a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234

Analysis

max time kernel
32s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 03:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
Size

109KB
MD5

a34977ab9020bbabe5e850995791f037
SHA1

d16c2627419041b99ba740812ba42ba0d85065fd
SHA256

a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234
SHA512

c6ca6287734b0ed8faf483244671d8f99287d348ff7fbdcaa0a690c5e8c9938daa589a0d1c70c4c58f688542d7077dc552354cd7650c712e5eb48329fb62734c
SSDEEP

3072:jf1xHPs/HqP4UihL7zHJ9wLCqwzBu1DjHLMVDqqkSp:jfTHPs/HvUihL7TJ9wwtu1DjrFqh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obopobhe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olgehh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkafib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mffgfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkbfmpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljhppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbmcjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljfckodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcqdidim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhdcbjal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbjgjqh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lamkllea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcqdidim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpeebhhf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgomoboc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkoidcaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lojeda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laknfmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laknfmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhdcbjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngafdepl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olgehh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oclpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojeda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lednal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldikbhfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndlamke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nplkhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpmhgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogene32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nndhpqma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhhie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchjjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbjgjqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkoidcaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljfckodo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lppkgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgllj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhgpgjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglpjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjmiknng.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjpcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjeod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njaoeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqkgbkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpkal32.exe

Executes dropped EXE 64 IoCs

pid	Process
1464	Kikpgk32.exe
2280	Klimcf32.exe
2884	Leaallcb.exe
2624	Lhpmhgbf.exe
2928	Lkoidcaj.exe
2616	Lojeda32.exe
3068	Lednal32.exe
2924	Lkafib32.exe
1576	Lolbjahp.exe
2388	Laknfmgd.exe
696	Ldikbhfh.exe
2824	Lghgocek.exe
1760	Ljfckodo.exe
800	Lamkllea.exe
2016	Lppkgi32.exe
2440	Lgjcdc32.exe
2400	Ljhppo32.exe
2284	Lndlamke.exe
2504	Llgllj32.exe
1952	Lcqdidim.exe
1860	Mglpjc32.exe
1284	Mpeebhhf.exe
1676	Mogene32.exe
2552	Mgomoboc.exe
2464	Mjmiknng.exe
2772	Mhpigk32.exe
2644	Mojaceln.exe
2668	Moloidjl.exe
1696	Mchjjc32.exe
576	Mffgfo32.exe
2892	Mhdcbjal.exe
2272	Mkconepp.exe
2728	Mnakjaoc.exe
1348	Mbmgkp32.exe
548	Mhgpgjoj.exe
1444	Mgjpcf32.exe
2660	Nndhpqma.exe
2240	Ndnplk32.exe
2500	Nglmifca.exe
2436	Nkhhie32.exe
1716	Nbaafocg.exe
2412	Nccmng32.exe
1772	Nkjeod32.exe
1912	Nnhakp32.exe
964	Nmkbfmpf.exe
2920	Ndbjgjqh.exe
2308	Ngafdepl.exe
2764	Njobpa32.exe
3060	Nqijmkfm.exe
2512	Nplkhh32.exe
776	Ngcbie32.exe
2208	Njaoeq32.exe
1612	Nmpkal32.exe
2964	Nqkgbkdj.exe
3012	Nbmcjc32.exe
2460	Ojdlkp32.exe
1604	Olehbh32.exe
2656	Oclpdf32.exe
708	Obopobhe.exe
928	Oenmkngi.exe
2328	Omddmkhl.exe
1688	Olgehh32.exe
1564	Onfadc32.exe
2156	Ofmiea32.exe

Loads dropped DLL 64 IoCs

pid	Process
3036	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
3036	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
1464	Kikpgk32.exe
1464	Kikpgk32.exe
2280	Klimcf32.exe
2280	Klimcf32.exe
2884	Leaallcb.exe
2884	Leaallcb.exe
2624	Lhpmhgbf.exe
2624	Lhpmhgbf.exe
2928	Lkoidcaj.exe
2928	Lkoidcaj.exe
2616	Lojeda32.exe
2616	Lojeda32.exe
3068	Lednal32.exe
3068	Lednal32.exe
2924	Lkafib32.exe
2924	Lkafib32.exe
1576	Lolbjahp.exe
1576	Lolbjahp.exe
2388	Laknfmgd.exe
2388	Laknfmgd.exe
696	Ldikbhfh.exe
696	Ldikbhfh.exe
2824	Lghgocek.exe
2824	Lghgocek.exe
1760	Ljfckodo.exe
1760	Ljfckodo.exe
800	Lamkllea.exe
800	Lamkllea.exe
2016	Lppkgi32.exe
2016	Lppkgi32.exe
2440	Lgjcdc32.exe
2440	Lgjcdc32.exe
2400	Ljhppo32.exe
2400	Ljhppo32.exe
2284	Lndlamke.exe
2284	Lndlamke.exe
2504	Llgllj32.exe
2504	Llgllj32.exe
1952	Lcqdidim.exe
1952	Lcqdidim.exe
1860	Mglpjc32.exe
1860	Mglpjc32.exe
1284	Mpeebhhf.exe
1284	Mpeebhhf.exe
1676	Mogene32.exe
1676	Mogene32.exe
2552	Mgomoboc.exe
2552	Mgomoboc.exe
2464	Mjmiknng.exe
2464	Mjmiknng.exe
2772	Mhpigk32.exe
2772	Mhpigk32.exe
2644	Mojaceln.exe
2644	Mojaceln.exe
2668	Moloidjl.exe
2668	Moloidjl.exe
1696	Mchjjc32.exe
1696	Mchjjc32.exe
576	Mffgfo32.exe
576	Mffgfo32.exe
2892	Mhdcbjal.exe
2892	Mhdcbjal.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ljhppo32.exe	Lgjcdc32.exe
File opened for modification	C:\Windows\SysWOW64\Mogene32.exe	Mpeebhhf.exe
File created	C:\Windows\SysWOW64\Obopobhe.exe	Oclpdf32.exe
File created	C:\Windows\SysWOW64\Idomll32.dll	Njaoeq32.exe
File created	C:\Windows\SysWOW64\Llgllj32.exe	Lndlamke.exe
File created	C:\Windows\SysWOW64\Hmdcof32.dll	Nmkbfmpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqijmkfm.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Lojeda32.exe	Lkoidcaj.exe
File opened for modification	C:\Windows\SysWOW64\Ldikbhfh.exe	Laknfmgd.exe
File opened for modification	C:\Windows\SysWOW64\Lgjcdc32.exe	Lppkgi32.exe
File created	C:\Windows\SysWOW64\Pncemobj.dll	Nmpkal32.exe
File opened for modification	C:\Windows\SysWOW64\Lednal32.exe	Lojeda32.exe
File created	C:\Windows\SysWOW64\Idjfdadn.dll	Lkafib32.exe
File created	C:\Windows\SysWOW64\Qegpeh32.dll	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Apeblc32.dll	Ndbjgjqh.exe
File opened for modification	C:\Windows\SysWOW64\Lamkllea.exe	Ljfckodo.exe
File created	C:\Windows\SysWOW64\Kcgjllbn.dll	Mogene32.exe
File opened for modification	C:\Windows\SysWOW64\Nqkgbkdj.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Lkffpabj.dll	Mchjjc32.exe
File created	C:\Windows\SysWOW64\Jgjgfacn.dll	Olgehh32.exe
File created	C:\Windows\SysWOW64\Ndnplk32.exe	Nndhpqma.exe
File created	C:\Windows\SysWOW64\Nknplm32.dll	Lghgocek.exe
File created	C:\Windows\SysWOW64\Lcqdidim.exe	Llgllj32.exe
File created	C:\Windows\SysWOW64\Hpehnofm.dll	Laknfmgd.exe
File opened for modification	C:\Windows\SysWOW64\Llgllj32.exe	Lndlamke.exe
File created	C:\Windows\SysWOW64\Nbaafocg.exe	Nkhhie32.exe
File created	C:\Windows\SysWOW64\Ehcibakq.dll	Kikpgk32.exe
File created	C:\Windows\SysWOW64\Kgpobfea.dll	Ljfckodo.exe
File opened for modification	C:\Windows\SysWOW64\Mojaceln.exe	Mhpigk32.exe
File created	C:\Windows\SysWOW64\Khggofme.dll	Njobpa32.exe
File created	C:\Windows\SysWOW64\Ckdppcdq.dll	Ngcbie32.exe
File opened for modification	C:\Windows\SysWOW64\Oenmkngi.exe	Obopobhe.exe
File created	C:\Windows\SysWOW64\Lolbjahp.exe	Lkafib32.exe
File opened for modification	C:\Windows\SysWOW64\Laknfmgd.exe	Lolbjahp.exe
File opened for modification	C:\Windows\SysWOW64\Mchjjc32.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Nkjeod32.exe	Nccmng32.exe
File created	C:\Windows\SysWOW64\Ndbjgjqh.exe	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Jceahq32.dll	Ngafdepl.exe
File created	C:\Windows\SysWOW64\Nbmcjc32.exe	Nqkgbkdj.exe
File opened for modification	C:\Windows\SysWOW64\Ndbjgjqh.exe	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Njaoeq32.exe	Ngcbie32.exe
File opened for modification	C:\Windows\SysWOW64\Nbmcjc32.exe	Nqkgbkdj.exe
File opened for modification	C:\Windows\SysWOW64\Lkafib32.exe	Lednal32.exe
File created	C:\Windows\SysWOW64\Lamkllea.exe	Ljfckodo.exe
File opened for modification	C:\Windows\SysWOW64\Lolbjahp.exe	Lkafib32.exe
File created	C:\Windows\SysWOW64\Mogene32.exe	Mpeebhhf.exe
File created	C:\Windows\SysWOW64\Mojaceln.exe	Mhpigk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgomoboc.exe	Mogene32.exe
File created	C:\Windows\SysWOW64\Mjmiknng.exe	Mgomoboc.exe
File created	C:\Windows\SysWOW64\Iofpmj32.dll	Nglmifca.exe
File created	C:\Windows\SysWOW64\Opcboqhc.dll	Mffgfo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngafdepl.exe	Ndbjgjqh.exe
File created	C:\Windows\SysWOW64\Ljhppo32.exe	Lgjcdc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcqdidim.exe	Llgllj32.exe
File created	C:\Windows\SysWOW64\Laknfmgd.exe	Lolbjahp.exe
File created	C:\Windows\SysWOW64\Giiinjlg.dll	Lgjcdc32.exe
File created	C:\Windows\SysWOW64\Mchjjc32.exe	Moloidjl.exe
File opened for modification	C:\Windows\SysWOW64\Nkhhie32.exe	Nglmifca.exe
File opened for modification	C:\Windows\SysWOW64\Mpeebhhf.exe	Mglpjc32.exe
File opened for modification	C:\Windows\SysWOW64\Obopobhe.exe	Oclpdf32.exe
File opened for modification	C:\Windows\SysWOW64\Leaallcb.exe	Klimcf32.exe
File created	C:\Windows\SysWOW64\Lndlamke.exe	Ljhppo32.exe
File created	C:\Windows\SysWOW64\Oifbhdjc.dll	Lcqdidim.exe
File created	C:\Windows\SysWOW64\Ldcenn32.dll	Mhdcbjal.exe

Program crash 1 IoCs

pid	pid_target	Process
2664	2880	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojeda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgocek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljfckodo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omddmkhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkoidcaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjmiknng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjpcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjcdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgllj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmgkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngafdepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgomoboc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njobpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbmcjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onfadc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgpgjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglmifca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbaafocg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjeod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olgehh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplkhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lppkgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcqdidim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mglpjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpeebhhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchjjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkconepp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnakjaoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nccmng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkbfmpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njaoeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obopobhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikpgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lamkllea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndlamke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mogene32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpigk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olehbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmiea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpmhgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffgfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngcbie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laknfmgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkafib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljhppo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdlkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikbhfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojaceln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oepianef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhdcbjal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nndhpqma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqkgbkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leaallcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lednal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moloidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolbjahp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqkgbkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olgehh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lndlamke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjmiknng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicgkof.dll"	Mbmgkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghhnhbf.dll"	Lolbjahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifbhdjc.dll"	Lcqdidim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjgfacn.dll"	Olgehh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkconepp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjfdld.dll"	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehkmm32.dll"	Mojaceln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeblc32.dll"	Ndbjgjqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lojeda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbekip32.dll"	Lndlamke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll"	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjeod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhdcbjal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligibpk.dll"	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpobfea.dll"	Ljfckodo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lamkllea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqlenpag.dll"	Lamkllea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll"	Nndhpqma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laknfmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkgdd32.dll"	Mpeebhhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgomoboc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgojd32.dll"	Nbmcjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcenn32.dll"	Mhdcbjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obopobhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mojaceln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchjjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obopobhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llgllj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkffpabj.dll"	Mchjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll"	Njaoeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfkindn.dll"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahmln32.dll"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmmdfgc.dll"	Mgomoboc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgomoboc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjmiknng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcboqhc.dll"	Mffgfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljfckodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mchjjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkconepp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfdc32.dll"	Lppkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinnfbbo.dll"	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfjnimm.dll"	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeecd32.dll"	Mhpigk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofpmj32.dll"	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll"	Nkjeod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lamkllea.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1464	3036	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe	29
PID 3036 wrote to memory of 1464	3036	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe	29
PID 3036 wrote to memory of 1464	3036	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe	29
PID 3036 wrote to memory of 1464	3036	a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe	29
PID 1464 wrote to memory of 2280	1464	Kikpgk32.exe	30
PID 1464 wrote to memory of 2280	1464	Kikpgk32.exe	30
PID 1464 wrote to memory of 2280	1464	Kikpgk32.exe	30
PID 1464 wrote to memory of 2280	1464	Kikpgk32.exe	30
PID 2280 wrote to memory of 2884	2280	Klimcf32.exe	31
PID 2280 wrote to memory of 2884	2280	Klimcf32.exe	31
PID 2280 wrote to memory of 2884	2280	Klimcf32.exe	31
PID 2280 wrote to memory of 2884	2280	Klimcf32.exe	31
PID 2884 wrote to memory of 2624	2884	Leaallcb.exe	32
PID 2884 wrote to memory of 2624	2884	Leaallcb.exe	32
PID 2884 wrote to memory of 2624	2884	Leaallcb.exe	32
PID 2884 wrote to memory of 2624	2884	Leaallcb.exe	32
PID 2624 wrote to memory of 2928	2624	Lhpmhgbf.exe	33
PID 2624 wrote to memory of 2928	2624	Lhpmhgbf.exe	33
PID 2624 wrote to memory of 2928	2624	Lhpmhgbf.exe	33
PID 2624 wrote to memory of 2928	2624	Lhpmhgbf.exe	33
PID 2928 wrote to memory of 2616	2928	Lkoidcaj.exe	34
PID 2928 wrote to memory of 2616	2928	Lkoidcaj.exe	34
PID 2928 wrote to memory of 2616	2928	Lkoidcaj.exe	34
PID 2928 wrote to memory of 2616	2928	Lkoidcaj.exe	34
PID 2616 wrote to memory of 3068	2616	Lojeda32.exe	35
PID 2616 wrote to memory of 3068	2616	Lojeda32.exe	35
PID 2616 wrote to memory of 3068	2616	Lojeda32.exe	35
PID 2616 wrote to memory of 3068	2616	Lojeda32.exe	35
PID 3068 wrote to memory of 2924	3068	Lednal32.exe	36
PID 3068 wrote to memory of 2924	3068	Lednal32.exe	36
PID 3068 wrote to memory of 2924	3068	Lednal32.exe	36
PID 3068 wrote to memory of 2924	3068	Lednal32.exe	36
PID 2924 wrote to memory of 1576	2924	Lkafib32.exe	37
PID 2924 wrote to memory of 1576	2924	Lkafib32.exe	37
PID 2924 wrote to memory of 1576	2924	Lkafib32.exe	37
PID 2924 wrote to memory of 1576	2924	Lkafib32.exe	37
PID 1576 wrote to memory of 2388	1576	Lolbjahp.exe	38
PID 1576 wrote to memory of 2388	1576	Lolbjahp.exe	38
PID 1576 wrote to memory of 2388	1576	Lolbjahp.exe	38
PID 1576 wrote to memory of 2388	1576	Lolbjahp.exe	38
PID 2388 wrote to memory of 696	2388	Laknfmgd.exe	39
PID 2388 wrote to memory of 696	2388	Laknfmgd.exe	39
PID 2388 wrote to memory of 696	2388	Laknfmgd.exe	39
PID 2388 wrote to memory of 696	2388	Laknfmgd.exe	39
PID 696 wrote to memory of 2824	696	Ldikbhfh.exe	40
PID 696 wrote to memory of 2824	696	Ldikbhfh.exe	40
PID 696 wrote to memory of 2824	696	Ldikbhfh.exe	40
PID 696 wrote to memory of 2824	696	Ldikbhfh.exe	40
PID 2824 wrote to memory of 1760	2824	Lghgocek.exe	41
PID 2824 wrote to memory of 1760	2824	Lghgocek.exe	41
PID 2824 wrote to memory of 1760	2824	Lghgocek.exe	41
PID 2824 wrote to memory of 1760	2824	Lghgocek.exe	41
PID 1760 wrote to memory of 800	1760	Ljfckodo.exe	42
PID 1760 wrote to memory of 800	1760	Ljfckodo.exe	42
PID 1760 wrote to memory of 800	1760	Ljfckodo.exe	42
PID 1760 wrote to memory of 800	1760	Ljfckodo.exe	42
PID 800 wrote to memory of 2016	800	Lamkllea.exe	43
PID 800 wrote to memory of 2016	800	Lamkllea.exe	43
PID 800 wrote to memory of 2016	800	Lamkllea.exe	43
PID 800 wrote to memory of 2016	800	Lamkllea.exe	43
PID 2016 wrote to memory of 2440	2016	Lppkgi32.exe	44
PID 2016 wrote to memory of 2440	2016	Lppkgi32.exe	44
PID 2016 wrote to memory of 2440	2016	Lppkgi32.exe	44
PID 2016 wrote to memory of 2440	2016	Lppkgi32.exe	44

C:\Users\Admin\AppData\Local\Temp\a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe
"C:\Users\Admin\AppData\Local\Temp\a3d1b1348ec07e6df44e500bf7aaeaa32fde1a8509cad23f777885487cff0234.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\Kikpgk32.exe
  C:\Windows\system32\Kikpgk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\Klimcf32.exe
    C:\Windows\system32\Klimcf32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\Leaallcb.exe
      C:\Windows\system32\Leaallcb.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\Lhpmhgbf.exe
        
        C:\Windows\system32\Lhpmhgbf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\Lkoidcaj.exe
        
        C:\Windows\system32\Lkoidcaj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Lojeda32.exe
        
        C:\Windows\system32\Lojeda32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Lednal32.exe
        
        C:\Windows\system32\Lednal32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Lkafib32.exe
        
        C:\Windows\system32\Lkafib32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Lolbjahp.exe
        
        C:\Windows\system32\Lolbjahp.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Laknfmgd.exe
        
        C:\Windows\system32\Laknfmgd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ldikbhfh.exe
        
        C:\Windows\system32\Ldikbhfh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Lghgocek.exe
        
        C:\Windows\system32\Lghgocek.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ljfckodo.exe
        
        C:\Windows\system32\Ljfckodo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Lamkllea.exe
        
        C:\Windows\system32\Lamkllea.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Lppkgi32.exe
        
        C:\Windows\system32\Lppkgi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Lgjcdc32.exe
        
        C:\Windows\system32\Lgjcdc32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Ljhppo32.exe
        
        C:\Windows\system32\Ljhppo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Lndlamke.exe
        
        C:\Windows\system32\Lndlamke.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Llgllj32.exe
        
        C:\Windows\system32\Llgllj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Lcqdidim.exe
        
        C:\Windows\system32\Lcqdidim.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Mglpjc32.exe
        
        C:\Windows\system32\Mglpjc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Mpeebhhf.exe
        
        C:\Windows\system32\Mpeebhhf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Mogene32.exe
        
        C:\Windows\system32\Mogene32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Mgomoboc.exe
        
        C:\Windows\system32\Mgomoboc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Mjmiknng.exe
        
        C:\Windows\system32\Mjmiknng.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Mhpigk32.exe
        
        C:\Windows\system32\Mhpigk32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Mojaceln.exe
        
        C:\Windows\system32\Mojaceln.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Moloidjl.exe
        
        C:\Windows\system32\Moloidjl.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Mchjjc32.exe
        
        C:\Windows\system32\Mchjjc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Mffgfo32.exe
        
        C:\Windows\system32\Mffgfo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Mhdcbjal.exe
        
        C:\Windows\system32\Mhdcbjal.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Mkconepp.exe
        
        C:\Windows\system32\Mkconepp.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Mnakjaoc.exe
        
        C:\Windows\system32\Mnakjaoc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Mbmgkp32.exe
        
        C:\Windows\system32\Mbmgkp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Mhgpgjoj.exe
        
        C:\Windows\system32\Mhgpgjoj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Mgjpcf32.exe
        
        C:\Windows\system32\Mgjpcf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Nndhpqma.exe
        
        C:\Windows\system32\Nndhpqma.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ndnplk32.exe
        
        C:\Windows\system32\Ndnplk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Nglmifca.exe
        
        C:\Windows\system32\Nglmifca.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Nkhhie32.exe
        
        C:\Windows\system32\Nkhhie32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Nbaafocg.exe
        
        C:\Windows\system32\Nbaafocg.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Nccmng32.exe
        
        C:\Windows\system32\Nccmng32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Nkjeod32.exe
        
        C:\Windows\system32\Nkjeod32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Nnhakp32.exe
        
        C:\Windows\system32\Nnhakp32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Nmkbfmpf.exe
        
        C:\Windows\system32\Nmkbfmpf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Ndbjgjqh.exe
        
        C:\Windows\system32\Ndbjgjqh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Ngafdepl.exe
        
        C:\Windows\system32\Ngafdepl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Njobpa32.exe
        
        C:\Windows\system32\Njobpa32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Nplkhh32.exe
        
        C:\Windows\system32\Nplkhh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Ngcbie32.exe
        
        C:\Windows\system32\Ngcbie32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\Njaoeq32.exe
        
        C:\Windows\system32\Njaoeq32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Nqkgbkdj.exe
        
        C:\Windows\system32\Nqkgbkdj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Nbmcjc32.exe
        
        C:\Windows\system32\Nbmcjc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Ojdlkp32.exe
        
        C:\Windows\system32\Ojdlkp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Olehbh32.exe
        
        C:\Windows\system32\Olehbh32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Oclpdf32.exe
        
        C:\Windows\system32\Oclpdf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Obopobhe.exe
        
        C:\Windows\system32\Obopobhe.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Oenmkngi.exe
        
        C:\Windows\system32\Oenmkngi.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Omddmkhl.exe
        
        C:\Windows\system32\Omddmkhl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Olgehh32.exe
        
        C:\Windows\system32\Olgehh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Onfadc32.exe
        
        C:\Windows\system32\Onfadc32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ofmiea32.exe
        
        C:\Windows\system32\Ofmiea32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Oepianef.exe
        
        C:\Windows\system32\Oepianef.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 140
        68⤵
        Program crash
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckhkbc32.dll

Filesize
7KB

MD5
4a3cf7677621349ccab120e9af9d1840

SHA1
9f6aa315dea6c560d2427092b41578f96b8fb7f3

SHA256
34d2d2ec156efb69a12f0b8081b11dc1b98edbe6497b1515c5c816d5a2e47fed

SHA512
79c6e9f5ccb168e62cbb5a9af959ecb657075cb9bdc254393f521132fab0269438a9ce0556292552741eb624d7b012dda1e0724cb5c0d8e874ca5e77c9dad980

Download Submit
C:\Windows\SysWOW64\Lamkllea.exe

Filesize
109KB

MD5
0e1536de56f4729a55911018a94aa68e

SHA1
1932f99ba29b6a5c9172ba0897ba7c351c8c6f14

SHA256
fa734c11987ed1a594c7ab73561e93435f843dbdf4a01768898d7268af1b692a

SHA512
56e292044d93d885eaf9164e71ea26bc04fcf0999c86697f9c05f40facda99bee754fcc1c674e817a4ffcb246c5bcc3d1a292dba51b459ac8903451957330055

Download Submit
C:\Windows\SysWOW64\Lcqdidim.exe

Filesize
109KB

MD5
15c6d6b0e5069803cc2537f7160c1519

SHA1
4cc7361bdeaaa29999b33260a5278f26516f40c9

SHA256
d04f0fcd84821805546db4dd29f5d4e3c648c9f4caf939efb8319f97286ce88e

SHA512
1b1479bb900b188675e377a3fd3be84762f6ad1aee600258dab0c31d0eeeb2fbd95615f5a24ef1be83176453c0cacf51a185f9751a7426d86f8dcc3b4a837bca

Download Submit
C:\Windows\SysWOW64\Leaallcb.exe

Filesize
109KB

MD5
6ea522f9278464d2a353342acf6c72d2

SHA1
89d497365d23028cfe147da42d0a9c047bad5257

SHA256
f31e521110fc542ffabada8fead73114ae4f8f6ad87532160f1fe43e90c4b429

SHA512
ae0fd71150f17703eaaca428dffa955c1fe5166323d6a72e965650b9f4718d1c3b849d899a1dbcdc15cb72b5998c28330230a5f6a0ea61575fe86c2c151fd906

Download Submit
C:\Windows\SysWOW64\Lednal32.exe

Filesize
109KB

MD5
85c0e7e0436106e8d23ccf68d9aee16b

SHA1
1a0f4c87158639418c03ff87083932481681a9c0

SHA256
ec8f20df458d7f2d736aaf0c3b7e93a51a5396a6b353ef16234984970770b8de

SHA512
06dd076211464e3f167faa9e75824a24ea7b5cd44fc4aa57572a3245fadbd85c61372d9ec989b3c9db60af980a8258b1329cc155d4b11e828a7f2401f898375b

Download Submit
C:\Windows\SysWOW64\Lghgocek.exe

Filesize
109KB

MD5
76daaff50ef67153bae7034ef144825b

SHA1
82869b5860df9c0f62c73000eb7bc3a864555aa1

SHA256
456a589d8002b0c2eccc862bbb1a0865978fe50a78d9f61014255a45308568e4

SHA512
4f2f7ffdd7ff4cd3239c37078087351cb7ebc6ce33d97b05a3fef315c579f4754c73b7311ace58bd0260e9e1827bddc411baa7ffa4e94716a340b7d51ceb6b3f

Download Submit
C:\Windows\SysWOW64\Lgjcdc32.exe

Filesize
109KB

MD5
2fe64d075eb1f07c526dd00fd97bfba1

SHA1
6bbdec24a5c1e23e795870f2795f4cd0a08e8e7d

SHA256
4635fc2768aadbb2df950759e6914065b48224aca1aee94ba339ccb7b51cdaac

SHA512
27254595d7dc9e046fd454e23a0a16f2696590e64b52a1f4955d7b07ae3b53910c84a74f0323cbdd1675af944ddd3b136b7d2b9700ee9ce220c452c695ec017d

Download Submit
C:\Windows\SysWOW64\Lhpmhgbf.exe

Filesize
109KB

MD5
2e1dfe38b3b41faf8a10a3461f86a176

SHA1
72c12d7541fa375de97d4584195295588287f38e

SHA256
2f5c7248058008146c8e01dc9455b98424609111c792d0856eb1ca093cff37bb

SHA512
be3d01455294b8246e927c0e30fe5d51ea573923cc56ef4ea1741380c2d0970110971d614d143960cdc59b9ffb285e87145a554d2cf657d85093e5e9cf403879

Download Submit
C:\Windows\SysWOW64\Ljfckodo.exe

Filesize
109KB

MD5
c160632c0cc110dbf3df518abfb7aac6

SHA1
9119d7438bfd0062583b11457cb3a64b9361e254

SHA256
990e1ca8aaf6622275f11e93771fe579838ab2055d45ea85f5f9e8186e4e7ea1

SHA512
4788c3981eb6eb363a2ad5783b9d61f79ba2a4ef2b81d7e14f5dc0dfa87d2ecfbaa843d5791055b741e0ccab8e1cfbfe59a440adb7f03fd82ae47eb9716fe1bc

Download Submit
C:\Windows\SysWOW64\Ljhppo32.exe

Filesize
109KB

MD5
cb5f439c58ca996bf49b37631d3e0fdb

SHA1
592ab54afc90029c5ab9ad35ce9992e487c3f359

SHA256
25e2884f7c5e83a21cb9b590fa294dea1a71478578d33997d1495bb95fc660ea

SHA512
5ba0103504ee734cad0902808120297baf57874d2b5a8c54584d36c29693f2059ee4b1da1d858ae7d28fa212d8c78093ea68b84773e1a4e2f9ff1a8e05cd5e1e

Download Submit
C:\Windows\SysWOW64\Lkoidcaj.exe

Filesize
109KB

MD5
0d7859b6b3918a90af0de6dd179e0b58

SHA1
58e6d15948687547cb56a76966fbef2e8604b2c5

SHA256
f90de99ab0339748b1db703ee7b4d05508b91ad9afe13ba3c95990260352a682

SHA512
7f380b06e80acdd41c70319f37b17e0d0d1247c3408e26baa353ac48e9bf8e9d6fbd7d3db6e54c4246bd9185f4bc70775bd9b170ec9f6e59260fd718eac505e0

Download Submit
C:\Windows\SysWOW64\Llgllj32.exe

Filesize
109KB

MD5
b15010fad4dd5d0375188fb4e2927202

SHA1
17371c7f56f64ee6e3e47ec25dab8858a96fc310

SHA256
015ef5937a7ce417affd5b82ec897737f6a4da21e442634d2e741b68befbd313

SHA512
e0f9ae4c9bb74629f2fe7a76ea929aea7e6267eb8503a15425d5d6e9e04d977ae58934f42ecf8cf3b2e0eec139411cd35aa2d55ac322cfc0d837ee235981dff1

Download Submit
C:\Windows\SysWOW64\Lndlamke.exe

Filesize
109KB

MD5
1fadd80382ab84a3bcac76c26937bfb3

SHA1
6e1d0205f37146e1f28690efc4c27d00d9bb7458

SHA256
25222d4cf30efe20cee64e97363675d2f5024d552bee44f8e85852526803ec35

SHA512
002c65c84597d6333124b80ade3aba5d2d8c2371e99053d732745e1f2f7dc64c1405cb6f270d8cacad437a57e6e711a576f409c8729f1177d0332996ff8a7c3c

Download Submit
C:\Windows\SysWOW64\Lojeda32.exe

Filesize
109KB

MD5
42ac5349a0c3bf5c7dbb05feb13fd03b

SHA1
73a4cc3a8ad2d37832c46861acdf91123167dcd7

SHA256
3bb53db894553b08057555a5f92fbbe957a19dc9fa166d413a1c3691c0e7c444

SHA512
e8c08585c98ff42f91d5acb673839d0d7a62f59656b2c55bb6b0d01bbf256aa66dbbcb177c49690bab05162fb32a81a6225fa213061a79a1b095341247a4ffb2

Download Submit
C:\Windows\SysWOW64\Lolbjahp.exe

Filesize
109KB

MD5
cb5430bac917bab0de8e1b93225d1a2d

SHA1
5f03ac0cade5e978b33547519ea5ef81da3c18bc

SHA256
38ac0e5bfc261147405586c36f1063a1880b0771741403ceff14deee32586c20

SHA512
3c1a89f3c269ff3baafcc1055337676af4dd88b76b49543bfc4f30e597cdaf946bf4e96f68348b7696da92b92cc6a5674162dd510ea9352307aae1796678c3b2

Download Submit
C:\Windows\SysWOW64\Lppkgi32.exe

Filesize
109KB

MD5
3b4fad7581886c7bdf10a6561008d1b0

SHA1
a17b68781f312fa0f311d09c051a175b4cad828c

SHA256
f62383ee763d7982a3c1f05b176d413ca43e588a174b8dfca8965bcc89294734

SHA512
c43fc90dc5499b448eeb185ae0f0886e3bba0057058cf72996892153b316a8181a7a86fa5b032c684855abc189d190717c8a5b453deccbfe2cbd1633f5169ff9

Download Submit
C:\Windows\SysWOW64\Mbmgkp32.exe

Filesize
109KB

MD5
6ab923ec0eb6a621a01f145f670c9658

SHA1
42808384b1fb92118728b3511a8020f41c4e6806

SHA256
adace2d92f4ce788f246ba8d7369cd4e584cb5090272d586f855e34f4abdd299

SHA512
84a2fb336a4dcaf6a5c84a6521503d1cdd99b7ca4375694b3d675fb51644bb8512c0da3c15e6a280d9f1590b19cccc7d44943f0194298264536d9cb5388077b0

Download Submit
C:\Windows\SysWOW64\Mchjjc32.exe

Filesize
109KB

MD5
a5648ef2d0bb9de703e2e8471c98a065

SHA1
1a5078387c30640b7d7558076c646a59db3d32d4

SHA256
4e5e1e2f775b9132f83642d9eaec5ca2bc16e301ddc34dccbb90ffedf4ced1c4

SHA512
853e8dcff8b21470ccaebadf600d83c7e0230c4ef42a6279d64772736c109d438d60ca93fb9f38007b6dab368a25cf592d56b7a77f52b33cfaa8f7ccd32e222d

Download Submit
C:\Windows\SysWOW64\Mffgfo32.exe

Filesize
109KB

MD5
f74e5dd958c0f65540c10e59d0f1896c

SHA1
6996bf2211b11342f0e0f601d335ddcdd78912b8

SHA256
10cc856d67a0f4e8c0fbbc2c2856758d3c8bd3ce5f5920f98cb8f11eefb9b25a

SHA512
a1858b0b53ecf4b87a6615edf31682057e41d897c42ad9bac834852d26ab605d3471e4a4f2499a390157074ba9d3470f3dafec2d67544a8b048296c2a0bdcd46

Download Submit
C:\Windows\SysWOW64\Mgjpcf32.exe

Filesize
109KB

MD5
099dad5c979e21aab4755e775210eace

SHA1
440d12eee8fade12514fcb19f2521c163a8a521b

SHA256
5dd0b1fc66944f75888d6f02fb4d74b21933ac6388ea1dc05b3aa2c4a288cc0b

SHA512
7f742a5c953ec5e724d7b3593ae9822f3ac1b022e8c8de3f299b4f6e7efdb0e74b7c6492799f5a227b0ebc3307ae0c77d69998f0ff75d760482f23632a48476c

Download Submit
C:\Windows\SysWOW64\Mglpjc32.exe

Filesize
109KB

MD5
f924db9f6183573dc5eb12af38d3f9ee

SHA1
f4d2c442fa242ccb3996cf96711949cdf97e3352

SHA256
0fdc1cdeb98c46f3b327dc6423e872c12e2570cfe4e820a9187864c80e93451d

SHA512
f5ae2f4a2114a3c0f45df85978fa5547f0d69b62a78c907036c4916e6464e04ce772d7b8503179b59d4a7d9152c816a28a44beabf15268654ff92f15fc2c46fc

Download Submit
C:\Windows\SysWOW64\Mgomoboc.exe

Filesize
109KB

MD5
d6a43ed7487a2f39a53d6f335cda79aa

SHA1
7bab821a57e72c0ed85d2ff52ee19f34cee533b5

SHA256
6e0a3c6bfac782a397a58a147e5eb0a763bcd5656e90626d17fa14fa812eed26

SHA512
dc33e60a16f1a482310afc29d4e1dac9f902878f600b28930a593000feb403c5bdadb79a45e0103f825cc465147f6008beec4556f4fe95032255c5a9e673c84e

Download Submit
C:\Windows\SysWOW64\Mhdcbjal.exe

Filesize
109KB

MD5
636e2ac22e89dc6ab8f09e5f5f4c7a72

SHA1
3c8d05bf0992b2c8986da06c444bef827736efd5

SHA256
e66496ddcedf5fe8f6ffe5550de451b266ee616b500c1f4e1a6e620217bf7cc1

SHA512
97c05ca4827d047c95a53fddd730aa6d8abb6db0746d168550223f8ab1f50e1bd089b9bd4df88ef7f79d08ec3b265c9416baa2c763cd0f5729d296b23137702d

Download Submit
C:\Windows\SysWOW64\Mhgpgjoj.exe

Filesize
109KB

MD5
da2f70bac1d61718b116ef307892fa31

SHA1
ca63f6695ac2b003d476d98ad6e01eaa13db51f7

SHA256
bcae329b97446b005cf55be717c27048109bad761265a87a7b4f30cc1dfef0e6

SHA512
d258c8c4ac8bd6f589cd61c8074cca326dab9430b1ec3cf42ce21af8a467c5043406e4e8ef9de0fe7faa32bbaef11752c20cf3d538b65d6d73bda28e5b33aedc

Download Submit
C:\Windows\SysWOW64\Mhpigk32.exe

Filesize
109KB

MD5
f89ed065a57db8253e31a6b11c87cbc2

SHA1
8f655a57e1df3f869a76debc533f70ea78879378

SHA256
6c7968e47a7afcfb4839a812b47af574acff67963a57e11b22606eb5165ca934

SHA512
25dae778746dcea4348dd13354f7ef36c3aacc9eb79f9c39d75374d42bfb98334f9e32afddef0db8ff01c8e717adfe7323a872a4b2ef08769f02878c32f75ef8

Download Submit
C:\Windows\SysWOW64\Mjmiknng.exe

Filesize
109KB

MD5
961ea74333fdaa6debe10a048a97c19e

SHA1
d8951ea68d93e45cb23322470f04f910a7ca8ab0

SHA256
fbfc7f725080ae89df0e38974497dcf67cfb2029162a19cb8eaab748d0a3d20c

SHA512
0618948f31af15812bd2553d2235b3cfd82097ce23d46683266a9a93ca274e2e1e62c0b0c5c4977894d6df21a78149dbc2cfdfb5145ba48c99a057f9daf86579

Download Submit
C:\Windows\SysWOW64\Mkconepp.exe

Filesize
109KB

MD5
74680e475b9b96227442578dd4b699a9

SHA1
1d059ea87eb90e9f59e3089d45e6a53a139c18fd

SHA256
be39c0e33453f0ea37c26bdd2058b912986cf8c714995d79c704c556561455df

SHA512
2a64781f95aef6682ed90a5119bc45bbece2a193bdf401bd3c6a1650dcbc04754fba6e24d5cd0f8ea13156ebced2dd48f21c3f90f8019796e2d2b357e2aca091

Download Submit
C:\Windows\SysWOW64\Mnakjaoc.exe

Filesize
109KB

MD5
4a28d2e70e67483f16d8d885be09a225

SHA1
910ac62801a222ea6ad51f172b971dcf1141e296

SHA256
2c553913ba3254c8519ccad64fe8562376c7a3d0229a268f917456f8916a45bd

SHA512
7dc16f079390e069e9ce5add5bc88076aa04fad7df7dc1426390db5722a5f330467af7bf1e02778660263f6caef6d6b1ea8ba61bdbe78a870ce78d249920002c

Download Submit
C:\Windows\SysWOW64\Mogene32.exe

Filesize
109KB

MD5
adece791984715f9f2b26b5e838301bd

SHA1
4628cd9d6c67bbbe55a637d11a75bdb5bf5318e5

SHA256
30cfef48c8ddadad7c15962453f6e20fd47a7feb64d4b5fb688478d11202d049

SHA512
789c17fca164a9191e9a36475ad776b5a7a446c36d08d46e95ab6618f13a2ee70eec74496b971e1810ac1ba45d2a69048b19eca44aa40199053687a1eacb0ae0

Download Submit
C:\Windows\SysWOW64\Mojaceln.exe

Filesize
109KB

MD5
e3d5c6660d3114c0226be28ea6a91e06

SHA1
dbac1b68c875177cb59d4f3ccca26894ec60ae2e

SHA256
35f7ce6412be9614fc078cb7265f6991dafd99e3f11b40f9db39b4a51bb455b2

SHA512
bcce928cd4fa25ce478eb0d70740e9304f2b0d521413e5d41082f0010b4a8152e8217969dc2efcfcec846c811c5a6a906eb17963bae2041b51952d1c739994a8

Download Submit
C:\Windows\SysWOW64\Moloidjl.exe

Filesize
109KB

MD5
f6f56a59bd9563c35f8dd7b807cd94ed

SHA1
0da5aa65d118bff44566818a755007e4911c451b

SHA256
f7a1e45fc8713081db2a182379b5ba7666f553292490ffbca52a3465abc9ac65

SHA512
79c7baf9100ed97a6e9c5d018df604bb421c82bfd3f433997e89f96c698ff6a2738ed927833a1bc1c6e9b6fdceb5e9eb0a06309a1ca64f33385771747d9d0fbd

Download Submit
C:\Windows\SysWOW64\Mpeebhhf.exe

Filesize
109KB

MD5
b3c5790a201f7574fd1fcc91416ac02f

SHA1
4abd0ac6b9ec5d8856dd6547d00b7f2fb9fd5e7c

SHA256
0a7b9d72fed0d16730317e254edf87bb72818d3d254be29fb32e5e78d81b0177

SHA512
e98d89640fa0da4d77734efce9c6891a31b54bb0073be4286af4b67a7c9e6d9fcdb251bcbc0e1bb6ca8ed3a1068fc7d6eed7b2e427fb027b1eee8d33352d5f3c

Download Submit
C:\Windows\SysWOW64\Nbaafocg.exe

Filesize
109KB

MD5
b8bdac7a4723fa147ae3bb6f39608a7d

SHA1
aa37716e9d32b8767b5f0aaa49e594920c3f2cf2

SHA256
fd738015ccc0e217d8500cf932b08e5218e2636477ab8d9e435349e5b33d4045

SHA512
b311460b02f180f1605177ce9e1da7a29d0283d614310e7b28b2d3d002b3b0956f37cd0e32c04e5f682056c77962ba9ce23a480f4ec78384b488880e7c1c228a

Download Submit
C:\Windows\SysWOW64\Nbmcjc32.exe

Filesize
109KB

MD5
1951ee05ed99fd9329c316cbf30deedc

SHA1
73516132b049a789f220f58837f43d67dad02827

SHA256
1ff14d544e1e06b65278a86ffdccf769aeb25d86ff4aba8f2790ad3eb28b1167

SHA512
2c302ae86cb67027a4f9e5617d8a2d7ba75147cc8c383a0516b5fe2c549e0550522dee46cb146b8be379ba429a74e89e94037715636489c6b958bfefc14c87ac

Download Submit
C:\Windows\SysWOW64\Nccmng32.exe

Filesize
109KB

MD5
48334356e1616dcc8c7f11a71f1b2ecc

SHA1
6764ea5f20ec37e9b7a5bc378246293ba37d7e68

SHA256
688dbdbcea346059998fd5f76be30c62f76dc4bf706f773c7cc90c569391446d

SHA512
39bf97441f5f50dd5cf9c6bed3e6b9f24a50c10914725ebaad2612ffe191b596eeecde73977a9f74eecff73a38109a1487cefc8ca37c8e49d04ea4ac313abce3

Download Submit
C:\Windows\SysWOW64\Ndbjgjqh.exe

Filesize
109KB

MD5
df78399d525132d1c30fbb42e3c0e722

SHA1
931767adb2f5de1a1fe96b575b2c1599ea9f62ad

SHA256
b9e92f5e8c3d1a87ff0d2904e3ec9df557c33301eb7fecd0105f6f5c5524f421

SHA512
b903421316f446faedb393d7dbee587f74a61e3b84e056053d1f40edd2eaea536f6b8f3b624b4fef3c61639bbebed304989d143b9f15360ef0a685d72fe2498a

Download Submit
C:\Windows\SysWOW64\Ndnplk32.exe

Filesize
109KB

MD5
590ec77fd9ddca668981f497e77b7c37

SHA1
e6bdd7480ac1578b0eb6a5fc098ad3d899f39785

SHA256
e917952a3bd95f09291158b3f4844c5bbbb46eb82334ab9b659cc4369aa69147

SHA512
cff519b432203b9cb2b0900c6c31cb6e66ecd2d4f4f55dd3bb7b67c0291e703778aca693b66118e82fc95d9f0fda691f030f71771a7ab9e74a4ae024b2ce4f65

Download Submit
C:\Windows\SysWOW64\Ngafdepl.exe

Filesize
109KB

MD5
cde3a604b6c2749dd5eef85c8ae144f2

SHA1
c6843189e847151b789ce98fdb75b02fefe0b302

SHA256
307b09eb9779fedffef099801f1b4d0d04c981748004b343c1981ae6a7c8b8b8

SHA512
2680140a5d433eae9cabf8e1be9d79d7565625fa53b058c2790ee42e893d1b6691ade17a6b10c96e80e1f8f626b7f4b886f5bfdd6c311c653ca17bceb97d033e

Download Submit
C:\Windows\SysWOW64\Ngcbie32.exe

Filesize
109KB

MD5
5f476a76a45e535fe3750439d727a2ec

SHA1
f87e40bd676837bf73274ec9af131267ddbd04e4

SHA256
8c7ba0cfa165681a7afc659c9c377e0ccbc0e440a4eba269db9f78dd974037c9

SHA512
f9170b78ec9f511d1b661128e942cdc10455fa3ac55e6211d3f3ff6d43120615d2b90155b59103130c1c23ea6325de66d593b2e89e4e5a594da49d95760328a5

Download Submit
C:\Windows\SysWOW64\Nglmifca.exe

Filesize
109KB

MD5
cf28ccfeafd63739f2ac32f2ad4b78c4

SHA1
f8ba41837c3210faebde3f5644cb21e2e9817d49

SHA256
42c80cf6e5092fdfbab448b1f966c1a75b8dcc19ed22124133dbfa652bfcdd93

SHA512
c7ca1240e3ac8f134ef9ead5291a82ee239d278f9e15a5053939da8886c4a2569baefbc402988e6a775644ab1d5b3e8446daba0d1a0ac5b00f437106466d37c9

Download Submit
C:\Windows\SysWOW64\Njaoeq32.exe

Filesize
109KB

MD5
41245e7722fa964e32965e1d70924e14

SHA1
90a4bcc5ad2638cb08b66937f434d6ff1568e9a3

SHA256
72911ce322f995f45a555b03969f5768c81738ba601ab229ec9260d54f5152a0

SHA512
150e2ff77ec4650daefb309c4d1b738adcbd610dad314453a769f7f1c6f25582f9fa7deaf3a4ea585c8980159635203d572da27c583ba8d3c9e13cce8d20f603

Download Submit
C:\Windows\SysWOW64\Njobpa32.exe

Filesize
109KB

MD5
a2987c17e7b98f35b8f5e77e876ec270

SHA1
e335b0f38e2415380ff29c66887f9238227abacf

SHA256
8add9497814ac4fc707e577407bda1073e7d7d67f996703646b801b89507864c

SHA512
96e4a4590be9b3cae18dc47e0868add8f03c541685c3aaa2c803b5673269e789aff86cb8fa1832273db38e533c91a4ddc1f4aaa3faec4c18bd027de51696d92f

Download Submit
C:\Windows\SysWOW64\Nkhhie32.exe

Filesize
109KB

MD5
4e9f3cd18058059f9817f7c6a4ca58dc

SHA1
2582e9ab0b9b293c0bbcd67ee138d05be8c0bfef

SHA256
cc2afa00d09732e3c177975f7460a9593e845604ba4a80a0ec14b62025d25169

SHA512
457336c3d11a607b081da9ad8dc4a639017c537b0d2c4997bbe66aa45c4f9bcde93547bf1ee802afb1eb80a374332d7fb472023a00765248ea9c9f78b83ccfc3

Download Submit
C:\Windows\SysWOW64\Nkjeod32.exe

Filesize
109KB

MD5
7587364ce57ad263a501afa29e021d8d

SHA1
ac3af3f01e3ee8bc50eabd0f855016bb694f4f77

SHA256
c2de888f831b122c81c6c43208603f03c26df06e8b2d0d544ed0c74dd0472d5c

SHA512
9fc457692ad28f5447f2015791c13d84750d87b5c56016ef54ce9e5961b450eac455db262a89648fa41981439ed2065774710109f76ef683c9daab01e9ce3f5e

Download Submit
C:\Windows\SysWOW64\Nmkbfmpf.exe

Filesize
109KB

MD5
4438fd087f0e95eb6927dd4c3c498b1e

SHA1
76b188efffdaa215e49a440dac4be8ef594cb5b7

SHA256
b815552f342b688e274d662e672ea8636e545a03e703c51b649aa51f4ca50d00

SHA512
a99adb47ee8db4d0a63a5e76ad7fd5be794924f0eb328c9a83b4b0018de8639aa7113879c20910be59070367bdfb4af1c431ee2fce8fe14a7704cd211154db7f

Download Submit
C:\Windows\SysWOW64\Nmpkal32.exe

Filesize
109KB

MD5
df873c35af8f73b9090628d3a9876ed6

SHA1
e9482b2f458e873510aac7807bc6573c2979c0c5

SHA256
a992649798a9daa045c49cd185c7939076edc7c90f48f71fa82d0397ca412afd

SHA512
9f6d371e3e0bd03725570464b3f7b688d4379924fd350c6bd2b8d6bfc119b500e318b6e4585ec85041e054822c6608305103235a23bd072e349a94caca24e62d

Download Submit
C:\Windows\SysWOW64\Nndhpqma.exe

Filesize
109KB

MD5
e465314af893b9fdf8cd985ad8e04436

SHA1
4cc7c10f2402d172b1c1342c4bbad28ce4f17f1d

SHA256
991d46c11133a5f2004e803aff2e0b97e49a12a81599bf718e8cdab3cd8acfac

SHA512
321a58e3af9de4afa39ce96c3428369ac2adb5b042ef1fc5c1de95bf1a0418d0659e10c5f2618de7825eea60c50c2d9a15733b3f8e686581a974b76ac31bf338

Download Submit
C:\Windows\SysWOW64\Nnhakp32.exe

Filesize
109KB

MD5
cbae183a514c7f915310555760375507

SHA1
779b10db8aa65e54ceac8ac9473da5cfcaf8a7a8

SHA256
ded4ffffc9c042faf32af9a0313a92bd67df692aa36b674a6b1e99f1f6bc3cda

SHA512
cf61fc72af8c698fe2c29273940b602bbf20e3685bd49b405f09a7aa2f3ed59b190f6d516259eafe494d7f090607c5745169233cb24e6c6dceba76d62009ccb0

Download Submit
C:\Windows\SysWOW64\Nplkhh32.exe

Filesize
109KB

MD5
0491af4bcd673c451a0008eb076043e5

SHA1
2cc5d0b7e22523830b77cd99cdc805ecfff0a10c

SHA256
f1385d27d82c218abea34e3fb39f931110c822013b843a87f3a13678818500ab

SHA512
8c1f0094581673c6c14d239796881927534c5f06b83dfcd2e6dc68e9ae4910db565cbcd7e6b9eb84a111ea03b347bb8e45b989cad820bfeb79d573699063727c

Download Submit
C:\Windows\SysWOW64\Nqijmkfm.exe

Filesize
109KB

MD5
ca7334b45dbe12b6b84ee88f9706f6bc

SHA1
7a2a2f4c84b56ee0ae1cd3185f4f5d0512ef79a3

SHA256
02cecb6ebce55cbc279820fe79b6fa23964114ef2356cede2b94bf20f0336ac6

SHA512
2ac6b640623ea13fd853ac39375ef4e29c40a30f14bb9509e9bfb716c831bdaeceedd8d8ed875e45375ed4a159252af3b4410acbf00b248ddba16e7dba480a69

Download Submit
C:\Windows\SysWOW64\Nqkgbkdj.exe

Filesize
109KB

MD5
09a3699b6fc15cfd06212ef7ce98cb28

SHA1
5febbff203d5e33dd00a7feccf7ed476c1a0bc6b

SHA256
197541378530a3ba21d940bd58946a69229575e92a308c5e19d330f5f6705896

SHA512
249ef77b4d5ec3bc28b265a9cd2af9ce56a5dde155fc4ccae9842d9a030c7ce62a0d3a1cab86758bad0e3dad70bfeef86bd85ea3c36ece45c5adb697af0028cd

Download Submit
C:\Windows\SysWOW64\Obopobhe.exe

Filesize
109KB

MD5
f1e371b68a9536300de596858840725c

SHA1
7ee01be6ca3da572b6725f485f78e86fa74adb7b

SHA256
96aa0acc0e42d32b1244c30ae24c167c98268543ee5b0c374d0873724fda691f

SHA512
cf11ffd9ac7a9672398492fe41a737cfeabfce0592f6d9741c20f86f98f0d9dad675945a3188dbce7cd8f3dee6ce480a4201ceeae7c34cbbbcd6864d0c287933

Download Submit
C:\Windows\SysWOW64\Oclpdf32.exe

Filesize
109KB

MD5
ce8880b0273e2c32dfc27bb48e5d78d3

SHA1
e6081500cea4dfc34970cae548885ef12f77f9ee

SHA256
b6b14a8c66305599da569d7ddf4465c455a769bcfad9e676928fadfa8253383d

SHA512
07bb092549859b3b18c02ae3508ecbd488cda3f3ec9a1356075d4215b1d7d80626afd1f3d7cffe47d74f1e60204482f404ef5827c3b4cbed3c0758e3e881847e

Download Submit
C:\Windows\SysWOW64\Oenmkngi.exe

Filesize
109KB

MD5
b3774255df055a6a37db264302b14680

SHA1
d3e0ad80ee8ebcdc92340078289ec6cd12931282

SHA256
bd23bac9867ef5d2e7424fa3788dfc37fb96b600c4fc188805efb4dda5e2fcd7

SHA512
1e5a1eba7ee4c81a669fc6702b558f7b470092bf22f27d57f19655ec3d5cdafb0c75c48959732bad8ea9743f3767514d2f454ab3c2150e9226b3ed160f82e0bd

Download Submit
C:\Windows\SysWOW64\Oepianef.exe

Filesize
109KB

MD5
3e56dcb799cfab2af9ee90f48967d5e3

SHA1
c80966ba64368fc61c93fe428231c70746737e66

SHA256
e6d3c98170ae33932077c4b9e36ddd0553295d153e16f987341514afdaf3f5f4

SHA512
1809d48a9408c26cccda5e0c0ee70ac86c132e6cc9e03f15394a5290d7a4282a064308b38cf0b902dc0399ae1f5e54909a3d32b371c5641fa9ce9425c219753b

Download Submit
C:\Windows\SysWOW64\Ofmiea32.exe

Filesize
109KB

MD5
b27052fa67959dbd026325e046714b6e

SHA1
f39ceb67f22ae43b98479b44b57e4b67d3181052

SHA256
58b9b1c3b78c3208072d7ea2eb34be27ab08f1372f84947b3ea5eb65c2f5bc54

SHA512
4fd07aec945754fb82c570a0073afa601814a50487a09ab9f6285bceacff1ccf05ec9170f852be3a1ab5db25d99b6c05bf64def58f905f79ee84bb6440c4cd70

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
109KB

MD5
aef832b9285fcd31fd5c87944fc9bac1

SHA1
8cfd4a8d183f92aea5e87474d63bc3c17ba71054

SHA256
84c4848ecda0d6c7fc5c3e7eb7178339ce78af1bae785eb00987d3b95b21a5a3

SHA512
eebc7af8fff30827261fe612d9c09c42c494685d302e69c3f41401d2c1d8756957df1484b7c147891ad3be253c75d9ac18e3a4a45025ed34399f00bb00631b5c

Download Submit
C:\Windows\SysWOW64\Ojdlkp32.exe

Filesize
109KB

MD5
0f5487da7da6e62eaf6e53dd4b82d83b

SHA1
6a6ab406bad1ab590a632864e3bdbc0a780f1976

SHA256
40d0aa4e2071aa97d85f658fb0078616969a933e20b577c2583596a2cd06799e

SHA512
08f632a195dccfbf51548d0fffeb6984cf9a69873069b914330277d65a9fb9ef8cc00af115fc60cf4c4e9e5ab0d6679f46b11f2aa42f8ca08a75099e53035116

Download Submit
C:\Windows\SysWOW64\Olehbh32.exe

Filesize
109KB

MD5
c5f1595270677b34c36228175bd02a4b

SHA1
82f2e3b856440ad45e6d13e55a4bcb7489c7d43c

SHA256
170026b30cebb0f53b255bfe0240ef57d897ec4b294eadec595eb13a5184ab1b

SHA512
3392ee76cef76d7ba52d523338b17446befda5accf54f4214b1acf8cf51af2ace66f0097c25c754647889b66ef829c3c76a9a437929ffeaa346289085658b18c

Download Submit
C:\Windows\SysWOW64\Olgehh32.exe

Filesize
109KB

MD5
0a25a331092d196f14188c3baeb6e0c3

SHA1
79b0319701ce1c36b7c4f10e0fe452e16d8ab410

SHA256
2400b5735d318ca4e02b2d5e712f8dcc3375fdf79b71870b1593a78a6426e80d

SHA512
442770a61555212eff231af7fb52d67dd7539aaa3c6e824d0e7914392ccb2585d2fddfd01da47678ed0ceec1bddba9d658426750381c4a166d2064349c49fdd7

Download Submit
C:\Windows\SysWOW64\Omddmkhl.exe

Filesize
109KB

MD5
ac6ec6ac352f5d3a51caa32ee2ffeaf1

SHA1
6c85259dcdde5b1164a02162130e63b22f5b52b4

SHA256
ebf264d781d17fdf2c441db65bb136f6d9dbece222cf739c08412dd147703c34

SHA512
7f3072e2406d95aaf4c6abb82f60616b0db4f935de844ead3fdb59809c85c62cde946182111fd1f81f7f8c0122a083b83239d5e273a29556384cdd9467a76872

Download Submit
C:\Windows\SysWOW64\Onfadc32.exe

Filesize
109KB

MD5
9998bf61ac29b079eaacbb69dbf51095

SHA1
607c71aaccfeeed48bd5b1dc6d964cbe6eb6a027

SHA256
aeea0ee74d5093b6e17c250f1af19b201c8d0e9b136889fd5e816fa0aa531ede

SHA512
84455ad5b4703f9ec793eb0729cc35784ea6dcbf73b42b6ec32487f70e675afa397459ab13732fce38d7e9ff96f606a58cf1a3997987b0454618d453891b96ac

Download Submit
\Windows\SysWOW64\Kikpgk32.exe

Filesize
109KB

MD5
dee21700ceca5a4f49a9c6f4bd7ab95d

SHA1
25ae69ca022be469df317f09c9c34286a99aae53

SHA256
72373305408a1f24c549c6bba1bd1da30d74484a49c47b560016adc04d5b981a

SHA512
7be1d7d88c551da2edd24492e55bfe6486bf2e6ff7e0a9016212eddb93c9b4abfa4f96768de02320ccc92e5f800a491f7cf1acd861d4487bc2b5badde05771e5

Download Submit
\Windows\SysWOW64\Klimcf32.exe

Filesize
109KB

MD5
90bb2ff2c4222a39bf1b05a5e406be19

SHA1
05dc17e620306840a75e33e1ee2b4aef7e3794cb

SHA256
3e1ffee0081616076d9ae08a8ef1ea2f8e7efa1614d9d3b1200138eca082a7e8

SHA512
835361d81908dacd57bcf78ddcf638d4a2821a892af48ceaebe9c59f65ef1cbb0431fc8f24267536323a6b48f311ee2b2af595cea7694086e9de09c957d263e0

Download Submit
\Windows\SysWOW64\Laknfmgd.exe

Filesize
109KB

MD5
e4fc26447f30c2e24d456cc13df1dd43

SHA1
5f9922211efbdcb4d6dc7f0aa7dd09b2da162071

SHA256
f8d8a514c3e665ff60356b97d88165ae7bb3bb9353e3918c39ee60c9748fe56e

SHA512
7bad9d83f141d981d729dcdec501342e08deb335a740075b77a11b451b3f5f760fe6f9d0d0ff6dd7d2a95e7bf4ecc98ffb80ad5b3afec0395d6c745912d0fb8c

Download Submit
\Windows\SysWOW64\Ldikbhfh.exe

Filesize
109KB

MD5
2edea01468223f567b5cce7e08a834bb

SHA1
69dad9522eae2915e183a9c71e1ebd0919e024a3

SHA256
f8933579ab8849b3afd07d82ccc81e1747a0d909122f16aabd404ac6eb5b0b2a

SHA512
55657d3b35bf23f9f8b2bae4599c09ca8bc64fb7495d338a08e8aca152cfbd8c7784e835223d83c654f0973d43688a64e484bb094e0cfead1c844d8d8c7bbc4f

Download Submit
\Windows\SysWOW64\Lkafib32.exe

Filesize
109KB

MD5
fd78c1fa93bde8d87ba008580f3ac994

SHA1
f286dca20aeda2ff0f694e0877600ebc83decc7e

SHA256
20a98e823126ae211ac7e83af227ab2618629664463d7807457ac0b3245719d3

SHA512
bbadede063f3d36e31c55912a6d8811f9db077fb86675d54d96de2cf68949ee03ceba765bb8e643e36ac5cf536a89c3c540b6deb73fcb9f2c3035ea7df35ab32

Download Submit
memory/548-432-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/548-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/548-433-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/576-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/576-375-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/576-371-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/696-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-186-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/800-199-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/800-200-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/1284-290-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1284-289-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1284-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1348-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1348-424-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/1348-423-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/1444-437-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1444-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-441-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1464-21-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1464-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-127-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1576-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-306-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1676-304-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1696-367-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1696-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1696-368-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1716-499-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/1716-486-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1760-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1760-180-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/1860-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1860-283-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1952-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-269-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2016-214-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2016-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2016-213-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2240-462-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2240-463-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2240-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2272-396-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/2272-397-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/2272-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-40-0x00000000006C0000-0x0000000000704000-memory.dmp

Filesize
272KB

Download
memory/2284-247-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2284-248-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2284-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-242-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2436-484-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2436-485-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2436-475-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2440-227-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2440-226-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2440-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-322-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2500-473-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2500-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2500-474-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2504-258-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2504-259-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2504-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-312-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2552-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-311-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2616-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-343-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2660-456-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2660-455-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2660-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-353-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2728-412-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2728-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-403-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2772-332-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2772-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2772-333-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2824-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2892-389-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/2892-390-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/2892-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-13-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/3036-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads