1d8ee9ecb754599c1368531054387bfd00b052d311e4e9cd78b95917ec90885f

Analysis

max time kernel
96s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

379fc02152a528ae8efe9cd84899e9c0N.exe
Size

76KB
MD5

379fc02152a528ae8efe9cd84899e9c0
SHA1

56f6ed46317ce778ea1b0ea75374b75f528f0f83
SHA256

1d8ee9ecb754599c1368531054387bfd00b052d311e4e9cd78b95917ec90885f
SHA512

5f57c735f72c369f45b3eb2abaee256edc3f1487414d0f4b176c29bc7873ce016a1abc8256d11acc9a1d4c8bc313440e53ebe360f43786603dcc5aada61f14ca
SSDEEP

1536:KUU3hIdpnUepv3tOZt1zisWYZ2aRKjgPYlRXHioQV+/eCeyvCQ:i8x/wt1z6aR2XHrk+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe

Executes dropped EXE 64 IoCs

pid	Process
3836	Mgfqmfde.exe
2124	Miemjaci.exe
3576	Mlcifmbl.exe
2336	Mdjagjco.exe
824	Mgimcebb.exe
2624	Migjoaaf.exe
64	Mpablkhc.exe
1700	Mcpnhfhf.exe
2316	Mgkjhe32.exe
3768	Miifeq32.exe
5020	Mnebeogl.exe
2172	Ndokbi32.exe
1396	Ngmgne32.exe
556	Nilcjp32.exe
1140	Npfkgjdn.exe
2976	Ngpccdlj.exe
2788	Nnjlpo32.exe
3300	Nphhmj32.exe
3628	Neeqea32.exe
4208	Nnlhfn32.exe
1364	Npjebj32.exe
3684	Ncianepl.exe
2920	Nfgmjqop.exe
772	Nnneknob.exe
1028	Npmagine.exe
4564	Nggjdc32.exe
1496	Nnqbanmo.exe
4348	Oponmilc.exe
732	Ocnjidkf.exe
2200	Oflgep32.exe
1152	Ojgbfocc.exe
1688	Olfobjbg.exe
4648	Odmgcgbi.exe
1580	Ogkcpbam.exe
4112	Ofnckp32.exe
216	Ojjolnaq.exe
208	Olhlhjpd.exe
2668	Odocigqg.exe
4924	Ognpebpj.exe
5088	Onhhamgg.exe
4836	Oqfdnhfk.exe
5032	Ocdqjceo.exe
3104	Ojoign32.exe
1228	Olmeci32.exe
1492	Oddmdf32.exe
3580	Ocgmpccl.exe
1340	Ojaelm32.exe
3296	Pmoahijl.exe
3632	Pcijeb32.exe
3380	Pgefeajb.exe
2252	Pnonbk32.exe
412	Pmannhhj.exe
4960	Pdifoehl.exe
3612	Pggbkagp.exe
1940	Pnakhkol.exe
2340	Pmdkch32.exe
4752	Pdkcde32.exe
3816	Pgioqq32.exe
3704	Pjhlml32.exe
4360	Pncgmkmj.exe
1600	Pdmpje32.exe
3168	Pfolbmje.exe
3668	Pnfdcjkg.exe
2904	Pmidog32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	379fc02152a528ae8efe9cd84899e9c0N.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6828	6732	WerFault.exe	249

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3836	1596	379fc02152a528ae8efe9cd84899e9c0N.exe	83
PID 1596 wrote to memory of 3836	1596	379fc02152a528ae8efe9cd84899e9c0N.exe	83
PID 1596 wrote to memory of 3836	1596	379fc02152a528ae8efe9cd84899e9c0N.exe	83
PID 3836 wrote to memory of 2124	3836	Mgfqmfde.exe	84
PID 3836 wrote to memory of 2124	3836	Mgfqmfde.exe	84
PID 3836 wrote to memory of 2124	3836	Mgfqmfde.exe	84
PID 2124 wrote to memory of 3576	2124	Miemjaci.exe	85
PID 2124 wrote to memory of 3576	2124	Miemjaci.exe	85
PID 2124 wrote to memory of 3576	2124	Miemjaci.exe	85
PID 3576 wrote to memory of 2336	3576	Mlcifmbl.exe	86
PID 3576 wrote to memory of 2336	3576	Mlcifmbl.exe	86
PID 3576 wrote to memory of 2336	3576	Mlcifmbl.exe	86
PID 2336 wrote to memory of 824	2336	Mdjagjco.exe	87
PID 2336 wrote to memory of 824	2336	Mdjagjco.exe	87
PID 2336 wrote to memory of 824	2336	Mdjagjco.exe	87
PID 824 wrote to memory of 2624	824	Mgimcebb.exe	88
PID 824 wrote to memory of 2624	824	Mgimcebb.exe	88
PID 824 wrote to memory of 2624	824	Mgimcebb.exe	88
PID 2624 wrote to memory of 64	2624	Migjoaaf.exe	90
PID 2624 wrote to memory of 64	2624	Migjoaaf.exe	90
PID 2624 wrote to memory of 64	2624	Migjoaaf.exe	90
PID 64 wrote to memory of 1700	64	Mpablkhc.exe	91
PID 64 wrote to memory of 1700	64	Mpablkhc.exe	91
PID 64 wrote to memory of 1700	64	Mpablkhc.exe	91
PID 1700 wrote to memory of 2316	1700	Mcpnhfhf.exe	92
PID 1700 wrote to memory of 2316	1700	Mcpnhfhf.exe	92
PID 1700 wrote to memory of 2316	1700	Mcpnhfhf.exe	92
PID 2316 wrote to memory of 3768	2316	Mgkjhe32.exe	93
PID 2316 wrote to memory of 3768	2316	Mgkjhe32.exe	93
PID 2316 wrote to memory of 3768	2316	Mgkjhe32.exe	93
PID 3768 wrote to memory of 5020	3768	Miifeq32.exe	95
PID 3768 wrote to memory of 5020	3768	Miifeq32.exe	95
PID 3768 wrote to memory of 5020	3768	Miifeq32.exe	95
PID 5020 wrote to memory of 2172	5020	Mnebeogl.exe	96
PID 5020 wrote to memory of 2172	5020	Mnebeogl.exe	96
PID 5020 wrote to memory of 2172	5020	Mnebeogl.exe	96
PID 2172 wrote to memory of 1396	2172	Ndokbi32.exe	97
PID 2172 wrote to memory of 1396	2172	Ndokbi32.exe	97
PID 2172 wrote to memory of 1396	2172	Ndokbi32.exe	97
PID 1396 wrote to memory of 556	1396	Ngmgne32.exe	98
PID 1396 wrote to memory of 556	1396	Ngmgne32.exe	98
PID 1396 wrote to memory of 556	1396	Ngmgne32.exe	98
PID 556 wrote to memory of 1140	556	Nilcjp32.exe	100
PID 556 wrote to memory of 1140	556	Nilcjp32.exe	100
PID 556 wrote to memory of 1140	556	Nilcjp32.exe	100
PID 1140 wrote to memory of 2976	1140	Npfkgjdn.exe	101
PID 1140 wrote to memory of 2976	1140	Npfkgjdn.exe	101
PID 1140 wrote to memory of 2976	1140	Npfkgjdn.exe	101
PID 2976 wrote to memory of 2788	2976	Ngpccdlj.exe	102
PID 2976 wrote to memory of 2788	2976	Ngpccdlj.exe	102
PID 2976 wrote to memory of 2788	2976	Ngpccdlj.exe	102
PID 2788 wrote to memory of 3300	2788	Nnjlpo32.exe	103
PID 2788 wrote to memory of 3300	2788	Nnjlpo32.exe	103
PID 2788 wrote to memory of 3300	2788	Nnjlpo32.exe	103
PID 3300 wrote to memory of 3628	3300	Nphhmj32.exe	104
PID 3300 wrote to memory of 3628	3300	Nphhmj32.exe	104
PID 3300 wrote to memory of 3628	3300	Nphhmj32.exe	104
PID 3628 wrote to memory of 4208	3628	Neeqea32.exe	105
PID 3628 wrote to memory of 4208	3628	Neeqea32.exe	105
PID 3628 wrote to memory of 4208	3628	Neeqea32.exe	105
PID 4208 wrote to memory of 1364	4208	Nnlhfn32.exe	106
PID 4208 wrote to memory of 1364	4208	Nnlhfn32.exe	106
PID 4208 wrote to memory of 1364	4208	Nnlhfn32.exe	106
PID 1364 wrote to memory of 3684	1364	Npjebj32.exe	108

C:\Users\Admin\AppData\Local\Temp\379fc02152a528ae8efe9cd84899e9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\379fc02152a528ae8efe9cd84899e9c0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\Mgfqmfde.exe
  C:\Windows\system32\Mgfqmfde.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\SysWOW64\Miemjaci.exe
    C:\Windows\system32\Miemjaci.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\Mlcifmbl.exe
      C:\Windows\system32\Mlcifmbl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        23⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        27⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        36⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        51⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        62⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        66⤵
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        70⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2000
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        74⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        79⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        80⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        92⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        96⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        97⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        98⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        100⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        107⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        111⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        114⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        117⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        118⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        122⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        124⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        126⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        129⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        130⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        131⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        134⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        135⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        138⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        139⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        141⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        143⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        145⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        147⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2120
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6184
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        151⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6304
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6560
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        159⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        162⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 404
        163⤵
        Program crash
        
        PID:6828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6732 -ip 6732
1⤵
PID:6804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
76KB

MD5
ba4e1c094323d90824225f95804187cf

SHA1
0c37663f854a606c74357c11b08237a01f18ce30

SHA256
3b1bcf1f186a06240e64a2fa810caa6397359cc9c3d0a08e06502089eed2358f

SHA512
332a7f173bb42f59b8d7de6c1f6226b33122871a1f8b3d8fe4890f055932e74473b2e56b72a5c31fbab72b90afb92f7cf15c432a50975648da5a88cb8ff14e87

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
76KB

MD5
b89328e2246230753288ab2548ff4966

SHA1
2a551bcc2c0591a287099781d476d7356c007f55

SHA256
289b98199f3265cecb5f0940eaaa9bb5734e15d089bacdf33072f9bcdad0519d

SHA512
57511d99476c6e34b1b1a8f56f54e51aa5f8a6e869baa521b08e6b13aaaa45e47cd5891b45b74ffe6e1e126c904842c8cf02757e359372de72f2a201b15c333f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
76KB

MD5
9f078188fb98e4ecdfafb04791667011

SHA1
8779a02c8c05240443035a7c276236faeb52ce6d

SHA256
7f564f4597fe00a939c951c5541f2f9a4566f07b61afb7de9c1d0e386f8e0175

SHA512
38c732b8735b8837da984d27764b132285f88124b8005acb1f1e7a6bc62655d75f6188deb964a107fd6ec28ded4dbe9e313836c5603737a564597b96f243593d

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
76KB

MD5
4dbfeeae3da6c70db0aff2ca3e73f729

SHA1
b1cefb4ba4d471999eded7be97cf92d66641ceef

SHA256
c03a3f05f1cc51f2064a6dbdac1e536794ee75508c65d68a0e8d3320d058e796

SHA512
3afaa7cde1a23b87299502c688d4d7628dc788503a118fd96ad1c54acfb0579af3151f228cbaa7db4ed59e7a963196aca36a65b8def9c902a7fa82273817ba54

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
76KB

MD5
d4a9aa312a210136875c6ee4d6fb37c1

SHA1
ca8dbb634d0fad34f82d231d03dc28d5db3caae3

SHA256
0fc96665424caa0fd54f0ec6f80b37cebcd3f0ce2d8c0063d8cbddac0e03fada

SHA512
3e9f80373c23e1b1736eca381fb7752057be172ffda398fcc5e23bdbfa4c74d74ee3ace6d71c29830c263255800dd2d2520d15edaa8b1a136a97942f8552c0a6

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
76KB

MD5
1359d627b0953a4d8b81b27d54d990f6

SHA1
798a3d6bed9016a79da58b6778c347cd35bdb26c

SHA256
8d41a0e509dc3a6174e700eda58699af86914e0a860417397a9347915aee2b96

SHA512
ebbb5e2a80da9fd7049339172fb3ad403301a09db34023e499d968fcd90fa1f700d1db3eeb682486f39c31653672d218a5402f3703ad292d299f509960f18c60

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
76KB

MD5
a77a35e3e16ef4b40077f8cb04bb1480

SHA1
570fa0e74aad0799bf601329887fb6c95c9404bc

SHA256
4fea02149a5e87601eab8eee4004d5c9f807c2bfa2cd5bc6e596a96912078feb

SHA512
fd4616809a142dcc49fcfd37cc0efa60c979f3c0f54d64e5ef686449fd7d929600376f6e7d86688a1eac93153f6d0d0c2b91ed5e8f90fff39f017366a7aaaebb

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
76KB

MD5
c32f850741bff9be1ba89101caa98a8a

SHA1
777ce35b3035fce6af1c274edbbdeab3fcaa9066

SHA256
d9bca252874d9fa60abbe47d77da1d36965ee3320d2aa0644023a07f3535369c

SHA512
710663e6ff2aad966c7b2e43da323a10bdb8b2dd25e3bb3537079ff1f700f9579806b08af81c5c2086689fe452a1e847ebc4ac2c6cce436901f32d5c457c537b

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
76KB

MD5
98e64ce197a4699bb82d5a049f7d8f13

SHA1
77c30b2a592176469927e944ed904d5d06febdaa

SHA256
ee8bf0d8b1162251f8b85bdc5a3b14d3cb46572b8caafe3ca412fd1f68f8cf00

SHA512
65529e69eafffbb3a040e6cf2dbbf52c34ba5fd073d3376dc2deba1b8cb0cc18fb1a9833ba949ebb6400a53e14483b396dad001cab29474cd00f97f3211613ad

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
76KB

MD5
4055cc7f7119681e1a1f93282fe8c67f

SHA1
d6e222a591f2983211a0f114e7257b227ecbd8f6

SHA256
16472922cd19de6c08e78e5a5aa1cf19996ec033772bde6013108a24552eb57e

SHA512
cf0e318ce9245599362da687f3cfbd25c1b2ae4ea2e51ef4bb69720c34c17cdbe0d834c3b7a139f91bbd1cc309ffd3186714c9c15a6fcea4affdba8b8ac155ca

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
76KB

MD5
088465087b42933a961a006dd560b8c8

SHA1
47d3ecaa95a5bb5cbcbfb21451b5b0a28a7772f1

SHA256
f9de6c048c4dfebd98c0d35c6f9f6a55c4c584080fb3f4156bcfb75de4eeb4a2

SHA512
235d066d7c5e6a84f0a88519f30efe7d7566e3ad94b903621bb249d9c5fd50bcfd92ada59d79ec7ed815216ba686e7bd2ae6b05df4f0b552d3048942244089c5

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
76KB

MD5
831113a5c68d3cb8d16b0285604d4eda

SHA1
bf3081aa8807a0e90df651ae1eed33baef59e689

SHA256
c7ac1c5e5a2ba30359fb967ffdf11f65a3e08f3e611e8d3bba47289c67cf02a4

SHA512
6b55a5e281d44d12826d941ea5f92ffa5ba44d357fc39b3255f3c3a5863761145d4463f8c06497d550f0490b2807947b5c0380898a5bf1fddf9dd8201be55005

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
76KB

MD5
758d4790e6bdfceec9b0ee1fb1dd041c

SHA1
c0b9e99bc4b40d6610e4654f0cb3deced6d0749b

SHA256
fc85c8e451055ad896cd143a896b8de2cc191f0b07b9c43334193457178c9b08

SHA512
acbf6ef1ece679ed7f2ea5019f85b69d1102925daeec0c9e60e375655d28c555fe52973b39992eab82a34156f233a947fac6b7f75160463e65313bca81788e91

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
76KB

MD5
e16a33d2fc52e6ac4172677ad52ef372

SHA1
5997d8a6c8b939825b23abc3c1b8b5dd85435aea

SHA256
e3699d2c4947fff0c0d19df84a452b447d0f44640b7bc797d9de45065a5c2973

SHA512
eb3e6f4ac86eb89a173ee80aaf13dccb5530cd8162ca1e04ea347db96a8971fc1f6304922e0504f103e7088a1f21552676b84b07171bf2c1013c27bbafe792ed

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
76KB

MD5
e6012b69926ac33c7bb345b73c593be9

SHA1
4e99fa5105567e294b068bb40e391900dd8f734e

SHA256
f99b89caf7cd10b5adbfd40a1c2a6925f3f863d01b2fbba23aa83f43a88b393c

SHA512
b27cac1a765f9ab4bc3184433a94642a6745c9ec7e938d3d4c13bcc3baa76e91db26b75cc5fe0a5c0a69aea88dc0ca8c59817edd03f84cd7e9be3941fcec6bb6

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
76KB

MD5
946f508299efd1adb1dd20dcfcb06ca6

SHA1
9551a8740a4aacf0ac6bd9683f4244ab9e761540

SHA256
4e9398cc6e2aa2250ac2c2ddbea185e1084d24a69446925030072b0d4f7f91f2

SHA512
f248f6062ecd303ccde5ea1c8b72ec3172e48c6ef51f248004a046f280641badf808500dcc2182e1585215d349db27ba49a3e8801fc30a54cbe08db7ea6e3b44

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
76KB

MD5
7911c19de7257fda20e5437469c6ab4a

SHA1
1eda257c48a1177ae860802dffa4ed85f4284319

SHA256
ea4afe961d666229e21b28edd51e82704eb636058f0f1bd300f564460f97c95f

SHA512
f8cf943b3caf2fd93d6c81e6cd27f6b53487cdbfba8f49ca56db2f85f5e37f88587996dc83733d385cd47e3ab48bf77df2cc4efb2e3adea127543dc469f26b27

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
76KB

MD5
c499da024e2898f325f14c84c79d9073

SHA1
c673baaefb372477f8dbe4b8ef187cd4f5d772b5

SHA256
67d52e87d9c68f43dc5e6ad8b6eaec4f720da43c611844915a3a209aa333d0f8

SHA512
a12969f216ae44b2f4d5d33060537a9a58773aac11e1a9818d48b9c8f892b71eb81ed95e69b29fd01d3ac2bba921f2e57d8c85bf6f16855e1815e93ef9cb38a5

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
76KB

MD5
738cda34859799f21d1894045c33964e

SHA1
35571cc8ae9698370fd97b44cd0a37a5c418c295

SHA256
ce1f8f7932c2fee7bec9e15e64952941d62b61a20d9eed964f298ff5bcb13418

SHA512
2de54a6bf4c72b15ed0207c19f58c67b3ea13d880a351f741239bbfb11e8972acd1072261516ebb5f9406fbcd2dde473ab8ee8d059316d9249955378885ef657

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
76KB

MD5
da287b35e19b070f4a36178707d58cd5

SHA1
020d464865d0430fe6f6c8cb3f6582999e1e7552

SHA256
4b96c026922e592cb5c89dd31022f31f1331bf3049c586a8aa5b5fa65d3bb70b

SHA512
f52bd147ec141502a1f14070bd6ed5f5a4aa76fe05855c095505c039c9fbbf696511bae4ca60b4e187fa4f6aca740913c4bd6834fa2d516d68381f4e45dad9fd

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
76KB

MD5
b960822bdbdee023749c75f10c388bc5

SHA1
a19a306219bc39b427b17a7accd454a7ef934489

SHA256
0158f483e8e91c4a0d5a834ce7cecc6020d3b656a3f88d719e709d743386a8d7

SHA512
bcc75fc170b9a51cc78c9601187e3ce78fb6ce1f743225d10a98747fb9eae7d44527ff3a20d6e569da7f42b1ae5e8fb58cafd294af8c76f0d001746e3adbae5e

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
76KB

MD5
0be6062332698d6e322c4e5e25012e29

SHA1
40c050d38bd02ecce5d6f5c9119e0335a4095d91

SHA256
72b6ea472850291bf7b8ccef70961a9a5b721903770d81d5a9a65f8e635a2bc7

SHA512
94a178b31dead73d8ecff74551a91090a2517e00f5d773d5a15aa54ce8dbcfff1b7e4dd5d6700ea21875364249b4e1a77327ed86988c6fc5011c66340b817281

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
76KB

MD5
5c22898e3584b436018038a30f8bca56

SHA1
84be53e13d9fc2b9cac499f3edac32f9e4544fb4

SHA256
a3305059ca25d04e4150340f0b6e33f389896ebf8c4f9808e0921aa16c7746bc

SHA512
3b0983eb304cab9fb9321c18cc92f9d2f7837482cbbb7c919f3458d61877149b17a9efc545f512edfd34f1de6571355642bb669b975af3c45f1f82823df252c5

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
76KB

MD5
73a10d8abce6e7b4c8d0610fe3b9b2e4

SHA1
e1d7fbb99d99b70752a937c6c2e77d988c6eb416

SHA256
0bee90d7c769b525ba309a46a4ccb4a2a33fa2f16c658d703a3f12da1bbc51b8

SHA512
4e7d7dff0f9b801797ac0f304bde6977d93fd684b7d9fed39870be6697f4a51591ccdbd9fc80c5bf704b8c0520c8e8f6ffeedd76eaeadcc733fe49c6fdaa1106

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
76KB

MD5
eeb5ba7881f65be2094e5933d6c6dacd

SHA1
26118c99ec325245ae94a4e821f38875636803cb

SHA256
24606cf3132bcffc8fa4d41ad123d73b36cda07b8e172e219d323472b917a940

SHA512
c16519ff80547d7cfc4eb8c29823c69364dfd7bbf60b8e59c4a91e0badf9372d85e8dbc70e3e86f78eb07d0fbe4701600bfe3a75f3ae1b10628ba9dd1791f77b

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
76KB

MD5
65931561156eab29fbb1ec22fabba139

SHA1
8ef347b022d6e46bfe633149daf02cc350941b9c

SHA256
5dcb4225112ea5cf7ee53be904219c73b5c92796db9e9e23215ef1a902ec5169

SHA512
c03692e681715e28b294fc7da0c9d957fede65871e2355a9a96f227f3dd200c4a3ee1ed3a914228ac61cba74b2353475dd4ae2a952209762f906f1b99ccb85e6

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
76KB

MD5
f7f2aafcd02da3072ca65451bff26170

SHA1
020eb9c9816825bb828a0f348f2f4885b28ecdec

SHA256
42b5e9976c5a9d3e7888cb87b8d6967188dda6db77cb9e06064dd0b539ce76a7

SHA512
3aa2fef928f03069bb905239ce5328a28cf3980028852a673b5720c50843dbbae0a0d6f7ea0b20ddddbed8a0e06f41dedfb96b763c5517c26d3de642f2cf7e83

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
76KB

MD5
f5c03d356f2474f1d152c7e4bb8c672c

SHA1
1edaa8006b549fa2d9eb5377b10db04dfc0f6aec

SHA256
4ce664b3fcdb94d80b1125f2211088a30fa71590affcfd3b87b7ac08fbf12303

SHA512
2c09b0fb0847afea4b57dc0814d554d293a1601f859db8d805ce6670737a1b77594dc03d7f35c9cc895de79ec1352d762c3a70376b05db08e0e572336dd1998c

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
76KB

MD5
8feaa57afafdca3983845712a55e6b11

SHA1
1a8a3b5f52affd830776d647210c57874f21062a

SHA256
6205151d9c05cbd5ae8017f94547ebe8cbf800c8a592bf03e53056e9e005301d

SHA512
3016065b164c649f85ceab2de97909b5169c6675d9e44e2360cbc00565454bdc1e96333ec6a4be00590e2e1f3e3787c9602aae112205ef1044bcccbe6b82eef9

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
76KB

MD5
c5e61329fedc383819b2d3aac37c02ff

SHA1
3580ef5b1a4bf81abf5e376bdac40c7dbe37907f

SHA256
261f76f3e3f41383e087e71688e28f21b6009c66aec004936740a1c2809c8d4f

SHA512
be857ed317439ef38ebb1f23636f4490a8469bfd30f6aee155468c50aa5d77c2e25ed1e019cab660151de6fc9e3476502f7bda42bf23c661ac8839a1579bb835

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
76KB

MD5
68848811471e0a40da17a916634c782d

SHA1
5778d598abc9e03603f800af5a115ceba883307f

SHA256
4d963926ce34432a1987a1d1d12d401c75d4012f986f248e4ec923b0b15ffb88

SHA512
7f4ba5b5c34bab073dad5e97c64d95434d1cee5db49fb21873f73513a6eff2aacd10786109867dc40f53294ef98069e5c0fd876c81183dddf59c0497c6e76a93

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
76KB

MD5
4cf90160f0f94680dd4f0bcf3c61165b

SHA1
037c03192e75257015c9f5ee801dcd805d03b457

SHA256
68f651406f8c53d8007c8a2d2f55b21c7489fc0d6d13a4b0bb1683c826935f6a

SHA512
e5390aaf97883b51a516a3b78d46da1391fa6e506a278a19b4dd3a90bc6a4378b86f965d5d6d7ba2826dd7c3bf2f81d820ca066451756bbca4456aa02ab91ddf

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
76KB

MD5
339dbe3daf8fc06c7c6e55a2654d0534

SHA1
12931ab6e51a881be81643759482f4dec3cfd09e

SHA256
02cd338abf9b87886102b2167bd948d8722d18db17c1ca7d52a90001dfcb828e

SHA512
7bb567e43399d7806142f9ec8d8eec380c6d3642549aeae6e7e7a58adc8754d7fe9d7162276e4691e83e38c9bf114528675643dafdfd414c455d48c77decad51

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
76KB

MD5
32952009aabf32a239d2b43ebdd547dd

SHA1
d601e3e245264896d4ca2202111117a817b404ae

SHA256
a47f5a36fa1c82e44d7aaabade5b72cbae11fd219958fb88ba0f1fd2427102c3

SHA512
b7d556c986bd37c43fa83189759526ee5374770173bcb3f0ac0b6af8de4d2706eb9f808a63efacc45b9e834db0a2c0e49c571809e8fa129b995e4865bfa691ab

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
76KB

MD5
61383beef97d7b9c946c97f1237afbb1

SHA1
a64e361c863c56110b6d5e2c41868bef59b7a9c0

SHA256
06d1adf94c120036ba7d55260cc437f3f831de271c2bc9914539bf3d62497dd9

SHA512
fc1377581a14e01a7bc85ea2b754c3050b4ed101a5c2e58c8fdb87c26b1ea9bbe729fe256a83f9c7f2c15bb918076ac017ff4c5388b73f94ed5e8d90a30653c7

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
76KB

MD5
c3f23b0298d4ecfd938c06bdb079453e

SHA1
49ab4844a30e7473a876c3c84b81483419c7532f

SHA256
18c480d65a3d6a3e984b3469c595ae74ad400d14ed6d83e59fc61dd7bfaf9401

SHA512
6a6b2a781306ee604e4bf5b532eae0c0fc5af6bd2b7e857856e1766aeb9c2b8f21a56aff1af3dac69727df2a6a5e9fbe6ef7b9d7cd83d59dd0c9b87f65e16ea1

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
76KB

MD5
44c8b7f88b61d3906165f013d99dcf8b

SHA1
d8c99680f944a950810890e73ff62f559eaf96c9

SHA256
7243c3851064a0cc0d8b2bbe6471db63410f984bf717afc3bb0e99cd7807e793

SHA512
b5c2d0f17c70363baf753ad436dca321c646af16fc3e433d8c1f5ddc8f1eca873050e247eba18463fa29eb872f1dec45247bae55b7c6081c9f5412668f0ea38d

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
76KB

MD5
b37a0bfaf310e85bc876db116bd4f5d9

SHA1
24b0d00e58962492d7cd2dcc068dad345243d670

SHA256
ff79ec4b38ee77e2adac5534c760d028646063b5b8311010a6ca0296b93a8c06

SHA512
5da6ea4de06b0c0997249c868c1c691e77dd8ba7e6636dd47c2bee4774b909c4649feb4b57cc5f24cdb8a82dd3dc736ccc7990f08bbe0fd7bd6b5a0311c2bfa5

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
76KB

MD5
e0487ca62d8085ed6b578ba637a2291e

SHA1
3c896fe07867c4f5f2705ae92cf43a544f8d8464

SHA256
e250da4329439abf7768fc393afacf5d0793c6e975ceeb80339568a56ae2dd7e

SHA512
200fd740c271a840c774d06693a8d1ae67fd734babe332cfd0a5d995cbecce5cbc471e0257216efb76ecdf79f38f00da1b44b7f7bca290ab24bc92a91a633ad1

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
76KB

MD5
056224c11c5cba9c261265782c6a1b4c

SHA1
df5f9d8bd705df12d1560017e8a61df059903be5

SHA256
719b184aadf1bf094c71abf20189d9baa67440a4ed3d9429b96adce171310ee7

SHA512
ca61173ad089c7e8b74ae3c9757f0924c3a6f792d7f32bb6f4b8ab570cdde9785fb3cff379c2b7cacf571125366795de52688077499e4d47b16e98d691dda585

Download Submit
memory/64-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/64-597-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/824-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1340-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1596-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-537-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2168-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3684-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4960-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5140-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5188-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5232-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5276-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5312-591-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5364-598-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads