63262e2bdf6631b1de1838a6ef842b0a7c903f0b3646e04910b76213df9a2d01

Analysis

max time kernel
102s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eabf8db0c0f8af49320115cd8128b2e0N.exe
Size

288KB
MD5

eabf8db0c0f8af49320115cd8128b2e0
SHA1

297346d9d7f7f649fd5e3d7fe81e7739372a1518
SHA256

63262e2bdf6631b1de1838a6ef842b0a7c903f0b3646e04910b76213df9a2d01
SHA512

1e5f0387eb3bf52d4f34e05059f34e4bd6dced498276e4cd1b5f3484b41658ea154e9955de493cb5c0b391156bf7a333bc0bff4c113f366a26538e0d69468a7d
SSDEEP

3072:N85FMDRhZGKSVT8S3a+LaYthj7ZTNf9Nm2C4smf9vms+CzFW4r2RKihOfr9n:N8rMDRhDS6N+uwLN7Rjr

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	eabf8db0c0f8af49320115cd8128b2e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe

Executes dropped EXE 64 IoCs

pid	Process
4320	Mpablkhc.exe
2292	Mcpnhfhf.exe
4512	Ndokbi32.exe
4936	Nilcjp32.exe
2072	Nljofl32.exe
4728	Njnpppkn.exe
4556	Nphhmj32.exe
2724	Ncfdie32.exe
1916	Neeqea32.exe
3480	Npjebj32.exe
4940	Nfgmjqop.exe
220	Nnneknob.exe
4992	Npmagine.exe
2604	Nfjjppmm.exe
1480	Ocnjidkf.exe
1380	Ojgbfocc.exe
1684	Olfobjbg.exe
2900	Odmgcgbi.exe
4500	Ofnckp32.exe
3188	Opdghh32.exe
1180	Ofqpqo32.exe
4228	Olkhmi32.exe
5112	Odapnf32.exe
5096	Ogpmjb32.exe
1860	Onjegled.exe
3276	Oqhacgdh.exe
4756	Pmoahijl.exe
2148	Pdfjifjo.exe
4324	Pgefeajb.exe
2860	Pjcbbmif.exe
2684	Pdifoehl.exe
1600	Pclgkb32.exe
4720	Pnakhkol.exe
2028	Pdkcde32.exe
1948	Pgioqq32.exe
1692	Pqbdjfln.exe
4548	Pcppfaka.exe
1492	Pfolbmje.exe
4656	Pjjhbl32.exe
1044	Pmidog32.exe
3688	Pdpmpdbd.exe
4684	Pgnilpah.exe
4476	Pjmehkqk.exe
4672	Qnhahj32.exe
4848	Qqfmde32.exe
3184	Qceiaa32.exe
4536	Qfcfml32.exe
2496	Qjoankoi.exe
1668	Qmmnjfnl.exe
2068	Qddfkd32.exe
3808	Qgcbgo32.exe
1236	Qffbbldm.exe
1788	Anmjcieo.exe
4772	Ampkof32.exe
4024	Ageolo32.exe
1112	Afhohlbj.exe
2624	Anogiicl.exe
2280	Ambgef32.exe
2856	Aeiofcji.exe
1160	Afjlnk32.exe
1628	Ajfhnjhq.exe
4292	Amddjegd.exe
1048	Aeklkchg.exe
3484	Agjhgngj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5424	6032	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	eabf8db0c0f8af49320115cd8128b2e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	eabf8db0c0f8af49320115cd8128b2e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Ampkof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4320	2996	eabf8db0c0f8af49320115cd8128b2e0N.exe	84
PID 2996 wrote to memory of 4320	2996	eabf8db0c0f8af49320115cd8128b2e0N.exe	84
PID 2996 wrote to memory of 4320	2996	eabf8db0c0f8af49320115cd8128b2e0N.exe	84
PID 4320 wrote to memory of 2292	4320	Mpablkhc.exe	85
PID 4320 wrote to memory of 2292	4320	Mpablkhc.exe	85
PID 4320 wrote to memory of 2292	4320	Mpablkhc.exe	85
PID 2292 wrote to memory of 4512	2292	Mcpnhfhf.exe	86
PID 2292 wrote to memory of 4512	2292	Mcpnhfhf.exe	86
PID 2292 wrote to memory of 4512	2292	Mcpnhfhf.exe	86
PID 4512 wrote to memory of 4936	4512	Ndokbi32.exe	87
PID 4512 wrote to memory of 4936	4512	Ndokbi32.exe	87
PID 4512 wrote to memory of 4936	4512	Ndokbi32.exe	87
PID 4936 wrote to memory of 2072	4936	Nilcjp32.exe	89
PID 4936 wrote to memory of 2072	4936	Nilcjp32.exe	89
PID 4936 wrote to memory of 2072	4936	Nilcjp32.exe	89
PID 2072 wrote to memory of 4728	2072	Nljofl32.exe	90
PID 2072 wrote to memory of 4728	2072	Nljofl32.exe	90
PID 2072 wrote to memory of 4728	2072	Nljofl32.exe	90
PID 4728 wrote to memory of 4556	4728	Njnpppkn.exe	91
PID 4728 wrote to memory of 4556	4728	Njnpppkn.exe	91
PID 4728 wrote to memory of 4556	4728	Njnpppkn.exe	91
PID 4556 wrote to memory of 2724	4556	Nphhmj32.exe	92
PID 4556 wrote to memory of 2724	4556	Nphhmj32.exe	92
PID 4556 wrote to memory of 2724	4556	Nphhmj32.exe	92
PID 2724 wrote to memory of 1916	2724	Ncfdie32.exe	94
PID 2724 wrote to memory of 1916	2724	Ncfdie32.exe	94
PID 2724 wrote to memory of 1916	2724	Ncfdie32.exe	94
PID 1916 wrote to memory of 3480	1916	Neeqea32.exe	95
PID 1916 wrote to memory of 3480	1916	Neeqea32.exe	95
PID 1916 wrote to memory of 3480	1916	Neeqea32.exe	95
PID 3480 wrote to memory of 4940	3480	Npjebj32.exe	96
PID 3480 wrote to memory of 4940	3480	Npjebj32.exe	96
PID 3480 wrote to memory of 4940	3480	Npjebj32.exe	96
PID 4940 wrote to memory of 220	4940	Nfgmjqop.exe	98
PID 4940 wrote to memory of 220	4940	Nfgmjqop.exe	98
PID 4940 wrote to memory of 220	4940	Nfgmjqop.exe	98
PID 220 wrote to memory of 4992	220	Nnneknob.exe	99
PID 220 wrote to memory of 4992	220	Nnneknob.exe	99
PID 220 wrote to memory of 4992	220	Nnneknob.exe	99
PID 4992 wrote to memory of 2604	4992	Npmagine.exe	100
PID 4992 wrote to memory of 2604	4992	Npmagine.exe	100
PID 4992 wrote to memory of 2604	4992	Npmagine.exe	100
PID 2604 wrote to memory of 1480	2604	Nfjjppmm.exe	101
PID 2604 wrote to memory of 1480	2604	Nfjjppmm.exe	101
PID 2604 wrote to memory of 1480	2604	Nfjjppmm.exe	101
PID 1480 wrote to memory of 1380	1480	Ocnjidkf.exe	102
PID 1480 wrote to memory of 1380	1480	Ocnjidkf.exe	102
PID 1480 wrote to memory of 1380	1480	Ocnjidkf.exe	102
PID 1380 wrote to memory of 1684	1380	Ojgbfocc.exe	103
PID 1380 wrote to memory of 1684	1380	Ojgbfocc.exe	103
PID 1380 wrote to memory of 1684	1380	Ojgbfocc.exe	103
PID 1684 wrote to memory of 2900	1684	Olfobjbg.exe	104
PID 1684 wrote to memory of 2900	1684	Olfobjbg.exe	104
PID 1684 wrote to memory of 2900	1684	Olfobjbg.exe	104
PID 2900 wrote to memory of 4500	2900	Odmgcgbi.exe	105
PID 2900 wrote to memory of 4500	2900	Odmgcgbi.exe	105
PID 2900 wrote to memory of 4500	2900	Odmgcgbi.exe	105
PID 4500 wrote to memory of 3188	4500	Ofnckp32.exe	106
PID 4500 wrote to memory of 3188	4500	Ofnckp32.exe	106
PID 4500 wrote to memory of 3188	4500	Ofnckp32.exe	106
PID 3188 wrote to memory of 1180	3188	Opdghh32.exe	107
PID 3188 wrote to memory of 1180	3188	Opdghh32.exe	107
PID 3188 wrote to memory of 1180	3188	Opdghh32.exe	107
PID 1180 wrote to memory of 4228	1180	Ofqpqo32.exe	108

C:\Users\Admin\AppData\Local\Temp\eabf8db0c0f8af49320115cd8128b2e0N.exe
"C:\Users\Admin\AppData\Local\Temp\eabf8db0c0f8af49320115cd8128b2e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\Mpablkhc.exe
  C:\Windows\system32\Mpablkhc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\Mcpnhfhf.exe
    C:\Windows\system32\Mcpnhfhf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\Ndokbi32.exe
      C:\Windows\system32\Ndokbi32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        23⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3384
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        32⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        46⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        59⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        63⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        74⤵
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        77⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        82⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        84⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        86⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        92⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        94⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        95⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        99⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        107⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        109⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        110⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        111⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        114⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 396
        121⤵
        Program crash
        
        PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6032 -ip 6032
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
288KB

MD5
1eca99f7a7d9d5b59943af525a9216a2

SHA1
37a64bf98acb803f217e823fe6e0ef93d5656ff9

SHA256
2d3e1311d2f2de4c6dadbd0c72733e43c30b794d4c8d671f01341421601138d2

SHA512
3471029d40ecfe43dd9585e57270ee965587aa7362c634805a19ca0bf156e8156791f5bd963b3c5ab7dd83d969e47e441a61dfbdeb8c1e9fe138b98bfe941ada

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
288KB

MD5
dbeca7350f18891659217272a0f61898

SHA1
8c292694307b0769685b4a19362dadb4ba25bcbc

SHA256
ba1a983ea186e3b247e947783f9a71def9953902b76855b685caff76adb57738

SHA512
aa68cdefcd12ab7268710d9a375da52c1edc5140c65e619a22514409246057f0f9f00258dfe672bcfa59c8ca5b82f8fa9de6a43597bce79f0286b84fcf8277da

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
288KB

MD5
6c8a67ce5bcfe551e1aaca29aaa82f9f

SHA1
ab07339bfb44822d6e6f36dab76ff9360e18bc83

SHA256
507dad1362686ad1e12ae05e1a413d7d06169cb6df94b273dccaf4571d8cb644

SHA512
534eb65cd60b3253b0ec49345de90d17534559b78a4306fb40830d0e1554b2fa21413d164044d587ae3971099d78c58a165c67cc3a597780e46c49f6730fc6f4

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
288KB

MD5
25a0f88a682188cd6cdce3bce3a80839

SHA1
0a6e96432d1032b3d0226d61681fe848f1d1b7d1

SHA256
6674fbf4a284b0516a827188ea0e45943be8e8455c766acde2b366e08a453296

SHA512
60563504d24f64fb764e52e47243539d04f31908201bd62e5d47a22ab069c2b92bbe7dadec84c539144b07b597b6ae6699c1b5adeab4f2db91712fc098430cac

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
288KB

MD5
3404dcf6ddace431061cee1701ae6ac5

SHA1
ff83564ae5f938a0a800c46eaecba13d8b823d5d

SHA256
8314ed1b75e9595f36dc86bbd35a4bfc0d60cd3c20cd79f65bc1d3c1ea8eb2ea

SHA512
b600512ee34299a849b0421f7e9a6047357767b455aa4ed5d14a36873acc37ac6b9304963cf8b1ad0f18d9c271785a8c45a521f3fdb5e2f539fd7a26ec8fc517

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
288KB

MD5
83286913c12fc11838619ceafe2a540f

SHA1
f1c6e7d1a9e1c4a71b8b7368f074c42a4005b8bb

SHA256
92fdee19b406e3f270b4e80e03fe370fcf0f8ef8b527e07d0a10c39f9428dfbc

SHA512
3919dd4178f06914bcade8140d098cab28df2a66622557302b9ac6147617035d145e51023df56b45520c92db7b73bfbd46bf2b0ebe753f4935861d56e1406be9

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
288KB

MD5
2721d10b9d7b5350019cd131716dcf50

SHA1
9edda9907f73b82345e2d1d973561e0d42fcd769

SHA256
4b9d24a4a47912cacab018baa69cc0846700dbd4b7288a4117f86bff76b3bb78

SHA512
63a6686cf6245699ef3c653eccf324557ba931457610d89bec5612445e1f24eadd372f76de2f9cc8f4b8458a0e2af57e6e066156be505d0554d23c59237c5161

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
288KB

MD5
a3f0c5032fd8e10d57c6b6be8b88d15b

SHA1
577e719ba15f623f2f0acc9d0f94a774a1669cb8

SHA256
16807178f29f63540583208090e3b7935f6ce1f0f409a098433ec8e32818b164

SHA512
04388355915c5bb34eb62c74b17bba38a3e58fd3d9594963641c79181cbab10f53bae519794a0fcd27076eb9369d1ab3407e6669ad2d8922986f4a3b16419a99

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
288KB

MD5
6c51cb9bce16a00008fd12d11c3fcfc3

SHA1
6738f6483339803e9d4e5bef6d2fbf8f1438c165

SHA256
1284eb80089b316b297aafc131f9f258dde5a83d108c498fa612293302d0bf55

SHA512
21f28e4234f2dde82f0c9119d845261b38dbd2ffcda8b3ae69b30895d148b303de8efd5098443977d112b1373c0b48291a14916f18b18166d4b987451d5e8963

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
288KB

MD5
37842e055a713c002f88964b0616c922

SHA1
80b34dfeedadf0d588ebde139697920736625a9f

SHA256
3e88b4ea325724e77c1be874bdda7799141c7560951dec1631b4b1ccf3c9f2e3

SHA512
28a02cbded0792da072f72138a87279199e4ceefd81b630d8c3005c4b270a59e319ba8feef45982c0007d5a4f5b9ce842f1090407e0c191d5fbe0d28d2f87d32

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
288KB

MD5
4608f20eafd90bbe98b7972a1628a3ec

SHA1
766c0d04e008af90113755c14ba7b37bf02521f4

SHA256
d368fbf2c10dc1a3495d00773ef1a2e22c01e0fa60ad8f3a80f1f10708446869

SHA512
d16bd3299068770f7071b1ad991ac381cc8e0b46fcf5920313eeaead11662f61d3743e13559bedfbe3d12e567c2be25168432c665db68dae8dcd9c7ab7694df7

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
288KB

MD5
788bade4c2c8d6ad37954b649a3193a5

SHA1
c2a518b7684720f5de214ecdeef56fe141901fba

SHA256
628f005997580129c8dbd71596d73cc58bb5c3c1e879d8afeb0bcb0862cce84d

SHA512
69555428c2a5428d434cbecd2e4241fbf9aab17bd4e84bb44033aa3b13fb78cd900d3e87b073a4d40bd16381b5e8781e0a19f49c9b3b4aabece11c19ab1786ab

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
288KB

MD5
4e07337a0de6d817310443af35ae1241

SHA1
b81de3c99b701eff2fb864e24db28d884031fde3

SHA256
b10ebb7c13bf84f67a1f84bf6febb249128d4a8204de6c060b47bdcbc2f505a2

SHA512
4bf0972c1357a0a28335ef5a42a7fd3f69f3d28678cb1467d4bbac5af7769d0c50310282cd1d497ee4b45dd377e29093dbbf0491748edd825c72199a6c2fa72e

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
288KB

MD5
97b56e39ee0add3c968e2291399b7920

SHA1
6d18a5041fe716946c488b1fec68100f6995af69

SHA256
109b8fe91f35b69117050671a777326600f31a223ef3463d6afbfdc50daba34a

SHA512
1d55c4a17c800759c166ec5935f4afcab143afd0e5696332f0738838d261122300e08911a66e1d9aed815d84a9be2608ab7c18a0d30717f80b5cfcf6776960b2

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
288KB

MD5
f07973a8862e7044c85302789ce159eb

SHA1
3095e0b9bcd72b55311321cee06a40075071b8d3

SHA256
99de2611f592e19341a17db89f9b3add08d84cf9662c1c015bc19190273d91ef

SHA512
d8151749c63743703a56b61777e4d99244a00e02705b52c4ab5166bc35aee81038e263314c8b7b879271ea406df03b8f44ec7f86095bad69f88fbce521a245be

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
288KB

MD5
c4d4cdea3f8589275e7b2a601810d95a

SHA1
01bd4a869a67ac2f6fb44966d44e171419575d0c

SHA256
82291ae9341240ad93581a78db544c602301ada69daaf5d9fa1feebcaed13af9

SHA512
800977451ec28962826b424cbd7d0e2bc446f7dfdb79df1edc0c0be18e48de1f0ff8b81024ca34680d7eb927a7f6ca2f1f0118e3b1bd8a82cc16450c5f730df4

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
288KB

MD5
353c4555784e7c8bfac6eb106dd4decb

SHA1
9a4d5942c1874fbe3dd2dd2aad5f582686729c46

SHA256
c543be660e2daf3ec008d9f1cde850e4cd9bfbc52b4efe18c2aef356aa9a8bca

SHA512
f6b50319c104fb5acb5a6aec6a93838c0c6f56f960faee3331d2442f727725c393d3da9ed9344fb9f316cdf229a3a0778c903e870380a1f19fd8c36a482fb95a

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
288KB

MD5
faf7082b37fa6ba91c01104f732cddc6

SHA1
94e474f4abb4691e86427812dde553c8314a0918

SHA256
86a1e460ca8157764109db9e7a2c4526bf902753681ffd0361a6bbd5b9fe3dde

SHA512
68763273f2cea7de869c426aaeef0c1a0d65f5c30eea92eba6548dd454d4f32d53a1e8ca93ed8d93459e67e5e73379b93228ffd6a7c039fa9c31d275df38e0db

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
288KB

MD5
cbb0afe80a2da9da9b5f3da4e3437f48

SHA1
c1a9988414bed19c5717d64a11500ce22da6e46d

SHA256
ecdc1b04bc0c03e6ed6d1e88f76557a090972318cbedd7846444fd7c10a5a297

SHA512
33e07f92a09a0415d5e547fc0e877bfca92eb08981d3a7e9749e9dbb5ff1f718d86124aef365073ec0e4a47fda11b2bd0634e057e1d6cf90ed970c493fe13a1f

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
288KB

MD5
fde7a0751528cd0ec501ee5729590350

SHA1
a783cd055009efc9e68f53a33c77e779aaf57f82

SHA256
5fd22ee3686b7c7c7ca9e3d160c9c952523240e5ca76490dfd27af74f8329e5d

SHA512
5671de67a85781e8d61d17fe013bbd091cce8ed1ce4bc3491495c7c7ec6e3429edf4e038d83646d3d564a3734d30b0c9c79c34d805de1ba6f8c7289afb7b7284

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
288KB

MD5
760c43f6f1730a18d4a46f96b8b589b6

SHA1
b59db9d67c5d898cce931350ac6f2620c8998fad

SHA256
1f428b44833f2921afbbcba5d5f2fe46f43f274fb60a73b3ebd3888deaa1e8a4

SHA512
446ad3e93e16eb125951193719d586e46b98f51a0eba871121bfd7e2787b588f26d030ce1a16c149591004a05bde8fa666a872ad9efd39a688fbc8ffb34d66a2

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
288KB

MD5
9808e68155876a39ba5478f1bd5b532f

SHA1
d856c3c76fd31bc3d61631327c48dc1e608c878c

SHA256
bd337e783d0a49c7a80fe8b039037d9f20e90dd2ae620550fc781a3ace9e6022

SHA512
3c55f7bf556bb814d6edd1ce196a65493a48e0f4a307559050059a5305d849a80ee69c47de9d7f92210d8aa298f17c030bed27f1d21eaa65fc780e461c15b21f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
288KB

MD5
32cb9e5b2142243392aa05cb0105b955

SHA1
5533ccf12c2ea3ac2697bdf47d349596d22152f3

SHA256
884876bca4e615c2efe6e7bacd22771103f22ecf41c18c22031d24efc8278936

SHA512
2bdc4a07449e8da198baf7255404edefac0e2d17d17d20631313f16a89a082dd2cf618c64197968dd36e8cd8de2ade3ba055a3b6f60c8b947cd80e8d2b48ddb4

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
288KB

MD5
877845e0e4e620d534339ad818186a27

SHA1
769c0ded1ecba7eb5b74642d29b5c6e593a8bd8e

SHA256
d4e99e611f365c42d0d193143c67e2c3814b32cbd027b0add1354c469433287c

SHA512
00f06f6d1cf703fe8826b9b83ec3415ef021a8eb3ac7f2fc5edad59d25d8d574f41bb524eeccdf3cab275c23ed11374a7637eb351b2fd259a80278678b3f846f

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
288KB

MD5
1a6cd5cfba9a6aab6accb2cb7c9e3623

SHA1
9fcd7c69a2933f85bd13346015c1d031428e201d

SHA256
8dcf437964ef1f3532ece66a0d8f30ebc0f09014ca9c4bd49f6703065db782cb

SHA512
81e7220ae5af2de3bff891fedc2679cdf60afca0e711efa34fd3f21b017b7d436eaef8b53fcc579452850a234d25ee49f2258393fa114b4f0f1a42419c16fad8

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
288KB

MD5
0f2e6fce62588e8ac0743a92712f086d

SHA1
0c1dfe139acffcd7b7f2670227c16dff7b9b41dc

SHA256
58433e7060c8caa4e1d21b0ab394282a8db91c9fde47702ec7c14ccce14497db

SHA512
b92c6d39cfc1827c7e1b43e123cf3e47f9802c5ed2d2bc768bb88379dc893b34b280ac4985b5ddf41d963346fc39442197fc34b5ecd6c78c123440939cdeccfd

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
288KB

MD5
8e37d7031bde9eeb299f1ec63674fdc5

SHA1
29576dd30e5bb13548cb734d16f479a66912e538

SHA256
cf44b5030981b88c6bc58cbcf561ead114d60273757c5e923f92db004704f39b

SHA512
48d6ff43896dc00a80fe2fcdb851d67bd609b3ab129f53c69679233de475053310ffe4e7337a1ccf5090f6daa8f4c807cb590b7e0b41ed24df26e515653f10b8

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
288KB

MD5
e4f6cdc163ef0998b8c1373f0c83b15b

SHA1
2808f76054f2b5103526382d84e4d85d2ae4effd

SHA256
78d34614fb18ce392ce2fa866aa0168a49abfb264a25c4db2a3b0a0af34e8a78

SHA512
227915260ab8e4707b4a0170ae8554c0f4cbbd92c71487bd348f04491f9804f7f0f684f1b6fb793266332015f319a4b3639af7862b7842de9b8c93d95033abdc

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
288KB

MD5
1ce047dbca221d6bc3525acff2571fd7

SHA1
707882e5ded8e15f4771fccaeee90ef5535d5c54

SHA256
775af0f5c788eefbda52afb3bef403373b2e18cd7ce4c19a9c9f981a0b0ca0b9

SHA512
7e66b0b0b2b326060f320a0aa199cd9f6f58f2a239ebcddd119c0e4d4a0aa017698893d797ab9ed61cb85645a38e40888cea0fbcf539722c2ab31491be97a42f

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
288KB

MD5
aacac97f35b23b82500382ca44ebd971

SHA1
68226c80be61e3b3ab1299e77f3b3eec4bc94aa7

SHA256
bd49a796c84b6e8c1c8b86b4519c1ff4e36b536e4fd26caca848f87e6aac5eeb

SHA512
5f262de8a25e3e9503b5b26d33a549426c01412ab9d68b1026fffc05b862667d0553bb10d38abd48e29c9a6ee8749c962c9c590303243e414aab13cf88f8e1fe

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
288KB

MD5
3756deaca44361370ba3f0dcce1da319

SHA1
0a350be33a4686791b5d790c620df248805d8d2b

SHA256
23463c70155ddf45c07c2415dd8f682568d849aee955d9a6501542725b5b99a0

SHA512
8ccbad8f14c9957b01d097cdee3c7601492011c5ddd230779568b0c7269e971a6b06415acf5383cc358925e80e4b84c6de9367270c0ae45e1d435c79ef0e7599

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
288KB

MD5
10367bdfb5d579ff6a8a7c5154abd11f

SHA1
a38f1ae934e3bfb06c57dbf99b7095dfe7d3b0de

SHA256
dfd35e8403547a1e2eb4c5d7181bd71e183980797ce9b865a28d86609cde42f8

SHA512
66c82570ef4e1abc39432a5dd0b8f4cad4560653aeba1d7b48dc51216ad1cd5db86c26c6118bc74d5abebc0dad90c8142b11caaf8f618a6671ae89d0104a8f77

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
288KB

MD5
cbfb67ce7738a7d42daa50f8831bda88

SHA1
4a3f199da3e4123876ffcc7c21d5c13a3ce1498c

SHA256
a742858fd5410cdb84285eac63cca2f429da6daab205209c41600e91a9a1f802

SHA512
b4c612c713b0c704511b2c6784bbe94179fbbac26c3a54a2dbd96dc5761a937ab6955a1ea4d69008ec46ebd26cdb43d770903c627e67e144df641b7679c7996a

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
288KB

MD5
0dbed51363bd741740515a156bccce37

SHA1
d683b61fd45c22d184c0293b48d75965c646571d

SHA256
bcd4545b5092d6d869062a09c4a1ef7c7ef5e91ce8ded9c3f579bcbe75973362

SHA512
33ec273791c42fe6565644f11ec26b0019ee074325a0931b78657b19dfa356e3aafffbd1212d402543d072a4bb2541b2c2573a9016e1692a3edd0831c5d82f55

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
288KB

MD5
f3c785741122b8b9bcbdbe311067cf24

SHA1
6906bfadbd41090fd67da11c557e0073e6ba7279

SHA256
2007fff649bc63b30c26c922b46966b629239e3db6bb755578c9fc4a02574945

SHA512
8570b4ffce9a54cd80b864e246bd1c789fe2038dc24cc41946ea50b5ec5817956ed865945241e6ab8e122bcb41265e8e5b09e062d6110c84ae0d70faab22248d

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
288KB

MD5
21635d4cbec81fd2630cc2127b9d50e9

SHA1
7f93a3aeabcf5808d464aa33bbfb1d96d267afcf

SHA256
a479f87e06fc12d8223c77a43921fd5162be4e3784192d8b07975231e24500cc

SHA512
6c28a6e00c538f92618119998dee8b8513fd9404091fc67098c76c7c307f7c1e69443434b6a987d1c940b81a9c648a75720cd5e069578f4e74e43b17dd6ef9a9

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
288KB

MD5
a6b62a272a0acb8d0a5d8d31e9a4adfd

SHA1
9171d5c2aa551e378652016967d95e596c410536

SHA256
0215f43c224d3124abed50a122fb00e37074b0f0a13846836be89b97eed6963d

SHA512
a67fb54968c916ee523a309b10a02748183c66c3c08d9969afed01735da77660711f7c018be1eec695b678b5a4257efd69bc555c15b15beab85a4b095f644f1b

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
288KB

MD5
ce2a8d5b5336b5c80231919c5e9a207b

SHA1
6f6de8c114ede2b044930611335949ece16b3e71

SHA256
e7f7e539d2beecd93c973d27b0a80c159716f54b298295c65fa34afea82ea420

SHA512
df68c9ab961877b042bdc83a246f8c96a16bcb2866f81e3cd21d89063d04e1d11afaef3233f06eecdf4629ee51f30001b5ac0df2c0ddc2277c2bc230dc29a765

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
288KB

MD5
bb7ab8595f43983bc91056bfd7275ee2

SHA1
d92acb40a1c52c2f9fe6fcbc74c3c621face3234

SHA256
7978867bf0ae773a7cc306ec7303b23de068803cf2fea9956f20bd4eca6f9a3f

SHA512
e0ccc3bb74ac2e830fc913d3d6b0c611994c074a75382d9805b1d26846dbad32da192181acdbc589112acc731bd675647cfa2e9a1abc5e64cb4f43ae1040387f

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
288KB

MD5
d3b2cc5ad465581dd290d838740341c1

SHA1
29e32c04337b0fe4b55b06aaf6d87030c18ebd01

SHA256
0a0547b8fd1fda11481474ac405e1fd4968216fc2c44ebd6d6ec9190b0f020b1

SHA512
d920c26c8366436075c526085b02556c8a21442ee024eae76be0020c04f223a7ab0c4d27717366f94223d291b365534501ad9a98980edc18df573a80dbea7e9c

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
288KB

MD5
33ee014667b479fc7fc58a35c0d8ef13

SHA1
e417d9fce005f1f12fac0bfa841f61fc9eaae405

SHA256
2d0e741101a551e604ae5390dabf7d0c8e8f48796e47d089d6d7a32441ba04fe

SHA512
3f44092d98d1ff3df43dcf24b5cd4a342bd63f59e20af36651248fb072227851ae1635ffff47ec963bd39985b0bfacb4f1afdae8c5a2cb395d40d26c8cd53a79

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
288KB

MD5
73a415bae2c9d7259b2995d39766e542

SHA1
06f4598eeb7b42a4f786d12f6758c974e9390a28

SHA256
b9870a96e388cd5e0630cf0fbcbb9583fc5008101123aa6ebf27ee43fd80e066

SHA512
cc20ca48f0ab6cbe993d0c3b0c887bb95d79f8b6c2888e5853af3e71b09c09065bbef2b35ae54775594ca628c1e788f7f46ed4d2e7e1d570518e2ffcc3817806

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
288KB

MD5
d396b27913b64e8c4e0407f2e5578d4e

SHA1
3576166dd6b9e63dd69802e834844630bf7b827c

SHA256
9967a56d2454dea8fbf48f55b9a2d12385cfd259d9439a3380be214281da424e

SHA512
ee275543757342ad64fe66d87f559aad802adea98273f57c2c7ad9a377ea8275c1b1c2bb894c36cb33d5e88b31faa4fc0750af4c3d419411fa9ad143e5f9ce28

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
288KB

MD5
bfa9a8d6d92c9a4320d2ce38ec53e42b

SHA1
2a97d6cecbdef1124c436fe8f818594953f7034b

SHA256
c1e105f842ce2339a135b9af82f33449a5482669118861162c95947189dbc275

SHA512
d4282267185c3ee4e6645ae380f8688fd4be3d10c668689f63e42ca2299ed00de35430dcedd8c8943396b712420074932a5f1f880e8a9b7c5b147c404f69d728

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
288KB

MD5
0e8ee29f9e67a2da4253f4231b12b1cf

SHA1
655733a576247fc7ac3f24f060a325a25e330909

SHA256
97e2b61752601984cdcbca3cecd82273f9a6927b76f902eb4e4df6d799f6d895

SHA512
7bd9d1d55949c56729dcaf12cb873ddbe32656a543ca51ec539383d23b967d075bf27a3cb60209478466393190f482a06ec18c56482ae7f80e68a4aa061c3b57

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
288KB

MD5
e72c8ff8c8ff80b62dc31bab63543376

SHA1
1879e3264895ae184588faee1f44b10079fca078

SHA256
098c1b612844a4c79f628af66e9547692cd08d44ae90516c6226781cf1b1259d

SHA512
cf7802d2d60fb148c63a0e57f3d656c30dd1891ccd00f7e1fb6ffaa057fce938ccc77b4040a8e3b8a866701825336e637a4ec1741ba5153544f0c1b7919a023f

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
288KB

MD5
b23a135e96cb4f43c14e00c3446346e7

SHA1
55234dc3aa23d7bccc6d00a5eb83eab8a9e182b2

SHA256
73408695acfafbf47cd0b3759b93f23f0b7f242f00e097623cf2cf481ba605b0

SHA512
dfdcbcc92b2f9561dca8d88288804f66d9094195780f47193aa9b54e5e780fd42a3a6dc7b6f3539d77a2be5f46719f03d549e0706d831ddddec18e0158ba91c5

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
288KB

MD5
a34fe6e9fccae51820a700836ceb702b

SHA1
8af01e78ef24dad95e27597d6f6c287faa86e0a0

SHA256
45eb8ac88761364a87fb60150a39ba88a1fe4b3fe838aa84bfb628820b2249c3

SHA512
b9511b8c92d833f9041c866fe957f302e22bdc7d9867a003533f9ccad71ed457003dedfc2de1d5f5b96526e8f5b35f4f22c6edecb51f9d7e9db89662f265d280

Download Submit
memory/220-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-902-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-919-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2996-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-908-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-905-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-897-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5584-868-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6140-822-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads