34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe
Size

479KB
MD5

b0dc46c81d4595819bcb771ae4578780
SHA1

bf5bf1f72776021c50751fa0011b1e88d3650cc0
SHA256

34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052
SHA512

088d28af37a972391a7c5d0c31e10043ef6ab475bf8a4db54f3280ef612013c13740b96cd5cee3275c03198e9189922592d7ca76ac88664b078d33cd3af9b16c
SSDEEP

6144:CHP2lSrZCCX+sycRJ6EQnT2leTLgNPx33fpu2leTLg:JSrZC5uRJ6EQ6Q2drQ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe

Executes dropped EXE 64 IoCs

pid	Process
2444	Ibcmom32.exe
2052	Jpgmha32.exe
3492	Jedeph32.exe
1624	Jfcbjk32.exe
1908	Jmmjgejj.exe
1992	Jfeopj32.exe
2816	Jpnchp32.exe
4956	Jifhaenk.exe
968	Jpppnp32.exe
944	Kpbmco32.exe
3728	Kmfmmcbo.exe
4004	Kfoafi32.exe
652	Klljnp32.exe
60	Kedoge32.exe
4880	Kbhoqj32.exe
4196	Kmncnb32.exe
1940	Liddbc32.exe
744	Lmbmibhb.exe
2796	Lfkaag32.exe
1800	Lpcfkm32.exe
3696	Lepncd32.exe
3488	Lbdolh32.exe
1488	Lllcen32.exe
4540	Mipcob32.exe
3988	Mchhggno.exe
1088	Megdccmb.exe
2388	Mgfqmfde.exe
2036	Mdjagjco.exe
4836	Migjoaaf.exe
3768	Miifeq32.exe
2172	Ngmgne32.exe
4924	Nljofl32.exe
2136	Njnpppkn.exe
708	Ngbpidjh.exe
2960	Ndfqbhia.exe
2316	Njciko32.exe
1828	Nlaegk32.exe
2800	Nckndeni.exe
3424	Njefqo32.exe
3204	Oponmilc.exe
4440	Ojgbfocc.exe
1936	Olfobjbg.exe
1540	Opakbi32.exe
3176	Ojjolnaq.exe
2792	Odocigqg.exe
2356	Ognpebpj.exe
3104	Olkhmi32.exe
2964	Odapnf32.exe
532	Onjegled.exe
2780	Olmeci32.exe
5068	Ogbipa32.exe
3592	Pmoahijl.exe
3068	Pqknig32.exe
2280	Pgefeajb.exe
3664	Pjcbbmif.exe
1640	Pqmjog32.exe
1588	Pfjcgn32.exe
1680	Pmdkch32.exe
2868	Pcncpbmd.exe
1584	Pncgmkmj.exe
4952	Pqbdjfln.exe
2568	Pcppfaka.exe
1904	Pnfdcjkg.exe
2732	Pgnilpah.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Jpnchp32.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lfkaag32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5288	6132	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2444	1524	34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe	83
PID 1524 wrote to memory of 2444	1524	34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe	83
PID 1524 wrote to memory of 2444	1524	34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe	83
PID 2444 wrote to memory of 2052	2444	Ibcmom32.exe	84
PID 2444 wrote to memory of 2052	2444	Ibcmom32.exe	84
PID 2444 wrote to memory of 2052	2444	Ibcmom32.exe	84
PID 2052 wrote to memory of 3492	2052	Jpgmha32.exe	85
PID 2052 wrote to memory of 3492	2052	Jpgmha32.exe	85
PID 2052 wrote to memory of 3492	2052	Jpgmha32.exe	85
PID 3492 wrote to memory of 1624	3492	Jedeph32.exe	86
PID 3492 wrote to memory of 1624	3492	Jedeph32.exe	86
PID 3492 wrote to memory of 1624	3492	Jedeph32.exe	86
PID 1624 wrote to memory of 1908	1624	Jfcbjk32.exe	88
PID 1624 wrote to memory of 1908	1624	Jfcbjk32.exe	88
PID 1624 wrote to memory of 1908	1624	Jfcbjk32.exe	88
PID 1908 wrote to memory of 1992	1908	Jmmjgejj.exe	89
PID 1908 wrote to memory of 1992	1908	Jmmjgejj.exe	89
PID 1908 wrote to memory of 1992	1908	Jmmjgejj.exe	89
PID 1992 wrote to memory of 2816	1992	Jfeopj32.exe	90
PID 1992 wrote to memory of 2816	1992	Jfeopj32.exe	90
PID 1992 wrote to memory of 2816	1992	Jfeopj32.exe	90
PID 2816 wrote to memory of 4956	2816	Jpnchp32.exe	92
PID 2816 wrote to memory of 4956	2816	Jpnchp32.exe	92
PID 2816 wrote to memory of 4956	2816	Jpnchp32.exe	92
PID 4956 wrote to memory of 968	4956	Jifhaenk.exe	93
PID 4956 wrote to memory of 968	4956	Jifhaenk.exe	93
PID 4956 wrote to memory of 968	4956	Jifhaenk.exe	93
PID 968 wrote to memory of 944	968	Jpppnp32.exe	95
PID 968 wrote to memory of 944	968	Jpppnp32.exe	95
PID 968 wrote to memory of 944	968	Jpppnp32.exe	95
PID 944 wrote to memory of 3728	944	Kpbmco32.exe	96
PID 944 wrote to memory of 3728	944	Kpbmco32.exe	96
PID 944 wrote to memory of 3728	944	Kpbmco32.exe	96
PID 3728 wrote to memory of 4004	3728	Kmfmmcbo.exe	97
PID 3728 wrote to memory of 4004	3728	Kmfmmcbo.exe	97
PID 3728 wrote to memory of 4004	3728	Kmfmmcbo.exe	97
PID 4004 wrote to memory of 652	4004	Kfoafi32.exe	98
PID 4004 wrote to memory of 652	4004	Kfoafi32.exe	98
PID 4004 wrote to memory of 652	4004	Kfoafi32.exe	98
PID 652 wrote to memory of 60	652	Klljnp32.exe	99
PID 652 wrote to memory of 60	652	Klljnp32.exe	99
PID 652 wrote to memory of 60	652	Klljnp32.exe	99
PID 60 wrote to memory of 4880	60	Kedoge32.exe	100
PID 60 wrote to memory of 4880	60	Kedoge32.exe	100
PID 60 wrote to memory of 4880	60	Kedoge32.exe	100
PID 4880 wrote to memory of 4196	4880	Kbhoqj32.exe	101
PID 4880 wrote to memory of 4196	4880	Kbhoqj32.exe	101
PID 4880 wrote to memory of 4196	4880	Kbhoqj32.exe	101
PID 4196 wrote to memory of 1940	4196	Kmncnb32.exe	102
PID 4196 wrote to memory of 1940	4196	Kmncnb32.exe	102
PID 4196 wrote to memory of 1940	4196	Kmncnb32.exe	102
PID 1940 wrote to memory of 744	1940	Liddbc32.exe	103
PID 1940 wrote to memory of 744	1940	Liddbc32.exe	103
PID 1940 wrote to memory of 744	1940	Liddbc32.exe	103
PID 744 wrote to memory of 2796	744	Lmbmibhb.exe	104
PID 744 wrote to memory of 2796	744	Lmbmibhb.exe	104
PID 744 wrote to memory of 2796	744	Lmbmibhb.exe	104
PID 2796 wrote to memory of 1800	2796	Lfkaag32.exe	105
PID 2796 wrote to memory of 1800	2796	Lfkaag32.exe	105
PID 2796 wrote to memory of 1800	2796	Lfkaag32.exe	105
PID 1800 wrote to memory of 3696	1800	Lpcfkm32.exe	106
PID 1800 wrote to memory of 3696	1800	Lpcfkm32.exe	106
PID 1800 wrote to memory of 3696	1800	Lpcfkm32.exe	106
PID 3696 wrote to memory of 3488	3696	Lepncd32.exe	107

C:\Users\Admin\AppData\Local\Temp\34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe
"C:\Users\Admin\AppData\Local\Temp\34ce22e1eac98c7ff25f868dc654806a1025aabe045981911190033b601c3052N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\Ibcmom32.exe
  C:\Windows\system32\Ibcmom32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\Jpgmha32.exe
    C:\Windows\system32\Jpgmha32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\Jedeph32.exe
      C:\Windows\system32\Jedeph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        23⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:708
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        52⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        63⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        67⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2412
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        82⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1868
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        87⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4616
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        91⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:768
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:820
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        100⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        101⤵
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        108⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        115⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        116⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        119⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        124⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 404
        126⤵
        Program crash
        
        PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6132 -ip 6132
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
479KB

MD5
0f9b6f2c6f3748868c1c4f050487595c

SHA1
69352f87e81338a191bef1bbef6cf401fd34414f

SHA256
af760f5a57bbbee4b8731cff50a96e254401882297e9d92a2d8cb44f240d204a

SHA512
971a0f81cf42d3c11cd26acfdaca08d37db79b7874ad015dd645731f82c05a90daeb065087be75b4d9ccd612e385bdbe6db8b830f83b50470a2bc4ede471d97d

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
479KB

MD5
212a4a52d992b61c9aa879b40a4cb086

SHA1
9b3639c422327853053c4e64683f6c468bdadf48

SHA256
e9d57325a089cd088e438d899e2a02b662eefabc26dfe74af876b877856ad7aa

SHA512
cae583ac46cad4e7c224508d7f13e082e709f9c8a90d54174a2f55688ddd676cd09c92f8774aa9d4fed32eb033698c61923ceeaee311f1db4300b532aeb8feb6

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
479KB

MD5
6ec192cb093da32950f18ecf6c0ead7c

SHA1
0348d94556252a78cff03caf5540821856b67b76

SHA256
1cc3f783b42f063292f52d23c9145ac6554001f9113e096ed9b6f0a68769dc37

SHA512
ea1c5ccc00ffed6840310e1138725af8a3d0b971728afb8f6750cfd7f2a6806e5f3558a45b5a0ed5115d87d096d735b62e101d4189e87ad796f10741ba326871

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
479KB

MD5
694d40713cc3fb894df7b189d0c6e33b

SHA1
ceedf61913f1917a02b6281f08aa0cfa4d915cba

SHA256
b96a6f7415bfcd31f05b0bb9f3846cd26a30aa93804a0cb8ee1cd78a72ec5a73

SHA512
c097e1e5c40c2270046647d301356a1792c18b80a153a3c4f4c21862bc45ff2da0140e92f39a7f594abb487b07a265a15eee1029fc5d297da9ecb0c0010a8415

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
479KB

MD5
00ae5fc814d4697289160a53423af875

SHA1
b9d202e9efe3b40bb136e26dc10c72cffd2ae9a5

SHA256
dd97d455f9ed4c3cd644b4f7e6c695329a44ff53677ae5cc04b0abd301bf0320

SHA512
42c080b6b77603163608d984be7dad5df631b596fc6b3287c0ee467b37d4a743e40e1d077b785b967f748aede1131ba3cdbd517ca488771e659b59348986f0a6

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
479KB

MD5
823092a6f498f65070d54d9abcde9899

SHA1
3a79100c1238a0322c0019ac2777f37b5a457bec

SHA256
2393b4324011577c74d2a73e5ec6a343b8ed6747d6fccfa0223a363576154774

SHA512
897359e3697af496e7d71eb773c7d30699058908ef9e95e009c9c667c51c4cdab234a9227c29475d1e48708c415ed8ecbfc451834a8e5d52cc3884dc1a282ce9

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
479KB

MD5
71a130e33632c523ff46813b62fb6424

SHA1
6932d00f68cf39cf330b01dc10f270e28e8b189b

SHA256
0e30edb807e449ff651f3a7c46c18e7c6b40df1018931ac4d689d79f2d93eb84

SHA512
89cbaf672e92ec9a593541406792f190c7f4a9dcd95d8d5f9846a3a644ab72ea5c11445c6d2b0d3fe50da0d18e2b1daf8f1f162480c6ddb261b562b7ca605f4f

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
479KB

MD5
471cd646d1f545c52c595b4f0da8a8ed

SHA1
b56f95541b3f478345c9c285b6c05e99af892331

SHA256
41235b1dd4d1a363c789589d201576de1540cae05494ab062010e9ff1a0738e5

SHA512
afdbfac128553cb784284e646a3e2ade25fbb9cdbdb2774bbe8c06b0045117012b8ad8b8fe2bd0f50a046f33567535d60928806d47e4e1df36c711851b67338e

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
479KB

MD5
7c288f003bca8f879d9d73a06acff929

SHA1
0baa610304071a5eb587f3ca6ea121abb864c30f

SHA256
29d649f5c79a3c65996b2a8863067cb2fcaed45b274cd022bff8ef3a91af3fd7

SHA512
959f6d7d8945eec7bbf7c59795ddf8556e6eab3c33b297a18c7826df51d8fdc73d1972b32bc1cb0b9f61b3616471881fb741377097f962120b5f2613254a3d8c

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
479KB

MD5
e5ec5cd7baf0aa68b94f7ecfe1d93c62

SHA1
65adb57dd6cf355dbe235dd1c55d3b6b7bd956b1

SHA256
1b0fa7e6d1b1f8b77b7ef83c2f8db4919141a7eb9212dab3e9502ce6090c33a6

SHA512
af3e7265ef2e4d886cde85f5aafd9cd2a16a94d191a7db91391d6401f0eb57995963f70ed2a9971c7a54f46c6d3b3d666a7d768264a27bcba97f05db03c21538

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
479KB

MD5
72c3294d943c7dca2af89198b61ed30f

SHA1
7ec35509e05c176586e3727b5f6a503aaa7583fb

SHA256
dee207ba15fe9b8c70b8bc82cf058799f1e3ea42e301ddf1ca1d5b7899892cea

SHA512
16802b8f792a117c1abcfb77534feb061381f27ec9a582cd541dc47ca823722fbadabdb53de9afe10eb069e3e73c14845121088aa2aa349000afb95317be56ca

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
479KB

MD5
db3ae192dd630af0591086c6cadf8971

SHA1
0053fbcfe0acc225428acd455098172c294b7aba

SHA256
41c560053a541f07470fccd1ae24e0a6cedaa33d3515d2034de9c42baa1a923f

SHA512
ffc2f7c605365eac7217b4be41c54b05b3de2be9879261008feca09143689b2ff3f841145d094a13c59de32534a28704efdaa53fe4bc7cb5424af821f242c73b

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
479KB

MD5
5bd38378457c92a67419f558434e48ec

SHA1
af01aaac1b47682e74b416ce8ecf4913982acee6

SHA256
2fd1e81c9c0bab9ecdee9c972bab1fb21ee3c260afeede09ec559d8711d94d1e

SHA512
38c50c0cfe2513ddc1a4700240760705abbecdb0cddfb4760294d3a95e2a06b53df69c44b610db1019e44092e194ed2f0783f3c7719c8e1daa052b5ab1c42996

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
479KB

MD5
e0e146c504222c97eeb153d20ef6baae

SHA1
c23351f1c9edd19b75c4ff578e693f64f7b6f727

SHA256
d2017b883eadaa6a8ca3f02e0a787acdac8045f44106c05cfaa909d5906a455c

SHA512
5e5423c54be775798530931a73448919d98b8e6d4ca0c06e37b25da73db5bfaa64302c2b7e64866a0f27002b6760e3896a97c343874595841bab08d92787d05e

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
479KB

MD5
b2d21b12c16b83c5db6ab7f3a91d11b0

SHA1
594e2adb2e74461e09dc17b94735ef5451a4a6d8

SHA256
6a0a0346c72b507b008319c6b85d8a785c7329aec48c2d5d4dd67158faa6fe88

SHA512
8233dede5af34be8b466eca6f98045042240e2d7d704a3308e328d679cc1f96f596b4fbf2c3801c0bb087ed8a55276ecf52c93d27c10e4fbbbea23b4bc6c4445

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
479KB

MD5
be08c899e0d0adaf528c4fd49cfcc192

SHA1
50ab4c6cb78c2c72c89438873baa03385e6d9c4c

SHA256
07054685b324305007148a1e6db404daff1fd364270f7b0821e4b25ea5566f84

SHA512
0637d03874df5e9d7bc6c59d8af0083b49ec3130851ba59a891393b373cda3ef8c99832478eb2a4bdb071573a77c8a571b1127902fe64ac68d4a5411129e5a45

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
479KB

MD5
afbdb43e306ef28511605d1a24724268

SHA1
68e58d5b3f71441a4f5d6c3f56d5b43ea610b910

SHA256
11ffdb9288b013bd6d0f77ac30afe45c764e9c40cd6a650e5d0c00cb59d69ea8

SHA512
513b2fbf271e24ee54650e97d3dda8f022a08b67b183ab9e00d322cc28877620fe8e375113ebb5daea0b403b1b2174b9bba98369d94cb76e573f66b924d1b9a5

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
479KB

MD5
df6ccc1c709014edfb551fddad340108

SHA1
c15e500b612ffb24feb88f186a7ad8d2055a1db1

SHA256
68fe4d5a6d86277da3b9e4999948ad1a698a9b658c2d07188d901c81da2736d9

SHA512
00dae23d1ce0995ad67a54f1a4e461bc63b3ec23aa2906980311bbf2064ba62f4a8319bfbf4c369babad27c85e80d3317f36b2d73aa338b02815b36671827ee3

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
479KB

MD5
3dbc7552a580d8ec1638e2275325600c

SHA1
29db310f42bd983476aacb77c67af38ff7ea947e

SHA256
56c666e36c81c33c91b0501db57a166484081a652b7c66b9806a1330675afee0

SHA512
99b57e7e3478f0dd544312012ba45511d25835dd62a789eb01963e7da05992489a606ab0526d54c51b8f15a9d68bf98c115bbe49a43f859ff1ba71d48f6bfa80

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
479KB

MD5
4aecedbbd06d661838425807db21d176

SHA1
59b25258fccf07f34228283fce351972a4cc6200

SHA256
ca61f8f72980064ab2d96a0fd410d0db979bd3421af226d49d8a9ff34e831bdf

SHA512
16c9419fa8812073e0f92d6aeb3b4b7369aeb1e300989bfbe8c79da61092a3b7424bef03c6b5e50553c18570a1634dcfecb04f54e9744aa72895fe19df7b1ec3

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
479KB

MD5
f1371f6d73d7506f25b40409f5c1bef3

SHA1
a4c8e15d2862408e3b9a77e74a7baf8bf943445d

SHA256
e6b54ef1b80c2990f56e5f9d5af4a3c62506354c082e0529b3b8f7821a146d18

SHA512
a10845670e1406c057d5d7339fab2f2eac209165f5a8bf9ca5c8920fcf7d4df8da0056195252f06170539ed7fbe843dee9587c164c980f7fbf8a86f8004211af

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
479KB

MD5
7234a688f1f7140cd68a1616c265e193

SHA1
f69268f5ddcde0b0e4667aa817574fe2b9d44345

SHA256
57bfacfa2807e1b77381ef3788dfd3330bd3cf96962cf8ec84a8c04afa7e2ba0

SHA512
0668a08188a39395eb92d6e1576f21bd795bc6de2392169da494bc69c5245e07504dd5c23e849643d8d7e2adf6b66086b9f84c0f65d9d411156f160cce2b6d68

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
479KB

MD5
5ff436d484e22077e5b8c7f5dd5540d4

SHA1
db9f56c55d571559750be40f153bee5d501a8676

SHA256
afe8b494cff0f2cf663e24448def8b19e6120086e4f6a875fdc5db61f443e14d

SHA512
ba397dabc2e97da2a75510aff058a76eee652d7f07a06344e31c87c0a291bd8a3c100a2def43520ebc5e5be44e3dd78f94e0c28b489d2afa6b1e1c664484c37b

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
479KB

MD5
e3570135327cad8f2841c196dfb75a67

SHA1
a126caac1147dfba389e0a056f2a2d2042b43071

SHA256
b98919b407021fea1633f4ba5e9c526f2efd6bc8934628050ff86ad35aa3c6f4

SHA512
1b66ea096f4ff021ff1965b8295b4c6939f974b8e89639d06d40b001369887bbc2179b71191cc82590e3797e3c89806b754598bbd5838b0469b6be25c2b5b80b

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
479KB

MD5
7fff5c88de849ed2aa7986f9d66ce70b

SHA1
e1ddf4eaee4edead271414a8e9e63f0fc3061367

SHA256
0c46e64a9b7dd6c08f16c4c4640819b071054ea35d4c76ba7657cf48465344e4

SHA512
10c9a1704b22e99f745d7aba28d0db958501f1ea24555ce161a08130b6938ba074bab190c63b03081852e264b088f939e2745a5f34a14e0ef0d76db17a934bde

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
479KB

MD5
f1068a2b95c03711ea823638a4fae7be

SHA1
47c6e05c44d31ed1e6c202c420bfbb6f8dad0792

SHA256
ab0af627442b5b8dac902cc56c1c02b50b8288536840b7644d709e5186cd1f9f

SHA512
878c6e55b92d1586622c8e159799a20b6058bc73333bd64fc2cb076763e8786d67fc3d841bdc9de47db09ffafcf9fcd5e5962bf880a4605014717e765bb32c48

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
479KB

MD5
450faa77e83055333d9ba4eef9560a70

SHA1
c3861105b079faf9a2e5b43ee3396ebf5c018dd7

SHA256
91c6cc93b7a5c7a752830d79bb7b9f1ad085f20a6b3901f9f521e0dbda5c55f4

SHA512
3cacca358e225c98d1ede49357b1f4dfe53dfc6583f18a8b912c88cf5af0084b2a26a8b771f75bbdba170f0a9aeba3a892d673543eabbf2f213ff04e2093f74a

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
479KB

MD5
f65047343a69bc2c0d166d53c74ebe84

SHA1
5042f1b6709702ac642a795fe17c7ff26b3db799

SHA256
6cf271d7a54bd45f877d2800bb60022ec51f448435e0c9de87b30d37e0dd058d

SHA512
09078ce8a779a4aaf9737553a7de1f50d88cd2f003966aa9a3e7993c5a5f2b61d110bf02f69ca307b687c39d0d1b336055745d01afdfa19acfa03dfe3f31cec2

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
479KB

MD5
61121fae8fdc14ec699ae0eba2af9cb8

SHA1
ce119cd86acc86cf274b460addcfa9f76970398e

SHA256
ddda4d4b98b44ad3ef6fe3c856ba56ec0bf6fc26cc06f89409637cdace9c199a

SHA512
62b267f928ed480cf4b91a40b20bb0c92fe54871a20eff13b1929f5d6f8352330c3158d2e049ab22ec041c2f32ab44b1d01a088641ee7bdd06ca3e8309bb8c97

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
479KB

MD5
90c7ab6fbfe3175a6131649b51f5a8f2

SHA1
c761cb38a49ed7e41744847cfd64c7260123363b

SHA256
cd506ea9cdb71160cadc066376a0e9c9fa3cffbd77e3a383177ef850da31da9d

SHA512
d234de4a9a81e77660fa756ec6b8d9abfd6738a616446cd34a0208725e5bd9fd703a742fde458d013bfd01bbbaf48dd3ffaa2865247f571c9329859249284c09

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
479KB

MD5
e5124821667913db89e36cb461f1ed52

SHA1
c758b7f01ec88f37f587f7c4b45c497526e0e419

SHA256
b4a651b8705c9b62ad252b2b8c1b40d54cec5b9afd94921e74fd087d5838d99b

SHA512
f1aa4f67ccab342b70be66b0cebbd4344d38e0c0fe0fbe84e70fcb5cf9b970dd50cc66a5fe11d60d015ddb5ea514e6db4692f0f97541335db051efeb0a278313

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
479KB

MD5
d530974edbeb9e68761e5dfd00df7695

SHA1
d6ac8f47a01a3ace5c58aea0d70162a092f17cfa

SHA256
5470c7f00a685c4880c715c2960839f7dbb2b1a2bd6f1ae3c72ce261c6ea2c45

SHA512
4f84c70864189db0cf4489f90bd951c33f7ace82164f65748252f649c04777cd7bcc4c9a9636a0cb760ee5b6b8d232a4c176d643487cb56767b8822f5a999386

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
479KB

MD5
f55c25a41015108f93512842c3821808

SHA1
8a5c614a3c7f03aab85eb5b7a90d125c8678d820

SHA256
c8b771dd164b85b24a9e75eaaa10a24ccb8a5f688f3920aca0e10211ad31ad22

SHA512
d6a2811477f02de6a435ad68380c56a323946ece76c198e604a98d4d9f6f2589b5960a967bb69a7bdd0d30b071155198ff54c89577ddb9715b3ee7b794e28b1b

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
479KB

MD5
686634fff3e23e9d17209751ca601db5

SHA1
5990996a9872c9458129a084b2a7b21353fe16cc

SHA256
029e57186827a7bccafe97f50056336a9ac42f78ec4f74454c1f3f8d0af34960

SHA512
2a7bd8c4f809965ed91e1968f01a20c9f7f771ba5aa074aa6678f3403263da20c4aaadaa4601c32f9cc09522c63475bfd48a0bbc24be5263e9e71a501cc6894d

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
479KB

MD5
068fbf5d6361db904dd4041e892a8d58

SHA1
fed77a4ad3f56579a248dfa47018beee5ca1338e

SHA256
30712b66309640658cfe917484c09bc246a4f8f01fc1b7f69a3e097a2bc135cc

SHA512
dfbbaa711c5018fa827330869df706af9a40fceb47c4b5726d7b657f3dcbb130ba28e790cdf398845b85557add2ad61c8e6ac099e5fa50d4dfe76e22790e6ae8

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
479KB

MD5
bfbb18b275cd977ec8ce2a09dfd826e9

SHA1
942c282725f8770c533662f96865176deb5c9194

SHA256
ad13057823980d04e1741e615e6942922390b7a9134355f8c4deceb03dc4e6e9

SHA512
1e8f418a9c00edc326003e1bb87e8e17f52294425523b68a3beaa7467d4bbe9e9c151782a25c8150fe5f5e41b6b1503898e06153dc82b761ceeddda9c3485733

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
384KB

MD5
5f2a179f35d8bc7f8c7d4aa8bc5d9863

SHA1
99fbccb29744354d50c3af919c98f47ab25881d3

SHA256
6a7f8da04c040ad6ff16e86a2be11e4fb46d31e71fb233206ea1d90a4f11519d

SHA512
a84a0377910bd6f01c98ae209a32f4fc1fff903daa57471cfc2b6bf10fcafe72c11464d3b65b0f5e142aa475d913b5c695356a40569bf9cb3b0188678b1e77ea

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
479KB

MD5
a6071d0824dba66ab739483d0d077778

SHA1
0416100dc502dc249cf8d1819cd1b32d363b9abe

SHA256
32a44cbb274485b8e43eafe609daa19c5f9806713c7dcb15b9fb278264bb0313

SHA512
528fc1134098d4c098d687bb0174912766008a682d6089f1a83c2a7aedf7d5449d6653d50cbd14d3ed04cf36f939bf1783ebf32ad9af05ac94ea7706a6350c11

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
479KB

MD5
50cf83da5ec296b0cec1486003f02fd9

SHA1
978e37eec3ea9c31a5aefb7e3be443a0b32630bc

SHA256
ab68234cbf9eb0d3e4227a3ec66708a6f48014ce1294dabb0ec189b3371c1062

SHA512
16f24dd4879e16dfdb61652f17fd78e189d8b3a7f62682f7352729d40f684ea852968d7169e2d78671ee98fdb8a22160b7f345a41b2237b29b48dfe25be5df50

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
479KB

MD5
2a4cc557e27fd4c77b01874e2c14c04d

SHA1
a60b672013c9ab8fa97683e4675cf036bc4d4b24

SHA256
9f339ad17141aa41155fdfa82df7340160692a7abcd9e17936367f9039cc4642

SHA512
b1dcb46444767664695b23753bf640eebc40363d936e983663843bae2b0f3ca614a8684f985ccc771f37cac8c0df771cfec2a6172b9a3e10df16865c97d4d0a2

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
479KB

MD5
266031046acf39255316e3126e3e9b38

SHA1
fe0eb30ed122c981db2828ce7c8b03123c8009b8

SHA256
062f4c3d683e66e1344e0a9b8a9452f7edf060d8b1836e16ce36f9c06cdcf7cf

SHA512
f24d2d0e4010fbfee4d7f63d5e4beb223244277ea80bb62c85b74d42ae187ff9130d4962bd7013740b952225507efa33d92ce494181e1d522a714dc79e17d93e

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
479KB

MD5
42602211cf46cb4c0f5ba17a54c28cf0

SHA1
435346feaa54b0e58387eeab16d7fa50a7a17608

SHA256
dbef3f0e3171bd2ff271329caf46e622c16e9ab9e234b70770d4e4051ae4e43e

SHA512
67588324ef23dcdc4ed994704c23b99dd40a469eede8390edb2670a797f93f5a41d454831daec6a5786f084ee12e523dbcd3e136e93afcb7ede8fde95ffe92af

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
479KB

MD5
f668a4870e46d51df6371b8c5345019c

SHA1
cb6b82f57b8820364821b02721956ced346b7afb

SHA256
dc2800fee99dcbee2555048fa4138f8072e1b9f1bf0f5837d6f2054b694ee37f

SHA512
d052b3cb0ae0e6cb7dd0e0a2b57360fc83301b52bf64bb322876ffb0a0011bfaab7bdad059ae9ac4683049304dbaf14f5007c445f514275e93bfecf206f10c89

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
479KB

MD5
5b6af813161c0a8f1c5cc683369b0f54

SHA1
929c08a3cdddccf26e5330b338d9143544394afa

SHA256
1a2bc4e1e3a79be2821f91457b26dbf899915cd7ef1dc9ee9df9c11a2c5e54de

SHA512
f9c7199b9e0da9571de2e6a7b24989056f2e92095530a007224b2805d017d24e56c83cab86c3f046d632e92d1c204f0bcb9f5d302e741b651489fce04edf6c25

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
479KB

MD5
67e8ed7ef156cab6c2d7f1fa14a7995b

SHA1
4c2e83ce57c92b0987801437e297541ea109093c

SHA256
8a6f8d5fc64685bf8a01c0c00c58bada5082ff2b378b040b7d1606dd1f1f5e5e

SHA512
e066eba380bdf013a4c493c9f3ed7b05242c6d779abdfc8a176a9b4b2389d58eb3eaf5969c1ab6e76a0353e35ac117cd016259e8c23e9c6b521d75377e2c88ba

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
479KB

MD5
8ad05601a8ba058155e4f5bcf846861a

SHA1
06a79064948f930ef092691d0599dc177ad62428

SHA256
648e4ecda5c5dfb5e706b4ad0bf0a7de8d90b65ced4a621afc710b5741f99026

SHA512
5d7d0b750651c817d2b927b3d385c0bc6b7ff45920b04a693659d63a8d394ee9b070d7b7eb405c9095313728973f6f12917f405956a672878fe0048719141795

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
479KB

MD5
43e033908822efa7ab06c4bd1e037209

SHA1
5f5cf7440921f3293d0a652ad088b289243ff6a7

SHA256
e27ea0488acc95fa70064159672430ba8612c978b125c1ef813b661978c1963a

SHA512
5a212e8693544d7ae0c36bd2c222e8e052671dabdaed1b7a0c3f007bf1f4e5f0aa6e256d5ae85de7913cf847d53100268eefdfa625a0dbd8058ba40ee06eca82

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
479KB

MD5
129aa8aeadde593c75993a53931d3fc8

SHA1
f888a7ee3baddcd483e883005c910073974a3a4d

SHA256
7ee282d1108ca12b38c15e0d7f7bfcecc643e67009d744c5c3cdb7bacff77d53

SHA512
3a2de14754c78758dd456d299c077b21bb0bbc99230cded74edf57bd85aa31a0e18038dc66c0450049b30642a45633d0089a5976bcf0a069fa20d54273be6918

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
479KB

MD5
d72cc6651d4bfc24b0a928aa33071724

SHA1
ce1a5d70677f68eff4272f42385fe09834da8716

SHA256
3e2c4db170b9f7e9fb5d0c0be840b4148d433a4540128f3dab1e2785b9ac3e3a

SHA512
697d77e3e5f1a7caa00bd3ae277f25c5bc5f9d85309c49bb9a221afc1195eb01d8a7df8556958002d73d9f24709be2f0ec77d445fd45deacf476cb320cc010d7

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
479KB

MD5
a3e338bc0e84cbd931e98665dce59f32

SHA1
647ef806727b91020e866ee10f725ef14122fd9e

SHA256
4cd4caaef39247f3e0226fb57497e0d6a2d3757dac47ca779729050c2a171537

SHA512
37c7c54f6849a1a68ce27514454eb74219686b806572ba981f080364cd3d41d441db57ef5b50e31b65cb696e038356702b9ee27287de2414c5134d7e4fade9b1

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
479KB

MD5
472ed937eef8576a929a0ebe1f822657

SHA1
861bd714dfcb2f7ba1aeca5489ef5d41e392b1ce

SHA256
4b8be1570d6bfcd39923b652b8859d6b3257299231e52ef71f0c747cc96c6c65

SHA512
5eabdbf0b1b69b7a2f1ccba953769e1d6cd93748c8a886df65e73e583c6017b4ca44d0ecbf10d2f340d08bb576282fec25d9c73e1e1cd7729867c1506ddde3b3

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
479KB

MD5
21f543940c13a180d7d5a212aed89136

SHA1
f12fa748b0192dea4a75c5938c559ac6c46cd84a

SHA256
87b69aef7271be8c9477ef8a0ca372eaf930040c195a06f3c2e0636990f170e7

SHA512
7066555c8974e9f83c3366f409bc1a840b7034aca7fa34e658a64427b86969b4d4bc7822738c07c4d1959800caf4bcf7898b78706ec85bd6d3eabb09b6008ccc

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
479KB

MD5
9302c47c3c4055dfff413ecdf43fdaaf

SHA1
fccd7a49e0974b049eb25e7de92456fae9ea9227

SHA256
c0a621811289e2cf31a84692330b0b7b13cf643aaf92d3d35cca848b88ac32f9

SHA512
40cd8c1dab9f145f6d33615f6b8119e306c4272e7405b5a9914c1d5b4a80e4cf0ea0af805c4c65eaf29b7b1f728570c648705d6a5c836bc79ef1b6fcde3f1b88

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
479KB

MD5
ec84bfc0e43b7154af1910b4399e2645

SHA1
81a81f8d8617e7f971b098498d91adf1d50f8dd7

SHA256
8b5b296d11aea0012cf39f60c21415c1010b6fb138b09af6f97d34aa9c60f88b

SHA512
8e096f89662c8ce79a093578c9c9b9aec22b5e9ce5783e209aa6a21c4170a6ac2b09661fa62bc8440337638aa441e584876a88aaf4c237cd3cc38296bcefaa6b

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
479KB

MD5
cd37d0a8484bded74c9b3af1ff425b4c

SHA1
e27019bd9415c0ca0645983cee4cdb868099826f

SHA256
1d6fe9f6a6c078e6e240c863e8e29877f3b1637d5bb0ff43662bc50cc56bc491

SHA512
8434d93f9693e7ee09f19006e7cb3a90ab4661629f7960f86b8881eba16a7f77b9523ff0d73bb952568bccc559d6ee58abeb8ae696015f36918c00b587d1b910

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
479KB

MD5
787d343c08a66b9b60e29da72de185ad

SHA1
40af78f0e3b77297fe35e4815a60b7e819b09f22

SHA256
abec24dca95eb8a15f005490d90b317d704032892663499043f7fb42897e34f4

SHA512
5d66a6c0e0aa7593577da49afd5d95b9941a9cfa328399c0189e50f0966e384e2877f8ac13b960bd9b30f9155a94f2582112bebf431b4dd1914b79094fe74083

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
479KB

MD5
043177695bc452f89fb200e80ba2a316

SHA1
cf7d1c64d191f3b5f009784b461885545cac39fe

SHA256
9df22d35822a1afa02d900c93a2ebf1de24841ced7b826e14ba52f88e93977de

SHA512
0376598c6d4f4baa44bc9a913dfe53c47da290e7760f81afbbd5af5eb3a74fccf593b2fc0fffe5468ee3bb14c2cf85ff21dd10c98021d09fb4d4b90f68138155

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
479KB

MD5
49f3d06220b640d213fc88a95972b397

SHA1
eda010755c2fce05f615bfb66ebf07d018d21c48

SHA256
fc1aa080ea3fdd4655b519cfe478667b9e3183b93edbc40468e0f001bdcdc040

SHA512
6a3310e7e585b9cb281b4ea6969668cfc986413db5207df5ff8e1fe39203b50b247b5f84d82d4a7f9e21b1be89fbd4c3e1b0bfe2cb68e761e809f86aa12897de

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
479KB

MD5
332d0d0917cc62edfbfcd1fe0005f3bc

SHA1
5262f5229d2cb5d1a2ae5a29d05d2bb6ff7bf07a

SHA256
339622d090dbfbe68e00bca889433fdc459623c1474450507bc29d39402cfb86

SHA512
362ccdd5bd21bec30f57db9729e997bbba5867fef09220bb8d5274c842a69be6c21451ee0d9a4bacd93ba0bc08e19205a1ce888ab6e0346e852a7ded847a5243

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
479KB

MD5
c7ab862a2cf952db06dab92342efd292

SHA1
42195530b1bde79c4d7c13f3bfe27f61a32b40bf

SHA256
302a8511de98858464cb637ae37c96ef1bc1998ac662b5d862016bfeaa569e78

SHA512
6978d5821851c34420dfabc5f0cfa4ecc5295e4817b0265036db9be3d9431060a30ecac8cb0eb89972725c808268b3016a94de27e3e6e7e1d35ff7a11cc34dd1

Download Submit
memory/60-112-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/532-359-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/652-1060-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/652-104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/708-270-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/744-145-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/788-519-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/944-80-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/968-72-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/968-598-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1080-507-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1080-937-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1088-209-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1392-525-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1428-484-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1488-184-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1500-589-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1524-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1524-531-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1524-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1540-323-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1588-970-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1588-407-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1624-33-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1624-1078-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1624-564-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1640-401-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1680-968-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1680-413-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1800-160-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1828-288-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1868-565-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1904-442-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1908-41-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1908-571-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1936-1001-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1936-317-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1940-136-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1992-578-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1992-48-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2036-224-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2052-551-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2052-17-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2076-572-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2096-599-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2136-264-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2172-1023-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2172-248-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2280-389-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2316-282-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2356-341-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2388-217-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-934-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-513-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2444-544-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2444-8-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2568-436-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2732-448-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2780-365-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2792-335-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2796-152-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2800-1008-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2800-294-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2816-584-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2816-57-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2864-233-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2868-419-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2896-466-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2960-276-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2964-353-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3012-538-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3028-454-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3068-383-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3104-347-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3168-552-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3176-329-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3204-306-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3424-303-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3488-177-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3492-558-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3492-24-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3592-377-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3664-399-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3696-1044-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3696-168-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3728-89-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3768-240-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3964-464-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3988-200-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3992-545-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4004-96-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4196-129-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4212-901-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4476-472-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4496-501-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4540-192-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4540-1038-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4572-532-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4576-482-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4584-495-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4616-592-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4836-232-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4880-120-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4924-256-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4952-430-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4956-65-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4956-591-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5068-371-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5348-873-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5392-872-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5920-847-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads