SHA512
45525d5dec9679f1f50decb3dd6d520fa1c5c16cffec967bbc2ccd6901e4b3e33bccf911c0af03c19a7d7da703f2bee095e54fecd5181a590581a5fd6bff2d56

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
93KB

MD5
7a93b4e4892b03212be2f830c62824cb

SHA1
bcb76a9e34fb51103d91cf156bc57ea96a35cc42

SHA256
75cfeae1a863597aefc4947b34d25ba6dfe588a8958b9aedce39d24c1e458722

SHA512
3a753ce712f8ab7c9f8ee5e6c5b661b0980ba24375d5b9326326ff5ba1c64aa0faf97e831c83648cba336ce33b35af9c7493963521a8a6b29d78ea201b0be867

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
93KB

MD5
c50bab60b23cafa66129a6fa04bda631

SHA1
db3a9118d58b8d8f6cb8d1338c58dd97934544b9

SHA256
05abfae1381392263817550b4eeefb6139abd89351bd1005f0b788f579c7a740

SHA512
a6260df96aadddf6ad293b6bb4ba57b0f977b0d0c02e9cb642fea982a01504a5bedc232f959ab225ab632a2f19b7ed43624b4f765a1dc5cb4ff052dc96cc4a99

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
93KB

MD5
9dfb35dafe1c841e92da942deec52274

SHA1
5301874772e92f7c303ee16e2f751d7c870839f8

SHA256
c053093cd894d1278a504a91d8df5616b6e67336e996ea749a5de2e55dd4175e

SHA512
505d97b4a370988d6533487c7745929b150a744a481cafbe61df9fdd832eaf21ae984b0cd83561db322d68f7aff936e65a1f5b8ce1187dfd6e012bd7f22dd1b0

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
93KB

MD5
d351984cbc39ba99849c9176046a86dc

SHA1
9994a38365ea4f223328eae57f5ee799e11e39ab

SHA256
908c69836fb937ffab5dda68bbf02ad8059d54197464427646c1378189467390

SHA512
61d4163f47e40f24261cab0eaca086182e524b343c5b644a5b9c5bb266b68ac2ed248540645ec09f679469cbad7a3ecf6fedcf7949d21d1287ea6c961fb74a7b

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
93KB

MD5
761c2781585a85e305891d656cc37663

SHA1
8f4aecb16cffca8892e2ee28459cf1c5514824a1

SHA256
98bdd6abd3f6513410112acbcce925b15c395b85ce24fe3812033f9abf4a8224

SHA512
053dbffc6a5d2823e556a372c740c4f4c053abdbbfcac81b60853456960d65612776fe014cc65debf5af45f61b6b9185d5959b2ce647f046c2e8a11082f14520

Download Submit
memory/8-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/8-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/380-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/796-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1272-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2016-532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-523-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3204-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3268-484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3360-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3360-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3580-512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3588-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3652-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3836-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3892-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3900-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3928-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4676-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5068-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads