079a3e1f4c86eccd30c7366fb6815a9fca79bd655f1534ff42d4ff8af90e94dc

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98ed989a3ca9fcbc39ffd4ba17620ec0N.exe
Size

208KB
MD5

98ed989a3ca9fcbc39ffd4ba17620ec0
SHA1

e31c1ba55b862274556beee3ec7323e3164ce43d
SHA256

079a3e1f4c86eccd30c7366fb6815a9fca79bd655f1534ff42d4ff8af90e94dc
SHA512

d0deef1f5616d348197884f5020b86764d895ac4160331d8aad2825be56cdc2694882cf95053d6bfeeca1b773ee29f2ac00dbc00354f2cb9b5a04eabc1c89130
SSDEEP

3072:vgZSUV2ekg4x6HOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJk:vjc2ekgo6ulrtMsQB+vn87L5Az

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhgke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbpolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calbnnkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deqqek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiqomj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohaokbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbnknpqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbijinfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnblm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnhjig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglnnkid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjiloqjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpfko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkedbmab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppamjcpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dilmeida.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eejcki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpfko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okbhlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnjgog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnkbcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhppclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdklebje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaofedkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegnol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncanhaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdflaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajjjjghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjnbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaejhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgihanii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deqqek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejdonq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dicbfhni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eangjkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpchbhjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpedgghj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgjcfgoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbbdip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkiaece.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhpge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfmpob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjkiephp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odcfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pklkbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmlafk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oknnanhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phmnfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcmeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgejkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dagajlal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbijinfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niglfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odaiodbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaejhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckoifgmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngipjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbkgmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnbapjp.exe

Executes dropped EXE 64 IoCs

pid	Process
2952	Mpchbhjl.exe
3904	Mfmpob32.exe
4228	Mjiloqjb.exe
1340	Miklkm32.exe
2268	Mabdlk32.exe
3616	Mpedgghj.exe
1904	Mhmmieil.exe
1980	Mjkiephp.exe
676	Mmiealgc.exe
3144	Maeaajpl.exe
864	Mdcmnfop.exe
2884	Nfaijand.exe
1736	Njmejp32.exe
1480	Nmlafk32.exe
4144	Npjnbg32.exe
1072	Nhafcd32.exe
2360	Nkpbpp32.exe
3916	Najjmjkg.exe
2972	Ndhgie32.exe
1800	Nffceq32.exe
3340	Nieoal32.exe
4320	Nalgbi32.exe
2820	Ndjcne32.exe
3684	Ngipjp32.exe
956	Niglfl32.exe
2924	Nmbhgjoi.exe
4016	Npadcfnl.exe
5032	Nhhldc32.exe
1544	Ngklppei.exe
4236	Niihlkdm.exe
4424	Naqqmieo.exe
3600	Npcaie32.exe
1484	Ohkijc32.exe
1872	Ogmiepcf.exe
5016	Oileakbj.exe
872	Omgabj32.exe
1564	Opfnne32.exe
904	Odaiodbp.exe
4720	Ogpfko32.exe
1048	Okkalnjm.exe
5060	Omjnhiiq.exe
5124	Oaejhh32.exe
5164	Odcfdc32.exe
5204	Ogbbqo32.exe
5244	Oknnanhj.exe
5288	Oiqomj32.exe
5328	Oahgnh32.exe
5372	Opjgidfa.exe
5412	Ohaokbfd.exe
5456	Okpkgm32.exe
5496	Oickbjmb.exe
5536	Oajccgmd.exe
5576	Odhppclh.exe
5616	Ohdlpa32.exe
5656	Okbhlm32.exe
5696	Onqdhh32.exe
5736	Oalpigkb.exe
5776	Pdklebje.exe
5816	Pgihanii.exe
5856	Pkedbmab.exe
5896	Pncanhaf.exe
5936	Ppamjcpj.exe
5976	Phiekaql.exe
6016	Pgkegn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cegnol32.exe	Calbnnkj.exe
File created	C:\Windows\SysWOW64\Pgihanii.exe	Pdklebje.exe
File created	C:\Windows\SysWOW64\Mbfggf32.dll	Cegnol32.exe
File created	C:\Windows\SysWOW64\Dajnol32.exe	Dnkbcp32.exe
File created	C:\Windows\SysWOW64\Mmiealgc.exe	Mjkiephp.exe
File created	C:\Windows\SysWOW64\Ljeeki32.dll	Nieoal32.exe
File created	C:\Windows\SysWOW64\Okkalnjm.exe	Ogpfko32.exe
File created	C:\Windows\SysWOW64\Pnhjig32.exe	Pgnblm32.exe
File opened for modification	C:\Windows\SysWOW64\Bdnkhn32.exe	Bbpolb32.exe
File created	C:\Windows\SysWOW64\Llbndn32.dll	Cnboma32.exe
File created	C:\Windows\SysWOW64\Nmlafk32.exe	Njmejp32.exe
File created	C:\Windows\SysWOW64\Onbiicqa.dll	Okbhlm32.exe
File opened for modification	C:\Windows\SysWOW64\Pgkegn32.exe	Phiekaql.exe
File created	C:\Windows\SysWOW64\Pnjgog32.exe	Pklkbl32.exe
File created	C:\Windows\SysWOW64\Qpmmfbfl.exe	Qajlje32.exe
File created	C:\Windows\SysWOW64\Calbnnkj.exe	Cnmebblf.exe
File created	C:\Windows\SysWOW64\Lifmdfkg.dll	Eangjkkd.exe
File opened for modification	C:\Windows\SysWOW64\Naqqmieo.exe	Niihlkdm.exe
File created	C:\Windows\SysWOW64\Gcboln32.dll	Naqqmieo.exe
File opened for modification	C:\Windows\SysWOW64\Oajccgmd.exe	Oickbjmb.exe
File created	C:\Windows\SysWOW64\Gbjnanih.dll	Anffje32.exe
File created	C:\Windows\SysWOW64\Najjmjkg.exe	Nkpbpp32.exe
File created	C:\Windows\SysWOW64\Haapme32.dll	Agqhik32.exe
File created	C:\Windows\SysWOW64\Mjkiephp.exe	Mhmmieil.exe
File created	C:\Windows\SysWOW64\Opjgidfa.exe	Oahgnh32.exe
File created	C:\Windows\SysWOW64\Qolmplcl.dll	Oickbjmb.exe
File created	C:\Windows\SysWOW64\Edmleg32.dll	Pdofpb32.exe
File created	C:\Windows\SysWOW64\Pgnblm32.exe	Phkaqqoi.exe
File created	C:\Windows\SysWOW64\Ajhndgjj.exe	Akenij32.exe
File opened for modification	C:\Windows\SysWOW64\Ahkkhnpg.exe	Aqdbfa32.exe
File created	C:\Windows\SysWOW64\Odgodh32.dll	Bnaffdfc.exe
File opened for modification	C:\Windows\SysWOW64\Maeaajpl.exe	Mmiealgc.exe
File opened for modification	C:\Windows\SysWOW64\Bdlncn32.exe	Bnaffdfc.exe
File opened for modification	C:\Windows\SysWOW64\Nkpbpp32.exe	Nhafcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmiepcf.exe	Ohkijc32.exe
File created	C:\Windows\SysWOW64\Gaobmboi.dll	Opjgidfa.exe
File created	C:\Windows\SysWOW64\Clclnfln.dll	Okpkgm32.exe
File created	C:\Windows\SysWOW64\Bjcmpepm.exe	Bgeadjai.exe
File opened for modification	C:\Windows\SysWOW64\Dagajlal.exe	Dbdano32.exe
File created	C:\Windows\SysWOW64\Maeaajpl.exe	Mmiealgc.exe
File created	C:\Windows\SysWOW64\Npjnbg32.exe	Nmlafk32.exe
File created	C:\Windows\SysWOW64\Pdklebje.exe	Oalpigkb.exe
File created	C:\Windows\SysWOW64\Pafcofcg.exe	Pnjgog32.exe
File created	C:\Windows\SysWOW64\Nlaakbkm.dll	Pnlcdg32.exe
File created	C:\Windows\SysWOW64\Abmcod32.dll	Ciefek32.exe
File created	C:\Windows\SysWOW64\Lhjicplp.dll	Pddokabk.exe
File created	C:\Windows\SysWOW64\Difici32.dll	Qgehml32.exe
File opened for modification	C:\Windows\SysWOW64\Cgjcfgoa.exe	Celgjlpn.exe
File created	C:\Windows\SysWOW64\Eejcki32.exe	Eangjkkd.exe
File created	C:\Windows\SysWOW64\Bfffkmlb.dll	Mmiealgc.exe
File created	C:\Windows\SysWOW64\Eifhac32.dll	Niihlkdm.exe
File created	C:\Windows\SysWOW64\Ggmdggnj.dll	Odcfdc32.exe
File created	C:\Windows\SysWOW64\Pjjaci32.exe	Pgkegn32.exe
File opened for modification	C:\Windows\SysWOW64\Dilmeida.exe	Deqqek32.exe
File created	C:\Windows\SysWOW64\Ngklppei.exe	Nhhldc32.exe
File created	C:\Windows\SysWOW64\Aqpika32.exe	Aamipe32.exe
File opened for modification	C:\Windows\SysWOW64\Akenij32.exe	Ahgamo32.exe
File opened for modification	C:\Windows\SysWOW64\Djbbhafj.exe	Dlobmd32.exe
File created	C:\Windows\SysWOW64\Pgkegn32.exe	Phiekaql.exe
File opened for modification	C:\Windows\SysWOW64\Aqdbfa32.exe	Anffje32.exe
File created	C:\Windows\SysWOW64\Bnaffdfc.exe	Bkcjjhgp.exe
File created	C:\Windows\SysWOW64\Njmejp32.exe	Nfaijand.exe
File opened for modification	C:\Windows\SysWOW64\Cbknhqbl.exe	Cgejkh32.exe
File created	C:\Windows\SysWOW64\Dnojon32.dll	Djmima32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6364	7148	WerFault.exe	266

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpedgghj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhmmieil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odcfdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akenij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahngmnnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqilaplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejdonq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbhgjoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohdlpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phkaqqoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pacfjfej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqkigp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdhgaid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckfofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjcne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhldc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdbbfadn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anffje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diafqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Najjmjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opjgidfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dagajlal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eejcki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmejp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agqhik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maeaajpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgkegn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpmmfbfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qggebl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgodjiio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odaiodbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okbhlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phmnfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlncn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djipbbne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiqomj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pddokabk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akopoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnaffdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkiaece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djbbhafj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabdlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnhjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agnkck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oahgnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oalpigkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhennm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98ed989a3ca9fcbc39ffd4ba17620ec0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhafcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgabj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aamipe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglnnkid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegnol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciefek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdano32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkalnjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paaidf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgehobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjcmpepm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgejkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okpkgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjeaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anjpeelk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polnbakm.dll"	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igalei32.dll"	Anmmkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfomiaim.dll"	Bdgehobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djbbhafj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiqomj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelncp32.dll"	Pafcofcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pddokabk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goahpc32.dll"	Bnfoac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckfofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deqqek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacjdgkj.dll"	Mpedgghj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfloio32.dll"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppamjcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njiccd32.dll"	Paaidf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjahchpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhmmieil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhndgjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anhcpeon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioaegj32.dll"	Mfmpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dicbfhni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccjlblm.dll"	Akopoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgabj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjcdih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhddgofo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agqhik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmaece32.dll"	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dioiki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhmmieil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqilaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agcdnjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakpih32.dll"	Bgjjoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbnknpqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlobmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaeccgp.dll"	Ejdonq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpffjn32.dll"	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knemellp.dll"	Pacfjfej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haapme32.dll"	Agqhik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdqekdcj.dll"	Ceeaim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciefek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopkoobi.dll"	Dlobmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oickbjmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcaie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phkaqqoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agcdnjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbpolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnojon32.dll"	Djmima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhgie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nieoal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblfejda.dll"	Oajccgmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odhppclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okbhlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olikhnjp.dll"	Oalpigkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonjpqid.dll"	Phmnfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgamo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maeaajpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjcmpepm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbccec32.dll"	Bbpolb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dioiki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgjbjed.dll"	Diafqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqdbfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjonehk.dll"	Pkedbmab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2952	4528	98ed989a3ca9fcbc39ffd4ba17620ec0N.exe	93
PID 4528 wrote to memory of 2952	4528	98ed989a3ca9fcbc39ffd4ba17620ec0N.exe	93
PID 4528 wrote to memory of 2952	4528	98ed989a3ca9fcbc39ffd4ba17620ec0N.exe	93
PID 2952 wrote to memory of 3904	2952	Mpchbhjl.exe	94
PID 2952 wrote to memory of 3904	2952	Mpchbhjl.exe	94
PID 2952 wrote to memory of 3904	2952	Mpchbhjl.exe	94
PID 3904 wrote to memory of 4228	3904	Mfmpob32.exe	95
PID 3904 wrote to memory of 4228	3904	Mfmpob32.exe	95
PID 3904 wrote to memory of 4228	3904	Mfmpob32.exe	95
PID 4228 wrote to memory of 1340	4228	Mjiloqjb.exe	96
PID 4228 wrote to memory of 1340	4228	Mjiloqjb.exe	96
PID 4228 wrote to memory of 1340	4228	Mjiloqjb.exe	96
PID 1340 wrote to memory of 2268	1340	Miklkm32.exe	97
PID 1340 wrote to memory of 2268	1340	Miklkm32.exe	97
PID 1340 wrote to memory of 2268	1340	Miklkm32.exe	97
PID 2268 wrote to memory of 3616	2268	Mabdlk32.exe	98
PID 2268 wrote to memory of 3616	2268	Mabdlk32.exe	98
PID 2268 wrote to memory of 3616	2268	Mabdlk32.exe	98
PID 3616 wrote to memory of 1904	3616	Mpedgghj.exe	99
PID 3616 wrote to memory of 1904	3616	Mpedgghj.exe	99
PID 3616 wrote to memory of 1904	3616	Mpedgghj.exe	99
PID 1904 wrote to memory of 1980	1904	Mhmmieil.exe	100
PID 1904 wrote to memory of 1980	1904	Mhmmieil.exe	100
PID 1904 wrote to memory of 1980	1904	Mhmmieil.exe	100
PID 1980 wrote to memory of 676	1980	Mjkiephp.exe	101
PID 1980 wrote to memory of 676	1980	Mjkiephp.exe	101
PID 1980 wrote to memory of 676	1980	Mjkiephp.exe	101
PID 676 wrote to memory of 3144	676	Mmiealgc.exe	102
PID 676 wrote to memory of 3144	676	Mmiealgc.exe	102
PID 676 wrote to memory of 3144	676	Mmiealgc.exe	102
PID 3144 wrote to memory of 864	3144	Maeaajpl.exe	103
PID 3144 wrote to memory of 864	3144	Maeaajpl.exe	103
PID 3144 wrote to memory of 864	3144	Maeaajpl.exe	103
PID 864 wrote to memory of 2884	864	Mdcmnfop.exe	104
PID 864 wrote to memory of 2884	864	Mdcmnfop.exe	104
PID 864 wrote to memory of 2884	864	Mdcmnfop.exe	104
PID 2884 wrote to memory of 1736	2884	Nfaijand.exe	105
PID 2884 wrote to memory of 1736	2884	Nfaijand.exe	105
PID 2884 wrote to memory of 1736	2884	Nfaijand.exe	105
PID 1736 wrote to memory of 1480	1736	Njmejp32.exe	106
PID 1736 wrote to memory of 1480	1736	Njmejp32.exe	106
PID 1736 wrote to memory of 1480	1736	Njmejp32.exe	106
PID 1480 wrote to memory of 4144	1480	Nmlafk32.exe	107
PID 1480 wrote to memory of 4144	1480	Nmlafk32.exe	107
PID 1480 wrote to memory of 4144	1480	Nmlafk32.exe	107
PID 4144 wrote to memory of 1072	4144	Npjnbg32.exe	108
PID 4144 wrote to memory of 1072	4144	Npjnbg32.exe	108
PID 4144 wrote to memory of 1072	4144	Npjnbg32.exe	108
PID 1072 wrote to memory of 2360	1072	Nhafcd32.exe	109
PID 1072 wrote to memory of 2360	1072	Nhafcd32.exe	109
PID 1072 wrote to memory of 2360	1072	Nhafcd32.exe	109
PID 2360 wrote to memory of 3916	2360	Nkpbpp32.exe	110
PID 2360 wrote to memory of 3916	2360	Nkpbpp32.exe	110
PID 2360 wrote to memory of 3916	2360	Nkpbpp32.exe	110
PID 3916 wrote to memory of 2972	3916	Najjmjkg.exe	111
PID 3916 wrote to memory of 2972	3916	Najjmjkg.exe	111
PID 3916 wrote to memory of 2972	3916	Najjmjkg.exe	111
PID 2972 wrote to memory of 1800	2972	Ndhgie32.exe	112
PID 2972 wrote to memory of 1800	2972	Ndhgie32.exe	112
PID 2972 wrote to memory of 1800	2972	Ndhgie32.exe	112
PID 1800 wrote to memory of 3340	1800	Nffceq32.exe	113
PID 1800 wrote to memory of 3340	1800	Nffceq32.exe	113
PID 1800 wrote to memory of 3340	1800	Nffceq32.exe	113
PID 3340 wrote to memory of 4320	3340	Nieoal32.exe	114

C:\Users\Admin\AppData\Local\Temp\98ed989a3ca9fcbc39ffd4ba17620ec0N.exe
"C:\Users\Admin\AppData\Local\Temp\98ed989a3ca9fcbc39ffd4ba17620ec0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\Mpchbhjl.exe
  C:\Windows\system32\Mpchbhjl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\Mfmpob32.exe
    C:\Windows\system32\Mfmpob32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\SysWOW64\Mjiloqjb.exe
      C:\Windows\system32\Mjiloqjb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\SysWOW64\Miklkm32.exe
        
        C:\Windows\system32\Miklkm32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\SysWOW64\Mabdlk32.exe
        
        C:\Windows\system32\Mabdlk32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Mpedgghj.exe
        
        C:\Windows\system32\Mpedgghj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Mjkiephp.exe
        
        C:\Windows\system32\Mjkiephp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Mmiealgc.exe
        
        C:\Windows\system32\Mmiealgc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Maeaajpl.exe
        
        C:\Windows\system32\Maeaajpl.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Mdcmnfop.exe
        
        C:\Windows\system32\Mdcmnfop.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Nfaijand.exe
        
        C:\Windows\system32\Nfaijand.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Nmlafk32.exe
        
        C:\Windows\system32\Nmlafk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Npjnbg32.exe
        
        C:\Windows\system32\Npjnbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Nkpbpp32.exe
        
        C:\Windows\system32\Nkpbpp32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Najjmjkg.exe
        
        C:\Windows\system32\Najjmjkg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Ndhgie32.exe
        
        C:\Windows\system32\Ndhgie32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Nffceq32.exe
        
        C:\Windows\system32\Nffceq32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Nieoal32.exe
        
        C:\Windows\system32\Nieoal32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Nalgbi32.exe
        
        C:\Windows\system32\Nalgbi32.exe
        23⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Ndjcne32.exe
        
        C:\Windows\system32\Ndjcne32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\Nmbhgjoi.exe
        
        C:\Windows\system32\Nmbhgjoi.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        28⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Nhhldc32.exe
        
        C:\Windows\system32\Nhhldc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Ngklppei.exe
        
        C:\Windows\system32\Ngklppei.exe
        30⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Niihlkdm.exe
        
        C:\Windows\system32\Niihlkdm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Npcaie32.exe
        
        C:\Windows\system32\Npcaie32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Ogmiepcf.exe
        
        C:\Windows\system32\Ogmiepcf.exe
        35⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Oileakbj.exe
        
        C:\Windows\system32\Oileakbj.exe
        36⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Omgabj32.exe
        
        C:\Windows\system32\Omgabj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Opfnne32.exe
        
        C:\Windows\system32\Opfnne32.exe
        38⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Ogpfko32.exe
        
        C:\Windows\system32\Ogpfko32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        42⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Oaejhh32.exe
        
        C:\Windows\system32\Oaejhh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5124
        
        C:\Windows\SysWOW64\Odcfdc32.exe
        
        C:\Windows\system32\Odcfdc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Ogbbqo32.exe
        
        C:\Windows\system32\Ogbbqo32.exe
        45⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5244
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Oahgnh32.exe
        
        C:\Windows\system32\Oahgnh32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Opjgidfa.exe
        
        C:\Windows\system32\Opjgidfa.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Ohaokbfd.exe
        
        C:\Windows\system32\Ohaokbfd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5412
        
        C:\Windows\SysWOW64\Okpkgm32.exe
        
        C:\Windows\system32\Okpkgm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Oajccgmd.exe
        
        C:\Windows\system32\Oajccgmd.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Odhppclh.exe
        
        C:\Windows\system32\Odhppclh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Okbhlm32.exe
        
        C:\Windows\system32\Okbhlm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Oalpigkb.exe
        
        C:\Windows\system32\Oalpigkb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Pgihanii.exe
        
        C:\Windows\system32\Pgihanii.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5816
        
        C:\Windows\SysWOW64\Pkedbmab.exe
        
        C:\Windows\system32\Pkedbmab.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Pncanhaf.exe
        
        C:\Windows\system32\Pncanhaf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5896
        
        C:\Windows\SysWOW64\Ppamjcpj.exe
        
        C:\Windows\system32\Ppamjcpj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Pgkegn32.exe
        
        C:\Windows\system32\Pgkegn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        66⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Paaidf32.exe
        
        C:\Windows\system32\Paaidf32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Pdofpb32.exe
        
        C:\Windows\system32\Pdofpb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Phkaqqoi.exe
        
        C:\Windows\system32\Phkaqqoi.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\Pnhjig32.exe
        
        C:\Windows\system32\Pnhjig32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Pacfjfej.exe
        
        C:\Windows\system32\Pacfjfej.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pdbbfadn.exe
        
        C:\Windows\system32\Pdbbfadn.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Phmnfp32.exe
        
        C:\Windows\system32\Phmnfp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Pnjgog32.exe
        
        C:\Windows\system32\Pnjgog32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Pafcofcg.exe
        
        C:\Windows\system32\Pafcofcg.exe
        77⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Pddokabk.exe
        
        C:\Windows\system32\Pddokabk.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3688
        
        C:\Windows\SysWOW64\Pjahchpb.exe
        
        C:\Windows\system32\Pjahchpb.exe
        80⤵
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Pnlcdg32.exe
        
        C:\Windows\system32\Pnlcdg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Qpkppbho.exe
        
        C:\Windows\system32\Qpkppbho.exe
        82⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Qdflaa32.exe
        
        C:\Windows\system32\Qdflaa32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Qgehml32.exe
        
        C:\Windows\system32\Qgehml32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Qjcdih32.exe
        
        C:\Windows\system32\Qjcdih32.exe
        85⤵
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Qajlje32.exe
        
        C:\Windows\system32\Qajlje32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Qhddgofo.exe
        
        C:\Windows\system32\Qhddgofo.exe
        88⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Qggebl32.exe
        
        C:\Windows\system32\Qggebl32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Qjeaog32.exe
        
        C:\Windows\system32\Qjeaog32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Aqpika32.exe
        
        C:\Windows\system32\Aqpika32.exe
        92⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Ahgamo32.exe
        
        C:\Windows\system32\Ahgamo32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Akenij32.exe
        
        C:\Windows\system32\Akenij32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Ajhndgjj.exe
        
        C:\Windows\system32\Ajhndgjj.exe
        95⤵
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Adnbapjp.exe
        
        C:\Windows\system32\Adnbapjp.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Aglnnkid.exe
        
        C:\Windows\system32\Aglnnkid.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Ajjjjghg.exe
        
        C:\Windows\system32\Ajjjjghg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Anffje32.exe
        
        C:\Windows\system32\Anffje32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        102⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Anhcpeon.exe
        
        C:\Windows\system32\Anhcpeon.exe
        105⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        106⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ahngmnnd.exe
        
        C:\Windows\system32\Ahngmnnd.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Anjpeelk.exe
        
        C:\Windows\system32\Anjpeelk.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Agcdnjcl.exe
        
        C:\Windows\system32\Agcdnjcl.exe
        111⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Anmmkd32.exe
        
        C:\Windows\system32\Anmmkd32.exe
        113⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Bqkigp32.exe
        
        C:\Windows\system32\Bqkigp32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Bdgehobe.exe
        
        C:\Windows\system32\Bdgehobe.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bgeadjai.exe
        
        C:\Windows\system32\Bgeadjai.exe
        116⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Bbkeacqo.exe
        
        C:\Windows\system32\Bbkeacqo.exe
        118⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Bhennm32.exe
        
        C:\Windows\system32\Bhennm32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Bkcjjhgp.exe
        
        C:\Windows\system32\Bkcjjhgp.exe
        120⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Bnaffdfc.exe
        
        C:\Windows\system32\Bnaffdfc.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Bdlncn32.exe
        
        C:\Windows\system32\Bdlncn32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        123⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bjhgke32.exe
        
        C:\Windows\system32\Bjhgke32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        126⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Bglgdi32.exe
        
        C:\Windows\system32\Bglgdi32.exe
        127⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        128⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Bqdlmo32.exe
        
        C:\Windows\system32\Bqdlmo32.exe
        129⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Cbdhgaid.exe
        
        C:\Windows\system32\Cbdhgaid.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Ceeaim32.exe
        
        C:\Windows\system32\Ceeaim32.exe
        132⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Ckoifgmb.exe
        
        C:\Windows\system32\Ckoifgmb.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:752
        
        C:\Windows\SysWOW64\Cnmebblf.exe
        
        C:\Windows\system32\Cnmebblf.exe
        135⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Calbnnkj.exe
        
        C:\Windows\system32\Calbnnkj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\Cgejkh32.exe
        
        C:\Windows\system32\Cgejkh32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Cbknhqbl.exe
        
        C:\Windows\system32\Cbknhqbl.exe
        139⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Cnboma32.exe
        
        C:\Windows\system32\Cnboma32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Celgjlpn.exe
        
        C:\Windows\system32\Celgjlpn.exe
        143⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Cgjcfgoa.exe
        
        C:\Windows\system32\Cgjcfgoa.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Ckfofe32.exe
        
        C:\Windows\system32\Ckfofe32.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6640
        
        C:\Windows\SysWOW64\Dabhomea.exe
        
        C:\Windows\system32\Dabhomea.exe
        147⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Dgmpkg32.exe
        
        C:\Windows\system32\Dgmpkg32.exe
        148⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Dnghhqdk.exe
        
        C:\Windows\system32\Dnghhqdk.exe
        149⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Dlkiaece.exe
        
        C:\Windows\system32\Dlkiaece.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6932
        
        C:\Windows\SysWOW64\Djmima32.exe
        
        C:\Windows\system32\Djmima32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7012
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\Dioiki32.exe
        
        C:\Windows\system32\Dioiki32.exe
        157⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        158⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Djpfbahm.exe
        
        C:\Windows\system32\Djpfbahm.exe
        159⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        161⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Deejpjgc.exe
        
        C:\Windows\system32\Deejpjgc.exe
        162⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        163⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Dlobmd32.exe
        
        C:\Windows\system32\Dlobmd32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Djbbhafj.exe
        
        C:\Windows\system32\Djbbhafj.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Dbijinfl.exe
        
        C:\Windows\system32\Dbijinfl.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Dehgejep.exe
        
        C:\Windows\system32\Dehgejep.exe
        167⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Dicbfhni.exe
        
        C:\Windows\system32\Dicbfhni.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        169⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Ejdonq32.exe
        
        C:\Windows\system32\Ejdonq32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Eangjkkd.exe
        
        C:\Windows\system32\Eangjkkd.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        174⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 400
        175⤵
        Program crash
        
        PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7148 -ip 7148
1⤵
PID:6272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3860 /prefetch:8
1⤵
PID:6436

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6664

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqilaplo.exe

Filesize
208KB

MD5
c5154b0c9039d7702a519dbacb0ce288

SHA1
20d1dec19fd11fa3694deb7d02a87584ba6fbd03

SHA256
28787a75f0f00115337c566c8a685d8f28790059feb3e2e402e0ce0dea1f99c8

SHA512
963ef57205ebe19cafa29b99fa5b50ba5d4cff6b169bcf2f287e95271ea5478d253a4904731311d64e7cdb51f1342c9da487bc80040d59f4273465fd4f35683b

Download Submit
C:\Windows\SysWOW64\Bhennm32.exe

Filesize
208KB

MD5
345dd615a583e45c5fd27384f7e18724

SHA1
c61514d9f93065fa8f91e96076bb8d0c844c786c

SHA256
4eef34b2906b479aafec658fa431f4fff25097045108bd517126c5a917f57647

SHA512
4794ce1656d01e250c188127ff57f0690979babdda7ddc684c579579211b7b8b95418bfc489fb864794e9bd56738d7f18bb3e807a5033920de0a63b95dc55903

Download Submit
C:\Windows\SysWOW64\Cbknhqbl.exe

Filesize
208KB

MD5
17481789232c5bdd4f9f6c8835530d9e

SHA1
ffe989cf87c6b5bdf20a4bc14307cb057964f49c

SHA256
58c3afdaf0e2fe5e5e0e152f6b8c55a891c361e1a7979f1c592c813d7de6c067

SHA512
c9cd78620708ba7aa937c75703a6cf05141c46001d0651f4843d7bdbf9566c1c048f933c3ea4ec7a04712ecff65e9d43d6164d68c5deace314a6ccc7c0817f2a

Download Submit
C:\Windows\SysWOW64\Cnboma32.exe

Filesize
208KB

MD5
b51a7cf51e5f97e16cd674feba5094e9

SHA1
e7ab2a72cedf9fc10f562471c88ac71e23e912c4

SHA256
ffe0dd776e81acc496134359b03bcf588a0828c263917e06e54d8ef8a500bf8e

SHA512
4c460767e0b248526daa252b101ea71c4a2ee9e8b1aeb545ef33f370ceb8e2a7e32f010d366e199befe9178084df2aac471908f8f9a94b202f68b33f778eb81a

Download Submit
C:\Windows\SysWOW64\Dioiki32.exe

Filesize
208KB

MD5
192e0c0ef60cf180153be150fe2de137

SHA1
36f3075401af00f35a37eb80720ba7cfb097fe39

SHA256
cd5164c7b9190fc7a8b832b9029cf68f6c1c325f35d22325d3a6d0419ea454a7

SHA512
781e25850a69cc3e355249a9950e3244f8cf48f9fb0605fb569554cb90790d0eb567c8b30b2a21c0cdabb22f1b32f9bf1381471ef8c855ebf08a4a8f610f4069

Download Submit
C:\Windows\SysWOW64\Djipbbne.exe

Filesize
208KB

MD5
6bcbca0579d60448158c8d4a1b9e4d31

SHA1
04b7ccb1b46a1d78d9da15c260b9c8c2693f16d2

SHA256
d19b71dca69d5ef9ae81f74527897a03951c9edb191b3550e4a447abbd3fe666

SHA512
bcdee1cf2f885d9c4cd3896b44620a2de3c809dd9a84994f632575dbbe97e278bdab5ef13e39eb8b56f9afcd027a4dda6b5a5b24386004fe06fcc21909f238ff

Download Submit
C:\Windows\SysWOW64\Ejdonq32.exe

Filesize
208KB

MD5
5e006bc071d42c05801347810715f42e

SHA1
d58deb00c7bf58e1ce7d835cc4f6c870171754f7

SHA256
75fdfc75dc82e6bcc7a26497f3e279227640480b0acd5c269ce98a4aa1b83f39

SHA512
526657d2d4d63d37d778b18ab5dd90c4109a9df2d3066b5874b41ad1b63ee02f157941ea85e57e591b7afe3155f3d8f0043e781a2e6cf47584eba587d481f885

Download Submit
C:\Windows\SysWOW64\Mabdlk32.exe

Filesize
208KB

MD5
07ba61e45c6fa5d3bf064c464c7302db

SHA1
ded4cf18beceaaed9a28a86e1279a407b2f4d9e5

SHA256
0f7f0950eb631d2cec4de4b4018741c56c8c2d42973f0c92ab5331fe58910964

SHA512
b4a631c3a18d28df3e9fdd5d7db637973d817acc91d8be6e7ffccb4daa0c3f5a41445c5fe1e51521c8cd6b05886bb12cb366b48c09ab080c32faa0d8ffb09df4

Download Submit
C:\Windows\SysWOW64\Maeaajpl.exe

Filesize
208KB

MD5
a03a6ef53a1488b39ad9256d59cf64c0

SHA1
cebe2129c333308b3e0baae58905c0379aec89ec

SHA256
6b40ef202db3525077c0e908f2a7512b8a66cb05786a5dfbc98a471ca15103e2

SHA512
2c732f16476c15ba8c3cb6607919bfa2235eeb649a3bbcfe34f1f1f09b6dc807978788d707143b743fc85b753261a1012d9b999a0dc8587bc66a736b9367e735

Download Submit
C:\Windows\SysWOW64\Mdcmnfop.exe

Filesize
208KB

MD5
026306b8037a5b34abfdb49b7f2ac3bf

SHA1
2dcd1afd48f031d1dad118234d66eb2b9de1c56b

SHA256
91bab5a756525a46e0caaa74513934cd19a9b0abd560dad03b87cfd0f9a3317c

SHA512
8ba54db3b8e5875cd5a9a8630823cbf587a20d3c606779d31573440019880a3855c2112b2b15d45d3ff4bb01affc37f72e2e5bdcd94a70e5c4d26038126565eb

Download Submit
C:\Windows\SysWOW64\Mfmpob32.exe

Filesize
208KB

MD5
741a72204b869cb430a237019902b663

SHA1
64d63ac11bdf63922491b09aa7c88a9a45671dfc

SHA256
e4c183da25441d8f47bdd017fb8d9e0b4c5aa9bf25bd9a561589d5267b74c4ca

SHA512
44a4a656bb74af162f7a3f3e8b88333a691ab62ca22ebd97b92d9b07f9740896a3659b7e0a8d0d88470df64b165fa761a27efda7f8e758d7ae736238f61348a1

Download Submit
C:\Windows\SysWOW64\Mhmmieil.exe

Filesize
208KB

MD5
5e9323e059949a3652fb8809167ce10f

SHA1
93992d65bbb40daa6d2cc3b576f5c4426eeaf39b

SHA256
3d81245c3335421b71038002fcff9638d96431be9000e9d46ab483cf1d942f5d

SHA512
ee80a669ccb10b40942b987c8e5661e0af7bfeee59c4eea7daee7ceda9d72400cd9f3c5477b4aaeaad432ca9095a4b63cf3162b21c77fd766ca5a3267cee19a6

Download Submit
C:\Windows\SysWOW64\Miklkm32.exe

Filesize
208KB

MD5
f8549a66a9e58e9a75f0f20c47eda086

SHA1
906722c78062341a4ee26967850239fef8f7ab5a

SHA256
7f6bb2cef8695b16c3914871ee72cfa26133d863af600eaf8411558c25dc1761

SHA512
d3126dcd5b0b0f7df2926827e00553471ff94379e42c804656172c4b2536bb89fdc8bb8907382a26b22dcf45f6f922f77f9e03e01447e3076c374b7927bf2553

Download Submit
C:\Windows\SysWOW64\Mjiloqjb.exe

Filesize
208KB

MD5
a225903dd7b1cbf33293d237c0909204

SHA1
970f7fe12a513ea9489252dc7a7f452fc02bd6bd

SHA256
94fed11e98e6ddaa14b9a8304891260c65ab47465da47e145c23a96814d9bf97

SHA512
a7836c32668e2d5fe93d7176ecf6dfa72148ef54c73ceb097a85a4933748d844d6ff62a669069b33143a3e13d4e54d1f642d0d9d4a048068072d7a3c4a78002d

Download Submit
C:\Windows\SysWOW64\Mjkiephp.exe

Filesize
208KB

MD5
e38804474e88d74eb740e273acd92b42

SHA1
8f78c5a1a60a1907e80faeebfb850edadf3cfc8b

SHA256
813dd49c20b544dc0596b94609cc1acca59c3410f5893fa6e125f1bb23942881

SHA512
74b60605ee3cbc8fb2b5f4fe1b8084eaf54da949cd29a0622a3b44341caa6c627c3cf0be8aa766a9c6b4594f60587e87625d52362f321afc524a0ff24fdbd5c9

Download Submit
C:\Windows\SysWOW64\Mmiealgc.exe

Filesize
208KB

MD5
15659577709b095331d9a70f7d16c8a4

SHA1
1902232210a2644126e72aea9e5b58095d1a75b1

SHA256
54e5cbc722d030a996350adfe38b0539f2732eb52b29d01ba6cb36693cdf84d9

SHA512
9d96d35f5960b7c018c1f3969912fd190dd1ecaa7b5a62d60079df0b2c6bc8f6cf5a245a8b0a8667c98b057a89d659e18f4fadff55756f8b85018fed661bb7d5

Download Submit
C:\Windows\SysWOW64\Mpchbhjl.exe

Filesize
208KB

MD5
412a57a474605b16f4bb60ab6c6742dc

SHA1
c4992a24b97353d50bcb7f650ab56c1c87f0939c

SHA256
90814a0f0bc5eb96a29ba6abaeb83fd244c1e8b96b538800e4a5f462eb0fbd34

SHA512
b9ec2609538b460121a7c031ea57f322e1add729c01808fb7ac9639c866faa4b3f2f5a4b319b6a63e00401176fbd031ca3f11bae6d1f73e666b967953d78396e

Download Submit
C:\Windows\SysWOW64\Mpedgghj.exe

Filesize
208KB

MD5
3bd1be7aa250b4d1a54c1ba9f8ec0142

SHA1
aa5f24f475071595773ee72de715300a7a432a63

SHA256
d43630b3e2672c70ef044ef55cb20aa84f7347b002d00ba96047129f6ab64ef7

SHA512
7c398c1bd2ab012ae946e6de612e5c2cff4c5c7420db95ece7a5d3e6473d06d279b47512c7f3148aa9311734e4e375e59edc9dc2745c4eadf546d89916ba6e11

Download Submit
C:\Windows\SysWOW64\Najjmjkg.exe

Filesize
208KB

MD5
eccf391d94b1f111a17ce904648cbde5

SHA1
a914e25524098a120685aa4ed80065e3a5f0c09c

SHA256
d761c3f0ad90d49c3045138f2b2ecbea69d0f29311d3432b9c1bda17aadc89e3

SHA512
5aa9570f63414a38c513647453d9366dc5b785a533553ff8bcf42f4096b20d9512408165ed759d765425ef2413f68b0161d34db69383c38ff801d9df3ee9db68

Download Submit
C:\Windows\SysWOW64\Nalgbi32.exe

Filesize
208KB

MD5
716d8c6d383f70ec4cf9be2fdf7ecc2d

SHA1
6308277eb60012c486c2569d65f290266b9e551f

SHA256
5cb6e69bf58b5ec3df62e73b0af1aa696feb2a68487a4769c26410c5c3e6d51f

SHA512
3fb7690c3c50555d6a7fa4f69a2598211b166705bea1e3bd7f051c6614152c2645d5858c1506a08d08ae42ed8edc613600679131b7fad8b826ceebea8826880a

Download Submit
C:\Windows\SysWOW64\Naqqmieo.exe

Filesize
208KB

MD5
b08a0943b0e6a415e134f0792d0b514e

SHA1
521850986018157ca711e632245639c61b5534ee

SHA256
e3ee419ec3686a0387459029c3ddee2dae616759d6295f895a7236936c824d68

SHA512
3a64b12b1938cd08c746e584bcad82ca5db7909a67e0da52f82626ee33c68fc1b603d0a6e526b39f2873e5584e9b329ef8606c6c8b149686fc7e79c46236b6c3

Download Submit
C:\Windows\SysWOW64\Ndhgie32.exe

Filesize
208KB

MD5
8e7329b68731562d456d7812802c1d3d

SHA1
d116d7f75bb22eef80d95525af31ecb35e67aeb7

SHA256
ec090686c2011dd72cdd44339efd2e189395d01ad62dc34c1f5aa4d9f5b09710

SHA512
2cdd5f1ee30d21a795b1419fb49e794915216da710c8ab1e87c35ab34660b2118b8bc2ab3dd0a4b0f8289666d3036898ff3d9afcdd9c1e6eaf2b74f85ee72180

Download Submit
C:\Windows\SysWOW64\Ndjcne32.exe

Filesize
208KB

MD5
3a2bccdeb175c45f714e910a034712dd

SHA1
2b27653bbc1121963b2b5efbcdc1274cdb162713

SHA256
823bb110a9d4792557c9a29e0348351bed19a321cb9516bdf2826f639230fff9

SHA512
75d025dc0175c24ae0b9398024c31c3a3e020fe6c48e824d0a9bd38a1d4934f06ab471fcca586397ae9928c505ebcec0e85af52d966aa4ec4e8d1115564bdf48

Download Submit
C:\Windows\SysWOW64\Nfaijand.exe

Filesize
208KB

MD5
e7099fbc28f60b77f1bd1babe2c5603e

SHA1
4621cd4bc6634ba36b3904da60c36e3a45bc6b56

SHA256
b08bcbf2ceec4634de29b523ea3633864aa20cd5472a6a3331a3800346c49edd

SHA512
58e76e6997cf279fb0434a9569e361aeefa881dc00df33679ca3ee48f67d14de823338145045eff8ad0fe1c4308ed00d6fa678ca1a856e73c09726bd4092c72d

Download Submit
C:\Windows\SysWOW64\Nffceq32.exe

Filesize
208KB

MD5
5a34073c61bfd7b961bc47641026a750

SHA1
a0f06bfe09d07c5dbbb45cc741944da78b1632e4

SHA256
351f41e22413860b33ddf85a2fa5dc2d1862ed70b17a2c12ece52a67f7ec33e9

SHA512
49df12810791a951198a6bd74b91fe522f48e9656a522e14c98815e3a33e7731af0a89b07c0e3ef9cf2eff6b85f1b71b449d9c5ef9183f628728cc0640b2b149

Download Submit
C:\Windows\SysWOW64\Ngipjp32.exe

Filesize
208KB

MD5
3892ac130c4d9767d376a756bb17a670

SHA1
da5ea70734254e44a8c8f4876deef489300652b3

SHA256
e3dd03a649aef56ce7a883edcfada0a3f73e203cadd91be9ba3ac5600b98300d

SHA512
6406aa0d5e1cbf92b927a17f95e29b747d80639da09dd89953c49d8200c5b2e5895aa27cab997a8c0522028071d29d09c386f87581a44a83a163fc503f670348

Download Submit
C:\Windows\SysWOW64\Ngklppei.exe

Filesize
208KB

MD5
471b8f34bf5c706ca1835c981a713387

SHA1
33252a89c4c82c82fbf23b98c2847b8a26d979aa

SHA256
703708270e4e8bf5c0ddcafe64c85490fcfba9d84ae95182efb13d6eec249ead

SHA512
d3966b038108a4f8b86f0e2fc7d5907dcfed78bc768bb88cd4fcd8d8b672cfb4a12cf4a56ad6cae50dc861d23ab84df1ed9981af6d6f7fb4342ad5bd41a5e2f3

Download Submit
C:\Windows\SysWOW64\Nhafcd32.exe

Filesize
208KB

MD5
5e269fe00e4c012fd2442b19bca4ed9a

SHA1
986699163ee175e37148edc2065789edff040737

SHA256
a4fa76feee023e5b8e774326262c58a9512333e8628a2b7197185ffc08f207ff

SHA512
2192dcbd914056c956fdf157f9d63cc1f5e18ddf41600327bc6865d28187be25d36dc39539671c5621c16e1f12c298c5df0c41c88ae83c712adc991916b22f4c

Download Submit
C:\Windows\SysWOW64\Nhhldc32.exe

Filesize
208KB

MD5
3a2c3e5d933a5adac6e4361cd06dbc01

SHA1
3963cbc9cd6d61d6dd3d58e26968259dda53f05a

SHA256
5d9444e2981e77885a0d73a062846a3a5fb3c291da6ee5dcb5adf21abad3f550

SHA512
97a8113426f97653f8cb00621dc9c5f87419869db9863bdaef66f51f061a5c64d5ffcd393de5fc751ee8be59f9ecf444c3447ef32b5333174a1070027503336e

Download Submit
C:\Windows\SysWOW64\Nieoal32.exe

Filesize
208KB

MD5
3a751d6c5c152bd1432166d9db5c84ae

SHA1
873ffa59adcb3d5f5709227b6563c844cf350a16

SHA256
11f19fb9ac1f1761351d12d4eb7165984ab1e36430829396b7eaa3fe9246891d

SHA512
f3768bd6e63381189166002fd6e856a891c28f78b9037df448b7b47156c1341a0f7f3ccc254ca3b5be045439ba329a77fae016e342dfbf200dc650e47bc66493

Download Submit
C:\Windows\SysWOW64\Niglfl32.exe

Filesize
208KB

MD5
f2fb6e8840420dacb34d5fd7a125de31

SHA1
cb8937aea084ccb11adede8b8a598180b343e414

SHA256
dd7cc377e9c12bea5481ded14713f0b61bf8e9f914407dff8546c9260623cc17

SHA512
e133da57124a40b4e20354c412095b490fd7dc679306df189a3dd94a958377072c021eb066dbb9b042ceee464af01a4387a2e4de14d4dfe728f79b65339fe005

Download Submit
C:\Windows\SysWOW64\Niihlkdm.exe

Filesize
208KB

MD5
1231dce0e4b1f8f085a46b6ebff59a82

SHA1
dcdbfdd62c98e4387e858006ccf9817b09fbf23d

SHA256
aacf600c0ec68489289ef7659c439f2b78143e86d8398b33bfd3714076fd61e6

SHA512
b67ee9905620452b5d8aa32c3030763abb3838b5e8f1ac596439a49c636c16a240d963a03df6d31927dc96c55838604f6867c061c742037c070c130aa2c71325

Download Submit
C:\Windows\SysWOW64\Njmejp32.exe

Filesize
208KB

MD5
6d9c7f2936233ea432fddab935244277

SHA1
2c8994b84fbfa7dfcbf90202557e5f9de62dbb90

SHA256
02ff12c4831f37ab91788bbb92a426fd3ca2ea54056aa54a7d1a3f6f26d3bd02

SHA512
1d2bb760caaac4dc84ae04307da1b4ea2de54cc8b76e23b805450ee0f297b617da029128666a974bea78d8dc4869f6bef19dbee9a992ec16ef3ed43de124b30f

Download Submit
C:\Windows\SysWOW64\Nkpbpp32.exe

Filesize
208KB

MD5
ee04df8738893d98e88dcb140c6c7eab

SHA1
9e13ffa1ce91ed5f60d1fba74e5b918303d3a60b

SHA256
309deb22e199d3c14120d0bc01a062e4125ce59843d2535ea2053a2bfad28a43

SHA512
d50fcebda67cad3640db99af1565414e812e90cc4ca9719f286781b44ca13d82d1f330d96c5290e8f08886518b8279d9843dcb206dbd2626f2c62ce5b7d400ba

Download Submit
C:\Windows\SysWOW64\Nmbhgjoi.exe

Filesize
208KB

MD5
65ac502c4ad6e0c7efe4bc629e541a46

SHA1
061bb32dff9a41ed072cdde58bf48262df57248b

SHA256
082867dc4223d9f7cdd55e923f1a51cb2d04f150c183208d9eee35a45ded9c9f

SHA512
1c94500eea651376beee73e6f23b26c47ede31415aad3f79b6ab4803181ab6a8a8cbfc4b65450a4b1fb0f8b22e30a751f85796006bfc5a889bb5e549fb40e834

Download Submit
C:\Windows\SysWOW64\Nmlafk32.exe

Filesize
208KB

MD5
b7dc83c374c5f75cd54335a5c411ae1a

SHA1
293eb90f617018a4cf819734fe9681981462f725

SHA256
845371f03b630a39c1291216d6ce3967f122ac300465fd7ad447de969fa057a9

SHA512
05efa20a0fed19e6c7031d6ff9040c69a2dc80d6a634dedbb9ea8c428136632e52e6dbb6a3777d7674a2b20c826c529725e64c2834fcb06e87e420c76b04eaa9

Download Submit
C:\Windows\SysWOW64\Npadcfnl.exe

Filesize
208KB

MD5
06097705ec29fc7d8c89bc7ea49bd6ab

SHA1
3f68d7ed2648e694cc6f0badd1c8ef08a0167398

SHA256
fa64e7b9251e67324f3fddfae2739223d68e229e6f3a05958f6c1e1971918648

SHA512
139d61ae320b06688b35b6f02e18342a20061c6ce7abac8fafbeff1b75661e1fbbb46dd5e22152bda2e2d3d69c6f011395d9764c3e00c71ed4937d27b6c2f95d

Download Submit
C:\Windows\SysWOW64\Npcaie32.exe

Filesize
208KB

MD5
b52963de2ddcf5bffdfc94a7c48c7f0a

SHA1
d2bd02f7521adb48338610b0a4d7df9cbcdb9385

SHA256
3b66428897bc90c6fa0c7629bb469ee96d51b7d0423efd22709c60b7f23df271

SHA512
d2e1d2e2e15bbe918ed7f398eb5b4697ffea8bb15ab735557b2d9b7057fc6ad2e3664e7aa0abe8f3a7b905c1089313ce1d124bec6da1720c4fa21d604cffe3dc

Download Submit
C:\Windows\SysWOW64\Npjnbg32.exe

Filesize
208KB

MD5
8e3b3a59d712df1d66169b406d540d4b

SHA1
2a618b978dab048b33f07665f6f3a78c0b9147a2

SHA256
5ba2d953df44321ff8d01a9314e26e5dbdd3290c117d07cefb7eed3bb3951cad

SHA512
7d17cf5bf153ee7360b8e8d6efa4058cf0f1cfdd1d8ce7c1aeb5f7558e85aabf18f6a9523e656e2f33622ab867bffdf382967b768a54e81686bcbd00a6e40c4e

Download Submit
memory/676-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/872-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/892-484-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-206-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1216-532-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1340-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1480-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1484-267-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1504-577-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1544-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1564-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1736-109-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1800-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1872-273-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1904-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1980-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2268-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2360-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2820-190-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-102-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2924-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2952-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2952-556-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2972-158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3144-86-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3340-174-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3600-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3616-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3684-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3688-538-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3788-601-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3904-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3916-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3964-508-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4016-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4144-126-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-570-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4236-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-182-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4388-496-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4424-253-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-619-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4528-543-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4560-502-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4720-304-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4748-478-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-490-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5016-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5032-230-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5060-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5064-545-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5124-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5132-514-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5164-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5204-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5212-520-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5244-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5276-526-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5288-346-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5328-352-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5372-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5412-364-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5456-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5496-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5528-551-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5536-382-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5576-388-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5604-558-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5616-394-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5656-400-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5684-564-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5696-406-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5736-412-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5744-571-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5776-418-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5816-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5852-583-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5856-430-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5896-436-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5904-589-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5936-442-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5968-595-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5976-448-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6016-454-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6056-460-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6088-607-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6096-465-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6128-613-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6140-472-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads