fc0c817f4dcae4bced2b2461e64a16083625914668a45279c2d32e19d2d0d321

Analysis

max time kernel
99s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49cb37f9928f9db26427aa90c8767b20N.exe
Size

109KB
MD5

49cb37f9928f9db26427aa90c8767b20
SHA1

f3eff7b9bc9a6c1857a9527d8f6495e643360955
SHA256

fc0c817f4dcae4bced2b2461e64a16083625914668a45279c2d32e19d2d0d321
SHA512

4cdbef0d7f768aec7c2d2488a5cdc03eb6c5c2b8e76db5ed9c4c11229f7a6650c869e2a727ddfa45d44a620a21e37c8ef2b950425361ad56fac7546ba29cf453
SSDEEP

3072:rSXPTDFlQFk2Fuq3Xn9J9cLCqwzBu1DjHLMVDqqkSp:ivFlJ2P3X9J9kwtu1DjrFqh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe

Executes dropped EXE 64 IoCs

pid	Process
968	Mlcifmbl.exe
3576	Mgimcebb.exe
4948	Mmbfpp32.exe
2060	Mpablkhc.exe
4284	Mdmnlj32.exe
4428	Menjdbgj.exe
3708	Mlhbal32.exe
2348	Ndokbi32.exe
3332	Ngmgne32.exe
4316	Nngokoej.exe
2556	Ndaggimg.exe
208	Nebdoa32.exe
556	Nnjlpo32.exe
1140	Ndcdmikd.exe
2976	Ngbpidjh.exe
3152	Njqmepik.exe
3300	Nloiakho.exe
2900	Ncianepl.exe
2616	Nfgmjqop.exe
4548	Nnneknob.exe
4568	Ndhmhh32.exe
1492	Nggjdc32.exe
3512	Njefqo32.exe
1752	Odkjng32.exe
1272	Oflgep32.exe
3816	Ojgbfocc.exe
4408	Odmgcgbi.exe
3620	Ofnckp32.exe
4352	Olhlhjpd.exe
2624	Odocigqg.exe
2272	Ognpebpj.exe
2316	Onhhamgg.exe
4576	Oqfdnhfk.exe
3032	Ocdqjceo.exe
4784	Ofcmfodb.exe
4700	Onjegled.exe
3328	Oqhacgdh.exe
4924	Ocgmpccl.exe
4680	Ofeilobp.exe
388	Pnlaml32.exe
4208	Pqknig32.exe
4176	Pdfjifjo.exe
1656	Pfhfan32.exe
2520	Pnonbk32.exe
464	Pqmjog32.exe
1784	Pclgkb32.exe
2748	Pggbkagp.exe
428	Pnakhkol.exe
1440	Pdkcde32.exe
1340	Pgioqq32.exe
516	Pflplnlg.exe
1652	Pncgmkmj.exe
1768	Pqbdjfln.exe
2144	Pgllfp32.exe
4060	Pjjhbl32.exe
2604	Pmidog32.exe
3184	Pdpmpdbd.exe
1888	Pgnilpah.exe
3080	Qnhahj32.exe
1996	Qqfmde32.exe
868	Qgqeappe.exe
3920	Qfcfml32.exe
2912	Qqijje32.exe
2220	Qcgffqei.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	49cb37f9928f9db26427aa90c8767b20N.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	49cb37f9928f9db26427aa90c8767b20N.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5260	5936	WerFault.exe	208

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	49cb37f9928f9db26427aa90c8767b20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 968	440	49cb37f9928f9db26427aa90c8767b20N.exe	84
PID 440 wrote to memory of 968	440	49cb37f9928f9db26427aa90c8767b20N.exe	84
PID 440 wrote to memory of 968	440	49cb37f9928f9db26427aa90c8767b20N.exe	84
PID 968 wrote to memory of 3576	968	Mlcifmbl.exe	85
PID 968 wrote to memory of 3576	968	Mlcifmbl.exe	85
PID 968 wrote to memory of 3576	968	Mlcifmbl.exe	85
PID 3576 wrote to memory of 4948	3576	Mgimcebb.exe	86
PID 3576 wrote to memory of 4948	3576	Mgimcebb.exe	86
PID 3576 wrote to memory of 4948	3576	Mgimcebb.exe	86
PID 4948 wrote to memory of 2060	4948	Mmbfpp32.exe	87
PID 4948 wrote to memory of 2060	4948	Mmbfpp32.exe	87
PID 4948 wrote to memory of 2060	4948	Mmbfpp32.exe	87
PID 2060 wrote to memory of 4284	2060	Mpablkhc.exe	88
PID 2060 wrote to memory of 4284	2060	Mpablkhc.exe	88
PID 2060 wrote to memory of 4284	2060	Mpablkhc.exe	88
PID 4284 wrote to memory of 4428	4284	Mdmnlj32.exe	90
PID 4284 wrote to memory of 4428	4284	Mdmnlj32.exe	90
PID 4284 wrote to memory of 4428	4284	Mdmnlj32.exe	90
PID 4428 wrote to memory of 3708	4428	Menjdbgj.exe	91
PID 4428 wrote to memory of 3708	4428	Menjdbgj.exe	91
PID 4428 wrote to memory of 3708	4428	Menjdbgj.exe	91
PID 3708 wrote to memory of 2348	3708	Mlhbal32.exe	92
PID 3708 wrote to memory of 2348	3708	Mlhbal32.exe	92
PID 3708 wrote to memory of 2348	3708	Mlhbal32.exe	92
PID 2348 wrote to memory of 3332	2348	Ndokbi32.exe	93
PID 2348 wrote to memory of 3332	2348	Ndokbi32.exe	93
PID 2348 wrote to memory of 3332	2348	Ndokbi32.exe	93
PID 3332 wrote to memory of 4316	3332	Ngmgne32.exe	94
PID 3332 wrote to memory of 4316	3332	Ngmgne32.exe	94
PID 3332 wrote to memory of 4316	3332	Ngmgne32.exe	94
PID 4316 wrote to memory of 2556	4316	Nngokoej.exe	95
PID 4316 wrote to memory of 2556	4316	Nngokoej.exe	95
PID 4316 wrote to memory of 2556	4316	Nngokoej.exe	95
PID 2556 wrote to memory of 208	2556	Ndaggimg.exe	96
PID 2556 wrote to memory of 208	2556	Ndaggimg.exe	96
PID 2556 wrote to memory of 208	2556	Ndaggimg.exe	96
PID 208 wrote to memory of 556	208	Nebdoa32.exe	97
PID 208 wrote to memory of 556	208	Nebdoa32.exe	97
PID 208 wrote to memory of 556	208	Nebdoa32.exe	97
PID 556 wrote to memory of 1140	556	Nnjlpo32.exe	99
PID 556 wrote to memory of 1140	556	Nnjlpo32.exe	99
PID 556 wrote to memory of 1140	556	Nnjlpo32.exe	99
PID 1140 wrote to memory of 2976	1140	Ndcdmikd.exe	100
PID 1140 wrote to memory of 2976	1140	Ndcdmikd.exe	100
PID 1140 wrote to memory of 2976	1140	Ndcdmikd.exe	100
PID 2976 wrote to memory of 3152	2976	Ngbpidjh.exe	101
PID 2976 wrote to memory of 3152	2976	Ngbpidjh.exe	101
PID 2976 wrote to memory of 3152	2976	Ngbpidjh.exe	101
PID 3152 wrote to memory of 3300	3152	Njqmepik.exe	102
PID 3152 wrote to memory of 3300	3152	Njqmepik.exe	102
PID 3152 wrote to memory of 3300	3152	Njqmepik.exe	102
PID 3300 wrote to memory of 2900	3300	Nloiakho.exe	104
PID 3300 wrote to memory of 2900	3300	Nloiakho.exe	104
PID 3300 wrote to memory of 2900	3300	Nloiakho.exe	104
PID 2900 wrote to memory of 2616	2900	Ncianepl.exe	105
PID 2900 wrote to memory of 2616	2900	Ncianepl.exe	105
PID 2900 wrote to memory of 2616	2900	Ncianepl.exe	105
PID 2616 wrote to memory of 4548	2616	Nfgmjqop.exe	106
PID 2616 wrote to memory of 4548	2616	Nfgmjqop.exe	106
PID 2616 wrote to memory of 4548	2616	Nfgmjqop.exe	106
PID 4548 wrote to memory of 4568	4548	Nnneknob.exe	107
PID 4548 wrote to memory of 4568	4548	Nnneknob.exe	107
PID 4548 wrote to memory of 4568	4548	Nnneknob.exe	107
PID 4568 wrote to memory of 1492	4568	Ndhmhh32.exe	108

C:\Users\Admin\AppData\Local\Temp\49cb37f9928f9db26427aa90c8767b20N.exe
"C:\Users\Admin\AppData\Local\Temp\49cb37f9928f9db26427aa90c8767b20N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\SysWOW64\Mlcifmbl.exe
  C:\Windows\system32\Mlcifmbl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\Mgimcebb.exe
    C:\Windows\system32\Mgimcebb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\Mmbfpp32.exe
      C:\Windows\system32\Mmbfpp32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        24⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        28⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        45⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        58⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4596
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        70⤵
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        85⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        93⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        97⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        98⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        109⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        114⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 408
        123⤵
        Program crash
        
        PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5936 -ip 5936
1⤵
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
109KB

MD5
8ee843d0a53013eed1edb6650408727a

SHA1
0e4b391b9a09c548fa398f435fcc51e75e0f4ec4

SHA256
505963f554bfd9266da99a8fc357b3ce201764f209509bfeec8fef982e59d6a7

SHA512
5e871050b0d47a90840c6442114269edbe03166a03baed09a76ba65c7b825b72d383b7a9135f534770771d78aee08828c29022d403b9ed0f7ac8fe107722bd82

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
109KB

MD5
b70ac47c2a915052f5029b9907f69714

SHA1
4b406e8e4a0d085b1b2bb5a55d6fcc4a0bec71a1

SHA256
f447e2e4d1b26fefe9522fa432549fe917fc0877c756aca3e4427944cde8f6a3

SHA512
9c7695804069340e3f9d9215e98bef49b9e296918ae5dfcb151445c8261a01d845f44478b6ad0711f4373fd5d9294134f131fcd6672004d4b565032dec2d6ab8

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
109KB

MD5
0febdb66f6051f15477bc09d211c3221

SHA1
d85be956bf3efc8374a7dac38083b2b0f8bc6ca6

SHA256
6896d6b97b62a372bf77b4185d356e987ec691036e65df6e75bfdf376a4fc70a

SHA512
2665f819c3a5fe00cd9788ebc5d7f04a0dd01fdf11f7c1dd3e779a799fc3fd623210070f05d6148bda41aa3acdf712e391c5edc4f975589a573bd5cbbb5b2fb6

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
109KB

MD5
5349f0d93661f0850406ef061e6a2091

SHA1
b6cb6cc04a1ac34cc8d68c225ae80953ce47a173

SHA256
b8a826f19c9bbab5ee1e1096050a5d82f16b011412f42ed16517f9fa8120807d

SHA512
436e0f207fc7b085d43da9413a0abdfc5961ece4eeebcffebe4f82986f8ef30e75fca2bbe7faf8ba3d0d0b844e711fbdd75d60225fc3d7680c5cf79db393ab29

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
109KB

MD5
7cc89c39af5119cf8d107a90ea503d76

SHA1
e73824f77449ba871e51f2e07d13bd3e71d80c18

SHA256
5d5f190cc08ca76cfcde36d61da5b4f0b0615472b66c1b3fb4eeacc24a7f9d2b

SHA512
78b54346ba4813abbce71470a1905b14102b2ef273c4e7ac5f5d92e46efccbc9a76c1e17c2fbb8be8cfe804fb0096e2d1855ad4bd93895f6decb500186f8bbc7

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
109KB

MD5
f8ebf9198e2b7c37164b65530b025610

SHA1
9330c5a3baac1a34dcdfc770b2719980602b7e6b

SHA256
40eee6a404e28679fe4075707ab459224bebba0c6f0bef08cf4a2d7018cb3f7e

SHA512
385e58777a64b62e975cf615a41ceb568cb3ea70f4768215c91e08b6eca932df73d66b2eba7892d1f4a566de97520b1f9c4d0180188474f47692d9d11f898e60

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
109KB

MD5
3fe69a360c1ab014456412ea06df6d3b

SHA1
af5a0f4e374010410cc718fcd8c60cf96a0ecbd0

SHA256
f30b3659ebf81df7ce431d20ddde19c8e752102473b41e5d0248874d48d8f527

SHA512
14d22468abdfc6b61de54881c930ca716b28801478ed1b8e4763b655961ba579b2978555ea13f44d0bb5f89e681ce3aa1d4ac4ea7c62cee6f43a06ab2f04f551

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
109KB

MD5
52290406849b3c6056d6676d38d524fc

SHA1
e20fe773bade5215a2f6724262af4b38492aa328

SHA256
33666c645aab550f95103b995c7af5dc99251a65eb9502a3459dd11e175a2b03

SHA512
c24653b274e44bc2514b999242b7be8c84cf18a5cfd1b29b1bbcb1a22150fc604a1bf2ffc3533b26b744fbb7a975775d656dd5c10d361c468c32221843800854

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
109KB

MD5
878278b7fa59d5c20062f7bfa03d42c3

SHA1
ae2000a0963f90e37a80fc65f2eefc00e8eac5d5

SHA256
a9123efd42c9b6a875181a43b560092771e96db3844b6b95d26ac1c84f68c6a4

SHA512
5223830ab1b1076cb443922ee85832ab86fc63b5fa7c6648867efc4bf6f5733bb361e56015aeea8aa5c4b401e4acb14da1f743851423b6d21adce2c6b4417463

Download Submit
C:\Windows\SysWOW64\Jgefkimp.dll

Filesize
7KB

MD5
600c2f6c2b5262fff462dd5ed84aefe3

SHA1
6ebb24f96e8a6901f64a402de81dbb390f14e96b

SHA256
0983e9e3c4e4b0cb3e0b7928eaceecae6c3c593f4df9e79f0dedd95fca67fe4a

SHA512
0788a8a8d29b381917a621e8f4220ab8d58eb8f1ca4bb613db7c71a939e437aa527eff6487d1eca3374bde0f03dda23c993cef3914386a0296cb4a2da8ce76c3

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
109KB

MD5
294855ce118618dbd2e9374c61f19032

SHA1
a55ed95cc9aed01c039905968f58b63962644b9c

SHA256
e7d0cfeb11e6e0731d9bafab29991a62f15125a1ef2ba813f1fb433c7303f905

SHA512
67585edd9e588d2318fdaa726dc2b6a479d2997178d7a11d2e7bf9175901084253d26689862b25c8873cdf07a6d56b5bc378f62eed05cf3d8bf347477ee4f3ab

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
109KB

MD5
cf3e0e4a25be654c7fbc4997c1cd7537

SHA1
84f3fd9a960599f8c4b961ae2742624c24d23e8c

SHA256
890e8e1632eeade9c68cef1973530cbf4e7a2ce00b52a22350aca82fecd0982f

SHA512
e62e53042ef142b0bd9a1e9f8877ecfb6b44b40b2cf601642a628a7fcf3646720b4a4db44ffdfbe0c226c736859f933c6432083e8caa0e16b34ab2bb6f099a9a

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
109KB

MD5
48dd9bb2dd48c56900400b364c4a82d5

SHA1
f9d33cd58c127dea56e4d3b9ea0064d972638676

SHA256
ffbb957ada7123d091cde33a3ce1c8f01efea9a1d7fb0ad0be0a510d21191d38

SHA512
b2d4d3bddfa7454d32aba621024d67c7e09556c4e986250e6fdc8ed75a59139a0c5dcc1761fc78d892344da7e63c58227078e1743c85a6462efd8343c7c14604

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
109KB

MD5
8f688cdfa8a742713804580c57ddb94f

SHA1
03260ddffd2192da4bccbe3c75c3f8e8af475a12

SHA256
6422add0907d853169911c857de8e13a8f646b2f3a45312b436b0a468b6783c9

SHA512
e0dab479be8f6e4df5bad020b9f2da5ee4c5a32c445a1022a0b12943f54ced4c6e82db7b4d533fd9a06d3516524076999b7686789f598784dc8c06d4d42b7aa9

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
109KB

MD5
6316c710d2092eb033e3312fe79ac230

SHA1
2f74cb518858f453b1d417df400b223d05f6a0f2

SHA256
2e0af120d2133768ea95a975a4a39d445f7af68e56e19ab6d8a47c2745386f63

SHA512
3c2c6695b1b1d960faf0daeeafdbbde5040d48c69ea4a48b483e01c120a18cd1bef7e37aa70d221228e9acf19eb0430bda63e84e3087b6b45946963c10e6c47f

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
109KB

MD5
0c1736d0033a78f0ec199aaf9953fa3b

SHA1
f11e925410717e90d6007d25143c487782a7957c

SHA256
c229840e1ad46a0b1135acefd05e44fb32025370a59647428b686a018b5c7a6c

SHA512
d0c1442f56844cda04318d45166570f60025da2c8772c142d7a125628ff5e3671ae060caab02996d09bdea11917a012fd074d85d1037873782685979aea1f555

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
109KB

MD5
a32718c38ad4db06b837181d9eaf32a0

SHA1
fe85a4f499d315be884b5655a9ada07966e974bb

SHA256
167b2250b58890e1199823ae2ecb6464825f475f7e7d823637fbf36e78a95317

SHA512
1b19a36f50710281a6c0cde72d2ca044b96102bc697feb587c11766bfd65d8b978c4b3923f3447fde8a827c629311791f2d1a708bedea97a5a3ea96617ba264c

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
109KB

MD5
9af9426ec1f0051796af8181980d4d18

SHA1
ce59624a3132d502998d4dedcce5e41a89971fe8

SHA256
35d6372e97b7421659dcf5b49385aea7c05eedaf10b910764346c7d1ee8e5565

SHA512
fdf9d791a20a5ca3a32eb5d73ce3d89b333a779cdc19f39a6a1d4f747adf7de66a541794edd03906f47a222f1ab197e0be8797aae7aaac9758dc555c7794cc18

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
109KB

MD5
c12e08fa7c93d04c600ce8a3ed800cd8

SHA1
724319cef46dfcdadf252775ec93878989e77fc4

SHA256
2346a0c64d6ce19ad8573d7ef28fba282c1a778fc0e29cce452994e36452a4c4

SHA512
7e7f5524bce5d6687fba0a3c06cd4dec40a94ae2b6f86bfb52937af49c78b5871ec881c309d4b87126f354f1653671621c391ab48d165ac7b191b693d2207b37

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
109KB

MD5
87ae678109c5a60f097d28b0785e63fa

SHA1
83deb5e87e331082afe71652d60df216c12ac909

SHA256
b5c3dc317e0b00fd325c0dc730a4cfe541ad7aabca93d5039d74e4860f6ae129

SHA512
76a2125285eb52350e196cfacd793730c5c6a5d803d3c0d7a1fbd6cbac65e89e331e3a5f6bb44119667ca7c2244554ea286e3d07b197bcef7b374266c19a6279

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
109KB

MD5
54bacf257c92e19eef35e60b4483fbdb

SHA1
bd13b2847bde1bb9bd165027df6a96a95bab4f6c

SHA256
86d7d7e3e1afac5a346af532070f16c063e7b4d2fc50f560d84c688488af650b

SHA512
d4c5bdf93bc8bbe7b80f2c874258ea5d999c080d21da15202dad92903cc8bc58b226465356defcf9a8ebb4fd46846c1d395482aa5036e80323de26d862238690

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
109KB

MD5
aaa946b482ae523941c9b753c3d3fb31

SHA1
017acfd0de945336a0f51d35256912abee720581

SHA256
f87f5a44c9d4df242e1ff001bdda51c2c585b85f9b5927084d6503a7942e8024

SHA512
49607ffa4e692059ea88d249619af310fe5493398a8d31aab6223564afe5e9022e0a3ace947ac07a7234fe6571d6543f11846c4fa4911e2711534f4c1c278d05

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
109KB

MD5
862d7751b50e333822e5445f269dc8aa

SHA1
0cd1316a18106891ad9c5b933d8151e7d8f470c1

SHA256
e2dbd9e3ccebb1529211f0319595d78534489c9193f32e9c036128f994d8774f

SHA512
df7853b9f0490e100fbe0241edcd22ae8c504d8a151c2b69fbea0ae028b27d7763c9655262465ee9db82194353b0675116f42b480c86913c524a1defb21db747

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
109KB

MD5
cfb169e1183895b93f3eafe6b76cb848

SHA1
b9948ca2a2542951f8dcf6c8f3d81ef66e015508

SHA256
7e6414c3c336f6b69b5d4c5c3b915019e8627133aad7931ec98f1d09eb4b4863

SHA512
4a012dc123bc590da6d945b5c2f692b0aa3e5c2a58165017ad390b44257b06141e8998146c47245816d0e76dcf9680ff157aa66e8711ba77c03609ab06fdc978

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
109KB

MD5
1286eb7953546cc5338b5859e7a50335

SHA1
acd5210fb575f41c9dd2d7aae04133fd4274ae23

SHA256
d287ef5b5689dd95f6bd53375b998bfb1b61090dbe5cca259e20adf2c92e6525

SHA512
d20096d552c9e48e76a8a24837713272608bbe6c91a87a8042fec7194f307dc4f38dbc30d6976c063f0aff257ecfbb5c5d3e740c349fa66ca3c6d4247ff9805f

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
109KB

MD5
bc7b20c6920c207f25339e6607ca119e

SHA1
cea2a3d2ba6e72f0de73878a184e63a744ca3232

SHA256
f2858fb8ede37d1a09c8f1d5bd359ed5644c7367a0f224a683c67cf7c9df2cee

SHA512
227d83520ec518167ac1e541e5e387c2a7ad48334ce1676d527eceaefa3285bd670b06aacc6d4c004c8fec8490a9dcdaa5faae4d3b632b4ad7a30ec5ff445ee7

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
109KB

MD5
2ab2524851fc7603f4395957f08bcd77

SHA1
7049c8b1ac11a1f07ecf135d726185b7d1755814

SHA256
e5853ac5bf2759edef9384b1cda3a75cfc1dc6645baf580f62cf62ab0330cd18

SHA512
7b4ebf8a02dd2274f6f10b5678d9852c81026a5442fcd4462f2ac3ab047cf44ecd6c782f7747761deea8249e3564d35091cbb7c04cf5c8bcbaccee6c842e6f42

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
109KB

MD5
80d9c1fa5d9ab131dd84c96bea152aa8

SHA1
93c695ceb5db231b8082de6faca2c9852b59b028

SHA256
235769af8680c07f673dce6ac6588ef7982c51e38b61157720c5094075458690

SHA512
04b0bd6e12f766370ddc603aeab677e32a79d49ce70fb594f8245c178e21e94a03ddc530c13bf4c6c54b622c12a73185bc55751d1d11b461ec7c1b675d2ba5df

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
109KB

MD5
4fce8bc842dfda15cd6469fdbb8f1c9d

SHA1
180d142fd10e8824f8cb420a7460dd3e7af7fc6d

SHA256
d88fb48a84c6ffb776a5742eaf5b4b87bb83dd5e6f9c90c7b943c6e64d6600e4

SHA512
5a242d2f29abc3da45128e5622af9fdfe4843029d142266436a84bc235ad3ebe206be656e40da529cf49711bd27f55c42803784102363dde90af6404ee809d51

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
109KB

MD5
69ca3db3409cfe9aadb8bf50dc22dfb4

SHA1
c5fdeb6c5cb0d55c741996b76cd03af82bc3eada

SHA256
d7df6a3c7ca04607755bef5d33e89d8f2d993364fd152a37f4d9fc44723cd38a

SHA512
ccf3018c4c49eab2b5a17c52d80d97276f4b8faa913139472c6d31c8e0eaa8602b2c737b0383caa5b0de8c11ffe61d1417b1bfeadb777d88e62abefbb7767c50

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
109KB

MD5
b0d50a92582345d2c344468bf77e43ee

SHA1
48ff72642c296440f862c87b9d2bc57a2b144154

SHA256
39332803f4e0b9dfcce4dddb10bc06f0fee284de83159f4ded0308211d059d7e

SHA512
54fbbf96b6f110d4c0ae115ed2c68db453b64d124b534cabb396cc8c9c3c90768c982729ddc0c8501236b87d317e4c3d598528bac6e4382594d0451fe8e10c90

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
109KB

MD5
69657507433908757f097665cedbcc77

SHA1
067552a041ade7dda4f45cad46a722d5e7d1be38

SHA256
dab43334fced2f8d22fe6a53852d312a06c9fe0a424fde8f49f42511b86f3cc8

SHA512
8510cd60349d7b7c2123842e6897827578689d3ceac2fbd7e1a166d2c53a4f5c6eae16fd40a7495faa15aafcbc3ed5aeccbffca6485603f73dc5b23bb7982cf9

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
109KB

MD5
ad7a4007d5ef7bc177dd98a7ffb970dd

SHA1
0ccf198c9c833f20801c604e8281d8ee3115d05a

SHA256
dad0bceb360128c1bcd72fcefd9ddbd2796b998fab57908671c3b944563540d6

SHA512
c3233bfdd095f2027fdd93a2ff0279e1b7130f34766e49432b42bf85c9ed6da4d6ce10d597a6c43e930e742df1cc88ab336c75ff7d6549c010fe4c4b91dc3a43

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
109KB

MD5
d5095f0e445a12f689ef913258ab3a68

SHA1
ba5e7225ae93827bab0d113fcf31d31d43738325

SHA256
b5bcf2e0743299dbfee58a88075fc2ef524f2a8ecceeeb5a500f92985164cc03

SHA512
0b950e779df97be255bb482214ce382fdf26c85669ade087b2e7ae9ee0c0edba78c427b3bff3074fdd5b32a8236d1c048db0fac94f8c5042f696b0c3a9ef3a9e

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
109KB

MD5
a7500609f462faa356951213858cd57d

SHA1
fcc300186c901db12ace681eac507f67c4f0136c

SHA256
cf04827d0fc0bc1f595da0714ab8c678d40350837aca7a6614e70f5971422eef

SHA512
aa4b9b4ded1779fe6b7faba7d9404ee7778a93ab9814b2d5cc5a05906269eee41e6a7d21fa960258f7f418aa0d87ab9f9bf17075302e1f33d1a4d533989422ce

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
109KB

MD5
de8ced51cd822e3570a8ec5165679a1d

SHA1
ff1b33428f2e5a7cbb8c80ef7ffb5e756b3591dd

SHA256
be0f24356a844ab550f53529982c9667081e49fe7b2a7f8cafc332a190fe2cb5

SHA512
7166455108f2ef7c486f2d2cc919a1874bcd45a7e7725e40f429b498e87584c01b4fad300ed05039307c1db6066214c456833ceddebafed99434d808bd991cc3

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
109KB

MD5
6a2c86942f265eb35d2ec97233b2a6c2

SHA1
e011a3844c9ae5555a75e5b763d0d15246c3b6b5

SHA256
a307cba341ddfab2fc00452ed8f00370233b523437ddd17dca4c288b0c0a8bd7

SHA512
97a244cb18be30251f65bfd3fc796298b78c1d793962befdc79c581eb5f044b613f47e3c1bb09c899c212ad67debd9766db0be0f005f6a969ad102d7d42a9118

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
109KB

MD5
2fc6391fcb11e0e120a17ebdd3689870

SHA1
27939669ff7d89ad64873f730ecdda51b5bf51bf

SHA256
90914cc0828429e020e9a0094529ab4beb2422026aa53df32cea7c50a7b3e25e

SHA512
5473c9b23ec1670b853a843c8d0d17109061c4aeb5aa448d91ebfe6bd750838a8bf328c913e7cbea19bad3b2f802f490eaeba0f84545f7104e4972d68c98002e

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
109KB

MD5
4664c5f65fd46db018def63b5fc211e3

SHA1
aa4be29c548c68360be2ff6db2045d02680e73da

SHA256
072789cc2e0df8373d1dacfb664aa2abb7de49557928a10bd7b69968e8ebe232

SHA512
fd9438e87837cea8cdc7ff388390e8a70ab05e860c16c29677cf52386f5774dcb5077ad1598a86adec407496535870be27f6480091a05c147165da85281a55a1

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
109KB

MD5
fe0cc31d271b6cb5afb791630dac0e44

SHA1
a582b59ef6903a198849ec91e09dcb0a6fd43a87

SHA256
6fa6513f070751a445bfbe35983f55c6930ef57a214283593b034d69a718110e

SHA512
1d858d47b18021c41f3946bd8e97c3092a52c99f11e5ff3b3ec618dcda9c715bcfcd13ad8a47795e7bcdb5c1540b4efee4256587de982083d94707ebf57916bf

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
109KB

MD5
a8ea2e01301c44c6470dac32b9dfda01

SHA1
9a1b0879816705c87b54f295f5d8ec4dc68a550a

SHA256
f5e96d53f97c6776afcfa68481c6f058c67433c6af8c7a07fe2d2fb64207d4a5

SHA512
1898fd31ae5a7250b618e2ad91f37fedeccb0deff5a200bfbe08e85ba9d1ab73cbaf2b1dbcfb550b526e85b8cc6a1a4af3011f9f47444324feab0752c945007e

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
109KB

MD5
11047791424b9d421dde9080b4854c20

SHA1
e4e5c64da32dbb3e4cec8f5b5d9aa82d5ba14353

SHA256
18a473ba029488974fb15fb2110582926da6ca5a5242d0560f7e9c6597725cf8

SHA512
a2a24c1f34d764c2059eb8ffb10ab53d1eefe9d20d792a943ff460ab8b5565f6f24473f5aa4cee1ed828cd0da93726759562b34fd9d3008985acda64b6a94c13

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
109KB

MD5
ac4833113ac78694bd9ccd38a377dde2

SHA1
02ca36e5e64a41ff072b617c73b7223b352c565e

SHA256
c233a3fee7cf6434bd6abbe6adcc63aed0a7bdbde81a845064a4c8e560c68612

SHA512
46991e2825d72dcc206c039df9505788c9e83961f67ccc4293a75d1632c1b05cff465481211839d0e72127afc8e7d93fd3a73fdab3499d87ffb7f4f35b693127

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
109KB

MD5
ca51a06c59006869405d81be57e021bf

SHA1
71964915866a94703f66b17cdffcffd305d5e1aa

SHA256
c54a5903088b60ff68ed721dc09c0ba319bef75975aabf40072b167cf3188e9d

SHA512
91a682053be27a0c2ab955a8c179aa8c5c9b8959714d0d6d28e67aa3139134e1f435b505ce58c305dc906524ed5718046ff90e869aa0e1b4bf6d421f03b1445c

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
109KB

MD5
1f5c16d857e8d5213ce30ef988380500

SHA1
cb9b2a7265f2747238297fcf5b0006c529941493

SHA256
ad61a1c83a8a920af71d3f4d7283ef6788dd80a2d4e8612998ec35cc9afcb11b

SHA512
21c632562aac50a4a69a6ee50e2dd87ae3410d8a911e42f8f8ce90874b9f72d906f832f45dd3737372da2d114c9b42e1ee3c431445467dc609f98d8c0be94cf5

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
109KB

MD5
64c88fc0faec3613bb10f36362102c87

SHA1
061f803bac65a6294a6b18eba965b28234232c5b

SHA256
5b227a42f95d306015a13cf4a3843cb7f45d90011d2add0db65a08bb3d81b8dc

SHA512
a2bd823e41ae4c1df6d1886458916cb5f5b2ab9448141e6ca9d8a603359aa2fc4d98057583e72d83cb6caf4c557cc56b94fba66c68b27103827a9ccaccf80854

Download Submit
memory/208-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/388-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/428-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/440-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/440-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/464-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/516-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/556-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-555-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1140-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1272-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1440-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1652-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1768-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1868-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1888-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1984-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-576-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2144-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2220-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2228-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2272-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2604-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2620-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2912-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2976-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3032-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3080-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3152-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3184-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3300-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3328-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3332-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3512-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3576-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3576-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3708-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3708-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3816-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3920-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4208-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4352-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4452-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4568-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4576-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4700-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4924-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5124-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5164-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5204-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5240-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5288-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5332-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5384-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5424-577-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5464-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5528-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5584-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads