d9ac092ce1a96d0fa0ea667f613dc1454f0e833e10ddceadef4817ce6c71700d

Analysis

max time kernel
113s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c281068c3657aa37804b0c9d30eb50N.exe
Size

96KB
MD5

b4c281068c3657aa37804b0c9d30eb50
SHA1

f71c21472d46af7ab87e5b2006d547695b3e4e8f
SHA256

d9ac092ce1a96d0fa0ea667f613dc1454f0e833e10ddceadef4817ce6c71700d
SHA512

3a3c7783f3f7c14aed49414fbcb86746320851922f2ce37332a5d6bbc5e050663a7fc45a5071fbd20751b169fed165c02bbb6ab46594cc459ca75393b3d7aab3
SSDEEP

1536:aFB98AdOFZAb8b8DxtoYWMUgeuuYtrXIuckkiWaAjWbjtKBvU:a39HdOFZAgotEgeVYh4uckkrVwtCU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b4c281068c3657aa37804b0c9d30eb50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe

Executes dropped EXE 64 IoCs

pid	Process
3504	Meiaib32.exe
3336	Mmpijp32.exe
5056	Mcmabg32.exe
2112	Migjoaaf.exe
2624	Mlefklpj.exe
1812	Mdmnlj32.exe
2688	Mgkjhe32.exe
2348	Miifeq32.exe
4364	Npcoakfp.exe
2224	Ndokbi32.exe
2996	Nilcjp32.exe
4700	Nngokoej.exe
1192	Ndaggimg.exe
2296	Ngpccdlj.exe
3020	Nebdoa32.exe
4596	Nnjlpo32.exe
2952	Nlmllkja.exe
4208	Ngbpidjh.exe
4360	Nnlhfn32.exe
1656	Ndfqbhia.exe
3452	Ngdmod32.exe
2096	Nlaegk32.exe
4932	Nggjdc32.exe
4784	Nnqbanmo.exe
3384	Odkjng32.exe
4668	Oflgep32.exe
2072	Olfobjbg.exe
4860	Ocpgod32.exe
4428	Oneklm32.exe
2104	Odocigqg.exe
2136	Ojllan32.exe
3632	Olkhmi32.exe
4424	Ogpmjb32.exe
1800	Olmeci32.exe
708	Oqhacgdh.exe
3184	Ofeilobp.exe
4732	Pnlaml32.exe
4872	Pqknig32.exe
1368	Pgefeajb.exe
3796	Pjcbbmif.exe
3560	Pqmjog32.exe
1464	Pggbkagp.exe
1272	Pjeoglgc.exe
2748	Pqpgdfnp.exe
4344	Pcncpbmd.exe
2640	Pflplnlg.exe
824	Pmfhig32.exe
1700	Pdmpje32.exe
3332	Pfolbmje.exe
1332	Pnfdcjkg.exe
368	Pdpmpdbd.exe
5112	Pcbmka32.exe
1924	Pjmehkqk.exe
2028	Qmkadgpo.exe
540	Qdbiedpa.exe
2592	Qceiaa32.exe
3296	Qfcfml32.exe
4604	Qmmnjfnl.exe
2620	Qcgffqei.exe
4644	Qgcbgo32.exe
2976	Ampkof32.exe
1460	Adgbpc32.exe
4064	Ageolo32.exe
1996	Anogiicl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	5720	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4c281068c3657aa37804b0c9d30eb50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b4c281068c3657aa37804b0c9d30eb50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3504	5048	b4c281068c3657aa37804b0c9d30eb50N.exe	84
PID 5048 wrote to memory of 3504	5048	b4c281068c3657aa37804b0c9d30eb50N.exe	84
PID 5048 wrote to memory of 3504	5048	b4c281068c3657aa37804b0c9d30eb50N.exe	84
PID 3504 wrote to memory of 3336	3504	Meiaib32.exe	85
PID 3504 wrote to memory of 3336	3504	Meiaib32.exe	85
PID 3504 wrote to memory of 3336	3504	Meiaib32.exe	85
PID 3336 wrote to memory of 5056	3336	Mmpijp32.exe	86
PID 3336 wrote to memory of 5056	3336	Mmpijp32.exe	86
PID 3336 wrote to memory of 5056	3336	Mmpijp32.exe	86
PID 5056 wrote to memory of 2112	5056	Mcmabg32.exe	87
PID 5056 wrote to memory of 2112	5056	Mcmabg32.exe	87
PID 5056 wrote to memory of 2112	5056	Mcmabg32.exe	87
PID 2112 wrote to memory of 2624	2112	Migjoaaf.exe	88
PID 2112 wrote to memory of 2624	2112	Migjoaaf.exe	88
PID 2112 wrote to memory of 2624	2112	Migjoaaf.exe	88
PID 2624 wrote to memory of 1812	2624	Mlefklpj.exe	90
PID 2624 wrote to memory of 1812	2624	Mlefklpj.exe	90
PID 2624 wrote to memory of 1812	2624	Mlefklpj.exe	90
PID 1812 wrote to memory of 2688	1812	Mdmnlj32.exe	91
PID 1812 wrote to memory of 2688	1812	Mdmnlj32.exe	91
PID 1812 wrote to memory of 2688	1812	Mdmnlj32.exe	91
PID 2688 wrote to memory of 2348	2688	Mgkjhe32.exe	92
PID 2688 wrote to memory of 2348	2688	Mgkjhe32.exe	92
PID 2688 wrote to memory of 2348	2688	Mgkjhe32.exe	92
PID 2348 wrote to memory of 4364	2348	Miifeq32.exe	93
PID 2348 wrote to memory of 4364	2348	Miifeq32.exe	93
PID 2348 wrote to memory of 4364	2348	Miifeq32.exe	93
PID 4364 wrote to memory of 2224	4364	Npcoakfp.exe	94
PID 4364 wrote to memory of 2224	4364	Npcoakfp.exe	94
PID 4364 wrote to memory of 2224	4364	Npcoakfp.exe	94
PID 2224 wrote to memory of 2996	2224	Ndokbi32.exe	95
PID 2224 wrote to memory of 2996	2224	Ndokbi32.exe	95
PID 2224 wrote to memory of 2996	2224	Ndokbi32.exe	95
PID 2996 wrote to memory of 4700	2996	Nilcjp32.exe	96
PID 2996 wrote to memory of 4700	2996	Nilcjp32.exe	96
PID 2996 wrote to memory of 4700	2996	Nilcjp32.exe	96
PID 4700 wrote to memory of 1192	4700	Nngokoej.exe	98
PID 4700 wrote to memory of 1192	4700	Nngokoej.exe	98
PID 4700 wrote to memory of 1192	4700	Nngokoej.exe	98
PID 1192 wrote to memory of 2296	1192	Ndaggimg.exe	99
PID 1192 wrote to memory of 2296	1192	Ndaggimg.exe	99
PID 1192 wrote to memory of 2296	1192	Ndaggimg.exe	99
PID 2296 wrote to memory of 3020	2296	Ngpccdlj.exe	100
PID 2296 wrote to memory of 3020	2296	Ngpccdlj.exe	100
PID 2296 wrote to memory of 3020	2296	Ngpccdlj.exe	100
PID 3020 wrote to memory of 4596	3020	Nebdoa32.exe	101
PID 3020 wrote to memory of 4596	3020	Nebdoa32.exe	101
PID 3020 wrote to memory of 4596	3020	Nebdoa32.exe	101
PID 4596 wrote to memory of 2952	4596	Nnjlpo32.exe	103
PID 4596 wrote to memory of 2952	4596	Nnjlpo32.exe	103
PID 4596 wrote to memory of 2952	4596	Nnjlpo32.exe	103
PID 2952 wrote to memory of 4208	2952	Nlmllkja.exe	104
PID 2952 wrote to memory of 4208	2952	Nlmllkja.exe	104
PID 2952 wrote to memory of 4208	2952	Nlmllkja.exe	104
PID 4208 wrote to memory of 4360	4208	Ngbpidjh.exe	105
PID 4208 wrote to memory of 4360	4208	Ngbpidjh.exe	105
PID 4208 wrote to memory of 4360	4208	Ngbpidjh.exe	105
PID 4360 wrote to memory of 1656	4360	Nnlhfn32.exe	107
PID 4360 wrote to memory of 1656	4360	Nnlhfn32.exe	107
PID 4360 wrote to memory of 1656	4360	Nnlhfn32.exe	107
PID 1656 wrote to memory of 3452	1656	Ndfqbhia.exe	108
PID 1656 wrote to memory of 3452	1656	Ndfqbhia.exe	108
PID 1656 wrote to memory of 3452	1656	Ndfqbhia.exe	108
PID 3452 wrote to memory of 2096	3452	Ngdmod32.exe	109

C:\Users\Admin\AppData\Local\Temp\b4c281068c3657aa37804b0c9d30eb50N.exe
"C:\Users\Admin\AppData\Local\Temp\b4c281068c3657aa37804b0c9d30eb50N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\Meiaib32.exe
  C:\Windows\system32\Meiaib32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\Mmpijp32.exe
    C:\Windows\system32\Mmpijp32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\SysWOW64\Mcmabg32.exe
      C:\Windows\system32\Mcmabg32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        28⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        42⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        53⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        61⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        69⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        72⤵
        
        PID:428
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        79⤵
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        93⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        95⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        107⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        110⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 408
        122⤵
        Program crash
        
        PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 5720
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
0200a27f5df93cdf691267655f555ec5

SHA1
dc0451c07c8a73c62588a33074cb5a8a5e225889

SHA256
31131ed34e8c122a92cf084eacd6c4d4c5c1599f6e0a2b2f4f8cc07ffc914cee

SHA512
68bcf85ab822ba538f7d36347e4570fc4e733543f3fc7e00d58e563bb6e95158595c63eab4bd30c502e28cbf1e48e710bbb5e08a6deae372660e5396e5f6c944

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
fdd20a92bc62a8e97ad1e84e9c7a7b67

SHA1
52e4f3a1c962fb1b7a32b37748dc9c2160559c60

SHA256
85eb31c9048c8fb5194eaaf6d2aec12d01e5c15b9e6bbb144255778b5d7e6586

SHA512
77e733f01884fb3841863612d7dc61f3c6f281d93a8e9dd61edfffa6519314cf440748ce14e4827e43606a0646a84ecac0839c7adc17b0aaba77c7bfc3ae71ad

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
b867ca98dda69f6f0840d22f22f8e24e

SHA1
2514ed0b79099a3c7223f98eb472a2241c95c4cb

SHA256
1ccae0327a4783cf7761caf8dcdfa2f644d01ad142842ebaeadb50a3ea18ab57

SHA512
3ce43563fb62d59c763cca3dbf8643782195e5984f45be23b69a39a349a04b75a5bbb4a1e3a9087469f5f5bf43b71f7e6d043342904cc14fcf79220f3e0fb06b

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
04158e20b40ab58b41cb7a16ee8e3abc

SHA1
7369e5475f23e9495343c54ac3b51fab09d8b0b9

SHA256
6cf4c042c993b73ddd832bea3b8e35723cbfa8991fd7adc5bc30a4e4576efdde

SHA512
8538662efe591e2f6bfdef70dde8bdb4fac7695ab3155c203ba39da20ef7fc3927f4e2233426258d6b29e178e0253181dd1e4b5924a7919fab1ff2ced72388cd

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
27877f72b6b1276a7b1a119e4cd0e6c9

SHA1
5ff77761e5ec5376f33a4b61ea78b84fdba86fbb

SHA256
255409435624efc7aee9040e66c44d7d0d671273879f6c53c0356100c1386817

SHA512
1ce63eeb1727ac7a5476523fd51fcbdb3597bcd2de0dacf6ce50a52c98f7955766ee2ba7a872fbd90ef6642fdd81833888e2cc008f351cfb19bdc7ceeb477226

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
2b190a007f3e4462e38c86f625d273f9

SHA1
fe155d2f5e5d487761e5b8d2166d692adb0682ef

SHA256
08650ce5f7c8ecd6ae8e71bdfea509ba047415792b8e52cb8fb3bf686fb68a90

SHA512
d401097336f60612094588e4867ea1dbf5cf29f416bc32f41a07dceef05b4c11dd662b8452d7935e1ed535fa6769dd1c58e305a9d2416b01325998c9c0030a43

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
11bc241ae5d8c5406c653db928a49dc0

SHA1
c9d751177daed52dee919b564a9a0c7d06703007

SHA256
ca1d2be9d28d93f54388de2ce7053468dd80e7e3a4abba06a75aab6219c0549a

SHA512
518adf454ec6d3fcda8ba0a2ee0f144d9e1072ddf9cb6cf9af0930806b1aa0e7f0f26e1b632c6226f8cfdd403698a588f40f9d5066dd4c2a5fddce18f68d258d

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
825ae563750a55465210888f344eb0ff

SHA1
95a976e3372735779b3d828af36c596de6948b91

SHA256
6308fa7d34c1cc86aab33a4d15ea94ac27b79b89a85a4db757e692b46c39797f

SHA512
1783b291393775729e6f0ddcb934ea5106b781ce3c7f6c7ec07008db2eb519f9b62e6c9fd76cce29e1035df28a2f705a62c40a232162b72525dcba8eb9fb546c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
e071da1d2248d5f603cbdc92064902a6

SHA1
7752d9d9e0c349d8784f965a4302256615eb5848

SHA256
cb79605d4bd76f0386e837d63815b4bcecf2ed76e36bdd054aa1db953069d1ed

SHA512
c50498a0d42c4b5212f86879dd261719a56bfdf08c8ce301611d0803ced5c187ccae7569277f85752f5ecbea949d1f0d2bced2c95a27bed20e8409eea6e18772

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
f3d718238572d73255c8050ac1fb8dbf

SHA1
bc7071f16bd4d5ac5d2573975325a67b1bbae9f0

SHA256
fbb658fc625192dbe93c2ea5c97159328bfda2b3b3cb1f0bae4af3a7493e5d3f

SHA512
49b58ed29cf75407195adc9df76b7963098b4ffd8643c601b6302f79bbed55e22c1dac3b71bf8792f44ffa3d49062f4bfcac9a9698a768a5005e50c38214fa48

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
f0d45b76319b8effbbe756e41cda442f

SHA1
d18bdc2dc8161a9cd5849ff970e218716b656462

SHA256
b119f36d8de3c1d50f38756b1e882d392256c42cc4e2ce827f219a24c31eeba3

SHA512
da2cf3fb39e90b80c9d4da835f8d86275b760a32ca6aa9a9dac7079fca7f902122fba3434889c78e6ee266c2165116a081b178ce1c10f2910dc24c627d6c154b

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
dfc2b848e02ed5246566ba717090476a

SHA1
1d08ac1cf9f8ee8404a335eabd298bc77feba082

SHA256
a16dadd14f2ada491ee6162f8d18b67ff70b1b37936bd6b99c9d3cd79dd964a4

SHA512
674d86cc91fe8b6699afdeea036bbac961e54a5ec38fb439fbb8186bd08d66ca7f955a928f411533a184c1eeb9183d598c0606e3e976553c99e241f181a3d05f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
7eddb8bc8fd4d097e331bc13d37d8446

SHA1
737d5ef9fc5f9035656c0c4c3612f800c4c38051

SHA256
0ac97d311aa916e3d36da149108337b0216cc7853a63633e24072b47e41de0fb

SHA512
7419b6212d92bd698a7536fe18493b3e40341ab847dd1155b8b6c65076f5417880328b03a7c2dd59ae2ebbb9ec409adc1177b310461a7288c1445a470e913652

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
587e3271c3d07e25ca34a1b1b9a95884

SHA1
3211dde96b1982b51a39d6c7bec3ddbe9a6d7df9

SHA256
e104cb2d61820cb6550baf049df91b72ea70a9bd1db7cc5303fc4b8b133fde6a

SHA512
92ddc29c3dfdb9884abdd166ad54fc533776472f6d626b3fe1af43c4ec3dd73571d502a900b6887a2a8cbf5c8d33d93c634b42f15572fba8a41a1b9631be65ea

Download Submit
C:\Windows\SysWOW64\Kjiccacq.dll

Filesize
7KB

MD5
6a6a77b690b4c0d480d9274d79b5fdbf

SHA1
463739394481931522926feb4a4dc70dfdfc21bf

SHA256
f84e4d584706593e982d2d62b9657cc94173ae914fef18f318fd526915a520ae

SHA512
d373edec5f893bbfb7988054c0cdf7af1552fe57788e15542b86716b4fcc900852bac0b4cacd95b32f12c3b01323d3ad6fc4397b72bbb298fb0bfbef8dc186d2

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
c8fdb88f3ec5d380de3f9b1b7a3084de

SHA1
bc1dca2d131f9695257707e433a721fb42a359b0

SHA256
f016e1cb1e2a2a19808be7c1bbc56f3b48492d4ab8bc1ff2254219b79793fbf0

SHA512
35c71e95fca718ec7e27d998fde6a547b87176c3952921b1124616c1e9535d2e520926b0a96c549ee6c62372b8b0423583fb17971a898183355cefbc007d2e06

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
83b4446807a729b6a5b74c8e33f2ff94

SHA1
247eb9569209097c09ca43498318bf3ee612bc5b

SHA256
3c90565ef5349bf308474476039e4b4b3b436a5b32e303bbb7a92b33f9768df6

SHA512
d65b46dfab9e7ca753541d60cc94df138cb70d4a771a3487fb21352dd424013cf8979deb87411e1785b52bc78385361dfdcacb55b0bb128f20b5c1e72157c22b

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
18a12ec4b919221197d0d7d9d3437c1b

SHA1
d52bbeda08f38498f5576fe99df90a7837b38a49

SHA256
af8c8c2f4a2999959f3b71f901868acdd178665bbbefbe1f6acae079d19feeec

SHA512
79ca05d565d114a4b054050e8de76f2e954b4b5c7b2a1ab304ff44dd77fbc7306bac5ef152b232030f33a2f65a3ad58966aa16857507ecf06f7039b87df62aa1

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
e66b506e55ed130203f8058b2a3acb34

SHA1
03feb6ed3849ed476157ae0eb36789a778d4be41

SHA256
9401d980b928eb0433f0308ee73da5e313636dcbdcd6658dbc9d471934526205

SHA512
e6c1af608bb4b0b01656779b3d8816328d50fef3eb8387fbcc499f7bbd5bb24b42db8df6190ee3b6467a02911ef655468fa5c46c46b27a7456a7ffd1245a1ddb

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
050791f465a7feddbcd47440e1756c55

SHA1
be4349350e61b98a41feab006e7a70bb26864c93

SHA256
1e4ace24493bc0c609418db4a26d75faf9e728ffed91113d7ab4a1c1abd66e3c

SHA512
bb920a2589c8896d7baf001810b9110f6438b58240eb5ff3e819bf3b412769796075718d31ae0e3743e84ae0d0bb79307d6f3b7ffebfba8954d41110069845c9

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
f1f4e55aca759f140d774546db985580

SHA1
d6091fed77f395ebde8d8bc6c52817a108d98612

SHA256
19c0c6e618a5811f85195ad429f0c6b861cb42a056fb6ad0f7e05857bd7e1b43

SHA512
7cf0cef755ff784c7f2d58d3c15f4e0515dc7c4f14e1dbcfb01aa3d6e624126bab6cea0069c24c696419b907e58cb5a9d55e8d869bbc099095b40e901ffc93c1

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
793500cf3dbdae436305c9e5e9caabc5

SHA1
82e209c45297382347feb31e9c40d8b8e301e8cf

SHA256
18b53ab7d634e91f4b27e4bf6fc4f9511d3fdb9f6d8f8c4c56c511b75334969f

SHA512
711afb2f269c9788a3931d36c0f7145eaf8bd6738cb0e47933216a27d99c2bd2d0b9ab8faba0824e5a7ccf18cbd9f1682a10d836c870ddc1c7cbfd60cb86952b

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
fa91147e138d752113db10136d1c3c58

SHA1
11bdb31593e6e156833629768d07eb8ded7d10de

SHA256
bd7720c5705ee9865e53a2edbec0dadb684995d8ec48565fe81d711a4029bbff

SHA512
49445917f44a4b5eef39354eb62868514e3d052062c8c591b8167ed4fceafedb22b5d72a6856411d4a6bd13fcc18a4884be89e15dbac86317dfd9ed4739d1d34

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
67844449bd722d3828b2408e39ba61dd

SHA1
293f9a4e6b41f8d79cd6aaf027990350e8cdb55c

SHA256
8d19751a8337264355aafaed56377debfe7cdff9f352da1d677b114063556f49

SHA512
b9ff7d6319fc0b422d34f14889ceb624dcfe82ac1bc6fbf7a339028143ff07eb399f855347a5539e9c01f53a3bfbff09efd78a3d3fe1590ad240cf8c165d5e77

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
96KB

MD5
1730681a68d3189abc31160a0bbd0c1c

SHA1
31943f7f387b0e2219db610a0ba64c51c60f5cad

SHA256
04057469cf608313a74b0d525e3e1c1b4d48a65dabcfdd87a463643e80c35a54

SHA512
e67c7d605f4f6508ffbaee0306129cc39bd5587d193b2d66954c88768646601d4566b1620d9ed0d7dacf95faf691e4b7c7a44a58905d5d4ebffa111867bb8867

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
f2a9291c02ee6737b093fb2c62264715

SHA1
c73612866efb8903f6e58dac7ec2e3248d0c67c8

SHA256
619c9ad2bec280a5c1aec2fd72e816654df2a24448cf5be817022818b3c1c6dd

SHA512
e25537cdee12effd4173a8d4a0448377c290544e3236b94748eeb3de1a9a7f60185eba2f7291a410e5be9ee897f246eba3d2dea7d82d278036819b63668850bb

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
99e593a992bd14c3a7c375ef3d8e1c20

SHA1
605880c56f284879f06e915e8e0baaf36db9422a

SHA256
29553ad1f8694c138c5fa8b50be5c9266d5d721651f7221fe33f15f59aa10bd0

SHA512
58456baea01f76c0ecabb2d33ffbf6f6a0f5a4b5a1ae1064c14279757b77683a9a7cb7f5224e7ac2187fd154fd07ddfb98520479134297cd9ba91ee3a81ef6db

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
96KB

MD5
b441960d6f35d5a950fbd053581d3700

SHA1
878de849e0b82b3ba9f718424aaf1359b6449f4e

SHA256
54a4a8d3c0c1df8604a6c425718ebf8c2d338b5fc0fc6c30879d60c22988dabd

SHA512
95a283ef00b725798b406d6634a5e2f28616c9e0006d3f4251928296e50212fb8440ff138158077355c59b030097710bc903539809cf2398265a78862a467670

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
96KB

MD5
328577b6f4bf6cc188e268ffaabaa8c8

SHA1
0fd25e435ec710d8895a4b9c8513289468ea4d10

SHA256
6b285c1e15ff3c7ee6f02dea87b7a8482e6b23580a6031b5c816e26945b7cb8c

SHA512
e5dc69cb8315d77b82c9bd9d846fe813f8f02825cc97871dde2ec1ba5226402c844f433e05b1a28f6672d662642dff7cebde737a75710919d8508bb9a63d1597

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
f5afcc07fbfc503d99367bb4ebdadb57

SHA1
c511a2c7612b21a762be531372d729fe2219d89b

SHA256
2202809ed4094311138d8ce6c129dc98aa6238d7bbc105b1518689f4cfb46138

SHA512
62bddfd1b8673e2d29224354410866e1477d17104de72522ff56235c28c4d77df08ca7b2e5d854f4b04f87f09f4fb7b20a8b894e0dd82ff5bdeedee946d86f7c

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
9c3c597c8861341992c23bedd8988cfc

SHA1
6bd3778e21e02a90e4182250ac92b00532d30e6e

SHA256
07dc06ee5e4c24e47ed2658e65c44505375e437e6434205de522166aa0e7339a

SHA512
f9d9f912d289945aeb9a175a3bc4b1c56721b188a9991bf69445473546b22932bcec1444c5c2b157f70d1a66a5c09fe84be644153df5b83be7069ce28d8caaab

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
519829349b9ba0e229be00541992c50f

SHA1
bf6ec7e02b6a50eb688134c3632d9e404350cf95

SHA256
e692e885b14842709659f4a3c863d8cd01227be4b7fafd1000ec7cefd1d82394

SHA512
4ad512775dad2dc09c0b6b2d1f9b76f30c891d72583e1c4511a6ddfe2ace93f89d3bc7585431d13b5b40257695429cda3dda9dab05234581867b5da0b07a2b6a

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
3cf6dbf715227265314d870daf2531f0

SHA1
29a038c21d891c327d6a31f0d0d83c3caf96d25d

SHA256
746141d54ab8c8d04c27675d5134b5bdea96ef8266afef8726fc14c0d811cad6

SHA512
ed66a5bb5cd25df394638f78aa4105cd7f563421f1ea110720662bc710c083fd1411711456c24dd11a3055af32f43e60f684ecfc11e412e1808dcbbea4021fe6

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
d487acb00a81998bd913c4ddf9389a87

SHA1
94822a3fd73ac22d6a3042e600c4e5ee24e3b96a

SHA256
4376d6b180a6ad093ef4b1d6f8cc5172fffa29585c8a28911a7c5a884ecd7ad9

SHA512
6f637478a89ed069dacf23e4ec365bf52ca68358dacdb6ad30eb24b05a449dce1175ef50da3e47bed9ab90377005c857ee330aaf846b29f34a13b732dc43c54f

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
ad830973de6ec9e46add87eab4faf2e1

SHA1
1758325df3528de6fb5e516f02075ebf78e31adb

SHA256
f959ac8dd43262574ef0b16dd5c68457b9e40781af6b73ec44094a12aaf188ad

SHA512
df19360cda70c234d4da04d706887b9f0da710001e73cd5d22313675e1fb2315c89699ec48876526e99db016f9c12a107587d0b9b6d3ebb274c4ff5836c32422

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
96KB

MD5
b19ca54fd4ca80c729dd50fd9a668eaa

SHA1
e5a35e69b4e41c2275dd939d063b3761628e6936

SHA256
ead6902cb4d451ec197fe2f4b76dba98da50cffc80c533fd59e6dfc2f4832dfb

SHA512
6cf39f16fd2beda494490a60cef7abd7cdfa4fc787651d72b4a1bce6fc638a7e072b7ebcad94dcc25963164348c543b4aab4dfbf3d330403f22a1f7728459236

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
96KB

MD5
47e4cf95356530f046ba9ba888970f0c

SHA1
e6d112dab50358482e283fab842843efa8233574

SHA256
fb5ab363983d19309731ed80eea37028c966612641b09b4c07f4c936d5ab222d

SHA512
fa9aa4abde84b449b17ccc827d8c41fb578cd29edf1bad40ee80478166b18a15db011fc969bcef950e49f7d31caf051873141f5a8f9593977a3bcbe38539885d

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
96KB

MD5
245e524c27bf53427e0cd67431639f21

SHA1
b31f81beeeb13703e907cda18b78389234371061

SHA256
0840828ed9ba3b37a74ad95409a4dd26c8112987f2c74ff2f171ff5ca95d3e41

SHA512
42b4b9b1f3cd5b1940178f84bfc7adbe7014f640f6a10681f14fae004570c20d97ec930b98ed41c4562e55457f4f09b7e67b07a3dc0374baeb2d4407c92d5bdd

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
96KB

MD5
36f6854fe39010eaa98d9686c68d952f

SHA1
2d3e481f6ee04328bb25f11b500a742b457497d0

SHA256
c6cfb0e63501bd259c58ac02fa107740005a1b6685abf745d223314247e7c12e

SHA512
264f19087a7bdbe3a235c6f9112926d70d1ff910847e3523941143c09ccd13c813b58f953b15ca0a422894c596732d363febfb4181743e547e0a2a127c5680c5

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
c6d127ba84ab27caa0a9b616e84d8e6b

SHA1
91315d19c38762c124cd564de103a1540dcf907b

SHA256
22523adf911cd0ea089f37db4be92a9063270a2d562e6d5f4dcc5c923ade890c

SHA512
0b29e1e5a9165f84b25ae3416fa7f93f93b9cb586fbc68369c30b76db45bd1fd90937b43113d84f6d4e71f922d3edb95e77bbb6fe63798c81f9b9ac9d3679dfc

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
96KB

MD5
1171e5ec7ce3348a9693b6b825808e35

SHA1
603164e4067dd01bba15608c1236d4b8acd734a5

SHA256
6b7f7b9b0113a980bf398d6c8ee82cb69e7cd5a95028f79c93d387b43ca16e2d

SHA512
23b76fc03d68d7b04e120235989251e99cb5dae9215c8764100904577ec69f081f071638708f306ac88c19fcaacb79aa68450845d5c2be4f39f23cca19116611

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
deb0f4b872749e8882460996a25dd237

SHA1
2d1ec6d2d6fb08ca45c8cbc7ab9717f24716a43e

SHA256
b93d31e30f28de124c53f228145371de14fbc4a8d3281855624cf37c2fa94d58

SHA512
2294731a1d567ce32ff0935352c6bd01f5de4ad4580c290d0b1d0039f04c0492a32333edea19e97f441b2f160ed1e7feffd0725430faa4410c3eece931e4ae5f

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
96KB

MD5
706071474cde631ff24a2c52c9303dee

SHA1
c8e1720524d52aded454ae1e51b27948309fe133

SHA256
8d0e506a22beb335adedb4c667f07b693010cea818ab3943530ee6456d992cd9

SHA512
4cf6165cccf630458b7254c8ac5f0dea816ac566d625291edce94ae9b7060ed7d645781a22a7b89e5ea17106fe7780cb7e5ee0f8b394c1eb845df4533e89e16d

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
2b74bf8aac0263d6ea5b0d297d3914c9

SHA1
409702e2d674d8422f2178364a1a7942297c7be9

SHA256
89a4e71d95fb199ce78252428a85bba0d2c246f7a91bf8bc85f671a2b476f328

SHA512
fccbc4a819c2794e888d40c3b28b7e8462ebcaee6e0f4223a8b6d433feaf94981413d05d9884c2f1905683381df52eef8cdb4c044c298b279cd351302220d4e0

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
0628f9540e7ac86a7d1372a8af8357aa

SHA1
a444750e9a3cb1812e528a90c447050bb8ebe716

SHA256
1173c225db7417b7c23b2e975957ef0f28b4c08c51815b65de7e538a9773f4f1

SHA512
a3344d2c47df6ca1e820def4816a69a026f6e7a31eaeed7adca0069d5b480edf8f356bd7a08f559e772d66299f089bdd3960da4bb852dc5e7e4444b329dca35b

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
96KB

MD5
b7bf4d78edf2a311e4dcdc7c2ea80fdd

SHA1
78108767b3ae8ee0ff5b9edf21b2af1f22a6cc32

SHA256
d418e908ecfbc3c09f1b3b36475c24ede3bff85bc981be5388cefeaafe318953

SHA512
72a1d0a0fa124e61ff429cf5e43b8db946b3a11cdf99b544fdc420ad6700565bb8a11ded3f4aa229efa3da6bd1dc96f3f4104f19ac55e66c8a08dc3b1d368b3e

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
96KB

MD5
e2205219c7698a37548ec257890138cd

SHA1
f1c8d90f15f50d06f10b814cff552e69372bd763

SHA256
041bb4fd7b6e8132e97160e688e65b3d1cf811b110b9c4562e9e66775d923f11

SHA512
60936794ac4522cbb09453b3fb53855c3ff51002c99cf3645f331d7ac2196ee3a2fa6c7c1439039980eed38e7df77dec5d8264d3ef3d3d3ee07fd262638e7ff2

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
2816bf9f34ed223d90a84ac3ab72c59b

SHA1
91811de7e51c19d09d54edba9f1b8412f2140960

SHA256
87ecee4f09ba209e8e9e8d2f1a0b2ea4717ddf66407d4eff2292f5b01c0f20b7

SHA512
4f08a2275d7dc547b174752bef8901705b8e69f773c50f2c47a0378fbcf9932a3cc0abdd6a388a7badd2c00c223a869cd58cf4c72d8a15ac5d77a0f19031f816

Download Submit
memory/368-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/708-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/708-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/824-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1192-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1192-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2072-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2072-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2104-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2104-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2296-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2624-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2688-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3184-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3184-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3332-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3336-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3452-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3452-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3504-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3796-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3796-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4360-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4364-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4364-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4428-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4428-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4700-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4700-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5112-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads