62d0a3b53be3951bcbff1664c74e286279a512b102e61ad2381b0d392e399de1

Analysis

max time kernel
101s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43375f68a93b962824b14041d9e01340N.exe
Size

77KB
MD5

43375f68a93b962824b14041d9e01340
SHA1

b051918bcacadfd96d50bdeaf3d3436b8c16437d
SHA256

62d0a3b53be3951bcbff1664c74e286279a512b102e61ad2381b0d392e399de1
SHA512

7b0c6d2e64b146e10b120e3a3db8d079d15667120ed1c0af6ee4c08bac51411ece8ecd7aba9002b939767cd5c8b966852829f4118132ec52365711c4c3c493ab
SSDEEP

1536:GTjuZWJHxkQuhr3+dTT4IoJ9KCOrMkA42Ltnwfi+TjRC/D:GTyZWcJL+dvoKzVu1wf1TjYD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ondljl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe

Executes dropped EXE 64 IoCs

pid	Process
4868	Nfaemp32.exe
3600	Nmkmjjaa.exe
3340	Nagiji32.exe
1308	Ngqagcag.exe
5832	Ojomcopk.exe
876	Omnjojpo.exe
2504	Oaifpi32.exe
3308	Ocgbld32.exe
5036	Offnhpfo.exe
2624	Onmfimga.exe
780	Opnbae32.exe
4476	Ogekbb32.exe
3800	Ojdgnn32.exe
1580	Ombcji32.exe
5536	Opqofe32.exe
4704	Oghghb32.exe
556	Ojfcdnjc.exe
872	Omdppiif.exe
3224	Opclldhj.exe
2356	Ogjdmbil.exe
1500	Ofmdio32.exe
6052	Ondljl32.exe
3024	Opeiadfg.exe
3624	Ohlqcagj.exe
5496	Pjkmomfn.exe
5780	Pnfiplog.exe
5972	Paeelgnj.exe
4292	Pccahbmn.exe
2580	Pfandnla.exe
2944	Pnifekmd.exe
1736	Pagbaglh.exe
3720	Pdenmbkk.exe
3348	Pjpfjl32.exe
1676	Pnkbkk32.exe
4924	Paiogf32.exe
4964	Pplobcpp.exe
64	Phcgcqab.exe
1396	Pffgom32.exe
888	Pmpolgoi.exe
1692	Ppolhcnm.exe
4936	Phfcipoo.exe
5488	Pjdpelnc.exe
6136	Pmblagmf.exe
4160	Panhbfep.exe
1520	Pdmdnadc.exe
4480	Qhhpop32.exe
5748	Qjfmkk32.exe
6104	Qobhkjdi.exe
2536	Qaqegecm.exe
4880	Qdoacabq.exe
5316	Qfmmplad.exe
4336	Qodeajbg.exe
2456	Qacameaj.exe
4496	Qdaniq32.exe
3116	Aogbfi32.exe
5428	Amjbbfgo.exe
4224	Aphnnafb.exe
5764	Afbgkl32.exe
6088	Aoioli32.exe
4452	Aagkhd32.exe
5076	Apjkcadp.exe
4252	Ahaceo32.exe
4408	Agdcpkll.exe
2732	Aokkahlo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Opnbae32.exe	Onmfimga.exe
File opened for modification	C:\Windows\SysWOW64\Pnfiplog.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Ccoecbmi.dll	Bmeandma.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Nfaemp32.exe	43375f68a93b962824b14041d9e01340N.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Ondljl32.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nagiji32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Nkgdfb32.dll	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Ojdgnn32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Ojenek32.dll	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Opclldhj.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bknlbhhe.exe	Bhpofl32.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Nmkmjjaa.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Pjpfjl32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Pjllddpj.dll	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Pnifekmd.exe	Pfandnla.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Bnlhncgi.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Omdppiif.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Pjkmomfn.exe	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Pccahbmn.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nagiji32.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Ogjdmbil.exe	Opclldhj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6076	3748	WerFault.exe	220

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnjojpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdgnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaifpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfaemp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmfimga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	43375f68a93b962824b14041d9e01340N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgdfb32.dll"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbidcgp.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhefcoo.dll"	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Cklhcfle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4868	2436	43375f68a93b962824b14041d9e01340N.exe	84
PID 2436 wrote to memory of 4868	2436	43375f68a93b962824b14041d9e01340N.exe	84
PID 2436 wrote to memory of 4868	2436	43375f68a93b962824b14041d9e01340N.exe	84
PID 4868 wrote to memory of 3600	4868	Nfaemp32.exe	85
PID 4868 wrote to memory of 3600	4868	Nfaemp32.exe	85
PID 4868 wrote to memory of 3600	4868	Nfaemp32.exe	85
PID 3600 wrote to memory of 3340	3600	Nmkmjjaa.exe	86
PID 3600 wrote to memory of 3340	3600	Nmkmjjaa.exe	86
PID 3600 wrote to memory of 3340	3600	Nmkmjjaa.exe	86
PID 3340 wrote to memory of 1308	3340	Nagiji32.exe	87
PID 3340 wrote to memory of 1308	3340	Nagiji32.exe	87
PID 3340 wrote to memory of 1308	3340	Nagiji32.exe	87
PID 1308 wrote to memory of 5832	1308	Ngqagcag.exe	88
PID 1308 wrote to memory of 5832	1308	Ngqagcag.exe	88
PID 1308 wrote to memory of 5832	1308	Ngqagcag.exe	88
PID 5832 wrote to memory of 876	5832	Ojomcopk.exe	89
PID 5832 wrote to memory of 876	5832	Ojomcopk.exe	89
PID 5832 wrote to memory of 876	5832	Ojomcopk.exe	89
PID 876 wrote to memory of 2504	876	Omnjojpo.exe	90
PID 876 wrote to memory of 2504	876	Omnjojpo.exe	90
PID 876 wrote to memory of 2504	876	Omnjojpo.exe	90
PID 2504 wrote to memory of 3308	2504	Oaifpi32.exe	91
PID 2504 wrote to memory of 3308	2504	Oaifpi32.exe	91
PID 2504 wrote to memory of 3308	2504	Oaifpi32.exe	91
PID 3308 wrote to memory of 5036	3308	Ocgbld32.exe	92
PID 3308 wrote to memory of 5036	3308	Ocgbld32.exe	92
PID 3308 wrote to memory of 5036	3308	Ocgbld32.exe	92
PID 5036 wrote to memory of 2624	5036	Offnhpfo.exe	93
PID 5036 wrote to memory of 2624	5036	Offnhpfo.exe	93
PID 5036 wrote to memory of 2624	5036	Offnhpfo.exe	93
PID 2624 wrote to memory of 780	2624	Onmfimga.exe	94
PID 2624 wrote to memory of 780	2624	Onmfimga.exe	94
PID 2624 wrote to memory of 780	2624	Onmfimga.exe	94
PID 780 wrote to memory of 4476	780	Opnbae32.exe	96
PID 780 wrote to memory of 4476	780	Opnbae32.exe	96
PID 780 wrote to memory of 4476	780	Opnbae32.exe	96
PID 4476 wrote to memory of 3800	4476	Ogekbb32.exe	97
PID 4476 wrote to memory of 3800	4476	Ogekbb32.exe	97
PID 4476 wrote to memory of 3800	4476	Ogekbb32.exe	97
PID 3800 wrote to memory of 1580	3800	Ojdgnn32.exe	98
PID 3800 wrote to memory of 1580	3800	Ojdgnn32.exe	98
PID 3800 wrote to memory of 1580	3800	Ojdgnn32.exe	98
PID 1580 wrote to memory of 5536	1580	Ombcji32.exe	100
PID 1580 wrote to memory of 5536	1580	Ombcji32.exe	100
PID 1580 wrote to memory of 5536	1580	Ombcji32.exe	100
PID 5536 wrote to memory of 4704	5536	Opqofe32.exe	101
PID 5536 wrote to memory of 4704	5536	Opqofe32.exe	101
PID 5536 wrote to memory of 4704	5536	Opqofe32.exe	101
PID 4704 wrote to memory of 556	4704	Oghghb32.exe	102
PID 4704 wrote to memory of 556	4704	Oghghb32.exe	102
PID 4704 wrote to memory of 556	4704	Oghghb32.exe	102
PID 556 wrote to memory of 872	556	Ojfcdnjc.exe	103
PID 556 wrote to memory of 872	556	Ojfcdnjc.exe	103
PID 556 wrote to memory of 872	556	Ojfcdnjc.exe	103
PID 872 wrote to memory of 3224	872	Omdppiif.exe	105
PID 872 wrote to memory of 3224	872	Omdppiif.exe	105
PID 872 wrote to memory of 3224	872	Omdppiif.exe	105
PID 3224 wrote to memory of 2356	3224	Opclldhj.exe	106
PID 3224 wrote to memory of 2356	3224	Opclldhj.exe	106
PID 3224 wrote to memory of 2356	3224	Opclldhj.exe	106
PID 2356 wrote to memory of 1500	2356	Ogjdmbil.exe	107
PID 2356 wrote to memory of 1500	2356	Ogjdmbil.exe	107
PID 2356 wrote to memory of 1500	2356	Ogjdmbil.exe	107
PID 1500 wrote to memory of 6052	1500	Ofmdio32.exe	108

C:\Users\Admin\AppData\Local\Temp\43375f68a93b962824b14041d9e01340N.exe
"C:\Users\Admin\AppData\Local\Temp\43375f68a93b962824b14041d9e01340N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\Nfaemp32.exe
  C:\Windows\system32\Nfaemp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\Nmkmjjaa.exe
    C:\Windows\system32\Nmkmjjaa.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\Nagiji32.exe
      C:\Windows\system32\Nagiji32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3340
    - - C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5832
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5536
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        39⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        43⤵
        Executes dropped EXE
        
        PID:5488
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        47⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        52⤵
        Executes dropped EXE
        
        PID:5316
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5428
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        61⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        62⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        67⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        77⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        78⤵
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        86⤵
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        88⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:544
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        103⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        106⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        108⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        109⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        110⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        118⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        121⤵
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3304
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        125⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        129⤵
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        131⤵
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        133⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 408
        134⤵
        Program crash
        
        PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
77KB

MD5
fb9cc7ba201480a155235fe79798f1f5

SHA1
076a968f6af7ecf6cff4fc487f9469200c22d33d

SHA256
13a2deb7259b412b537ed98255161bad3303809655c83d16102390d7742d1d90

SHA512
450c64697a211412b0eae1a912ab3348d2d31136d0c468417f90608c8a11794f20fd87529c9a2dc0d2d85cb15ed8a7a140a33c25a6445c028bc9f6b688217d78

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
77KB

MD5
c3a8ea0bb01ed7cec8cdb52f951d8628

SHA1
bcfe9be47843d4a0645172e974a769ac70ea775b

SHA256
51e24427693fde7f142ce3a759366fb1090120c46cd84163bc14238caeb20130

SHA512
c6388cc8512a04a7f59245870df6971347cbb50b8a340ca0a82334e0c1fbb226becaadb4943f843f6099bcfd9fc5238d56205ad60039f19f6b1325003c3c4ee6

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
77KB

MD5
e6bd0f3445d035f755065c1269514fd0

SHA1
d1591bc4ca878fc6a0436d69a68652eb987f2343

SHA256
2b559f5a2b5e1575200965164308e1eb597d113befa3cbf3bf1ba401c628c1ea

SHA512
b61d35ec26723e732c62f94d246859db9da3839a7a29d80ff7ee21734840027a1e9b911b9c8a1a84e4e811c3adf2f73b6102f6d7a591511f40a032ddc6b52feb

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
77KB

MD5
73d03839892147236235dce085d9732c

SHA1
5b6f4e24176947ea38a53476483f3547662feb4d

SHA256
366bb68b2973ccad1241dfa7c4bcdf48ecb74cca504f8dddc1c3181b59f5b48d

SHA512
77875205533cae2f86abc64ae5e8b401639edceac529178538a2ce5030cceb9f42b0f70ad501772a02d999ec6ebe675cf86d94107d286cc9182d12a7973f9ca8

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
77KB

MD5
b8470e194256e839cc7270965c6812f1

SHA1
22f501b5114aabfaaa5a44325f0a4ac30498a8b2

SHA256
484bcd4c370b2670c75ce29ada74c46d746e8a1160715f2fd61fed57addf77fa

SHA512
0cf7862fe71c4c4e7af02c9da9cd09f36f94d11d220b3cdae0c1362a17c1329d360e0466222101d61dc8094ac8bfb021582f2259b0accc1c618602a8bc3efc8b

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
77KB

MD5
b3a89ca727a53dded84a18ec20a28c41

SHA1
e4f91d14e332ad3fa5de4545a8d3db0336d8bc3d

SHA256
825b4b87735046a37110656f60b950de9d2177841368f94b4be396f2810ae9d6

SHA512
a80b41732f5186bf0a2bddf67fd323081456eccaf7b671b264b6f81fe1b7b6be79b6c4f97d784dea3354caa39c9651f7dd3d8d4bb72da9bcdcf078b4b5e043de

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
77KB

MD5
eed8e9ea749afe29a28908e5fdd5e86d

SHA1
a0442c2d37e0d58104585c811bd8be34b6bad2dc

SHA256
a19ce1f908e75f894464e2c025ccf4028d9da327f4eba999afd3affb7ff3c12d

SHA512
5ec2afa4dc73332e431681497e1413a57d9a6a17f7564a2109737ef4d579aa862064df297b2224c4880a104c8e3c6600849c69de2907f0ff9a5c93c85c37c98a

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
77KB

MD5
f2f79ecff593e2524829730b5e95eb13

SHA1
a4469dbcf38760a3be51505f6e9170919863a0d8

SHA256
db71a0b626b0a9ad0ca8ea83e3430b0b433b8032aaea0b242c184205ffb9fbac

SHA512
5c761c99613f2188bbc5b480217c7b98d83c644d28085d02d29a47269fbae798a222b169f663887167bf4aa02766fe9d8e8c54d5090a9e108e049b8b5117be00

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
77KB

MD5
7f04741e1eb3435161faf0d66f89f30d

SHA1
2aa3478178de59d0ed4b79a7ea53e7c8a59f6cc0

SHA256
e8c29ae82f4db42df4f1f7d293e03c4478c663d9cd2906f523ad222bafe545c5

SHA512
8f0f3360fc7d215145ee6a461cb7ef581c99bf7f178756350e7e6b07f2fecdabb4eea758bf68fb045c322464a6f97241c17f7febc511b90ac20c8297b4a8c460

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
77KB

MD5
6324464d6d7f8bfe35dd2445d6081b95

SHA1
9368e7dbe866cc9f3c7d794c3c903f8743a3f03e

SHA256
8747100b55cd479a624ff571e400b974d68061204cddff85773fa5664e6dd47f

SHA512
6e922f5606ea20d7bf7aac8afa368e927debc22d6cd12c7372b2739ae89656975d33013feeb837a5c7fa6888baa2010261471ae3e7289997d8298b890b7e19db

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
77KB

MD5
b5cf27871e74f41db61a42b51ef45615

SHA1
9bcd3571140afc2f99e34288063d255eb90c13d1

SHA256
cf2d12513f5de75a3073810a82918f313e31cedaa6449e7ffcc7b52931f01b0f

SHA512
beb034433c4c710858e6d8071a1eb89ab952cc97dfa2c3e19124937de87a1f0a71c8964f486bdc5f409af9e8cea19a1c9107b7c0b720c1c9e684871bb2263bc0

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
77KB

MD5
d441dca067da27d88871f786b9276eff

SHA1
7d897e3feae44c289ccef27811c3f5d3c180cb0c

SHA256
05b59ea97e80a6610fb8a41fc27fde6dba73ff766deae8c58f79a65ed185e1a0

SHA512
3c329cd2d7d8bb848f02a0cbfacc773087faa60a8787763474899a08ea937dcf99d0b48de7466a5ddfae6e97885a321bed03c8697d5db50d09eed6c6776f32ec

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
77KB

MD5
e876ce45b620cf4d41542ef78c891239

SHA1
f1acefee75d6a798539b7af5c66a2d6d7d9b525c

SHA256
643e18f23c950ba7e4af467f4507b15de1b8413c7d625d74cbea15daba638ba8

SHA512
9d33e8072f1f36905c4897633e4d4dd79ad368d692824501897512b5fabd9f2b71284b66550762102061c58652f84e385a98f10e58dabc2d1eadc5f464158886

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
77KB

MD5
2964c6a440f3cf000d71ea3d28f928c9

SHA1
268213217f9b7a9e9f4de344cbd674be5d1dda22

SHA256
2bb55c9af74b38f6b2bd2190f1c493464cfbbec8bd920990166bfd96b210b731

SHA512
c438d88e07ff69b2e07a8b9c01064280040c6a38ea044f17231b63dde549512a1dd821e260dff5638304fff59b4216929ead4a6c00d7c89736a83fdc022f4e41

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
77KB

MD5
a5c3a223fab2c6358bcee244f032b01d

SHA1
ef1a663f042d0f65c37974e17319c09615cd534c

SHA256
11500b9eb109a32d41613b6a8b3d30d1c0abba224be629d9da357e048672460b

SHA512
b560010858cdf774759e10b2f78fd19e87035deb3903ef8a3203a0ccc79a439cdd6a8ca722ac0e629a723da30bbf7aeb09788a2dbb5d62cef84e17c1884f0e8e

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
77KB

MD5
ba5b0109cfa4db00b1d80f5eeb97aeb0

SHA1
afd6818942daa289ddd512e9486143bf11df7f27

SHA256
f099917a334694353ec8b222e43edb9e3475d5f427ef11feb387b57617f38766

SHA512
6a490a3ff1a75cd0d846a7c6e0703ab56e1d85ec57412f59457fe936c33d012674751396b7cf19f7c21416e48a4d547bbcd03ac5402b1ed3efdcf58089a82061

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
77KB

MD5
abf22f7148f5086635c4a741d6061b13

SHA1
91c8d4032e325dc30551b2f08414988be0373d0b

SHA256
c57fc1d43f590b65dd12ee31bf4e4aa9ba59715f0a4c4319569b328d6b53a1c7

SHA512
68cfcc7ef03501b510ba2027b52a703c8cdaad5b0efaf7f582eaac3870bd8d39c51b19fb0c9abac90528da174a7be6c10824dd47f4494bcabaf4d4d113986319

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
77KB

MD5
7b4b9f901ac046e47dc84d50b8498409

SHA1
fc4d7cef32d93fbf1a6828fd22fe03c5211143f7

SHA256
b244750ad36966f59359b96b005222b69bce1c31fa2705a141384ef152f4cfd4

SHA512
78b25af0c4e1e83e4d5860abcd0a97f72d738045e9ff100b26c0125a65f59adeb389cd1c648db47975cdbdd6eefdc28457c4253dfad489e2dcaf1455af678aad

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
77KB

MD5
488d772e436097a9338fa5b3d80100ab

SHA1
f63eb0b2756a21a7dd8f3371bbe7dcf84a75569d

SHA256
bb069b1a6383b1f24b9b1446edebeb9b1366dc53d9749ca499d2f3c37206f7cc

SHA512
4ac18233170fc832139d6bcf3574594249d09e109a15a1cd1d5872ff8fc4ada4ece91b890651ce20e1b0a9952efc2fd6c0eb632f7fbf1ed7f483890d468a40ac

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
77KB

MD5
72de60a4f9071cff2fa9a2693423e0bf

SHA1
122060397e26d3bbc526dc01098dd82ea7b96593

SHA256
b3acf122b65e64e2553885e83f98b945f8717b295f4a414a4eb1d146786a640b

SHA512
7493be5e6f292e4a5ab6cf9d41508a09c4231bcd9d1a9c3fa16657de9196577181fcbce29b3545e069c52e362fd5556e622cfd4d797b36f607b245a3c7d70454

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
77KB

MD5
ebdc96097479e20511eae5fdb861c30e

SHA1
97d05adafa740c13f2bb29f51ca9e7a42db89feb

SHA256
5a294c710249a3b1b87eb2559b9d6bfdec5ac4b6789697f2051f230216419f9b

SHA512
c90f51d6075c536f6d298e6018944f6282672fc26ab2e515f9c884df095c65f96d45f75a544c4d1db7f3cc64ff2d6fedd2ec0dfbd851764f5b682c946eaa2da0

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
77KB

MD5
26ba8d1870e913dff7ab6e103d909d35

SHA1
c72c761f7b933f96909ff171ef55609358036490

SHA256
755a49337addefc672679a37928e6fd5caa78c078a9df3b5ba2f55b46d4d2cd8

SHA512
4093f7be4efbc5ae992b88356f3c1202ef666cad9f98eed82a9579ef85bfcdc6275bf0260c9c3e680e5b686da8bbe3bff31e0bc8de380125c02e501ded383ddb

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
77KB

MD5
678729b3fc0cc8e124fba3f50d250019

SHA1
7df44a89c91baa3e3c0a2816a16434feff503f2f

SHA256
879d0433fb3919608c58b8c244a17c5f73452cbe40c8457b63f5f00076eb3a12

SHA512
2c879af8b43e181300a78626820f10747856b29132199af73d4dc5a705a140947da67e3f8f5bdf0e8b39ecaedd40f8ac4936dd73eeafa91b00486bec969403b2

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
77KB

MD5
67857c5096220df76c53edca3bf54400

SHA1
2d871b23f41168ea01a244d8ab8bfd0cf1ec8874

SHA256
fe23ae52e3b3a79a6fb8f71dcec932f47d0733a1906d8c2f67d4cdf111bdda4d

SHA512
604ef7b19f1a51a35f7569d9fedc15d55674d979aea2d7f7652405f9172baea0d2fa278b7baffeac8edd1cb8b41ebd5dc9bea06edfc808833e46415802c1a6d7

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
77KB

MD5
c98361fd85c6657ba3b48c8c5dd71dbd

SHA1
8a4599d2690346466d71ab4bb239b0cbb0a7343b

SHA256
e793406e4b5a8583b9590c598036143c00940f3801a1182ac22d07e2eaeb2a67

SHA512
4fa1f6cfc2c380b24a349d3262cb263ebba73322da8c0d42c048fbd5ca894e3869bfb01aca92b333a6a1c43d0015be3e673c7f2b0bb9a14b7adc62afdba4f2c8

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
77KB

MD5
f86bb967ef8c748894c46a627a267c59

SHA1
dc7d9dff049d439a33e94a7e9e6e06f56e8098a8

SHA256
5dc5e4ee8839b50338b0791f36dc93030d5e4142d2dcfac41c48d292bf164aea

SHA512
c8a394f74af52b6d60fedb27149680393438b228d7e77078e2bc2ca977f35513b4d52c24a3d94c28e23b1ebf7fc5e7cc44c338875ccd45f9a746bbe9589d727f

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
77KB

MD5
e7b7562f231153d6aba14d6defbff5a7

SHA1
7a9261872c179196d0f49a01f05e4d52ac69e3cd

SHA256
273da56f1482be46c80d5a57c5edd91249cdc8759d5b4ccceee1e5f31b975585

SHA512
dfaeab6ee9596693ffb75b08a9b2a4a22c0e8c4af0b643759a91ba80cd708f03dc3acbeca335f000bfe1f38333430cac828cb705991fe159e268831c14716d6e

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
77KB

MD5
ffffb1aa9616f8aaee13cd088ee092b4

SHA1
f27fe475e91c5aa9f9a077722cdfbecd70a51d32

SHA256
ec9bab3026626e2fd6edf21090dfde003650422253d09fbe0ff65f04c5b3ddb9

SHA512
c0b72dca5a6657c002b3038bb8d0cb802523dc878490646b58c7b98b5d8da2dfde44c5edab543fd11a21799175da868706e2ecce204b32821a3607578b55fa0a

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
77KB

MD5
d7ed2e23958f8b593dcd3cf99ee67afe

SHA1
04222b30fb36ea43719c63f3756dbad7347e90cf

SHA256
9af502f617d86ace2b5214025f32741eb9a435298031ca6ab21a32efc84b35f9

SHA512
60545b7443bb13de4f56821ce52e1aea79fcc21f6040cb260390b1ddb20e9125214c79de10a75f1e19261327c127af899c7cea3897f5bc1b97c6a9b56f3caf0b

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
77KB

MD5
b3fa06f9334ce7d116538021e3e58999

SHA1
32c934c0520aac275277fc25506379dc74866bc2

SHA256
7dc6b16932ce28fa891ff86a1f42d57f449791e5b2f29a2a2fd4acf13fa2dc58

SHA512
a0410b0c9f693f694b4991f25385d7fec5328c1ee9d0c02e8a1f3d1f88429b1da1733b50f9fde0f524b2d70b8179321d0c5f242f29fa9f00b1a231e8d9da443c

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
77KB

MD5
9e72e490defc6ff36eeec053f39a0bfe

SHA1
d806543247e543c6f9f167f4de410097ff7c4e7f

SHA256
d9a37a8108aa9a671acccdc44051116b302d1afb49110daa58536dc634ae6963

SHA512
5f8303777e801657ef9b93e7ef1d12a6a8b23fba0c81fe6de70ea4cb3d6fcd4c5add6ca82ed57e0baa291917f2f6928d11183ca66dc60a933017ce9f20b06968

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
77KB

MD5
5912979b81230918477834bbd89c6806

SHA1
28e432162fd861c06981467b0e1493d82ce7074f

SHA256
03c9024ca8a0b7d86f49c60d0736349dd988d2536fc97bffb6c6c6444218224d

SHA512
9a1d2d6ee752483b4b80e117f899ee88b72e687a81048005348757bab5ed97f2d3eb5d3b6497d58d912e8f41e51beea32c482584d6203a39ce5197382eac3275

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
77KB

MD5
96aab3adc2d0f6581f0f51b939ad8847

SHA1
ce31bc95b107e6ade0ee6f3a07a7cb113a9f7e4a

SHA256
607ebdf82bcee37ab8f34ddb6051b63932670aede4e2473963601dccbcb79d9f

SHA512
ac6f5fdc23e8353cfb73a07e6e0c2c6511f70e7354a258dc6eb5b3da312093c839f9215d82c6502e691513d9680aeafe76db191e3ccac3f2bd7abd5bbbc57e4a

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
77KB

MD5
76fe3c9ff5c088f520eaa7eb83f72a44

SHA1
a81c502be3666cc0af3ebea4a93ce1627fc2bdc2

SHA256
c6c3d4584c62842014f84ab6d4a65188d8d0abb189130642807fc3d71eef59f2

SHA512
b99df5ee701706c94e73a401470903daecabc3cd1d8d2d345d489b21fd8b3e56cb33d3be03d1cc8f288c478cc37d0e4952e32020665d79986ed837cb05586928

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
77KB

MD5
83653a6dc881ae17fe05eb3034f224a5

SHA1
43cac788f621986cd8411aacb6002c424cb51ae6

SHA256
0a98d584139af37dc27ef8b8fdf0652a3f28932cc1e02830d5b594560677ea3a

SHA512
35d24d87e06cb9771d378c9d1dfdc5b6ff6413e673b8224bbe53698fd3c1d3b6b0cd20b36e30781a93dc1e44124c942c24a4df871df2cc62a613e9d26fe66e56

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
77KB

MD5
b3d21b81929c850effc49c7a4df01cc8

SHA1
032d7ae67a6de36c5d95f5f8b1b56db8118ae2af

SHA256
70798ee46cd475f64c39fcdab347e9c52ef2f34d6e829fe28f1e9b4141a671f8

SHA512
6801a2678369a30e651f5426d6a8aa8196490c36975ed6c7909489ec11148e4a31f6e1f6b08e51b5f3311613114299a09d705235100bff81a92d479caddcd834

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
77KB

MD5
2997ef5c8e86ed55d35ffae62d306caf

SHA1
dbd736f0840ec5171d778e69ba09828bd68c6c76

SHA256
14c3ae26a1af876984def893cc6b16fe1547d6ea456fcbd751c35e49f0b8c4ad

SHA512
2cd774f587d03ede993fb4eff6c33a35c2886df163c3259f9b48c6c76bfb8f3ff212b695b7b125da7a8110af300829c4d6c913da9371783204368681bd33a883

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
77KB

MD5
2d463347a033d9683b0472fd15bb821b

SHA1
f8a0709291ec37831902b64df8d65f8d1e5b142e

SHA256
98f8151351c3b90e5d699d1caab1fd3a4032f78908e89f45746ee508495022b3

SHA512
df40323408b6966148f76beba0f6d167d9f40e616bfc66a1ebf5fbd2dffe73f759f31e8b1c27e7a1e2e79a202d8118538d2ec67e142830bac9b55d3608f25cd1

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
77KB

MD5
95637d082bb8c778833fded50377e546

SHA1
b63c89e90556507bce8195ea9e7cc4264cb1c1ac

SHA256
dded63ea4fa30fcfb5651eec406eaa5c396378b46597b34df7328d274256ebdb

SHA512
9d087e94acbf8b207fad3749d663a6451e65c3bc186ff8fd9402c419e9c176d1a30740fe1c7acf4de3c43d8dbd7734e5c8193238292fb643b82ef1e94a711843

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
77KB

MD5
66ac528eee239e73a4486d17f8e6431a

SHA1
f5bada5ff3db6ed87989a288d9ae8b308613e4d0

SHA256
d9c1fe26febbb81632c607b95111d368fc92cb1705f557edf2c6d07757432905

SHA512
a26ad68fbba6b077f9661135067527dc5f7f386a48870c8f96c278937f449715c6d9d765666efd0e7a8ad2a0aea8c57a8ed68473bc6a8851bfa6b53b344e3ba2

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
77KB

MD5
f555d63e43fed7a90d3ee3d1d15317aa

SHA1
eb269a37e5c834bbada57de671093a566edb1bd8

SHA256
58ae2a9a06e00d9dd64a71db6be74f91554b7227d7b0faeb1571d4eb62e9dcc9

SHA512
fe0dbae501275228cdbaf5ad3a5e73f1c8e0b83c92f23666ede8e3af8e24b429aadf6e8956f76e62c697c613689650799b69877ffcaf28e23717f520bee9c748

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
77KB

MD5
9d827b331c18364a32dec9b46cbae61d

SHA1
b1b74837100ac021464bb2155299cb9a7574a876

SHA256
072522177ec5650d289487c95e6993aca036f47e782c36cb6bf988b3b83f3b82

SHA512
62d2b4e23a92d4ecb6a84008212c42e30987573271b32de626532f532c2d5c64790cad9c04c768df5eac3f1f500503a34690c236a388db27a97182dca707fc46

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
77KB

MD5
fcbb603b65f09c9444d64b1717df231c

SHA1
b3584b9a7072e876e7bc27a73ff64975d0bb0fe0

SHA256
dbecaade9d415bd2b2f62ec04df724cb23a4b8a95405d2179ecb9cad8f18ed16

SHA512
89178d5fc4319093d27a048a67ecc3f901e8b6a8b3e96f429f3601410cc3ef11db236e2c07f71926bcb67dfd7f33abfebd43c2b328132f41e4106b9b7348763f

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
77KB

MD5
1a664ba227706933fddef25fcea0db02

SHA1
4d94ba3fb3a499f5b8ee3564c6bef7975b476213

SHA256
3cd9f41b556eb8abea89678eca545cc079be0629d5c61147757875d7f54b0da8

SHA512
a24f3279d29b9f0d058a3d83c1762f9ed2807af8b57c47039589507730f75f59b0d252f1d557b10dce6835c919412cc7210ee5f36275c5f027f1b3bc2c79b2c5

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
77KB

MD5
1a5e8a97f3f558689a3ea3484ccf0320

SHA1
f893dbee0da251373d88439f27ae97ec72a3ba84

SHA256
cd443e3a62002946f9af315f3c1903221b5f61dab668d364dd6e7a7070bf5216

SHA512
569b52a96a8b072685d0d6cdc3ff7611fa5f8befeb89446be4d17a52d2b1ad41b89b491d538be592afdaa6f926ff18b24118cd0576c12c6181bfd3f7a05867ea

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
77KB

MD5
0a15eb7d3dd52e6db44ab65a83979cb8

SHA1
a4d6c0ea71a59907c848844276236483de26efe7

SHA256
d8b673f58761dc138c08e37ab6a6ba4463ea0612d0614289b3031c1f414ac65a

SHA512
a650c19c2169c3977c7c79949bf751b95c5cf980f098a4e55d2cb0ec0e8669bb533100c4c815b546949ae7027c407dbcb4ddcfdda2022962dc0c62bf8ed5642a

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
77KB

MD5
af143e089c1dfc4ee9dd1723a0cbc15e

SHA1
73fec82e5a4164a7e9e7addba17ab5d8b0872639

SHA256
f9e6ce0ff9300f29ded3ec389cac306f47efb6f5802106d24277e26b448f7c90

SHA512
3bec0e0fd81f479c475823092c42c8954e07c1c8353aa40c80e53a9ea985c91afc070314eddf781e150c41106ba0e5170706090bc1ce4853ae02f9f9951d941f

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
77KB

MD5
ded17c8f97538c0c57ce62f248c4b423

SHA1
ad01901db03c237a7d5cd9282c17cefad4c5e8f1

SHA256
c33b242cf391d52a7001c7a90b608e2ea16f125a351a21fff0d17e56e94b7fb7

SHA512
4227efde78d11b420495cfc74a0260a8cb269cdbc1d6afd5d34a7335499c77397de42bfd63fad17aec2a466b58d6de121d3129bb2bdb4a8a402c527c6cfca834

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
77KB

MD5
5d2f38804abe0291bba8e5b2184133f9

SHA1
2dae6460de8ba0c53a12e15dcceb9f7803ceb78c

SHA256
9d67adc50a8cecc9b62cff32b18eb55f7eda4c8bc79c71237a621dd25a18394e

SHA512
7b7f82478d1355ff475b93e16327990a842c26c16b54697fd11b9298cebcb964eb8c3cdb29ca5540c3d0264885638aec212936820f1fd6b604756fa2acb11a09

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
77KB

MD5
476e321c9b112ddc3a252514baea205d

SHA1
0eb22b65331e4dc4739ea99eb414cd3a5b94c4ad

SHA256
8b7fc6990f2d34347e8735099955b5da59a7996b8a230003002b928860c7f041

SHA512
25638a3c14de49aa2280bf3965de6ca30d0f40c21ea91712ac972a25e794a0ed32f55d58ba659a3c20b5eeac028cc77f07ed458c2fa4739ebd5a39489e45e625

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
77KB

MD5
5f5c84136b4e43545dc32b1156c07537

SHA1
def5e553bd77f66457800dc63a90f80cd8b3a976

SHA256
b89911a64730604608382bd9f84e1a3fefbb01452dc23f17f09d870ee087125e

SHA512
258c80e33dde319d5dc8ca7f0bf13ce25904fc7bf9ca5f34227efebf1e0d88bce883ad90f3df73764baec1b81e1468febc0965bc8204bf292373b2976b55053c

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
77KB

MD5
69068c2952f8f84dff0ae84273a97078

SHA1
7b518e4d52a8a283a6ebd423b2676d9c965d916f

SHA256
b7f2a2311ba867a2d0007a9d8998151d2eb37ee01d5f22a5da63a6ec67709319

SHA512
ab98c8614d9bbc1efa37c154ce8e242e9be1337c3b2b9451e340db10c5339c4b09b1a266b890faf0e5ab6f4e2f6bdc2fde060390754720e3a055b83ad14dca5e

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
77KB

MD5
ddd1a51f13120ec452c626ffff9c4526

SHA1
bc64231f893b8e8a5572ced0acc3ee45702bac83

SHA256
485cdc92a60f96ac6cd3ef9fb30e9407375026dcbf3ddf842dcf77989046c3c2

SHA512
f52ab5b4e202f61cff68e35383d7968b0f5efb1098575ab36635add170af059602820b1ad1abf3e95595f695a9672d9d7d995f5b519ce542e673846285143c91

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
77KB

MD5
ef941e6c19b3b074a42ba7cc3852c26f

SHA1
a934978dd1f9e2a55d6c1252a311be821680f063

SHA256
518402a5b34bc4b3ca88d045adc81b056cebd0dcb7884bcca2d826040019c231

SHA512
b4f9930c0065f82c80d85b303766aea10eed5579f8e07f07898ef5c862b226362144eb48bb9a74bf319ae2b60b1968206284264f12e0a9e689bc4d9a7ae06aa6

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
77KB

MD5
8e00b36676a87b4f030d9d850e72a3ba

SHA1
9405d1b12cdae8ef2ec26e0f3d42def1ba561621

SHA256
681cbcb3413072808b9aa3220b49e4d3be956930fbb5c089611eea1c2c3f9319

SHA512
ca51afe7392b3c67ce4adf4b6a42e3900ac5aa4f0773f7f08b1a417a67915acdd426eb494c8cfe4772630efe45407f24132429c23fd384478f73dd20933c72f8

Download Submit
memory/64-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/556-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1308-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1308-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-571-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2456-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2580-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4240-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4964-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5196-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5316-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5428-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5464-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5488-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5496-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5524-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5536-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5656-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5748-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5764-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5780-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5832-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5832-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5972-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5980-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6052-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6088-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6104-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6136-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads