ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe
Size

128KB
MD5

d97f3e0d5262458cc0bfb503f1e1ffd0
SHA1

c873321877752586d7ca350dc96fae943a1f4107
SHA256

ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095
SHA512

7fb5175dc9124302e87144c0b40c3a889db35565ec9c4b8f8c02c906e5297a10f3d9dd82e81170e30bf6ce15fb3e12ae5e35f87676a86496463f740216824edc
SSDEEP

3072:rvVAmTawoPPjK7Q5seAS7DxSvITW/cbFGS9n:J5TawWjK7UAWhCw9n

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe

Executes dropped EXE 64 IoCs

pid	Process
2352	Lebkhc32.exe
3520	Lingibiq.exe
5076	Lllcen32.exe
1328	Mbfkbhpa.exe
4172	Mgagbf32.exe
408	Mlopkm32.exe
4840	Mchhggno.exe
1332	Megdccmb.exe
4128	Mplhql32.exe
2392	Mgfqmfde.exe
3012	Mmpijp32.exe
4376	Mdjagjco.exe
4996	Mgimcebb.exe
4212	Mmbfpp32.exe
3456	Mdmnlj32.exe
4964	Menjdbgj.exe
5044	Mnebeogl.exe
1428	Ndokbi32.exe
3360	Nepgjaeg.exe
4040	Nljofl32.exe
3464	Ndaggimg.exe
216	Njnpppkn.exe
3468	Nnjlpo32.exe
2740	Ncfdie32.exe
668	Neeqea32.exe
2260	Nnlhfn32.exe
3852	Npjebj32.exe
1508	Ncianepl.exe
1356	Nnneknob.exe
2488	Npmagine.exe
2000	Nckndeni.exe
3396	Nnqbanmo.exe
1528	Odkjng32.exe
4892	Oflgep32.exe
1620	Ojgbfocc.exe
856	Odmgcgbi.exe
3208	Ogkcpbam.exe
4308	Ojjolnaq.exe
4356	Opdghh32.exe
3352	Ognpebpj.exe
1452	Olkhmi32.exe
2176	Odapnf32.exe
3604	Ogpmjb32.exe
1792	Olmeci32.exe
1376	Oqhacgdh.exe
2904	Ogbipa32.exe
1408	Pnlaml32.exe
1556	Pqknig32.exe
4480	Pcijeb32.exe
1952	Pjcbbmif.exe
3156	Pclgkb32.exe
4796	Pggbkagp.exe
1028	Pnakhkol.exe
2920	Pgioqq32.exe
4452	Pmfhig32.exe
4872	Pqbdjfln.exe
3948	Pjjhbl32.exe
1712	Pdpmpdbd.exe
1572	Pgnilpah.exe
2972	Pfaigm32.exe
436	Qnhahj32.exe
4916	Qqfmde32.exe
3704	Qceiaa32.exe
2684	Qfcfml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5920	5836	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Neeqea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2352	740	ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe	82
PID 740 wrote to memory of 2352	740	ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe	82
PID 740 wrote to memory of 2352	740	ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe	82
PID 2352 wrote to memory of 3520	2352	Lebkhc32.exe	83
PID 2352 wrote to memory of 3520	2352	Lebkhc32.exe	83
PID 2352 wrote to memory of 3520	2352	Lebkhc32.exe	83
PID 3520 wrote to memory of 5076	3520	Lingibiq.exe	84
PID 3520 wrote to memory of 5076	3520	Lingibiq.exe	84
PID 3520 wrote to memory of 5076	3520	Lingibiq.exe	84
PID 5076 wrote to memory of 1328	5076	Lllcen32.exe	85
PID 5076 wrote to memory of 1328	5076	Lllcen32.exe	85
PID 5076 wrote to memory of 1328	5076	Lllcen32.exe	85
PID 1328 wrote to memory of 4172	1328	Mbfkbhpa.exe	86
PID 1328 wrote to memory of 4172	1328	Mbfkbhpa.exe	86
PID 1328 wrote to memory of 4172	1328	Mbfkbhpa.exe	86
PID 4172 wrote to memory of 408	4172	Mgagbf32.exe	87
PID 4172 wrote to memory of 408	4172	Mgagbf32.exe	87
PID 4172 wrote to memory of 408	4172	Mgagbf32.exe	87
PID 408 wrote to memory of 4840	408	Mlopkm32.exe	88
PID 408 wrote to memory of 4840	408	Mlopkm32.exe	88
PID 408 wrote to memory of 4840	408	Mlopkm32.exe	88
PID 4840 wrote to memory of 1332	4840	Mchhggno.exe	89
PID 4840 wrote to memory of 1332	4840	Mchhggno.exe	89
PID 4840 wrote to memory of 1332	4840	Mchhggno.exe	89
PID 1332 wrote to memory of 4128	1332	Megdccmb.exe	90
PID 1332 wrote to memory of 4128	1332	Megdccmb.exe	90
PID 1332 wrote to memory of 4128	1332	Megdccmb.exe	90
PID 4128 wrote to memory of 2392	4128	Mplhql32.exe	91
PID 4128 wrote to memory of 2392	4128	Mplhql32.exe	91
PID 4128 wrote to memory of 2392	4128	Mplhql32.exe	91
PID 2392 wrote to memory of 3012	2392	Mgfqmfde.exe	92
PID 2392 wrote to memory of 3012	2392	Mgfqmfde.exe	92
PID 2392 wrote to memory of 3012	2392	Mgfqmfde.exe	92
PID 3012 wrote to memory of 4376	3012	Mmpijp32.exe	93
PID 3012 wrote to memory of 4376	3012	Mmpijp32.exe	93
PID 3012 wrote to memory of 4376	3012	Mmpijp32.exe	93
PID 4376 wrote to memory of 4996	4376	Mdjagjco.exe	94
PID 4376 wrote to memory of 4996	4376	Mdjagjco.exe	94
PID 4376 wrote to memory of 4996	4376	Mdjagjco.exe	94
PID 4996 wrote to memory of 4212	4996	Mgimcebb.exe	95
PID 4996 wrote to memory of 4212	4996	Mgimcebb.exe	95
PID 4996 wrote to memory of 4212	4996	Mgimcebb.exe	95
PID 4212 wrote to memory of 3456	4212	Mmbfpp32.exe	96
PID 4212 wrote to memory of 3456	4212	Mmbfpp32.exe	96
PID 4212 wrote to memory of 3456	4212	Mmbfpp32.exe	96
PID 3456 wrote to memory of 4964	3456	Mdmnlj32.exe	97
PID 3456 wrote to memory of 4964	3456	Mdmnlj32.exe	97
PID 3456 wrote to memory of 4964	3456	Mdmnlj32.exe	97
PID 4964 wrote to memory of 5044	4964	Menjdbgj.exe	98
PID 4964 wrote to memory of 5044	4964	Menjdbgj.exe	98
PID 4964 wrote to memory of 5044	4964	Menjdbgj.exe	98
PID 5044 wrote to memory of 1428	5044	Mnebeogl.exe	99
PID 5044 wrote to memory of 1428	5044	Mnebeogl.exe	99
PID 5044 wrote to memory of 1428	5044	Mnebeogl.exe	99
PID 1428 wrote to memory of 3360	1428	Ndokbi32.exe	100
PID 1428 wrote to memory of 3360	1428	Ndokbi32.exe	100
PID 1428 wrote to memory of 3360	1428	Ndokbi32.exe	100
PID 3360 wrote to memory of 4040	3360	Nepgjaeg.exe	101
PID 3360 wrote to memory of 4040	3360	Nepgjaeg.exe	101
PID 3360 wrote to memory of 4040	3360	Nepgjaeg.exe	101
PID 4040 wrote to memory of 3464	4040	Nljofl32.exe	102
PID 4040 wrote to memory of 3464	4040	Nljofl32.exe	102
PID 4040 wrote to memory of 3464	4040	Nljofl32.exe	102
PID 3464 wrote to memory of 216	3464	Ndaggimg.exe	103

C:\Users\Admin\AppData\Local\Temp\ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe
"C:\Users\Admin\AppData\Local\Temp\ffaf52c2638ef4d2e4395fc8079a6e6e8b0c1e351c11c1a23ffb74d320206095N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\Lebkhc32.exe
  C:\Windows\system32\Lebkhc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\Lingibiq.exe
    C:\Windows\system32\Lingibiq.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\Lllcen32.exe
      C:\Windows\system32\Lllcen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        37⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        49⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        60⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        71⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        73⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        74⤵
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1480
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        79⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        95⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        96⤵
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4444
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2656
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        117⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        120⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 408
        122⤵
        Program crash
        
        PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5836 -ip 5836
1⤵
PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
128KB

MD5
b483e588a660ea7565574bd7a4fcf345

SHA1
dee7b1f9b517ca8530e1449b6580cda17cb3033d

SHA256
938fba4b582a9321af6659f68490f443344bc92a9b87b4df6b810d1c7397d046

SHA512
8c2bf3ea69d6dc64f5b985379ffa5fe32415d59b6957e72835b7b9c7a9ff9312725f2785b321ddf3f111d8fcdba117764f13d42e94cdfbe4dffb6e7b76eac813

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
128KB

MD5
5952e28b6c863cc61fc3b16c0b941ffc

SHA1
430729e3b6f0d8d004645975f7b41969b60e6670

SHA256
f6d78bd4f83dd289e74ffa63c13243e617f66f689d720baafec8e48e14fcf1f2

SHA512
8797c352c132fbaecd11b41d9b3dab0aa0e7d402d07f1ef85a44f09509429fca8e150d0c8bb915105b0f1458a5a58facec8183e5869a1e3599eb86b1e399c021

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
128KB

MD5
48748d7a8b6485443992a58d2e5d499c

SHA1
09e6ebce9be1bf65a37dcd8e4bd86113f65c80d7

SHA256
40715069dea4947e9b2b317efc3087bf04c092670be10b85f299126bfdeb7178

SHA512
75ff58fe0749e6329048b357af4d04bc19e09fe1fd159fe13fc58f23559db8369437d3b71da93b8eba83bb524c9ad49cf9c40208d57b81c417b8965aca66cb1b

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
128KB

MD5
379904f6e2ea39b0926ef5a55bc4539c

SHA1
59b1876a0414dd9b880db6443416971deb1e7c18

SHA256
fb5840ab302ee4e3f95f61e855a1a83f850ed13bc630def0fc3806605d8c2c0b

SHA512
8a51d500e87babd88fc653179cb8861b31a9a36ab04972f633f295618dd04e88804def499e5e50d54b21f30cfc2d50d924c9d0add5ee6a16fbdabe7e5da85288

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
128KB

MD5
bc750df25e1c3ce71c09aa2561da7e03

SHA1
f240ac8065db90d28e220d23ecfad02f461e7467

SHA256
f5c8bc57441818593fe5894371fd62d3ebd3c96d796707527629e68e22c3daee

SHA512
751b75de50c0072c7fa839c016e30b660a3ecc3dc0d15a4011413a6b8b6bb32d90bcad6adba2be44616db8b52adb62020c674fe6fd56d8b82b8657dc0c3bcc8f

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
128KB

MD5
31ef4f19eb6359da85eff52d9ea68380

SHA1
74a68401827c2b226c4e7704925b6e9e97d4f88e

SHA256
b9b28cbc1e57b4b55362466e860469a57b6b37841761081f3b6ec831295c6829

SHA512
1b1c1d66fa17d6fd3bb9c5d0eb9c9aeaee817f2d049e6cc8dc6c17350ecc623eeda713b5a2f8c958e8cee41400fd196126c2688f62f45af67182a4f5ac99c3fa

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
128KB

MD5
8cc9bc91f08c3705b203f226467dc1d3

SHA1
3c2a69ac06aa6d3c69cbc30c39ae9cb1b0a5ea3b

SHA256
9d309abffbcf5ba9ab581727669c6209ea222cf929f1ed8dfdb78a47a76a993f

SHA512
15960e7eba50e6ba192c95e2f254bc60258b698d5983f3a78b4e9fbe6912f69c6419df1195c040bf283c26f6383f20204fd256f81c4d5642657ee143d61a6a8d

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
128KB

MD5
4c5578b42e9349d250c797361488f1da

SHA1
c7d23526fdab7d7586952ac68c100ff2b8acfc80

SHA256
813353b55a0cf5331eb722673b01e6cff51739614c1ce647942fddde9a686abb

SHA512
87d8ba8dde719800a983efea83764a2193d6bbafe0c7f3ec1594766f8911ed5922b854691564970fd9173a53fbd2689e1ca1e7a720a052a8f6b104673b10b8f6

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
128KB

MD5
e7cab6ec9210678526f36dccd72ecbb1

SHA1
71a2c8f8bc743d32694baeac18a2cd95e2369832

SHA256
3d4da19f79ef37d4d414d23d9717bf41e09067a70d5284365bbc8f1d835b8f5d

SHA512
f1d97a965cd4e12159d9471c970cd4689204bcc0e081a35b22de734cd587c7c3d5fa690665eb3bfb4bbdc140253694debc1cea48beb0d25505a66aef5e4c5b71

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
128KB

MD5
7ad7fa27997587e2135cf7ed5f55aa6b

SHA1
e877bce8682927f01a430f477de089fa5b19d165

SHA256
5e7460fc0a30b9d1f32e602ed0c0304160f164d41a49cb6cdc6bb3d1d05c8886

SHA512
50097c31397955f5175b159e70abe84f997f6d05aac1b9f565d440f2681ef9b1d8ef71ede4b3a229262d54018aacd868521c025ae85a2ffebfdec8f4afda983f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
128KB

MD5
37253c141c8be60e7560c695812ff600

SHA1
ff57d069dd4741cd265bcc598c5a13e7443e5f6d

SHA256
718b3a3caed851b8caf0db9e25cdf58c4d711183a9bb060ea1237f4041b74368

SHA512
d0effcc0db35fced3f0930019d7f67e2a1156132049166ee66158b6b2f3cb2d1852d8a35dd03ce1df6390f55d8e16422e1115856ddc3f8a0f32dc0364aed1c23

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
128KB

MD5
499641be2a5dde846022671612086d82

SHA1
a88e3c95e2883d35224d703ed7405e131dec3be7

SHA256
06160c6ebec0feec09689761a180c877f5bea3dc6f7993f418c8e4fa39c2f718

SHA512
e9cc55f7e4ac9cd671f345966c0622506f5785aca8142f79ae3cbfe9b3aced9588b0f839947326201ec688ccac209be15bf173bffc1769123e83dbe1c8c680f7

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
128KB

MD5
bc71684cf56c74197daf3de9eb1170d9

SHA1
aa47e20282562b33f5a9b1c87dd5f6e890ef606f

SHA256
e68231c7f60901c391843430f8f4c3f5fc1a5fed4c0e8f05462d362e50f0a2c8

SHA512
8799c5adeada59a4ed40468901dae68924783d4950cf7a338fb74e63fa50331cca3e5aaaacacc46b299d9c80c0363a74f37afd543299ebcc608ed7e0155cbd0f

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
128KB

MD5
0e88a8ce54d57aed776799e37957376b

SHA1
027742bd3db61b5237c26bbec5214d5d38f4ce73

SHA256
f9f5f9e962072bfcf010648873d9426c6d4c3618a87db1d5f1251e64421246d5

SHA512
5b0b605188794ec22507534a81ab9417a8012fd2b293fa644fe5265dd16af270cad253050e0bc0423bef2a961ad88f74e1cbe0df8ce44dce39d75060d4e03041

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
e30549fa52fbb42b33c34fd3f01ab6ee

SHA1
44b1450f12ffb500ddc962b9bcb7e635fa969847

SHA256
de6ea3a48d3126543abd0dfff3eff15a273f64c0829955ca0909a6fc52192619

SHA512
218180a9227e006bc6afafaa9336a584cc0ecf31f923112a15ee073fe26605477852e383fb7b882f6b487ed084f39d5c6c9651324af6b2d4340f107b70ad8046

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
128KB

MD5
95227c862ade131ad6a0402cf0ad6f83

SHA1
9766864c7bdffcf21aa48b94f4305bacfa56aa1b

SHA256
fd2cb972d44bf305420ef4b3fdcecf95be43988ebf1f118da41efb70cc654f47

SHA512
478e0f94734fe3e72b8d43079a76d428757600559464c8e82593663f048274a78678dd21ab8b4a5a2e6447802d88a33264331c7bbf8576e8247f45459c220368

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
128KB

MD5
8deb84ec598967ebbfe1f222cfab8c16

SHA1
bb0f1c8ac55157ea1281872c4deca974b71f3328

SHA256
dfd57a57976cd32c629869c85f2f18a65becd0d09bbf79373a8932a8cc44a899

SHA512
b4d0b58fa152e7fa76492facf004805aaa8d92ce33db97a171392170b756253e6084bf1315ecdaa811b1ce4e869311bbce826ff92560f07d4ffc9a0be7f97c01

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
128KB

MD5
0a2f17409b9381366e028e9a18ecce42

SHA1
9bda811d745c4f3254c469672cc6088a7fc801ed

SHA256
2817e9a8012c8c0caf12c227b9c0ea4df33200235714503af81df05c89259d66

SHA512
e0b5d2180d54cabce246036ff33734b0dd857c08b5d948495f2d3b4fe7b1588db9ce0fe8237894af7ab980708cfac24f0d7b6a89e4366189ee1ad982c008a985

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
128KB

MD5
d0c03044c9d3bd3e9045ed1924ed4b68

SHA1
4a99077958c8e93156a53a24fb8abd4dfaf75cdd

SHA256
ce0b33b7807c60fd37c4a5ff55cdbcdd1d1911c44e6f3426ddf40bed6051c7b6

SHA512
10b8fa17b8409ecd180fcf5430c4f48ff2dcf8694b8ae1c516b369afc1042794a779a51c4edbaae2740cd239bd186e09fa4b36296199ad61451bc3ce71d16a65

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
128KB

MD5
f51c6fa193cc15ecdc74c915568d0a30

SHA1
ec12654bceebec1bf29dfa3e303294ac7de237e6

SHA256
d6ef93cd8050f7fc6c139067907919bc58c9f551b7ff82631724a7ff56760f07

SHA512
918288bcbcbfcaf17cd84cc06952792b113db46d13204d52e067fb4ee076f8e78dc835478f3ec698f3186300b733472e6f9f5f443f98e12401a14a87c47fc348

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
128KB

MD5
fc3d191d083d81cad36acd099e6770a9

SHA1
3edc07cd9f1d36d203262d56bf9418265263376c

SHA256
36aa1cebda8e60867bc416ef54b5e2e83f42ec2e1b7f0f897432a27596472c4d

SHA512
afde4f61ec31ad13bab01f1a9586ab9fc37d14e737f082d36e69f89315229623de6c7833e282bfb2d76e3896ea1aa1142abf0b7c467718b6273eebf46db1f980

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
128KB

MD5
2883fe590b947b48ed96be77e521c6e9

SHA1
db338f5eb926614e6cdebc1553ccb3eed7df5278

SHA256
8a7d3647ed18d36953b8904892b92852017f7ed27e95293895441440a2674069

SHA512
bd15c660916c4253d440c2f570e815980411673e117efdbc2be93b3b45be0466926795c8d13e698ae01a1988e44805d7c78ec88028741887660e95a11b812d1d

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
128KB

MD5
49bd63a89060ae0d75feab37e80a6afd

SHA1
49f9b745e9d10a500e1214ffa72bf94f732918db

SHA256
dcda0992f599c54355d6b6ff96e23299263f80f2f5236ec2dce348d99aac53ef

SHA512
4cc15349ecf4a4ec12bb0fe8485502c771e96510ea4753f4aaa63f5d75f65841042107fe2c4176f0ff2b701fe29d822e09b6a7e527ec3a48912dd18a3bf42924

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
128KB

MD5
c0ca514e90fd87979e783a7b386431bc

SHA1
66a4bea4c105cf2bf22d5aa96dd8b0924fc01b9f

SHA256
84bc8accaa65faa6bd9419e768c991a221427f001a0f225c0b51a7dd60b8c2df

SHA512
78291173aad7542b79f017aa597e9babca2e1fb24c70ceb24c5d25b1ff6d969f68b4c1db789406e7c45653a1b7b23bd49bb704ce87a18660eb9ab2f0fe4bd9ec

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
128KB

MD5
5a65debd6d6abc6411e4dd16727597f3

SHA1
5b69a746fefefa6ffe42b88e5e1555b62d324989

SHA256
0ac919bae988811a408942ffc3e459d3da06a2985eeb55087a02f065b7ce6265

SHA512
322ff283d6ad7130fe943226e17b89f3b385b69dc6951a11e429b9eb8c13bcd70eef8aa5be05e935858d4170c0eb98c16a57f213f8e1af060adf05803dfbe6cb

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
128KB

MD5
fa32a5e16d021730afc899707961620a

SHA1
b952e9081c3c90b35b33dc9a272e151e2213a636

SHA256
f4c1021e5684b30540be6778ede845fec8c18f47b25338befdff13ac6d2e0959

SHA512
b8fa9cf6b35aa1a2eef0facf272d6208b8c94fe58590d287934d8bfb89b1da1897b579580f127e73a4c64efae1002d2583d54a15b9163a2b44cf7f16f7edbe26

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
128KB

MD5
c998f289322f75e26389f7fff7bb1ae9

SHA1
02c347e4b6298a820bc2abecc9fa1c92b7ebf473

SHA256
2bf6fcfb74aaf882b3cf836b8fbbb1763d43efd1f7eeb06286bc408d32f2dd0c

SHA512
6ca279f8e0d01ec405f026f8736c3c9459f688025c847e9f79bf7213b8342ceb96efe77e503bbbe83c83113f3a3fd70d71507238a76b7a0ae0b1610a0e3fcf52

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
128KB

MD5
76bbee970500e97f92e4b75df45514b0

SHA1
ab2c60a166c828a1292fdb49a91ced0c106f3e00

SHA256
a2338b4cccc80a4f9cd1b795e775b6e38469637f8c4956e5351b14c79fd722dd

SHA512
247c18e5f1901e4b88b7fb4ee0775dd2227f832054128a2caa0941a6256436736157ca5b6c0af1bffe0501e46fdd38202e4b71403cd61b44cff83635cbbd7984

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
128KB

MD5
0518cf240be8116e78be869394f71795

SHA1
79cb9cafd8a0c3e3b5eac752b1db001f33f16e1a

SHA256
d84060c2d8279bb283a60e736adf6eef4773656397d002a6de6971124ca16fe4

SHA512
3d94acbabe62af4ca5d68c9803bec76a67c8a680dd0b7aa3597b63426116f4a8985099913978d68aa4b2aa1099ca4cf8c9f0d0817388a46b8f9c941c5a3001b9

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
128KB

MD5
5aaa84f0a725d46d9b058db43c1964c6

SHA1
264f4d9ee710f7bb53a56326a1bd5dda2fdf55a3

SHA256
969471ac4427dcc1f6fe73d46c82e331f33f9073767bf972eaff75a083764e63

SHA512
439db18b8b524b3cc322c02f045f49ec19049ee13469f285dc256350c945102608016027ff03013bedba96796c74286e3293c4183af1aa18174c532b430d9291

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
128KB

MD5
4b7114d72ea80a83eb2e585970b1fdbc

SHA1
c1522c234fcff668ebdb63165db8ff0835ba65bf

SHA256
9199f04fdd1a6348f8dbf18206e638094ad3475a0cfcfa41774b6effa4b423e7

SHA512
725f508c6eb3be4127e7836d0998a6cf6e33d85e4759b0f49baa0a50d38bb81fc7244b9666f3a05bc455631ee6bc1bd0d97842306080c9b623f769f721e21cd0

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
128KB

MD5
b19a5669da1f506393b6ef8ff0af9d73

SHA1
7f47ed80e6c24633830acc22c127facd397bed6f

SHA256
0211ceaea996997b3f24beef593c276e85814ed93ec26d728c474fd62df91fd5

SHA512
2d62c3c12fd97af072c8acb8f66aec18d3650c661a8a1841d640703a79c7211b07d31f51280b185df74e5c32f4839adbe1e0b312352db055eda9305c4a001336

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
128KB

MD5
fd4adc7e4776de399116cf55f8dc0123

SHA1
d8ec4459b39a79a95d454aadee2d47f42980fd8a

SHA256
a4facfbb9dda52f9f10d8a14aee7cf87216079eba8a8398284449cf18aeaa0c8

SHA512
8741c75c5cb01d7f38d70b23a80f04b0dff3c236ab490c38e7a3cfbbacb1525b4b5e40fbc2a66c4ab982c3003dda723354a453ac10401d8ed1eb5cdb85158000

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
5e71f9e658cc129d1b711999fa2a3663

SHA1
56c92c4c5f76e45fd8d5c01b55722f82ab1afd87

SHA256
3704a459b1ce3ed408eb3af44c79100c6b82fffa972e5cbf52136a956d4f13e0

SHA512
a6dd8a0261835b14355616adb42bf606303c9f0a2b1a667e4ccf3b6b73d95af4cf6facd04f93b542216b3c758fda74e1e74ee7728198054e53b31356ceb49e13

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
128KB

MD5
32df31f0f1a462bb7ab61d7a2f9a606c

SHA1
b675c0fe8a7339324d766a0b08dfcb9541d7621a

SHA256
60f3f3bc42d5ed9f66cf3f98b56940a4861ff9c2470262ff217925c0a1b1134a

SHA512
923a7e8af91d99d0bce18f83cfe7c9f6c62a916d1c6d79ecff39a98099bcbba518ba4d89e33520b2d970449ff2771c8055b4f3ea7ab929f09713f3e4e2858f54

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
128KB

MD5
b1206223396bed8ee5f8b99fa065d5d4

SHA1
29fadd236953ee8a21e342eae161f755f997bf9f

SHA256
b4e74e2bb9d65a014947c591e28626b1eb837215d27c54b59c658fc7f4b914ba

SHA512
556fa242809320c2e73901887cac0adba5ff5743f94a0b3958b0d25f06bb02375f42ae5ee59ead03079107b69178b40f02f05ef0e7fda00e43dbe7e14ae396d2

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
128KB

MD5
48a823b37beccb3103f1373ccda81cd1

SHA1
73f05ba3106508d47774a713b1069e0723596236

SHA256
359090f9bdba508fa03d8671f5b90072bb8d8756dbeb1c7b08124f45d260738e

SHA512
dab5bc1070536e222ed9bb5853dd04b7f09feac990d1e748ffea8f7e857895723a49b6075d9d25149020c6e52d54a1750a52d9a29805a0e25adc61c291f55bd6

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
128KB

MD5
4f210fb9c626ddf3aaf0070a4965c62e

SHA1
a9149fc56a222891c658d076da2d5dcf26d6d930

SHA256
c5251d850da78f1d6c51a338ef5dd3df6235bab8fe797b694a9f716b991ce880

SHA512
69d1cabdf20852b7aa6070184b7a255d5a47ca101860fe5fba443cf514b092e8061a3df30ace6228e8d4ca3bf96a7e848226bb4a3aaf66b30235ae5e5909520f

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
128KB

MD5
b2bdf89812fa656ba51db7cbe9f5ba66

SHA1
ea541027d7ef39e95ee4cadd7224c5ad41cd8165

SHA256
eccce22caa556239e6f9e96df6a8326dd675369fcd20c5076b92f97fb95df05d

SHA512
e89c377ad9930bd5f90b79cd5400c63d0cafd25a7085b81922ec52fc2f5b3fec3988e050d8de05b1439671941b4e6708066c11d568a15161abe5b02dfb4016cc

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
128KB

MD5
2986913f4ce0b9c237eae21cee9aca04

SHA1
e8747d0ba031328aee064ab834606a3fe26d2f41

SHA256
9795b2ac4dada876a94c369a21fad4504e8122991d93e27b4429886750da2f2b

SHA512
28c515378f070908ff542b13087dc1043b7663a8955b570d52fb5dc40da4ed361a3d26b9c5965d4a47275dbc57ec842737b52127c301720d5f6d589c5dd22c56

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
128KB

MD5
32008703a297b9d4dc78ba322bedc819

SHA1
efd55ec90cb269bf904ff6eabae4bb62895f25a6

SHA256
306fdfdebca44bad0259c6b664f522a97fdffd79eb9ad10a4c551ff27ed5604a

SHA512
95b2f009e7472aaf54944e50eba7e0028b0d6e54ac2761b60bb7fe027001eaa45b4980947fd858de2eb6bdbce843c94dc93ce7cd2a1b0f709a74523488b10dce

Download Submit
C:\Windows\SysWOW64\Nniadn32.dll

Filesize
7KB

MD5
77e444edcd7ac7d433967335098fb55a

SHA1
b37d8ed03ba6409e73aa3d6f28be4c0457d53ba0

SHA256
8a847f44515f5f4cb4957e075f34ad10eec5e2de24a5f1adf2e5911208c1f92b

SHA512
e0e9cfd6d0acde7c1df15eb1083f7815e098afc7b5952011a8c2969a8c56e46174573356e9aa45c5bb3674d04233e280a23e478a2bdcc76fbc66c6e14418eb8d

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
128KB

MD5
52b8c0be02fdee42124766b4becbd3b8

SHA1
17f634db8d3408248f527e410d1582f0c7663d2e

SHA256
8babe0369732922def7942c5f76370a8f01f26018bea9acf702ccabfdfa77777

SHA512
92eb19cb68346faefb73833364f0836595f969dde2cc6d8aa5379a484c4e367c58edf3525a1c0f7a1d889981e67c6c34396aef52b2055ad9865a68f908039b71

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
128KB

MD5
0ffd27bed03703b7a0a875836799f1cc

SHA1
eb434ce5aeaa28581cc0cf721e3f9faa585089fe

SHA256
0798d13edee92b0c3f89dd98e0a10084af96983dcbe8b5a688981b6bd686f6f9

SHA512
52d8ef70afe94154799043f5fac2f8c7c6df3572a1cd18a4180cc36d588fe518f68252410e12cb0d7787173b2c659991cf9c3dccace8c140f43936d1e10fdaa6

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
128KB

MD5
10b4201321fb16c3d2ac3923c3f5c01a

SHA1
9d1c3de85a594ee2ae7af9668afecd4ea16994ab

SHA256
aa622e94e01e4d0b63cb493dedcd1fa35c36c199713614d3f3106c3bba7b9eb5

SHA512
6737d701bed64e20bf8e79f768960439780748bfb4776884f12b9866808e0681b9d5022c97192acb698050c61ce3af19fcba1abb57a2ae7063be6dc533f9f29a

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
128KB

MD5
3a009949f36f853f8efbe376e04ddd45

SHA1
c646a97ac7dcad4e9cf60253b08d8e956af7b8b4

SHA256
95af14639e0e4068c8caf53341d7ac4ca785dce6e1089f26db773c4c46f17570

SHA512
f2d994d978326e35d7609be868d837fa86a5fc3b5a7027aa37b2e9b17b9c97538a94a85e416f549ffa5ef4e523d263fd89d9c8d2ad5e7df28102c9d69a8d392f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
128KB

MD5
46c8102afce616c9d54c02a2a7266d6b

SHA1
b7e4ff49751c203ffcb3f36fbc3c6087cb2f95a2

SHA256
c5e90c255e692772adf5ad597e06be90b46f8316d5744215c8bbe3987eb51f84

SHA512
a2a20f2d5bea6627c4dda78a4cdaa09bc6dea3bf365074372a8d7aad0f227de777a812608cdf1713f1126eba8fdd7fff240d6be19334751029dc77b7c19a34fd

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
128KB

MD5
9141ba58fff59fe6cd15e9562d6b6229

SHA1
caf33c267a41b6d07db0c5c7bec1e8f8aa633e14

SHA256
dc174a1cadb8fef4b58e856254b49277bd5d6915bbb0e504c9f2636076744ba9

SHA512
767a539239ce29ce0ed96f0f6239bab08d2d9fda2dacf5f70b86e08a2ae649f60d08c8817eb52a9729d52e49fcb02580bda08e7f42e3bce7e30b213ac5e5d584

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
128KB

MD5
143daa36bca63cc9dd4504feb1b0790e

SHA1
5cb8129c6d4e5c6a699389c336d8722eae23304f

SHA256
1e73bc4826db63b68064ba5fe8b0e67d336bf25263e205d44fb091848d090ff5

SHA512
50d9a8e0cd2f4465c3f3f0f56c11396dc217cb294329c50f188309c25b0200297afb11fd61bfed0177d429c75d304e71adb3459e4c5f7e835e9295dfa1bec0d0

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
128KB

MD5
45e43639a7512c524629816fadf8c5e4

SHA1
95ab35c6b8544bd9157429dafc07e9ed50222b99

SHA256
34a6510cd4c2cb41eadfa826df2f9e245f13ee3b2bf930d8346ea7b1a2b45bb7

SHA512
353e2b8ea1af49be7c2af3ec491d4112067b346c74a7db4e5b962167f42ba62abf3355bdd2bada8631f8f918b2994c21180c210ac51771da52d7683610c03e6d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
128KB

MD5
f724ce1b37d6c79581c60ed8c01b6ba9

SHA1
01e6ca9ca7f721a710d73501de2c6458ea3456ad

SHA256
ca8c24a8c0039bd98d49d6df7b4709cecb330c8bc520c9dd797ea6e8a88969bc

SHA512
83a4d42cb8d677077ffe9fba34466c00a08bf6ff08dfecde5e053f96bc524543fe89a469677c77bda5d32969bb3430c3e6df14acb76f548475fb81568a8bdf25

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
128KB

MD5
158bf28d4daf5b2f5dd76cc7eed26637

SHA1
6b1b7171fc34a57e864797435aa30ce8ba94f47d

SHA256
fd5cf00adab9bd5c7879c125873bd7729605edbaf2db72b46265a4d57b53ec01

SHA512
e60c6e3c8748f0bfbaf9653b4167e2b24de18f80bcdd4caf3f623af2fa31aa11e30d157617987aee7fa6d4df4e2927a43338a9fd0722721732e0741caa88d4e2

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
128KB

MD5
994f892cd37bcc4b98d339cca94ff625

SHA1
777a43d0c3bee0378183cd285af14d311eca3d6c

SHA256
43cfa2de85699afd8722fd62a0f0c01ca0dedbfb5b237cea32da6acd7cdf263d

SHA512
706686b5eb1be08d9ba92426fe71d2a7622f037f09cb378dbdaaca0f3930f41c3099af46b9d843df10e72bb5fced1ac9c46eb549f54172f9df46e6f69a47d6e3

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
128KB

MD5
554bcc4607ed0f9a5e3ce9deb7dab240

SHA1
51d51886d841b24b15073f7dbb918befd3aed91d

SHA256
06fc08ae9feb92f65ba347b461a40af63f1eae9508a756338f6b33c45f25fe55

SHA512
cd94a436628ff7ead6ae9f1364afc37a271b3ab7786a992060fbbb9d3a1f47bedcc2972705fd0c82f8d99a28f8655e1f7fd746ffe8c3638f96d5b4fbf9a340ed

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
128KB

MD5
2c9547b6a79239fa0c055f7aa47adddc

SHA1
f0b150862665b42ccb094e32d38632537cd1c9f8

SHA256
44217dd30f5ee0e85195254bf11092f745fb8fc0cf40f7f41e2e1b03f49b3036

SHA512
75fe388ad1dbc76801069ab3f6d1b73c1d56f8fefd05630898a23027a75ae520ad12a0e55126c8bd543df1915d56d3090838a52bc4dbd0a09922ae3fc58b41f1

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
128KB

MD5
a0c73846ea234696adbae6f7dfa82bc4

SHA1
26e9d31a6ea8066b1b62c7ed220ec28b234ab0cc

SHA256
dd44b85487a41962c611a690ccc81e575804646c01744a6d6aff024cf15c20e1

SHA512
dd6b56ee4174330cd1b71cf30bc469c177d5f779865268538311dd60e00abebf566280526f66d019738e2ac7c6ce4feeaa50a30ce59e6d9bf2665b44ab2d7888

Download Submit
memory/216-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-584-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/436-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/740-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/740-544-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/768-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/856-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1028-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-520-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1328-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-598-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1356-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1428-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1452-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-514-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-599-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1572-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1792-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2000-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-508-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2176-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-551-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2392-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2920-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3004-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3012-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3156-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-526-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3360-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3396-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3704-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-565-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3780-552-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3852-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4172-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4172-577-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4212-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4308-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4356-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4376-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-585-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4480-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4508-558-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4516-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-545-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4768-478-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4780-532-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4796-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-496-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-591-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4840-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4844-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4872-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4920-490-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4964-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-592-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-571-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-564-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5076-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads