1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe
Size

93KB
MD5

853ea945bcb3b71237b97d66bd0d7cb0
SHA1

8ed4c4ded6c4f5365e86fa8c6d94a6184bb3e46d
SHA256

1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257
SHA512

9512ebde16e89a12952a54f21b49cf77b58314c0e618f91250ca2f1ca3d4db7d6f77d3cc69c7cdf544e5a7032266ba3c3484817b6801d1efc0e789ce29fc1fa5
SSDEEP

1536:JPlWYvCAXY0fudmOWn4F0y9sRQQRkRLJzeLD9N0iQGRNQR8RyV+32rR:JtdvPXYAudmq0yaeQSJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe

Executes dropped EXE 64 IoCs

pid	Process
3032	Lgokmgjm.exe
856	Lmiciaaj.exe
5076	Mdckfk32.exe
1328	Medgncoe.exe
896	Mlopkm32.exe
3004	Mdehlk32.exe
1432	Megdccmb.exe
3944	Mlampmdo.exe
1452	Mdhdajea.exe
4196	Meiaib32.exe
1108	Mpoefk32.exe
3584	Mdjagjco.exe
1640	Mcmabg32.exe
1604	Melnob32.exe
4768	Menjdbgj.exe
4920	Ndokbi32.exe
3868	Nngokoej.exe
1908	Ngpccdlj.exe
848	Njnpppkn.exe
2476	Nphhmj32.exe
1788	Ngbpidjh.exe
1992	Njqmepik.exe
2228	Ndfqbhia.exe
3460	Nlaegk32.exe
1676	Nckndeni.exe
4360	Njefqo32.exe
1508	Odkjng32.exe
2700	Ocnjidkf.exe
800	Odmgcgbi.exe
3296	Opdghh32.exe
1980	Onhhamgg.exe
4892	Ofcmfodb.exe
4928	Oddmdf32.exe
4144	Ofeilobp.exe
624	Pmoahijl.exe
3256	Pcijeb32.exe
408	Pjcbbmif.exe
2656	Pdifoehl.exe
1324	Pfjcgn32.exe
3208	Pqpgdfnp.exe
400	Pgioqq32.exe
1792	Pmfhig32.exe
3604	Pcppfaka.exe
640	Pqdqof32.exe
3000	Pcbmka32.exe
312	Qnhahj32.exe
3632	Qqfmde32.exe
4676	Qfcfml32.exe
4624	Qqijje32.exe
1344	Qgcbgo32.exe
3472	Aqkgpedc.exe
2920	Ageolo32.exe
4948	Ambgef32.exe
2544	Aclpap32.exe
1356	Afjlnk32.exe
1116	Anadoi32.exe
5088	Aeklkchg.exe
4032	Agjhgngj.exe
3532	Andqdh32.exe
788	Aeniabfd.exe
1636	Aglemn32.exe
2036	Ajkaii32.exe
1112	Aminee32.exe
2772	Aepefb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5624	5536	WerFault.exe	196

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3032	3676	1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe	82
PID 3676 wrote to memory of 3032	3676	1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe	82
PID 3676 wrote to memory of 3032	3676	1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe	82
PID 3032 wrote to memory of 856	3032	Lgokmgjm.exe	83
PID 3032 wrote to memory of 856	3032	Lgokmgjm.exe	83
PID 3032 wrote to memory of 856	3032	Lgokmgjm.exe	83
PID 856 wrote to memory of 5076	856	Lmiciaaj.exe	84
PID 856 wrote to memory of 5076	856	Lmiciaaj.exe	84
PID 856 wrote to memory of 5076	856	Lmiciaaj.exe	84
PID 5076 wrote to memory of 1328	5076	Mdckfk32.exe	85
PID 5076 wrote to memory of 1328	5076	Mdckfk32.exe	85
PID 5076 wrote to memory of 1328	5076	Mdckfk32.exe	85
PID 1328 wrote to memory of 896	1328	Medgncoe.exe	86
PID 1328 wrote to memory of 896	1328	Medgncoe.exe	86
PID 1328 wrote to memory of 896	1328	Medgncoe.exe	86
PID 896 wrote to memory of 3004	896	Mlopkm32.exe	87
PID 896 wrote to memory of 3004	896	Mlopkm32.exe	87
PID 896 wrote to memory of 3004	896	Mlopkm32.exe	87
PID 3004 wrote to memory of 1432	3004	Mdehlk32.exe	88
PID 3004 wrote to memory of 1432	3004	Mdehlk32.exe	88
PID 3004 wrote to memory of 1432	3004	Mdehlk32.exe	88
PID 1432 wrote to memory of 3944	1432	Megdccmb.exe	89
PID 1432 wrote to memory of 3944	1432	Megdccmb.exe	89
PID 1432 wrote to memory of 3944	1432	Megdccmb.exe	89
PID 3944 wrote to memory of 1452	3944	Mlampmdo.exe	90
PID 3944 wrote to memory of 1452	3944	Mlampmdo.exe	90
PID 3944 wrote to memory of 1452	3944	Mlampmdo.exe	90
PID 1452 wrote to memory of 4196	1452	Mdhdajea.exe	91
PID 1452 wrote to memory of 4196	1452	Mdhdajea.exe	91
PID 1452 wrote to memory of 4196	1452	Mdhdajea.exe	91
PID 4196 wrote to memory of 1108	4196	Meiaib32.exe	92
PID 4196 wrote to memory of 1108	4196	Meiaib32.exe	92
PID 4196 wrote to memory of 1108	4196	Meiaib32.exe	92
PID 1108 wrote to memory of 3584	1108	Mpoefk32.exe	93
PID 1108 wrote to memory of 3584	1108	Mpoefk32.exe	93
PID 1108 wrote to memory of 3584	1108	Mpoefk32.exe	93
PID 3584 wrote to memory of 1640	3584	Mdjagjco.exe	94
PID 3584 wrote to memory of 1640	3584	Mdjagjco.exe	94
PID 3584 wrote to memory of 1640	3584	Mdjagjco.exe	94
PID 1640 wrote to memory of 1604	1640	Mcmabg32.exe	95
PID 1640 wrote to memory of 1604	1640	Mcmabg32.exe	95
PID 1640 wrote to memory of 1604	1640	Mcmabg32.exe	95
PID 1604 wrote to memory of 4768	1604	Melnob32.exe	96
PID 1604 wrote to memory of 4768	1604	Melnob32.exe	96
PID 1604 wrote to memory of 4768	1604	Melnob32.exe	96
PID 4768 wrote to memory of 4920	4768	Menjdbgj.exe	97
PID 4768 wrote to memory of 4920	4768	Menjdbgj.exe	97
PID 4768 wrote to memory of 4920	4768	Menjdbgj.exe	97
PID 4920 wrote to memory of 3868	4920	Ndokbi32.exe	98
PID 4920 wrote to memory of 3868	4920	Ndokbi32.exe	98
PID 4920 wrote to memory of 3868	4920	Ndokbi32.exe	98
PID 3868 wrote to memory of 1908	3868	Nngokoej.exe	99
PID 3868 wrote to memory of 1908	3868	Nngokoej.exe	99
PID 3868 wrote to memory of 1908	3868	Nngokoej.exe	99
PID 1908 wrote to memory of 848	1908	Ngpccdlj.exe	100
PID 1908 wrote to memory of 848	1908	Ngpccdlj.exe	100
PID 1908 wrote to memory of 848	1908	Ngpccdlj.exe	100
PID 848 wrote to memory of 2476	848	Njnpppkn.exe	101
PID 848 wrote to memory of 2476	848	Njnpppkn.exe	101
PID 848 wrote to memory of 2476	848	Njnpppkn.exe	101
PID 2476 wrote to memory of 1788	2476	Nphhmj32.exe	102
PID 2476 wrote to memory of 1788	2476	Nphhmj32.exe	102
PID 2476 wrote to memory of 1788	2476	Nphhmj32.exe	102
PID 1788 wrote to memory of 1992	1788	Ngbpidjh.exe	103

C:\Users\Admin\AppData\Local\Temp\1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe
"C:\Users\Admin\AppData\Local\Temp\1b6aa8915943a70498d802fd8f6923ec3de7b0c77aea9885f1e3c3c338f7c257N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\Lgokmgjm.exe
  C:\Windows\system32\Lgokmgjm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\Lmiciaaj.exe
    C:\Windows\system32\Lmiciaaj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\Mdckfk32.exe
      C:\Windows\system32\Mdckfk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        30⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        36⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        53⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1476
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        69⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3528
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        73⤵
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        77⤵
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4952
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        81⤵
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        87⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        91⤵
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        93⤵
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:448
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        107⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        109⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        110⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        116⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 424
        117⤵
        Program crash
        
        PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5536 -ip 5536
1⤵
PID:5600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
93KB

MD5
dc9b86ce5b0f964be57c96021f75c995

SHA1
71182d6e33bab3a7fff261e5b90e31dbd56efbb3

SHA256
f1a9b6b78aee5c366deee6ebf1966b98ec51be0f847d944bfb6e69e9373742c1

SHA512
a4f5f8588e0db4ba80815d1631e0489e07e3ec56fb8d6a032d99a17149189ededc4d794ba9ea505369ba71380b89a5b59f00e1eab507ea620fc00c7bd9578e68

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
93KB

MD5
c724c0017338dc7a82e79cd43cd9630b

SHA1
b559c9ea1b223e905fb23adb9ae66b29551f03a6

SHA256
e2f4c5a369410688aeb02e2137cef69279caa0065a1b40e75e9c2214b9b75273

SHA512
8ade4ddb9a71400594d12485fc73d700adabc4252025c08b2263258bd98e1ceb8e0d6a856abe7c2bb2cb5d66e2db46e056d1a3a487997369538de39282177316

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
6a249788ed231741d98d18b95c5115d5

SHA1
12f540c42e3c406184b2b2277fdfe7d9197558bf

SHA256
79ccb3bbb9780441afd2af7f29d3e191f80d7cf44f26568383544423269076aa

SHA512
49b8b6292b4a046882842ecdfac5448651fb166c3f85ff99f2b73158667c26c700c669a18a96864d4bead7edf38c1047fdcb5bdcbee3242b3cce6ac9fc244fcb

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
93KB

MD5
57ddb133612f4ac4e544356109b61720

SHA1
12766ae0673f5b3bd245ed953846fa3f136438fc

SHA256
49dff089c3508f9890e6461b56e4c94a17e7010bec76f24bd5a3ddf0a24ceef0

SHA512
279371a5a539901cf8c1041b89d911b1b3604f936afe16fc4beea00ba70e21c6a060bc402a72ddd82c0c5c3de474cf2af45389d117cbedfdf75d229bb5825d43

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
93KB

MD5
181252352b1f398f83ebc3222ebf9295

SHA1
2087eaea21f36ea8d237430e9faa36082fa65fd6

SHA256
1a178775c89fba64f88afd17cccac39bd4c3669e32cf6fe113640104d872933a

SHA512
e5d86ed0c316bf034a66c0bc2a7dc8a592e9692e1698b901a5a9221c56dec0ccfeb50665d78e3e6ba16117119afa190872d54cce2839668dd75d7243aff7852c

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
93KB

MD5
ed5b9557b2b416654de5fb2633aa3b7d

SHA1
276025d0323ea536663baa5aa6d80ff8cb4b6f96

SHA256
1c9fd9bad25e0f2df7fdf48ad3254fa13bc3c74b0eff0737b95a457bc28d24a6

SHA512
de68cb3650cacb902f1ea3cc4bebe388fec3c4adc76d91368396dc6890fd77c654389e1a1a0dfef8d671455737adb096e4017691dede152a537028c83ca75b8a

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
93KB

MD5
2d00b64c74e9bca4d88fbcfb110ba019

SHA1
0540827c0dbe8171252fe57529fb34f8ccf36532

SHA256
e4ac481994514a79bc5414a927a1d0b499207861bd7e08b989dc6d67bf4074a7

SHA512
7b9e1611e28cea42b0217585d5f0157c49b6eed73611cd4eb48609ef82183318d653f5d0f0b3a43c4247f6e8804f9ffa506651bdd4b20ff8db42bb08451b497a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
93KB

MD5
8695f588d476571ecdd1b7f8b33985c0

SHA1
d4d48c3f3d20583f3ce9580844eb85f929d56ef8

SHA256
f3d32cf9dcf2c74c05272cc4590b372befd6d6e935a51b1857ded5a7453d9492

SHA512
6463f2362816f43ea4e233bd9b5709c0c3755612d318459394924d0e6e131ec0b1f75204f89e2e0b640a21b0486eab21c2b1866ac6fb309e0297a765d1c51ac6

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
93KB

MD5
0b8bff21cd1d58f89c47bb510e9b5ef7

SHA1
34901033051fa345565aacc9cff4f883c25e2d59

SHA256
4dc56760615c3e99b73272347e25a60f1edccdb4d58858eb10a06a4797b1a996

SHA512
47108921eef3a0178b511bb4a9a0b76dd7700f4ed63effa8f71e4872824d450730803f4b9c6ec836bdef005170de031631df8770b6de4634c8b1c9ac7c2b79de

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
db807d3163e59d1c2182a102a1ea6ae0

SHA1
0914c8054fcf5e33842a4407d275d3550df4ce04

SHA256
b234bee94e7b0b05666b62ee3735249896b745a73f4d8b1d9768fd5e47050f32

SHA512
2a8107d3c7f8de0c367946ef6b78b7b3c5593d2ca3f61030efeb2adad9bf38e45bfc098a95c2216e3e592fa650f12ab7b40737097a7ec33396f6894ee0a55670

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
93KB

MD5
e2b609d1f5bf58d08f7994134f60330b

SHA1
092e591f61dbda2fe7a6e2351a6fa4e192620d93

SHA256
ee4e1ae5056a2bc924315872b331bcdfc2a40b8fc618252fdd6b4e94a80db9af

SHA512
c5367e6a79d84c373c052e8ea5b8818556501b6dfdc15d7e9994f576fa1b4e6acd420bb0dd9e98a3c085a574c315ed61fcfff33b8c0a2852586a437393ce3c7c

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
93KB

MD5
62ee75cdb7c70f1028b401a727850e8d

SHA1
0a8dab72ad7760a2f06f6344c75856ed3b5b0bd8

SHA256
4b91306a61c4b2365ed36ea5c137813f214c4c4ad9c54d16c77754ae7010fd0e

SHA512
4b48fad3b5b9e722a3766c28ae42aa089ca4a2c89581e02419d1452fafbdc1916881cf3b43c219186544cfda695e71c63f090830221f7261a1c4b1d3fc4540af

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
93KB

MD5
2229b33efa50b7cf84471314db25d1c2

SHA1
698279d4ddbb4e556f169c683b436166d3bbe3ad

SHA256
8a3acf64460dd2ff34acaa6bc0e3b9c3dfcd1ef6f6b58ae190fa43520028a489

SHA512
1500cbe00c7808ec619eeca0e9535feb3d372fb4756c8eb364a03aeeb63901f4ab9538c494233fadbc25a4d6d5c0f0a69b2c9874270b9505fbe70db475ea73ac

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
93KB

MD5
fdca56c5ebe1b0d48a268a12b3368053

SHA1
6a9d1c823ed3552065c756e22162b55caa080a63

SHA256
a5319b34dfc1d0a8958d3c7415adf0ab11c3a58222fba07fed7d8328881eaa80

SHA512
70cb6f855d7cd0f320d0405b5f7201329c4290fc93b9d12ef4703c05d02c6ce18233153c818d80354d756942dde72184e9678fa46d86324a3351c51317f7a08c

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
93KB

MD5
fdb359c8c78d451f4c00da447e2c33a5

SHA1
562402cbf72d4365a76c9ab860c3de2e5b05d98d

SHA256
b6fa8e474069825ad2a7b5aa59f068c6084ef01c050c146d013db99a49d46e9c

SHA512
8a0fea81089f4c0a682268d760ee2c2b2f3ec82912d900596cc15c2e043636c8384733d8728e0256556987654a2788c335454d175973b7a5af59971f435396f7

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
41f91f833be26050136bdc2424232839

SHA1
9b28ec9679d9d68266429502e4d8905f94658e7f

SHA256
94f121b702e3466444c7a3c52d2a878bc58b3ad720f0a5ef2802e587f98fb39f

SHA512
8e14953810506ff27bde44d482685d66abf73b11db871365cb29925458309128abfbda47f5ba509cf34a682e50d0152b41a44c9ab669c3a3060f2a55a6ce21bf

Download Submit
C:\Windows\SysWOW64\Ijfjal32.dll

Filesize
7KB

MD5
8bdbe8b19c0a48896dde0103bfb55324

SHA1
8d82e6910277fc7993d7793a2e891d547d666d48

SHA256
825956ee7a07e078bf87c674b2e3ac857fedcae3778e0ed78b5c9e2538ba95a8

SHA512
0b49b90a1e974f97e4a5ca04d8d1d75bb71eb60dc5d5f55b0e34e16002e66a68eb52b0ac4ceec34fd9a31f44d0d1445fe75429d2dbb9c932c95648e153a9c125

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
93KB

MD5
a61add2602fa8679bcf033a89086151f

SHA1
bccaf381e46ab8de759621bec7ccc549d761d0a7

SHA256
2e87607f4ae0ed779b635e515b4dbb51e9ee703da42d99b5ee485acc5567cb94

SHA512
4629aa2ad43906f894594bd31f2a68587e93cc0f2188a956ca0b32e63985332144f633c0f223377cfa4f5e6082df3bb4616ac4c3a0d96c96cdfb51abc3cd73d3

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
93KB

MD5
81e2c71e361eedcf8eb6342bfe668ee7

SHA1
f15bfc7c1f3b905386743fa22d94b25c131e645e

SHA256
bce1843aee5425e7ffe2ffc0f0387ff0a0d92af25186dfca13c5f8a17e096aa0

SHA512
32973f422ea528fd2267599013896aaf409d60bd550eff6f1b9026ac514cddcdfb655877c1a041ea9791254661d8e281e413479e025b8f004f032361b3c7d396

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
93KB

MD5
4d0beab7592dbf5b97fd7050b59b6c64

SHA1
8d10a2945e583e1e8e0e1811b753f2d642da5a2f

SHA256
4ebfb8164b6d480007d55787fdaf94345e14d8fc30323680962be011f07acf31

SHA512
a8b6387caa7550390ee271c4f63796d9ce5dc951ec400ead6599837e7f02816855932fe0a25f4c8ee6d7c93d78766ba220e6cf67e1014e6e1d2be0b60d319422

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
93KB

MD5
c494d97c88d78f5e6580cbd97f73818d

SHA1
27a6152eb2170676d49f41fe895fc031e67e88c0

SHA256
f2cba8a2f23118c84c85dc038e26733cb1b2db7c566a9517153b1f2cb0bce0aa

SHA512
0cc849ae24c8c58f7fcfafada2f36a61616ce288d5c3516250e6e0bd175f8d9c15d38ff6c2c356d4f5c5030a40146382b37b8c810431c37b76600a6cc147646a

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
93KB

MD5
58dd8578e9bb8a0d525dc80df66dcec4

SHA1
f2613794962d1489d0ad9c1beb7b7bc85337e370

SHA256
328ca7fa657ed7a18855e1a4225edcd38773e1822f7030fd6296f8c381f50568

SHA512
e7db790b37be33d013cf8fd1c8cfb1c21aa636d26b5a9b206e4f64a2e836196177b47c5b56ab5155d153f09f61002491bda8c311cb37ad342850a28b468bc702

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
93KB

MD5
b18d31af3f245a72cf37fb59bd56fb03

SHA1
376e1981f9f2d3f861e4e72119af481b3c476e3f

SHA256
6a957bf573915e5f6b59a35c7957d85ed415975ee4ab972d916a83cfce54321f

SHA512
50d5f7ca3edc48811841409a6733c3fd3fb180fa50320a8f8211d8023f452ec89a8c60b48d93570cb4d68d4682270d4bb79a6eadba78974774fc35edf6948190

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
93KB

MD5
f3b135a7076ceeb925d8c7092d4c6e49

SHA1
2c451b4dd1bf55e3b8823efef2e298377133e92f

SHA256
3f8ec91c887aba146b3b712c87f916bcf6fa6ab6e0cfa3fb3136df1ea31501cf

SHA512
a506eb5d3c11502d41336cdc10898d48ee9cb58d9a60b3e2c9cdaa4c1076d001f7e66bebd793f277b478d979999e82b2997bfbf48656ebb0f29a01c577a0854f

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
93KB

MD5
da8107e6e5e47265c6a90ef5dfdff224

SHA1
7194f50fc3daa383d9b6fe3b35e1ce32ce9b803f

SHA256
20469190bc5560b31d5920b0306e3d1ff7d3edd802b4a5bec1bd0b312bc8c766

SHA512
c6ba536ea95dd38f39955414a0608966c50b02f633f5c9fc6ff0d6460430b3c6e05f36435e5d4fa960e5294760c02eaf2ef53518ca20d1cb6c6d5d713b91aa5d

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
93KB

MD5
1e325df92a56245c1e87b5cd97e12435

SHA1
1ed879cb772ce518836e8014a4ef5fa8d97420fc

SHA256
8a6449555cf5feaa2fc0259735714afbf4ea8fe809282592e5153bb875b0a650

SHA512
303a53707cbe4ccc2d2f9f290cdae4e0cc93d4fa6639c1ed089885534513d3818d2e1e30a7312256cf7c9f97181619813d49fcccd5bac146ad90a8b871285b5f

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
93KB

MD5
27eaa915583b2cfdb34733bc04e1fc6d

SHA1
a3c06337e804a024d4af700749fc2be05a943419

SHA256
b4459b9c69ec903ec79bfeb71a879347fb64d559c7f74c7eafbf8b0a2a733568

SHA512
d65ebedbee4eda2790a23f28a58a807bb6299b713b17b810733e41731ab91a745f124cdfdc5e3340d5464ddcbb6fc3f827d03f8c34675e28c620ebf7159f95eb

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
93KB

MD5
a703ce1c9b4929f0a0f673ecea867dc4

SHA1
c15766a0050167df64ba6fb235cc88b21487a6d2

SHA256
ac728cf152fed8a9de5b5e7d22bae8014932640efb80d46c0ae72f7b034dfb8e

SHA512
dbb64937e7b9b4508453d0a8f5b00a605e0d00201e65c4f471bc5dbbeb620822a67cbe609449d7dd7ada394fa087a93efa5f19f94fa0726dd2bae27dc3a76921

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
93KB

MD5
715c2e198a3fc8d6f7a95d4f10069d3f

SHA1
615dc8411e2a0c921372f420793660f55b7f6a1b

SHA256
c648a30d0cceb2b061994bb72730cb96886551ca014361c3ac6d6bc4b5412bf8

SHA512
114820b384820172079e7edd81a9b2af54d519a5558eae71f642c5fa6b0d51135f1e893230d5b0f2379d44e38a547bfe92aac473152f1a54e0178fd9c14152a1

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
93KB

MD5
c9840fe02303fa5cb00e6d2256394524

SHA1
af8e2e70bbe12622cf5d6fc9f444a377c921f7b4

SHA256
0b673d2b253817378328d7fc1521ea268740a50ff545ccf44fb9b62c61c0b1d4

SHA512
56676eeb318defddda57aa4ee00f8122e50588b790a7598289a28b443c9c93b22cb14424f9a0bedf1bb05eb9ba6a8ee654a8c05e123d647652c1eaeacdb38f5f

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
93KB

MD5
2e2142928d738b400841a8045293b927

SHA1
67dd53e7e881a05a51a8214f599917d5a57de575

SHA256
2ed57644064a13514d5ed4e4be894e84b2cf7b5693aeba9c8243cdc38d72c79c

SHA512
fec4207efb4fecaaa5d902e0506760ef4c0b02f8e76f2695fce8ec2348a67171d0b4eb5717a8e009da5e7b489099905b125221c1200662df6d98fb04d4efc290

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
93KB

MD5
99f771de7a77ac81e1dc8bf48572d22c

SHA1
25ad7d92fb046faf9cc4a824388b46e42a752e00

SHA256
f6ecdd74eb4c7393afe4323b96b012417cf38b347c5fc3d7cba440a9acddf72e

SHA512
41c6a0da4f95a9a8eca800363067a6406334d3efea8687cb056041d9285263199565087eb33c54bfe1782956a8e1536f736ae09aa5752ad48a2373e8b675aa22

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
93KB

MD5
f6cf3129c2aef779685b5eca1e0d4f07

SHA1
3bcb999b581f9476798399a9eeb942f87d6ee5f9

SHA256
de6febbf99a2295d5f8541b242b77d5fdb55b09f207b8c50130dec00b016b61d

SHA512
1420c0952a53f660c8138c7a1f3ade0994f5ba1dda8f6799aadf0658c5739788b09b3e1bfed994f2286e5ff00fa44d6060908fd777e2cb98c6aa7c2afd090903

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
fa45bae6eddcda7f636d4ceec0f548f9

SHA1
25a917ac2b09d17df017cbd44ae6ea27b69d4f4f

SHA256
80fcaae4398519fae3bb974fd06f52a66ad6df6b0a02d80ef4d55969bc2da911

SHA512
08705f5179528ac42ea40bf7dc687622da8fb57977f20becf62d6fe3ff360f2cac71a1dd186e967114a64f8482b3837fb18990f92ed4ececd7cc757bb9c0ea0d

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
93KB

MD5
183b335e17ce98ce2142d79004519e2b

SHA1
31e6626cc5e0884dc2167c64977cc2058ae301a3

SHA256
07b0842bdacb32dcb7065773cbd42c0ec3d26b2796829fec6b847e99b3c1ba4d

SHA512
30d729577dbedcfb6eb860abf11c794e6320c742b64c0a2612883b0ea3c6804c32d39a53a3d16a5c08c95c44295a72090a0ccb2160a6e19f097eec338d4eaf95

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
93KB

MD5
0dc9d740d65b8318858cb80043f73452

SHA1
2bf6096e7b9b5816007c6a19c5d2e52126e319d4

SHA256
5928e47302969fd75a6e2669969e4db4f33f0620358b8765f548ac980499739f

SHA512
7f628a1becad951ea68947da6f09a64ce73e71beb06f5b64fccb45d930ddc5bd8828410257f665be55a7810fa998f40f241eeaf589f0925a9799eab3a1bdba2c

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
93KB

MD5
edbf0dfb3754fe06b537a23602e42b23

SHA1
57b3f1404d04792a209fb20f19dad8f62f2e617a

SHA256
3bd7f1225d9365013122140954822af5c7a4f359e5525d5d55b95cae8df5e7b1

SHA512
027ce0266f7e6a564176f182db026c67109c6ffa2c36cdf7917a87b599b79220ee8309485e5754f417a573052378e2d379377de5fdfcdcc3bfb67e94cb8b4750

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
9074949698f947a18242ee20f530f5e2

SHA1
6f890ed43e74b8f5e21caa1c2b22b01a00575f95

SHA256
5a8d207b9f503167ba5ea0b0905c03551558169c76b434e27176d86e252345d6

SHA512
8c3eb84d3c1f68dd6cb7409a95191a076849cf536681c3ae1d20bfe3c80d6b5a562f1a0bee514d3b8b2336144e3e368dcd8c69dee952b6fbc4c40ac068e6050c

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
0f0b40d8ebc719a6579d2172c561b6f6

SHA1
2a50b2fca7e0f64d62ba06e48851afe46ce3dff5

SHA256
6fc3cb707417b29040f9792d50b90aee5996efa5783d07e78adf82c73b8c31d0

SHA512
aa437724697a3abff36ad671418a77507e68464aaa03186b1fbcc8996c1405b9249e4e6f942b73c87d0a7c1ab9aed8418c28a9a587c680b85da8f6b96e8f18ce

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
93KB

MD5
c68e783b962e87d3722bc978053e2efb

SHA1
347d64fa00b77147a24127db3d3bbb365de86358

SHA256
33fdf38f2e1b27a100f97ae35218a32f0a0f030aaabb076d45b00cdb3eea7dcb

SHA512
dc873691477a7e78fd236ae9ac6f9e4d2f154c8bed86b6cde6235f64f570797af820c53b780f35f9f74b6848929791b57012a0937f7b133512d9862ce86c701a

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
93KB

MD5
d815a9ed64a4a1bc48ef1724c4e40b75

SHA1
05f4ab95dbeeeda17140f57d3bfb943c71414a3b

SHA256
ea4e51c1080e977930c264ab99c54d4cbd468d671efeb55ebb58f860f6bd46fa

SHA512
4db1f42ce49218bc28b4d22a4935d2ec69b8e8f43e7ec24523c84d191d2284ff459ce8bed9cf7f16159b655f45dfc3be7332577e6f7d3f8cc1bd2d474a6997e0

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
93KB

MD5
cc390170ac03c02b68a308470762f06d

SHA1
fac8ff602c6667490a1be7f0f97f25d685b6b968

SHA256
bdc33cbf512453445f88d947762ebd8ea7fe6fc2f01c537ca95ec61dae742f9c

SHA512
bcdf720f6bd19624ff2d403ff8022053696fd58431699b658b2ccc394ac31c24000354e27d7fa1ea157a108b3712a4b4ddb648b98473a413e269240acee98586

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
93KB

MD5
d64bbde2158cb94fe75ec2f2589c390f

SHA1
9d3020d126da72e92ecf684badf3b1b65a686e82

SHA256
42e90c853a3fbf565bcd34e88743a01cee08f6ce7a5fffd9076da04b574956a7

SHA512
c2882cfef243c4753e5fe08077fd7f090c7eb6eb07210baf9bd0892ef5b9df75b7ed49b78b8bc5655d36e83a0400c0ca72f94362eea2ad3d5b1f51e2c23b7a39

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
93KB

MD5
1b5c730522a563cb7a0f31d87aae4a4f

SHA1
92008fe2f1b1aa87fdcb4e4efcc9d018655f6643

SHA256
f4e754d261060b9703344c7e86488fa5b66d0bc384bc8fd656d3bcc06a7ec0fe

SHA512
6da48d983388bdad110f01d1b62b313650fcc782b5590bfa17a20f801e73ac25ab5564e688955caf78aa00e90bf0faf8bbc493650fc9e18e34bde04c11e7fac1

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
ba243f5be5d3aaae9f5b3613b135911f

SHA1
06060966362f2dbeefdf35fb0b7adaad530f7395

SHA256
278a41d01c424342d34cbc6d5260b217f11d1c0e7eb582fe2b3b3ec5b19d89f9

SHA512
3714829c0ab953f983209f8b933a3987f05d05d133552fc44d724150c204c1041a0e1752c696d4184427f15dc0d6f30a33b997755e53a5c7c2bb871a9cb956d5

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
93KB

MD5
f97adcfef484e5ed64ea7b854728ba80

SHA1
f06d57370abe745dff1fd261717ec1417258f70a

SHA256
3e2ac1636be9a647a064196d847ce3f6f4192b821d0c94e634bf3d7d9f6a3adc

SHA512
4c9db22f67839f89a2c862b4b88252b20ff48360a18d7616874c6e131bdf591929bcf64593f386881820a89501b9030630273f707ef9bd48331cc0a9c8d407d0

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
93KB

MD5
bd52728537f5934aaacea9742e54afe9

SHA1
4191c124ee120c854d4edee444de2740f2a3c505

SHA256
6d73274d9ce5ac879bd1b047e5efeb617f5b2fc5bf90075f0930757d1abbfcbc

SHA512
3889f332ff964baa40345dc7335081263ee70a975d1a9c478cd3827b2839786f392136fbd153cebe63bb5e026a490f242e6db3629e2baa3154cc84422ce4019b

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
93KB

MD5
37d963faed6fbbc1241fb42822d3dfcc

SHA1
5a9d64802cea714a146582b03f511296a4493c5c

SHA256
9031c97787ae071f47b6169ce9e523d81fdad9931a3bd9ce4bd9d11a684ee460

SHA512
27bb81063cad71bcc186bd40ca7413a85ce0895917f0c398d31d90064096b2e380d9d9cb1069eb8c84182acb88ef0711e0f7aea5f411cf60c05dabca4824da22

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
7dfad59c04c405c5b0142702f481a419

SHA1
8a5a73ae63a105def9bf15dec6df3725815c5b9d

SHA256
65b7edb75b9809d22e3f6f6eb499a81eeb29120e6d609df1ff2c6e8552ffb109

SHA512
a135207c293ea43066129924f18f69d97e7dd9bfaa7aa73ffae252761cd1c7dc28083101ca9dc739669b96e032162e4544e05af520d263213c8882905eb812cc

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
93KB

MD5
70f195b8be31b46f83e15366ebdce7c0

SHA1
ed91f8a3eed8db987fa48e01b3fe356805a947f4

SHA256
8dca8c13fe24d65b67f769b6908c7b8c62b882b1a6ae3d05a95ea80500b36ff1

SHA512
26239592534c1beace4f601b4d678ae2f9d0c103afed2be3613b7065ef85c3baa4216d95d3af05d05e2f662d8783bd7c195ecbdb8057e17459cf1568030604a4

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
93KB

MD5
348b780058381cca3087df8d0da6228f

SHA1
7ad63efec85cf70638335e4a5ef6a0669ec2449f

SHA256
75a054378e68253edcbca019d6e3cc3251077f6f7f6be58b46692f78ae9e36e2

SHA512
e8ec45d0f17412f7ae7350d6b4fc85110a0bbc4558a65fc42a18fff68389f58be8beea252149a75136432e231be7c1fef6aed4ecf9c413fded7c469e42a03015

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
93KB

MD5
790f49f3b41d5e353f935dc818b8a11e

SHA1
c9ff3836793597d479191d3e874dbdc62dd61421

SHA256
fd23a3e4aa1d9fe980f15a2516d265dac2cd5179fdd9fb40278dc5adb9e8eda9

SHA512
2c75959f4351cbadc74224e11693ffaa04ec53d7a45f120df4fef11598b020ebc9f4d7ca656372bce4f2f14ee8960a3ade259b9198ba64b1ea36caff0fc6d7b3

Download Submit
memory/312-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads