243c1eaedfee489eadccf0f4ce11d342b68f45287d0b0f7e5d34b5e284260f2b

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaee6cfbc0db4f7eb7907a03d95aced0N.exe
Size

661KB
MD5

aaee6cfbc0db4f7eb7907a03d95aced0
SHA1

5710df03a0817f1f9d1f07bb019b7280414668cb
SHA256

243c1eaedfee489eadccf0f4ce11d342b68f45287d0b0f7e5d34b5e284260f2b
SHA512

9f1ae6c68877603e114f8939e08e08c4ef64f58fe3d5eac847140aa38a756bc1975b4dfc95653d9b7db1a378e747159a8cd42f5cd5d05331aaff628483075fbd
SSDEEP

12288:60OthnjpV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYL:6ZW4XWleKWNUir2MhNl6zX3w9As/xO2E

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	aaee6cfbc0db4f7eb7907a03d95aced0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe

Executes dropped EXE 64 IoCs

pid	Process
1980	Medgncoe.exe
2592	Mmlpoqpg.exe
468	Mpjlklok.exe
3824	Mlcifmbl.exe
2888	Mcmabg32.exe
4952	Melnob32.exe
4428	Ndokbi32.exe
2228	Nngokoej.exe
3000	Npfkgjdn.exe
1016	Ngpccdlj.exe
3320	Njnpppkn.exe
3308	Ncfdie32.exe
2364	Neeqea32.exe
4812	Njqmepik.exe
2296	Ncianepl.exe
1212	Ngdmod32.exe
364	Njciko32.exe
1608	Nnneknob.exe
3540	Npmagine.exe
404	Nckndeni.exe
1008	Nggjdc32.exe
3964	Njefqo32.exe
3264	Nnqbanmo.exe
2816	Oponmilc.exe
4312	Ocnjidkf.exe
3052	Ojgbfocc.exe
4872	Olfobjbg.exe
2736	Odmgcgbi.exe
2812	Ogkcpbam.exe
920	Ojjolnaq.exe
3440	Oneklm32.exe
860	Opdghh32.exe
3724	Ocbddc32.exe
2496	Ognpebpj.exe
1572	Ofqpqo32.exe
4660	Onhhamgg.exe
428	Oqfdnhfk.exe
4368	Odapnf32.exe
772	Ogpmjb32.exe
2700	Ojoign32.exe
3160	Olmeci32.exe
312	Oqhacgdh.exe
1520	Ocgmpccl.exe
5068	Ofeilobp.exe
3468	Pnlaml32.exe
3416	Pqknig32.exe
1724	Pcijeb32.exe
1100	Pgefeajb.exe
2320	Pjcbbmif.exe
3436	Pmannhhj.exe
4416	Pdifoehl.exe
4712	Pggbkagp.exe
2208	Pfjcgn32.exe
4652	Pnakhkol.exe
5112	Pdkcde32.exe
4148	Pgioqq32.exe
4848	Pjhlml32.exe
5088	Pncgmkmj.exe
1912	Pqbdjfln.exe
3996	Pcppfaka.exe
5056	Pfolbmje.exe
2728	Pnfdcjkg.exe
1444	Pqdqof32.exe
3576	Pdpmpdbd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Medgncoe.exe	aaee6cfbc0db4f7eb7907a03d95aced0N.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6280	6164	WerFault.exe	241

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaee6cfbc0db4f7eb7907a03d95aced0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfjcgn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1980	2068	aaee6cfbc0db4f7eb7907a03d95aced0N.exe	86
PID 2068 wrote to memory of 1980	2068	aaee6cfbc0db4f7eb7907a03d95aced0N.exe	86
PID 2068 wrote to memory of 1980	2068	aaee6cfbc0db4f7eb7907a03d95aced0N.exe	86
PID 1980 wrote to memory of 2592	1980	Medgncoe.exe	87
PID 1980 wrote to memory of 2592	1980	Medgncoe.exe	87
PID 1980 wrote to memory of 2592	1980	Medgncoe.exe	87
PID 2592 wrote to memory of 468	2592	Mmlpoqpg.exe	88
PID 2592 wrote to memory of 468	2592	Mmlpoqpg.exe	88
PID 2592 wrote to memory of 468	2592	Mmlpoqpg.exe	88
PID 468 wrote to memory of 3824	468	Mpjlklok.exe	89
PID 468 wrote to memory of 3824	468	Mpjlklok.exe	89
PID 468 wrote to memory of 3824	468	Mpjlklok.exe	89
PID 3824 wrote to memory of 2888	3824	Mlcifmbl.exe	90
PID 3824 wrote to memory of 2888	3824	Mlcifmbl.exe	90
PID 3824 wrote to memory of 2888	3824	Mlcifmbl.exe	90
PID 2888 wrote to memory of 4952	2888	Mcmabg32.exe	91
PID 2888 wrote to memory of 4952	2888	Mcmabg32.exe	91
PID 2888 wrote to memory of 4952	2888	Mcmabg32.exe	91
PID 4952 wrote to memory of 4428	4952	Melnob32.exe	92
PID 4952 wrote to memory of 4428	4952	Melnob32.exe	92
PID 4952 wrote to memory of 4428	4952	Melnob32.exe	92
PID 4428 wrote to memory of 2228	4428	Ndokbi32.exe	93
PID 4428 wrote to memory of 2228	4428	Ndokbi32.exe	93
PID 4428 wrote to memory of 2228	4428	Ndokbi32.exe	93
PID 2228 wrote to memory of 3000	2228	Nngokoej.exe	94
PID 2228 wrote to memory of 3000	2228	Nngokoej.exe	94
PID 2228 wrote to memory of 3000	2228	Nngokoej.exe	94
PID 3000 wrote to memory of 1016	3000	Npfkgjdn.exe	95
PID 3000 wrote to memory of 1016	3000	Npfkgjdn.exe	95
PID 3000 wrote to memory of 1016	3000	Npfkgjdn.exe	95
PID 1016 wrote to memory of 3320	1016	Ngpccdlj.exe	96
PID 1016 wrote to memory of 3320	1016	Ngpccdlj.exe	96
PID 1016 wrote to memory of 3320	1016	Ngpccdlj.exe	96
PID 3320 wrote to memory of 3308	3320	Njnpppkn.exe	97
PID 3320 wrote to memory of 3308	3320	Njnpppkn.exe	97
PID 3320 wrote to memory of 3308	3320	Njnpppkn.exe	97
PID 3308 wrote to memory of 2364	3308	Ncfdie32.exe	98
PID 3308 wrote to memory of 2364	3308	Ncfdie32.exe	98
PID 3308 wrote to memory of 2364	3308	Ncfdie32.exe	98
PID 2364 wrote to memory of 4812	2364	Neeqea32.exe	99
PID 2364 wrote to memory of 4812	2364	Neeqea32.exe	99
PID 2364 wrote to memory of 4812	2364	Neeqea32.exe	99
PID 4812 wrote to memory of 2296	4812	Njqmepik.exe	100
PID 4812 wrote to memory of 2296	4812	Njqmepik.exe	100
PID 4812 wrote to memory of 2296	4812	Njqmepik.exe	100
PID 2296 wrote to memory of 1212	2296	Ncianepl.exe	101
PID 2296 wrote to memory of 1212	2296	Ncianepl.exe	101
PID 2296 wrote to memory of 1212	2296	Ncianepl.exe	101
PID 1212 wrote to memory of 364	1212	Ngdmod32.exe	102
PID 1212 wrote to memory of 364	1212	Ngdmod32.exe	102
PID 1212 wrote to memory of 364	1212	Ngdmod32.exe	102
PID 364 wrote to memory of 1608	364	Njciko32.exe	103
PID 364 wrote to memory of 1608	364	Njciko32.exe	103
PID 364 wrote to memory of 1608	364	Njciko32.exe	103
PID 1608 wrote to memory of 3540	1608	Nnneknob.exe	104
PID 1608 wrote to memory of 3540	1608	Nnneknob.exe	104
PID 1608 wrote to memory of 3540	1608	Nnneknob.exe	104
PID 3540 wrote to memory of 404	3540	Npmagine.exe	105
PID 3540 wrote to memory of 404	3540	Npmagine.exe	105
PID 3540 wrote to memory of 404	3540	Npmagine.exe	105
PID 404 wrote to memory of 1008	404	Nckndeni.exe	106
PID 404 wrote to memory of 1008	404	Nckndeni.exe	106
PID 404 wrote to memory of 1008	404	Nckndeni.exe	106
PID 1008 wrote to memory of 3964	1008	Nggjdc32.exe	107

C:\Users\Admin\AppData\Local\Temp\aaee6cfbc0db4f7eb7907a03d95aced0N.exe
"C:\Users\Admin\AppData\Local\Temp\aaee6cfbc0db4f7eb7907a03d95aced0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\Medgncoe.exe
  C:\Windows\system32\Medgncoe.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Mmlpoqpg.exe
    C:\Windows\system32\Mmlpoqpg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Mpjlklok.exe
      C:\Windows\system32\Mpjlklok.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        44⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        45⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        46⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        57⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        62⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        67⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        69⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        75⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        77⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        80⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        85⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        86⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        90⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        95⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1416
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        100⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        104⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        107⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        111⤵
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        113⤵
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        117⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4504
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        125⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        131⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        132⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        133⤵
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        134⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        135⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        137⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        140⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4876
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        145⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        152⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        153⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        154⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 416
        155⤵
        Program crash
        
        PID:6280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6164 -ip 6164
1⤵
PID:6228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
661KB

MD5
2fd98ff6f0d8f1bb553184199a174614

SHA1
31fd9dad0e4c428f7e8bade04ed01df9e446b4c8

SHA256
88f76cc4d2973ffa015c71ca0c84b7423e8c003bc0155dbfb19e8977fbf0a1e5

SHA512
a9da172e68f8d99971626abc4759efc5b8eb611bbe6f5614c1d39030b286cd963b2ca2dd5809135e8f04e919ccbda9202ad404e2661ae24b30db013ff316181d

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
661KB

MD5
ba1929d60d1ae183ae4b07436123c0d9

SHA1
0e7b7455141d009f175b3877a4c0517fd583628f

SHA256
7cac5b072a8fd429ea7aa190d939ed0f64218a92d80a4c6890fd2a3ac93acadc

SHA512
2c0550b0a00b60e41a88e45a37e923f5698bed16c6452b70a5ab3f73a97aa9cba9958480931a4335a164423db29e73a0283aaaf3e9b080b4b430990ec4892078

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
661KB

MD5
1614541b9f9ecdab283f5e73f5fa257e

SHA1
983da9b543413b332719d094380a1cd28dcfb839

SHA256
5c2474b38d93e79628f3e0a1eb872912f88d31ff93a7bfe5f6aa03544eb958da

SHA512
046b1cd78eaebe4dfc1be23f337b55367319686cc056e7f8705ff69dc4d393af28e3716d82e703f3ac44eb53a530a6803f953055b16153f8d27968a928f8c440

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
661KB

MD5
383604ad6a041dbd807bca0973d1cb3c

SHA1
8505e89c5baa4dd876b7eed36e06d1ff9fe00ef7

SHA256
48ffdb60892c4c9dac6caf0adebd3f2d44126fec04e597f8a764cb2ca8499d3f

SHA512
176cee0df823e6931555cb7cdbc64cbd471420bcc0de564fa78dd34db155c8134a781b89b2d8afeb4dc7ef6d290498211be19a3005832958218950104ad0395d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
661KB

MD5
790cc4711ea67750c2311bcda08e7c4c

SHA1
b55fc9969fbc45827f3be5ad488cef590c559c0a

SHA256
d8d5336758bb51d92d03f5b254045f94f921d22dfbd0f6d6dd7f69c1338322c9

SHA512
7a841958d28a63d127b7849a0f70a502e7695602c93baa9273584a4a741d788840dcc1e5e2226ff964f2759d8a7c13f6674e8d61eea3db21199d7a1b3e344564

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
661KB

MD5
7b875d757058b47ebafc3e44c5842ef8

SHA1
ea8d300b2ec4c84da72f0e6e27215a233990d564

SHA256
192d9d37fe0500323b23165519f1fc9ad58f93d04e0fcc926005b6c6a7ff7fda

SHA512
19a5c51e421fc5c860882bbc7e5341e0ac49e1927159f0f8c58cc488cc444d1ed0bd6e5e613ac79d669bc2f79ba888a7520c3725fcd66651357766b2aba5ebe8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
661KB

MD5
085e87d6aa8c4386e14fd621a21b60a7

SHA1
f8e0dccd38fa0d3b11cb60abc1b3d9c345750feb

SHA256
10be9005c320b04563914a2aff11e1fbe0ad5fe980b0471c41b3732362463be4

SHA512
23e07401ae72388e03da19f80751536a3634e2719d2298cd6d2c8291c2728d2ef8e1b9572e5425ff5a709166a8ea77b46b61779b2bceb8707a1dc62c086e6a58

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
661KB

MD5
8b1ec1db0a3c2fef4cf3f008730043a5

SHA1
4e7cdcb66ac806eb2a6944ee0d7cebe62d91a855

SHA256
dbb6ab8624ae0b270f3b654805f8ab6b7af082a1874908066090d50db0dca85c

SHA512
84218fa28a522f12708e45c41dbd6da0b628cab0e9794a10dc0d8809346fd568c7edf917773ce1dc1dd5d12257fa103ac411b83278125cb6d1d7b2dda173db84

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
661KB

MD5
180ff2429bf1bc6a5765d6471b8d1200

SHA1
e27344eb8637622889d1e2ba679222b55a220c9e

SHA256
42b2a9d9ae7990730023e512c4f21654ffbee36a1364f9fb688bf3210e438fb6

SHA512
29209af0513d1f2b32961da5e10d8f3e57db4b5ce94f6f73d8b61bbf9542cae9685b4f55fc7408393f1e7d57572d2204e35c260325d77b2ac79490d5c7890145

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
661KB

MD5
226193bc1af001169135961a21d990f3

SHA1
daea6a1f799f6147e3af49e9099812786c848d99

SHA256
c57fbf06e56e1395c03909d055deb67e4c990499f86fc5b6885398cf4a0ba446

SHA512
ce803eee43f7a822f7f562d1ed065b93de97567d21a71dd46f8b2ff00de4dae90a3b182b6a9245f6ddfc222e9c007a037b96d82f66d75c699230b5e206e677f8

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
661KB

MD5
22ce66fcce27f3aad910793ec6d28ed2

SHA1
4137805f14b65b59d60d4e1bbf8ea51b01a79115

SHA256
84c69557303bf38eb2fa881c4bac0e7fd228030be37c6bfb6048e288d471cda1

SHA512
15ea74857e563cd29aa377d4f8ad87ebb6eba4dd3fcaf66937d2e2ec89e9da653360e76c8214fc776e37dc4cffc7c36f50d2e6aa7972245f571622b82954cd51

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
661KB

MD5
f7434e26360c3499530accfa88a916ae

SHA1
4e123f47b0c18954bf80a78f8844e8829cb7e9d2

SHA256
b8ad39198dcc31a750cb876a691a59f3c0cfdb1143df3289f2f6c4bc80528058

SHA512
df0b30ec38b2d276a658f470f2781562e52041680fedc3e6e9c9c2830d454f93f2b0c968d5b40b46e1cff1294633049ac4672eae2742a82efdb34ca6c71cb485

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
661KB

MD5
95399c55f021c3397ccc2f2b5b5806fb

SHA1
fa669bc7b6f4ec42aac071115c676de3ae55f5fd

SHA256
efa18309d4fc941f477d08cb5460c3d3f6a26c82671b936cf2a429e3d4e828a3

SHA512
f607d85cd1481ffa27a9397af0c390d0be2c5331e2607f99a3b6d695cde5ef5b87f39c5d331dfbac5ea4e780aebcd6af8d4bcaf63d7cc8b180c763c6f971c79a

Download Submit
C:\Windows\SysWOW64\Mchqfb32.dll

Filesize
7KB

MD5
1fad3ff3c01cbe20014d17237e530e46

SHA1
1234f91a1339389b7f6b964ed6d3c5417b7c8485

SHA256
b56be58571629fb918fd444be8effc857077d4b5c2ba766a99889601238c6c5e

SHA512
9671f6b6ac7608cd0872867a736d44a4c686aa693c17539a8e1e80e8eaeb83ed9c6f71f145d21129a7b0f28bb9a1216151ec793d491aecb19bbab565f2850f85

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
661KB

MD5
6b65d601543631b943e647af01b746f8

SHA1
22700d66a78279bb64145eebc364a58232cc6b62

SHA256
90ad30eb3424039034840e4a40dd61a309c7a6f38a29a887fd91fc3064f91494

SHA512
a326186c8aa4ecb60d6027ef52b03086c096ccc20271b7950f2864575730a527b0bc4bc935c48403183b2751e08ef134ac7827a6a0eb64e58a4341bdc6cc0473

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
661KB

MD5
dd6656e08aec7dd25cf5434f68b5eda3

SHA1
54514a4328fd43071c037f95e4db121da8bb197f

SHA256
126c3ec5895a461c08b424baf849e02830502925e01198d64e98a14e729fce34

SHA512
a199b2aeec70e55170761a9461ffc42e8dcf2a26073648b94dfdd59831a1b834fabd900e095c4308cd2d0efb32db342b940f707dd759c843981172e31a880602

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
661KB

MD5
b952bddac695772ddffe881b3906dab8

SHA1
7dfe61143c398a6ddfb16fd452fb32303c7d2eb0

SHA256
16f876c69851b6c7be2b0ef1f9a9d762342d1d86bacd73bd70c0cc72bbd25d86

SHA512
c1ae749c1811fbba59ec5b6ac26a630c7e89414ccf0ca1c0a4a5b17d4d4285ee9f32bc94ca6c247c3fbb12902c04ee4e49360b1cd86e24239d6705384dbdd1ad

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
661KB

MD5
3e655619338dadc216e465c64a0ec783

SHA1
7d2b54d2a9999fa1fd76e7a4519c733b0284e078

SHA256
6558493bd48cead14e77adeb596999ab86c0aa40228474cdbe604f374cc9b2e5

SHA512
eaa2ca69f2f25c1cc4ed3c301214a2ad18e601eea2edfd7301477203b1087f277bd9ff26abcf8956476a4786fdcb22b3bfcf076f912ea3f794fd75622379450c

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
661KB

MD5
497d1119d561bea0a0ddeb2a65d4ce69

SHA1
d9f2bb7d7e8231d84222f058f0c6be91c060a79a

SHA256
163f5c4a57a685e0d0424b76646af923a35432c0f3ec8f4e9649da009dd09143

SHA512
2a9f56fb085ec632e414796d539605ab6ac9cd1defe8e6a92b27aa9ad14fd224266ae9ff726a4a5545231c8178b144efdf778fc9d600bfe214878101fc39e406

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
661KB

MD5
ea6894c55cc7dc0be1513b13c4fd7eb9

SHA1
c376c368fbeb0259241a4c5336e058e79867cb0a

SHA256
86c471c8b60e6a44b8b85364cfb3a953c87f9681eb76d17731fce4578a3f5b05

SHA512
56769ced871236a1678ca571d0dc6d1cc9b0a11b1895f165ad68c44fdee49874a915226814e3954b9ce8daa79d64bbf64fc90c17f44f548ce8e805d3efb6785d

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
661KB

MD5
4ffcf0a8c61aa7adc11431d914f15026

SHA1
dec15db3bd6f83f7d7c4fa20c820e68ac45c6c53

SHA256
e84a8f2c49ee5acec9258bfcffe491c6b509ba864b6a04d9e518d2e0472c6da5

SHA512
375752dd970df28b1675bdd768c2be9d63dcde2379892f5bf7afab66e1e16553ff091387d849981d1d4754d9a3fbc388b3c83c1f058c1805f3a6ffe9769af5db

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
661KB

MD5
55dcef4933094a585c9fe7844e5c3892

SHA1
b1797a4c30da74861e31a4a0861e6b9975d911ac

SHA256
218695644e41002af059666caa4fdfedc1ed35a300bfc31d8dbdc1909dadfe72

SHA512
5cc4bd39efd5d6dbb1b11f59556639fbec2b1f8a90ddff2d28cdfea0b907456d0387c6a3efd7c34e59a45edfd3ad47c378ae6299c35782b99a29632ede43fcdb

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
661KB

MD5
0976d4f659a8b012ce3abc00336effeb

SHA1
4350eda5c984e929c649cf5a2302c4a13faa5335

SHA256
86734e29bc3979cde4980b28e3bd358c254c22709f143066874b3e0a6e1c36d8

SHA512
a683fe3f1a3942a574297ad8b9e6b06054fdf3428f0dfbfc5d570838920b79ff7f216881938994a8a4878f76820dbf754554adfeb56791968893ace550e51488

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
661KB

MD5
84bc434a643895abbda716bd1927323e

SHA1
7e10763934b4e2b6bb56a22af424c18f4b2150f2

SHA256
6ce7969b52c535bf4d3e9fef540138af5b79e8e0d2b8e22c1e6ba9b50c0cd3c0

SHA512
5bf25f4d9efefea9e72c4f5b01a9842ca6389eac351aeebe14559813cec80448b8ba2942026beb34d9b485628f43aba41fad0385a8d03af31b72afafb9962427

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
661KB

MD5
c92cb6f2f9bd4088344f61a209abf132

SHA1
765ed88d53f23470af6d31c2bdfe5511dc75ebf4

SHA256
0ff20136d941528442a44d5e5782e75c1a7c39431ebd1d475e538b61ef0a3feb

SHA512
aff4281eb63a5ac16628b68dc755fa72c8fe1383e1e6849ff87da3205a5bd443ddb336250a35987df350bf3cc0456951c974d3a9776ba6a27d2d7b5eb75328d6

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
661KB

MD5
ff5097ceaf4fd03698e8915715962d51

SHA1
d732bc63e421d0d804c26127beab5369df704cf1

SHA256
cc8a2c03acc88af473b9ca76b5386576c075218b3a74dc953085e36ffe8df806

SHA512
b630a6eb0180c05ed80ad42eee2058d587f020b9ff64b2ecec5831557087b01fdae6876f29b07f38f4f5f7cdc5e9c581145956143b6841952db1a75d32b4dd7a

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
661KB

MD5
507d360c130acdf44bca27b2aac8582a

SHA1
adc3f0a2d8000490d1e8a40ae2f48ad3b55778e5

SHA256
8ce445bd975e5dd90501409ce4fa9ce6f521161656dc5c430cffeb59eacdb7be

SHA512
1d56e5e85cd9829105106b12dc9735854635481cbe0b5491c73c27a081e24491ef45869c661702b571818e79fa4d26a70ada83997ee3a363f2e4ebab8969e361

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
661KB

MD5
c50b6b10516411de31a4eb8a6790fc39

SHA1
8da0ec1db9472e8aeafef138979db5bf5aab4a38

SHA256
24d4758ddd86b7b66471221efc1f602312b0245943c0d7a663917cfcfe0e4959

SHA512
938fe8f6e5791d955823fd670f4f6d11f5f201f9dbae866bcef61876c0f7d2e410bc8220ae7d15715d4a79148ab64f84a07e1173c34a8fc6b7b7dd02f7b1e692

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
661KB

MD5
867466c71fac3d972b8924c4af77e8ef

SHA1
aab6f7922116076af73ee5a880cea915615e9c2b

SHA256
cd8ddafd8a55b193cc52429871a79e6d579853dcfb2d8e6802ed21f72c4a0e65

SHA512
7907711219a6a1d14752a771e472ff3a366277a5c56f34bee604acd9be44d42181c03307da056256d4232339426585f72b842e1f4b09283e885b39da58acaf33

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
661KB

MD5
57883bfbc5b44c0ab7e5d0702189c287

SHA1
eda93518f9831b9129b98f5333ea9248eceed204

SHA256
2b88f4c08b75fbe8cb2c15682e4416b5c37c2c033bd746ab30618b135ab85dbf

SHA512
c4a19945dfaad2245fdecc9f6770cf5076f8affc90a02a5ff957c25bfcc6fa595a2727890a9b478ee9a9791287c37d1c005e59af3eb1ebe62122480145799ad8

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
661KB

MD5
d952a6834c93001efd72b14aeedd7169

SHA1
b71a9e92a40258b9351da9b48b322552447b21c0

SHA256
5c16cdfff834e37be889e8186c5949c7498266817351f39579f0e1fd35c6dc30

SHA512
dbf252b2f4f8c31486a6a6d71241bdb28a3ef1f9a538b5f454823be0bf5d29b95146362387a2884ad8995117c9f4a450ceee76dcad16aa9da7030eaefc1634d6

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
661KB

MD5
8cc2f40241850332779c5df52dac0898

SHA1
bf2a3aa26abb72b9b0ff1e95dcf6a1e716827d8e

SHA256
9148d780bb6d0a68b5ba21625aad7e214dfb68d4c43ceb2f722bad709b062432

SHA512
c42e9bb0f72f240e3b4d9f29ff342f9c65f336496cba22b7bd6fc8da0cdc3708ea6615317de7cab3d9253d159c110629a2bfa5eeacc7dca28c9d473042ee8983

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
661KB

MD5
efbc088b739139e8732416d3a21726dc

SHA1
076869e96535570df0a562252369f88c63014f63

SHA256
edb01437bf2c8a4bc0fe54023480372b714890e99d63199ee0d0bb1484664118

SHA512
f096540f8ccbdd80a65f895d4c9360eec8a57579c5e5cff6c9524a5a41b579795efcedbe08c2372e34931af457453d714247eb0ea7efcf46fd767f57beb9df4f

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
661KB

MD5
4c09de52ef9ea2d8483bb6f895a4a430

SHA1
7444c0e9be7bf1067f738359973f9adaac84aee5

SHA256
ab287a016f525802fb1814dda176af3d30b07fe8ad45f5e53771b98692cf31f6

SHA512
a3e987508411f0499ea9030281aef289e679fdbf266c6ee1f7a6825bc8db12d23584da81658b2b6b088f483d4dc68f7f111106545a278a7da2648e1c2059ea48

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
661KB

MD5
afcb19ef71af2cd173a594495d2c7f76

SHA1
754466d97008430afb7ba1239a29d2dd85f440ab

SHA256
e50e20a44f9cf19ad4c1a08286786fd327de652db02a54095efafb865dad5356

SHA512
a01feb7c40fe197bcf47e1c4a0cd6736aa5ef0172917e4f89a29bcd4929c6cc3ffa92b982932892447a2b3eb148786c7a8c7b6890e79b00febf48491fc3e7574

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
661KB

MD5
75a047e8b5bb006e050153f5ea227d6b

SHA1
3df53af55935b930b8f16b36488e331c9e3a0f15

SHA256
646b4be1c8b54932fe2151f28a2c2f053ca63dd97d320d23c35ba0c1d890cb33

SHA512
04f8642ed44dbd6bead395572a2a9ef1cd1f59340776e2bf3ebf5f6569418f548d082739f7702ea08e2eb029015778bbee428550517218cec36dfea01a2dd267

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
661KB

MD5
8766c4e79ab9fa50f79ed195c94cd12d

SHA1
3c042481f748b4d1db141ce76c03e1eb7154ed9e

SHA256
d48b970a307e0c3bc64907311adf93d71a6fbafa731518ba195c6ee332709b8e

SHA512
3cbbd4b057d84d0fc5791b81895904a1eef05e797218014d2f2b34435192e0e49272dbf979135287874f10c4f465bdbd182abdb855881540dc45cd32cc119ff6

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
661KB

MD5
8d23602400e961a9884de5b516e5b0ec

SHA1
b4d70cbf7fff928d4c640723bb4729c91b2e5e53

SHA256
60169d220054ad18d10e112b99085b5ffbb1db89945fbfe66f45118858a284f7

SHA512
9c37926ec481f8949d32cebe12f8b74e4028256a13835682a5f0ab19ebf1226db9f095a02cc01eea8d6a980144be4cf63cbdc539192bc0f99779dbd1e5454db4

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
661KB

MD5
32ccb9acc5d2aedde615cf3ab5be9937

SHA1
e47b27d062bdad6707eb3a3c4d700d3d8dbb05cf

SHA256
326b02a70eb1b28d2a597b95f69d9b864f9be33ffa767572a238879846fa6d64

SHA512
3c69a9cffbfc3302699ce097c47ab8d97317420e957cf26d40218293c62d95564f8dd3fe3a8bdbd6dd912d6bd246780afee260049590a93d59946981a8d053bb

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
661KB

MD5
7646b1c339125bb343ce16ac8456eab0

SHA1
c6183d0966fa900f1a0dbacf3831d3453daf873d

SHA256
3f0d875b4611a94f8064a8ed880755b77d1f681af12d878e25bbbf3fbf0140eb

SHA512
358ff978a451a37d2e3b7ed09964fa5312aa03835e2c064d4c59901b783f6b107444fa02e7a920605bb6aea5e48d43697a53886fd7820c3ba6cc5383f82060d1

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
661KB

MD5
1cec61831c1ed35066e39f2fff0dd341

SHA1
f2abefef8ee9651b00854871b823b86bd10fb202

SHA256
e2d6a3120aea3ee681aa6eb4eccecee86ce59f932a3c90d148af73a49fd38912

SHA512
8993762120e31ce0817f95d3278ce30fb105f93912f3392b2c6f35c31c4f309aaffa639dcc7701088164a559e62c22b85385a815bb70f91e9e2da8702f1a2677

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
661KB

MD5
0371d713bd5756cc42e87d861385e285

SHA1
913f928b988229c5b33ff1ab60930b65a4499d90

SHA256
1a7f88304e9b9214bc8755eb37161bd6335131a1258037f6fc0c0c0e53e5cde3

SHA512
e94d5c79639cf9b677859bf2129b99dde0ad22478c7c4e1b1e237a51c06c86ff6b075750c8a4b1c4e8ac292a25ea467b8670ecc51232822c36bb1bed1a63e087

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
661KB

MD5
5fd0960cc1fa72d1231a085f46f2a0aa

SHA1
7d683acb04c83c0f1ec06bd08af7bd3bfbfc54f4

SHA256
158a59f212122cc2df69c830b38267f62a028d879f8aa3e9863aac2195642690

SHA512
d1d00a86d37f6121e02d8ef8154c361c94bf4a308ac3bd204a6e20b7a1db5ea3b385f1fabde192e1ae2910996dbceb5404b70dffff77f0c226c55d5499f8b4f9

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
661KB

MD5
4c9c3c60224ced236e68fb9903c0ef08

SHA1
5768f5c5d4db5eaa12715f86ba19d7e6b8ca0b96

SHA256
e199950462622464b962981db9b442d9b4debb02950042669e6a6e52f372774b

SHA512
71b3d456989bad29c4f8fb0aca7dc5be7e57407fd201cd620d005a169f1dd65515b0be48e8738b0583c0070065ce43a676d5ea864f03c5f8e619068605175621

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
661KB

MD5
c7e6a78910555e739ecc723de3f970f2

SHA1
00e90e99c4a19bc134a5c5045646b1dc41412ebc

SHA256
da450b8339e4d7d370b62e90d8b08b4a702e76045710211d8d68a342d94ca74a

SHA512
cf53f3633bb683d9de6bff85b38f42bd266d89782f10f3932b45288c9f0d3ca00c0b59f67dc6faf1e2e16fa3b3c7eb532b6fea1ff17982081125a2d4ac9b5799

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
661KB

MD5
46a2c6cbc00319ec0dc0a3d8a51194d8

SHA1
cc06b5650efe1b46a332943335a9dccde56b3fca

SHA256
08c46d3084d7f60fa5cef5c7eafc19f4c57694bc07cc334e9541a7162b4e8c99

SHA512
e59455eb10207adc4c0bdcd1c527960aade7360e2ccb38e2c559eab2eda2f77bed3ba8ddef23666b9acb54fab7fc6e1561493bbacbd8c4b3ac1ba47fc36ae971

Download Submit
memory/312-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/364-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1008-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1016-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-602-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2736-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2816-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3416-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3824-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3824-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-465-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3964-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4312-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-596-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5160-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5200-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5240-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5280-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5320-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5360-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5400-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5440-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5488-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5520-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5560-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5600-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5640-543-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5680-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5720-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5768-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5808-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5848-577-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5896-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5936-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5980-597-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6020-604-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads