cc32dde33fb156125fe78d484a322c6dce1179c0a71ad1c3a74095b33cddcae0

Analysis

max time kernel
99s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71532c6e48561376056e57ed63c8b1a0N.exe
Size

93KB
MD5

71532c6e48561376056e57ed63c8b1a0
SHA1

6d03270480441a6b715e400ad4b1674b099f253b
SHA256

cc32dde33fb156125fe78d484a322c6dce1179c0a71ad1c3a74095b33cddcae0
SHA512

951337ce42752317564f2b73563f4e75f802d8ee457db26a16488bee6eb29b0ba6618b6b592c536bd54fe1deecdcf1453666592b3458a5516d6c04d7d14e01fe
SSDEEP

1536:rv44IUW4WVlvTxaKIb9PorOaZ67tHAu0XN11aQhJkiAsRQjeRkRLJzeLD9N0iQGi:B6XlvTEKImOaZItHUXN+QJeiSJdEN0si

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe

Executes dropped EXE 64 IoCs

pid	Process
4604	Meiaib32.exe
3576	Mmpijp32.exe
1432	Mlcifmbl.exe
2112	Mdjagjco.exe
4284	Mgimcebb.exe
4304	Migjoaaf.exe
1736	Mlefklpj.exe
2696	Mpablkhc.exe
808	Mgkjhe32.exe
4364	Miifeq32.exe
3144	Mlhbal32.exe
1396	Ndokbi32.exe
2668	Nepgjaeg.exe
4544	Nngokoej.exe
376	Nljofl32.exe
4452	Ndaggimg.exe
3396	Ncdgcf32.exe
4472	Nebdoa32.exe
2968	Njnpppkn.exe
1368	Nlmllkja.exe
2088	Nphhmj32.exe
1656	Ndcdmikd.exe
2108	Ngbpidjh.exe
772	Neeqea32.exe
1508	Njqmepik.exe
3816	Nnlhfn32.exe
4000	Npjebj32.exe
1916	Ndfqbhia.exe
4644	Ncianepl.exe
3336	Nfgmjqop.exe
2336	Njciko32.exe
980	Nnneknob.exe
2608	Nlaegk32.exe
448	Npmagine.exe
3464	Ndhmhh32.exe
2136	Nggjdc32.exe
2812	Nfjjppmm.exe
208	Njefqo32.exe
1192	Olcbmj32.exe
4924	Oponmilc.exe
3140	Odkjng32.exe
3920	Ocnjidkf.exe
4564	Ogifjcdp.exe
5032	Oflgep32.exe
3204	Ojgbfocc.exe
4420	Oncofm32.exe
1924	Olfobjbg.exe
4360	Opakbi32.exe
3924	Odmgcgbi.exe
1748	Ocpgod32.exe
2876	Ogkcpbam.exe
1344	Ojjolnaq.exe
812	Oneklm32.exe
1172	Olhlhjpd.exe
3124	Opdghh32.exe
5012	Odocigqg.exe
2172	Ocbddc32.exe
2604	Ognpebpj.exe
3952	Ofqpqo32.exe
1464	Ojllan32.exe
1232	Olkhmi32.exe
3300	Oqfdnhfk.exe
4428	Odapnf32.exe
3460	Ocdqjceo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	71532c6e48561376056e57ed63c8b1a0N.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	71532c6e48561376056e57ed63c8b1a0N.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6948	6720	WerFault.exe	266

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	71532c6e48561376056e57ed63c8b1a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Odocigqg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4604	2184	71532c6e48561376056e57ed63c8b1a0N.exe	84
PID 2184 wrote to memory of 4604	2184	71532c6e48561376056e57ed63c8b1a0N.exe	84
PID 2184 wrote to memory of 4604	2184	71532c6e48561376056e57ed63c8b1a0N.exe	84
PID 4604 wrote to memory of 3576	4604	Meiaib32.exe	85
PID 4604 wrote to memory of 3576	4604	Meiaib32.exe	85
PID 4604 wrote to memory of 3576	4604	Meiaib32.exe	85
PID 3576 wrote to memory of 1432	3576	Mmpijp32.exe	86
PID 3576 wrote to memory of 1432	3576	Mmpijp32.exe	86
PID 3576 wrote to memory of 1432	3576	Mmpijp32.exe	86
PID 1432 wrote to memory of 2112	1432	Mlcifmbl.exe	87
PID 1432 wrote to memory of 2112	1432	Mlcifmbl.exe	87
PID 1432 wrote to memory of 2112	1432	Mlcifmbl.exe	87
PID 2112 wrote to memory of 4284	2112	Mdjagjco.exe	88
PID 2112 wrote to memory of 4284	2112	Mdjagjco.exe	88
PID 2112 wrote to memory of 4284	2112	Mdjagjco.exe	88
PID 4284 wrote to memory of 4304	4284	Mgimcebb.exe	89
PID 4284 wrote to memory of 4304	4284	Mgimcebb.exe	89
PID 4284 wrote to memory of 4304	4284	Mgimcebb.exe	89
PID 4304 wrote to memory of 1736	4304	Migjoaaf.exe	90
PID 4304 wrote to memory of 1736	4304	Migjoaaf.exe	90
PID 4304 wrote to memory of 1736	4304	Migjoaaf.exe	90
PID 1736 wrote to memory of 2696	1736	Mlefklpj.exe	91
PID 1736 wrote to memory of 2696	1736	Mlefklpj.exe	91
PID 1736 wrote to memory of 2696	1736	Mlefklpj.exe	91
PID 2696 wrote to memory of 808	2696	Mpablkhc.exe	92
PID 2696 wrote to memory of 808	2696	Mpablkhc.exe	92
PID 2696 wrote to memory of 808	2696	Mpablkhc.exe	92
PID 808 wrote to memory of 4364	808	Mgkjhe32.exe	93
PID 808 wrote to memory of 4364	808	Mgkjhe32.exe	93
PID 808 wrote to memory of 4364	808	Mgkjhe32.exe	93
PID 4364 wrote to memory of 3144	4364	Miifeq32.exe	95
PID 4364 wrote to memory of 3144	4364	Miifeq32.exe	95
PID 4364 wrote to memory of 3144	4364	Miifeq32.exe	95
PID 3144 wrote to memory of 1396	3144	Mlhbal32.exe	96
PID 3144 wrote to memory of 1396	3144	Mlhbal32.exe	96
PID 3144 wrote to memory of 1396	3144	Mlhbal32.exe	96
PID 1396 wrote to memory of 2668	1396	Ndokbi32.exe	97
PID 1396 wrote to memory of 2668	1396	Ndokbi32.exe	97
PID 1396 wrote to memory of 2668	1396	Ndokbi32.exe	97
PID 2668 wrote to memory of 4544	2668	Nepgjaeg.exe	98
PID 2668 wrote to memory of 4544	2668	Nepgjaeg.exe	98
PID 2668 wrote to memory of 4544	2668	Nepgjaeg.exe	98
PID 4544 wrote to memory of 376	4544	Nngokoej.exe	99
PID 4544 wrote to memory of 376	4544	Nngokoej.exe	99
PID 4544 wrote to memory of 376	4544	Nngokoej.exe	99
PID 376 wrote to memory of 4452	376	Nljofl32.exe	100
PID 376 wrote to memory of 4452	376	Nljofl32.exe	100
PID 376 wrote to memory of 4452	376	Nljofl32.exe	100
PID 4452 wrote to memory of 3396	4452	Ndaggimg.exe	101
PID 4452 wrote to memory of 3396	4452	Ndaggimg.exe	101
PID 4452 wrote to memory of 3396	4452	Ndaggimg.exe	101
PID 3396 wrote to memory of 4472	3396	Ncdgcf32.exe	102
PID 3396 wrote to memory of 4472	3396	Ncdgcf32.exe	102
PID 3396 wrote to memory of 4472	3396	Ncdgcf32.exe	102
PID 4472 wrote to memory of 2968	4472	Nebdoa32.exe	103
PID 4472 wrote to memory of 2968	4472	Nebdoa32.exe	103
PID 4472 wrote to memory of 2968	4472	Nebdoa32.exe	103
PID 2968 wrote to memory of 1368	2968	Njnpppkn.exe	104
PID 2968 wrote to memory of 1368	2968	Njnpppkn.exe	104
PID 2968 wrote to memory of 1368	2968	Njnpppkn.exe	104
PID 1368 wrote to memory of 2088	1368	Nlmllkja.exe	105
PID 1368 wrote to memory of 2088	1368	Nlmllkja.exe	105
PID 1368 wrote to memory of 2088	1368	Nlmllkja.exe	105
PID 2088 wrote to memory of 1656	2088	Nphhmj32.exe	106

C:\Users\Admin\AppData\Local\Temp\71532c6e48561376056e57ed63c8b1a0N.exe
"C:\Users\Admin\AppData\Local\Temp\71532c6e48561376056e57ed63c8b1a0N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\Meiaib32.exe
  C:\Windows\system32\Meiaib32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\Mmpijp32.exe
    C:\Windows\system32\Mmpijp32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\Mlcifmbl.exe
      C:\Windows\system32\Mlcifmbl.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        30⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        31⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        41⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        42⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        44⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        59⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        63⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        64⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        67⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1404
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        78⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4836
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        84⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        97⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        98⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        106⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        107⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        108⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        109⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        111⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        112⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        113⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        115⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        116⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        122⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        123⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        139⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        142⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        145⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        146⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        152⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        154⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        156⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        157⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        158⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6648
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        160⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        161⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        162⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6932
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        166⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:7064
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        169⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        170⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        173⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6452
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        175⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        176⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        177⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 228
        179⤵
        Program crash
        
        PID:6948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6720 -ip 6720
1⤵
PID:6896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amddjegd.exe

Filesize
93KB

MD5
59b3aa60d8e8982c1f6271be10b4d7d1

SHA1
a03f530a3f75778eac05b0efa3ad9b60ade0fd16

SHA256
d8931c910f136a1b162216f30b6947cf349434f291ad596419409aeecfac8d7d

SHA512
f8fb3cfb59e94c1317a73ef0084b4ab2524e197371e8963132cbe4ad265075a985ba7a9a3d715b626735918e2eed327b9ef48d048348538f2cea535699c8919b

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
93KB

MD5
7a25769c9804e1404879c740014996c2

SHA1
f0d8bfb93aebe63b694c942e9ac73d890aee64d2

SHA256
9ef5b99d8a07bb6a392d84817fec5d4c9cb08e4a13e2b1d5f896fd945932b691

SHA512
3340a590c6e1af8b0d6734215e78fb3a1b263c6584e775ea6f3e5d62b20d3521afbfe5dd0235838343ce607823e33be42477ec509f01244b2706ba9435e5b5e8

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
93KB

MD5
75e4d145a60df9ce8782b610ded60fb0

SHA1
46fcbd610b3df65502d6f9a2b727d96a36d3802d

SHA256
3ffaab2f364d9c14dc65d2308df8fa7b6197d58562b51892eecabc622f2c38b3

SHA512
c6d7aeba0dd8f3aa883d49993dd6b5c02312c04bd77ba5f5ad1ef2d9eea54833530c93b92d362a012d09eb4597e5f410145a51a200af31ba9ad1ad134345cc4f

Download Submit
C:\Windows\SysWOW64\Cmlihfed.dll

Filesize
7KB

MD5
811d6a383150065c78450caa68a01c4a

SHA1
a05421d29cc6fa8ad44f039ceb621a24dab39a57

SHA256
3a6b958c6544ce8a36a4fb944a75e84e4100ae5683c3f6ef5458e756cb693cda

SHA512
09996557b7d8179316b070abcceb5746ef267accb6e5cb7ca88e872ee32cacbd161540ad6b98a0fa825108e2aac5a2fccd547952542ee1942e3afff6680aaab4

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
a81c2eec4a9f88743551d3449d0c3d46

SHA1
0f76a55ac5dd86bbecd846f78cb6528750538015

SHA256
1679145f71e611fd61576f90724b4bf7e895b7f0e0e31297bfed9a7037dcf0e1

SHA512
e53e204e284a7e47a61e43e8657c2809e922adcbbc98931f4bd572c22e147c396bb58e41ac29ff828fa7ee1dec6312d16523666498538fa7df7e625dfdf61b28

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
93KB

MD5
9ca060131eb461df9626a288973d3197

SHA1
39d83833811c6f93ba41ee6859ef2f5b9991ab59

SHA256
a0fc7b1c01d89e77ab536c0260ad458a07fce92a27ecfaef5db7859920be556c

SHA512
66eff096ea6b196c18acd6c97d9565bbeb6dd9fe986b8d41fd970d03c4b26c7d691cc4360c2ac7feea6456a9c90adc7c5fb44b8366bc33bdfa1afe1554731fed

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
93KB

MD5
cbdf294b0be7c6a9dde297f8bb2efc10

SHA1
002a270a9d57aec53f39fbb1d43a0feaed85f76c

SHA256
3cb976c2299101aaa2932e1df5f0a999f6c922bfbbd216d27cba7166da638f1a

SHA512
b7092027d1d3fbcfd5817cb29aff78a9ca3e0262544844652e3cebed2f0c75ed8b7712026eacfa87effaa5ed72ea9f9af3eade8799a17e294cb9929828a12415

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
93KB

MD5
36ba4756faeb408ed2e492265d56b493

SHA1
0cf7f641338337d91a3647bdc579c96ca9f4cb13

SHA256
1fe353275d1be76bee33a6f4f674f30d4fee2a42aa2efaec12ff0185ea4157bb

SHA512
5ba2bd5a8b207603a3611763f996731dda8ae3f3548c5ba3e1a6a8b306599801902a812e8c28a3d0c8960f89af60aaa961502e78b90eea91f59fde57c0c16ad0

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
93KB

MD5
27859591a925b93b244cb74a3d0e57f6

SHA1
6177dbb8455154b17c4d238c2f8b44f07f8be5f3

SHA256
82edf085b036890c0eda58f42dcf0fea66622205c8a0cbf9d08d233dc148d24d

SHA512
d61f4dae1ad07689e3e1c90af936542ed1a598f29eb1fdd8a2649ad71312500e35a4ed533743bfced655cde3e80d9797bc6675599d6d5fe59157a0136f248546

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
93KB

MD5
e3b6f20bb557adb938fe3b648aefc952

SHA1
73ef492b3df8094f70b2f008aeed6ba0314a035b

SHA256
351e266865b629c3f36e993576fc9f05fed6a733f83d0f44c45763cbc51f5f7d

SHA512
809d2d3ec0441dbb0e1728ff5a122cbb0a7c0865bc1479b0f59ed3cc631642141acad64d7dcf762ceeea3186a77fa11fb08fb1810c62a4d0f7e8d98924a032cd

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
6f6a1392ee76447b1bb74b429fbdeb91

SHA1
886a081a68388584d8511d82ba3158a02b13a40c

SHA256
4bb35241b8c69bff54a8c04e006bd7af21438a3c0ed5c2d7785d2e07d103dd39

SHA512
2d088d621a1ca99f7ca54ab4f8bda0bd6b3061a6f61165caaca7a0c2d1334f454cc3708138a80f37bd16ef7c9f71ca221739a219dcbc0c8244103f80b3da4845

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
93KB

MD5
2f9eb916e1b51cd00eb14f247e495070

SHA1
98a0e61545a4b2e45ed59c637b297b0a1af0603a

SHA256
6e8c9f059dad818a246c470ee411cff0ce859aed0010f1e297fc7b1c05e002b1

SHA512
e9be1fcbf022ba7aec77e0ac99aa8a1eb4e2c2992d9087bf056567b45b021f6bd2abdc29261cbf768b2c13e2409fbf20a51a0e20a32d04882b0268d0a435efc5

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
93KB

MD5
0e01a3eabe78ff1b391b2722d2b8ad99

SHA1
0bc1e89a38b715fbbe46640a788314e4ebdf25d0

SHA256
e1ca75aa699e07afe294c511d5fa53d398a12859a06faa6769d88a0b54201a8c

SHA512
44b4bc8e2f7b72cf97dd933ac2131a4ddfbc76512dc7a974e1da83a7a63cb43ebb6228a8fc308688176911082cbd6ce0289876f6309be5eb6d176662b02a4a84

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
93KB

MD5
5391b59856387997a3e6d56fd2f9fd81

SHA1
444329f717c3fe5ff49b89d06550ce2029c72e27

SHA256
573a547f89ca169ee10812c664ee6a0e037bc706d5715dbea4f3e521ba658860

SHA512
7cc3adaca31e7ab3a3dfe5d3bd27ccc4e2b8868e804eb5d041becbc7141ea601ce7673fa808eb46d7a9780d32bf98d7018bd8b985e32da905d23bee6a9e55988

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
93KB

MD5
b719e99a499fffbb62872add649afa10

SHA1
3b3dcc13ddc8d33515a715ace7b03f0e96c20754

SHA256
f397f93fa7c910b0d02cf202252906601d7687d1fccebc300944b0980f1c243b

SHA512
3ab38b8aa1ae5220399211660f9827231e469b8dcc404f9166ef883b79624184e3ad07e8853d0a7895d69e75cdf6851e4923e3ea5eb1a601183c39c528b9feb2

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
93KB

MD5
3aa36308b74e1766a654974f32e077e6

SHA1
83d07f1cbebdbc226bb431cdd967c7e4e84a0f25

SHA256
90fea87f1d2a11cad9130a7fe506f380b8e40e1f05e3bcd02f466b2ef6960ad3

SHA512
d281552dfb57f9564d60a9834f5a907e539bc1dc4451e580da46b82d0d11bda4eb3205075381aa5531bb494ddfe341a3a4fa6a5783ccce00e7a2fc91f0e5a2f7

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
93KB

MD5
9e9cd052f9c2731ca2b8473d4f4ca4a6

SHA1
4eb5e1eb65d79cad2ecd499939223fc3b4e29eab

SHA256
ec695f13af6ee315a06b0b165711753b2c146ad8ccc53c898a085e1becbce126

SHA512
b9daa2343d5e1658ee7ffe446f33df338de6c24ae254bce11a2142a90d3ef5d3eb6cdae7fe77c68f445d2d3d18d615e498022aa3d2c26755ee26e9bd88d75607

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
93KB

MD5
a7a04b9751593ab8150951f76228f4d8

SHA1
53de3e29ea0840888599725feee6a681944ed348

SHA256
ee642ec74b78fc0ed9f9f39941e110df59a1f9326cd5c70ec533cfa152e1d0fe

SHA512
1e64ae163deed732f040ec49d3cf9ebb2e54fe91cefd0c2d0c4c4f41a88ce674b72ca95b58aa11debc6f797a5da21ddfe2c6b5f14845486fa96d3db3cba406b4

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
93KB

MD5
27ae0ce1e784300a6987beafaa506298

SHA1
9544bb75a1283d1e577335aa2b7c28463959115c

SHA256
e98e8aa43d7efd8ad4dcf5691cc3a5a7e988641640e25e4ff8469542db246cd6

SHA512
ef24729ea863551d47a03c65b04b7b9f089bf498fa23111dc3534aa6a44ec2e28ee8bf13ebb224ba6e6b1f34708efa2b2c82bb558a526ba056b97f8cab209f2e

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
93KB

MD5
d585a3de6622cd0e7f383fb15a79811f

SHA1
ac0b50f722d07200773c6770146131cbfed3cdb7

SHA256
5b2086c5028e993977143d677b48ec31e2f4ed0496f6ddd77eee07e5f09a11a2

SHA512
f9a1e080ec2d5bba07205fcef0012a391ccc1dc874780833d4f7ffb70f12dc03da357a79cb5fd37bf5177f2c85614dc24e6e7cbc7a6c80049806835f2a2266e5

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
659ccae6fe9a7c43f0b97557544a4361

SHA1
bae7e8d22d669bf90451de728135160453a680b1

SHA256
6f41ab8bec0bd9f9d4024cdef34dc37fcc69ba8279eb9ac9e54ce77829f70d54

SHA512
d53fd47b8b19fcc989e2a076cf6607ed1f5b9cb7dcb71cb41370a981a10feabbed522d435749a48429b2ef301dc3b79aa1ddf4ce0ab59bd9a65ce35319797f5e

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
93KB

MD5
a4e3e729fbf71a480fdbf77e5e299905

SHA1
5f427e71e65c056fe4ef04b3d1347ac9231cd4b0

SHA256
dd3cfa7cc15dc1de63eaa008e48cb2fae0c543e4a23ca9cf814c6d03ad110f66

SHA512
ecfa25b336f323ea4cd19d87a7c2fe4cd76e2d7feb2db8c4b431866a2f5ec4a8ebcc4817caccb85c4ba02741944c5b74b22a5424ea8b815b135491b9ffa4eeca

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
93KB

MD5
f5bbe3baf90a0a1ea4371cb716f83802

SHA1
4a4f04362b58d0ce767062f0b6f197fc29ef5ea6

SHA256
db556a9a3fca01b12e7fec18b64aa5f44f36feca4ca8cb738cdf7af24cacc475

SHA512
cc51a7325a7321a301c02b6681bba057e51f7541c885a1d9bdf36305ef46947fcc13aeac53d0197130b0fa65fa77c3ffa9a486e1cc999d4c8d9dec1297953d9a

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
93KB

MD5
63ad8537186fc48bdd02e71d1b7b5094

SHA1
ef41231033d6929693f345ac7d5ce59b1669ed7e

SHA256
1156ded0ca66ac7dc49534d096d160d6f5139accfa1c6b0685fb237df29b588b

SHA512
65e07eca5414de64ac1f2547d0e43fa1bdfdc949dd85ce9d720e6f43df4bca5c727d59a5c4008614e3a511b4f61661d87e49f5815e753dd3fae4710ca78a03e0

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
93KB

MD5
7b57964f4fdab5dd5c8475f40a4d935a

SHA1
f63a04b179ab0238cc2444973c4676a90730677c

SHA256
8ab40887a656216188f393676eec3ccc2fd64b609a50d2e0b20a3ac83f501080

SHA512
fd4da931182aa3a2ff96092d67c82f4b567526e098738685562f255e391c2dffca651f456bd7d93fa98d8d647d0bf5ddfe6063d38fbcdcac400f3ca7339643ff

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
93KB

MD5
dc40e4f57498c4bd16269052f628d039

SHA1
b8622a423d49c7d5bc922ebf7c1879dcc9a9f8ac

SHA256
b2ea70647561680059d018778fbbd5252d4ff7054831a4de2e30f9c54ff458a5

SHA512
e494dc8eff6e6c342ba30175108c19add87f95cc88c945781b2b3ed0184402cee02870599705de612dda6f876df0b2b3a5a0cf1a38c0ac9e0f9a0cc391bb1b7c

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
93KB

MD5
cf75a357c761a0d7dcf49f074b096d89

SHA1
bbb36cebfada156bcb8bad2f1da307f77917f41c

SHA256
197e6ec6d8816874fac9aac50f5688025f12c30345f60e9944d8836210465f8a

SHA512
b454527ac91f80737ee3c0427cfd68a85b64837108672ba8a6894895af3269c2bca9ba9d4caea58e218a8d6c3782d90c09b27b43edb079b577ed859e5732aab2

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
93KB

MD5
7355ff1a2b5ee072ece5a0f9ec23de10

SHA1
39e00eb8dfe825c7592c6204fb0ed6543892ff52

SHA256
e313867024f6fea5ecdeba9ad66d0897de26a1d7ceb30623f5854a594aa4f53e

SHA512
c21de9542ee46f7236d16c61b062dcc7f47d2eccda69870471804a75f5e567ec11f6ce89e80941ebb3b87bbbc8712f6b321328e6b0bf0179c35d63400b2fa1c0

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
8ec56a760024590186c37b2b704d208c

SHA1
211574a05986d21e8e81400d40ccd34860191b55

SHA256
fc769a34a0f8a07bf2ae2334a373d009ec35d2a01dddac9607789e5f5267a3a3

SHA512
e4b3ae89e6c4b965c651cc8c02bcf938058ca13dca397a1b29b95ecfd1df387969af377dbac02791c062fb9e761de862df6b0655dcd5301a737b65ef23c191d4

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
93KB

MD5
09e35e3fda0b17505eeaf93cc95e5e00

SHA1
666ea068f6658ea81f05d28d677fffc75b98d2c0

SHA256
5f026936eb41f7c3c0868c7c355ba48349c267d21a3bc8497c965b392b74a709

SHA512
f6432b595a0acca585b9e30f935c73062d4df0fa7b8920e505d53f9b46482960e32b442943932a078b5a46360e32d484b8b90d894817dc540c17d4d6b54832a4

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
93KB

MD5
76c5bb29c12677715470568bf2473e87

SHA1
f6a3dbc393d486ec5b4bd1f0d688e0aa432b3539

SHA256
24e5f586c36e7c7bd09069ef14d70cc4da8460a00f5fc741e0aab25199df026e

SHA512
dfedfb0eb15d18dc5dda5a71a9282742ab4f1432dce02441872b18628ee70af62f83bfe321ebcdd6a7de7aba08176c312aeb91aecdf0f717fbbfc3e0b5219eab

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
93KB

MD5
171076f46faa9278c2a571c2a422f9d7

SHA1
a6f2fc6a89cf7b44daa74a3a3c65ac29be2b797c

SHA256
fe820598b7cd63ae5e80f0ee7571097cdf1b085be5a46511c30c00fcd7daa2ea

SHA512
028d3fa7ea9716d428c2f415abc2207b51a37836438155eaeb0cb539deda11c4511731fb00d50d1c6003d08daffac7b416543ac3d36dd82fb77e34eee743d927

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
93KB

MD5
2bc292bd12bf1f54929437d1ea075287

SHA1
9c1f6f9c45d03db29996e78600d4da43ee278685

SHA256
47c2a0e85ba7111fcdcf90b3c9c68beabb9e46ff549a02e59e4718cc36da932c

SHA512
c2ca1cc27f20432cde0da43d58b0764d9172f830a37874c35e85644aca5442d9cec3dc2a9d52f66a2501b3a2b99d955f6203cc8a282d0421279b7bf8589b197c

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
93KB

MD5
515b7154a08c95ebd2bbf3848e25e5a8

SHA1
56f398d181ea5b3b7ccff9da5d28a404c057c922

SHA256
ff10caee3e74b6f7ae71edf476b97eb61ecdba1425f41cb0f50dbc378b8bfc4f

SHA512
0081575e9d58ea35af156711753b49a8cdcb22d3fd97f14b7b4c6b37fedbe2d136c7cb21a97870df1d1442a5e8cf678dcfea2c8d3b5f50e33cabfcf231e062fe

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
93KB

MD5
e2ce7a6b97831e2b832f24bc54507c0f

SHA1
8d36c1d95e9df102fce9671223271b1021668f70

SHA256
67723aad68889b7ed912719d49c1de1593f08dbeaa169f67435a3a2908bbb871

SHA512
dfc043dbeabf407c79bd7fa9e596f50e0fe1b9a9227e41b236e24e857e4356049363bfb23872438fe0fdc04dfbc081f15d76267fb4e4163e46cb357690cb51af

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
93KB

MD5
ddd023c163bf29c005c40cbb96e7f743

SHA1
c4e4adff2a421018fe539cfeb612f7771f059ffe

SHA256
40b2f592aefd2db4f709fdd4be521b0e6608591dc3d42be604886bfd3d369d06

SHA512
0667e9f81ee45481cdc125fdc3baef3fa94b45b90693a8eb838ee0e96488e211560cabd065f381ecc8f227bf1972d26cff601fc318dff16fa72254d5657b4730

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
93KB

MD5
cabd43bba982b563b4ae87266b43c2e2

SHA1
9f8993c884795f33c9a65dbb416499bf114a474b

SHA256
8f6d77621d9946fcadf6363ac00518c81a0b6914774bdca79f4b555a19deca35

SHA512
824edf6f499e40d79ce1a0172d8ce760ebdad030b4ead7c24bb180011c21e0ccf9e3e8be11c7177fb5736b511fd24a9dd807229ffc1b62379765c2f8fa4b2c09

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
93KB

MD5
f20929f96b060e605ef93a5ef5a054f9

SHA1
d5cc8e71f1654c369783f04101edaadf4f4aa458

SHA256
30acd670295201c2c6dffd4d750da8e39f63c1cb5c1886e5bd488f0d597ab080

SHA512
5e277f837482c79ea46606b4873eb8b77fb095a73575b77c6edc22cccb21dabd40712203084b595f6e30006d51d425c7f97f07edd065ad4fe8e154442c2e63a0

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
93KB

MD5
a3d1cf5ceef64a7031932be76ed4d4df

SHA1
fbf17570e120f1aa76ae1871a4b3349abe41823c

SHA256
d27457375ab2d805e077bb28a291cacdcb53ff63312075acb9ad16e07c20551a

SHA512
689364c660eb832f923a092c0aff8fa5719574f861c9b4005879d28df174b3f7f817a8bbed3f6d2a82a671f729dc4be264c800dd0e9b254ee36a73d9c23150da

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
93KB

MD5
f0736a73a7473d2ec2e2ac9901bd80c4

SHA1
e9dd50e513e3fddbab1af1d63bcd1e28cb61e1a9

SHA256
3c0818f57f9630dd31921add09e6e4eadc68fbab6d8b7c0a77051fec02dd5943

SHA512
1ca0bc072ffe2674a449f204ad3c644d3ada24e8072c69b9f6dd3b15d5cc40e51178df86a68850ba2f52bc75a2a255e2e27f603998414798f8929ee8b442f110

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
93KB

MD5
507c9f548824a35a6aaa6039ad3ae450

SHA1
d3b726e71c66c1274ebf1edc542b606a19257cde

SHA256
cf386b7ef951e83271518b340401a3051a4aa34b555401014d4746807aa529a2

SHA512
022de3b387698b27ec31f0d9100a045d91405f00970b76c5f4bd3fcd5a592811bd5906dfadb19c2beef19067fcb00420f17b8c2bc21c4f9ceea04401ded03bdd

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
93KB

MD5
0e3e42f1c02c045ecbfe5631b905f16b

SHA1
289be82bdce24f03c22aaace6bbfbd001608b9b4

SHA256
5ba3a9345e60465e4cbcdd52053b16d14dec890e496824fa036601dc05e355c0

SHA512
70c2cea1b5bd7b1a6f93da9b65722e58d8e89993b79f4aa4e1219576342c2202f405312fadd4b957309213fb09eab45e98cc36ff887b0f0b3e46d37d105c7d03

Download Submit
memory/208-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/812-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/980-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1368-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-531-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-537-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3144-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-530-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-536-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4428-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-517-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads