cb93ac8f997df3126c270bc06631a93b0890ba9f9b9310da1ad7fc2151c6eec8

Analysis

max time kernel
105s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41f1782c50d0454ae52ba5fbf78442a0N.exe
Size

91KB
MD5

41f1782c50d0454ae52ba5fbf78442a0
SHA1

b94569738f00ae7ea8393a9687545d74474504f1
SHA256

cb93ac8f997df3126c270bc06631a93b0890ba9f9b9310da1ad7fc2151c6eec8
SHA512

1d931f96a83c3ff1339e0fd22c8358599d8ed27384b6376861397f10f945481c684b46c6dfbb3bfdd820cffad73d6439de9aefb576e35d77875179eab2042c2d
SSDEEP

1536:oTANhPOKV5LUnYrw3KRVEDrs+1ghnqObmVy9Zt9cx0XBQZFo:oKhPbLysc/CkEux0XBQZu

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe

Executes dropped EXE 64 IoCs

pid	Process
1512	Menjdbgj.exe
4784	Miifeq32.exe
1608	Npcoakfp.exe
3412	Nepgjaeg.exe
2224	Nngokoej.exe
1448	Npfkgjdn.exe
1576	Ncdgcf32.exe
3252	Nebdoa32.exe
3500	Nnjlpo32.exe
4248	Nphhmj32.exe
1168	Ngbpidjh.exe
2448	Njqmepik.exe
3956	Npjebj32.exe
3640	Ngdmod32.exe
4456	Njciko32.exe
4244	Nnneknob.exe
3940	Ndhmhh32.exe
4560	Nggjdc32.exe
2444	Olcbmj32.exe
3928	Odkjng32.exe
4376	Oflgep32.exe
8	Oncofm32.exe
4852	Opakbi32.exe
4228	Ocpgod32.exe
4252	Ogkcpbam.exe
4308	Oneklm32.exe
2952	Olhlhjpd.exe
400	Ocbddc32.exe
4056	Ojllan32.exe
4928	Oqfdnhfk.exe
5116	Ocdqjceo.exe
4440	Ofcmfodb.exe
2176	Ojoign32.exe
3040	Oddmdf32.exe
3192	Ogbipa32.exe
3076	Ojaelm32.exe
4788	Pmoahijl.exe
4052	Pdfjifjo.exe
720	Pcijeb32.exe
3100	Pgefeajb.exe
548	Pnonbk32.exe
2156	Pmannhhj.exe
4444	Pqmjog32.exe
2376	Pggbkagp.exe
3736	Pjeoglgc.exe
628	Pmdkch32.exe
2300	Pdkcde32.exe
1744	Pcncpbmd.exe
4388	Pjhlml32.exe
2440	Pmfhig32.exe
2912	Pqbdjfln.exe
2384	Pcppfaka.exe
1348	Pfolbmje.exe
1260	Pnfdcjkg.exe
184	Pmidog32.exe
876	Pdpmpdbd.exe
4016	Pfaigm32.exe
3172	Pjmehkqk.exe
4260	Qnhahj32.exe
4744	Qqfmde32.exe
3596	Qceiaa32.exe
220	Qjoankoi.exe
848	Qqijje32.exe
5000	Qgcbgo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6532	6436	WerFault.exe	228

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	41f1782c50d0454ae52ba5fbf78442a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1512	924	41f1782c50d0454ae52ba5fbf78442a0N.exe	84
PID 924 wrote to memory of 1512	924	41f1782c50d0454ae52ba5fbf78442a0N.exe	84
PID 924 wrote to memory of 1512	924	41f1782c50d0454ae52ba5fbf78442a0N.exe	84
PID 1512 wrote to memory of 4784	1512	Menjdbgj.exe	85
PID 1512 wrote to memory of 4784	1512	Menjdbgj.exe	85
PID 1512 wrote to memory of 4784	1512	Menjdbgj.exe	85
PID 4784 wrote to memory of 1608	4784	Miifeq32.exe	86
PID 4784 wrote to memory of 1608	4784	Miifeq32.exe	86
PID 4784 wrote to memory of 1608	4784	Miifeq32.exe	86
PID 1608 wrote to memory of 3412	1608	Npcoakfp.exe	87
PID 1608 wrote to memory of 3412	1608	Npcoakfp.exe	87
PID 1608 wrote to memory of 3412	1608	Npcoakfp.exe	87
PID 3412 wrote to memory of 2224	3412	Nepgjaeg.exe	88
PID 3412 wrote to memory of 2224	3412	Nepgjaeg.exe	88
PID 3412 wrote to memory of 2224	3412	Nepgjaeg.exe	88
PID 2224 wrote to memory of 1448	2224	Nngokoej.exe	89
PID 2224 wrote to memory of 1448	2224	Nngokoej.exe	89
PID 2224 wrote to memory of 1448	2224	Nngokoej.exe	89
PID 1448 wrote to memory of 1576	1448	Npfkgjdn.exe	90
PID 1448 wrote to memory of 1576	1448	Npfkgjdn.exe	90
PID 1448 wrote to memory of 1576	1448	Npfkgjdn.exe	90
PID 1576 wrote to memory of 3252	1576	Ncdgcf32.exe	91
PID 1576 wrote to memory of 3252	1576	Ncdgcf32.exe	91
PID 1576 wrote to memory of 3252	1576	Ncdgcf32.exe	91
PID 3252 wrote to memory of 3500	3252	Nebdoa32.exe	92
PID 3252 wrote to memory of 3500	3252	Nebdoa32.exe	92
PID 3252 wrote to memory of 3500	3252	Nebdoa32.exe	92
PID 3500 wrote to memory of 4248	3500	Nnjlpo32.exe	93
PID 3500 wrote to memory of 4248	3500	Nnjlpo32.exe	93
PID 3500 wrote to memory of 4248	3500	Nnjlpo32.exe	93
PID 4248 wrote to memory of 1168	4248	Nphhmj32.exe	95
PID 4248 wrote to memory of 1168	4248	Nphhmj32.exe	95
PID 4248 wrote to memory of 1168	4248	Nphhmj32.exe	95
PID 1168 wrote to memory of 2448	1168	Ngbpidjh.exe	96
PID 1168 wrote to memory of 2448	1168	Ngbpidjh.exe	96
PID 1168 wrote to memory of 2448	1168	Ngbpidjh.exe	96
PID 2448 wrote to memory of 3956	2448	Njqmepik.exe	97
PID 2448 wrote to memory of 3956	2448	Njqmepik.exe	97
PID 2448 wrote to memory of 3956	2448	Njqmepik.exe	97
PID 3956 wrote to memory of 3640	3956	Npjebj32.exe	99
PID 3956 wrote to memory of 3640	3956	Npjebj32.exe	99
PID 3956 wrote to memory of 3640	3956	Npjebj32.exe	99
PID 3640 wrote to memory of 4456	3640	Ngdmod32.exe	100
PID 3640 wrote to memory of 4456	3640	Ngdmod32.exe	100
PID 3640 wrote to memory of 4456	3640	Ngdmod32.exe	100
PID 4456 wrote to memory of 4244	4456	Njciko32.exe	101
PID 4456 wrote to memory of 4244	4456	Njciko32.exe	101
PID 4456 wrote to memory of 4244	4456	Njciko32.exe	101
PID 4244 wrote to memory of 3940	4244	Nnneknob.exe	102
PID 4244 wrote to memory of 3940	4244	Nnneknob.exe	102
PID 4244 wrote to memory of 3940	4244	Nnneknob.exe	102
PID 3940 wrote to memory of 4560	3940	Ndhmhh32.exe	104
PID 3940 wrote to memory of 4560	3940	Ndhmhh32.exe	104
PID 3940 wrote to memory of 4560	3940	Ndhmhh32.exe	104
PID 4560 wrote to memory of 2444	4560	Nggjdc32.exe	105
PID 4560 wrote to memory of 2444	4560	Nggjdc32.exe	105
PID 4560 wrote to memory of 2444	4560	Nggjdc32.exe	105
PID 2444 wrote to memory of 3928	2444	Olcbmj32.exe	106
PID 2444 wrote to memory of 3928	2444	Olcbmj32.exe	106
PID 2444 wrote to memory of 3928	2444	Olcbmj32.exe	106
PID 3928 wrote to memory of 4376	3928	Odkjng32.exe	107
PID 3928 wrote to memory of 4376	3928	Odkjng32.exe	107
PID 3928 wrote to memory of 4376	3928	Odkjng32.exe	107
PID 4376 wrote to memory of 8	4376	Oflgep32.exe	108

C:\Users\Admin\AppData\Local\Temp\41f1782c50d0454ae52ba5fbf78442a0N.exe
"C:\Users\Admin\AppData\Local\Temp\41f1782c50d0454ae52ba5fbf78442a0N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\Miifeq32.exe
    C:\Windows\system32\Miifeq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\Npcoakfp.exe
      C:\Windows\system32\Npcoakfp.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        24⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        32⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        38⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        44⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        46⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        54⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        62⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4348
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        71⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5100
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        77⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        83⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        84⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        87⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        89⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        101⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        102⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        115⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        116⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        122⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        123⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        124⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        129⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        130⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        135⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        137⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        138⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 212
        140⤵
        Program crash
        
        PID:6532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6436 -ip 6436
1⤵
PID:6500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
91KB

MD5
94dcac758e8da3850bf3efbc2bfc4d2a

SHA1
d06bf84a5aa122b9ac92ca43b485a98528d9bf2f

SHA256
97a2c8a36b5e90e527997f211605043831bfae28cd80f663a4311ec07cf72efb

SHA512
c5a411ec8a8bfb5a5ecf2c245bcf300ccad21700ca5e376a5f618e7c3ca671c530124fc724ec62d70c0bd1461f6ee7e801db42e529b67ebfc49d79a26216f363

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
91KB

MD5
960fe61a5db88e1d53e55b255747bbac

SHA1
d66eec0cb914dfb04f53fddb22ccf790bc72fb3b

SHA256
b91cb26eb7c489dab06ccd312c4069c4a3078d259465d8d4058cc15696a1cbd1

SHA512
9c1c59e050e6e21a772fbe9978fc9dd82133bc9c8c48c62652d35144bc5d8bfae3d10640fdc146b1447d4e1dac829ccbb1fbafa1bb66bed5858dfd3587df9f87

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
91KB

MD5
2f2f888cc990ea570067b12487faa6b6

SHA1
dc4ff23f2ef7e427bc4e3aa7355ac90088a08fd2

SHA256
5b483d9a6521831c3201ccaef0b312839eae972e192d7ada110d12766c196743

SHA512
223307b840c93847eebd53ded7c0d215cde239fdb9109b61c24e52aa5d7a7e50b1977c060eccb2acb556c11fe1c6dd907c7f1814d06aa7239679330bcb570979

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
91KB

MD5
3022bc02fe2cea960f0450dc2672919e

SHA1
230ddb377630edc7ad91d6364902e8c85aec173f

SHA256
d5fc5ce17039e1622340b990caba10b68b98a2fc3fae0362d09e448cacf73b3d

SHA512
c043dcf73cf8074dabd339b17b9774123f59f793f3c7f99a807eedb5407b681d52a3191da5bc498a7edb633f5f0a436ed783dfa6ed566b8daf18ac00c8893413

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
91KB

MD5
bfb76206469eb8f5fa459d81fcd24c5d

SHA1
0a9cf1bc069a92d00386dfdff92b9a27ddf953f3

SHA256
09230810b7a9fcd1ebde28116768364a1aee6a4d2ce3ee1a2127885e55f01c28

SHA512
58b706dd18187de7b51d1e7e55aa6063d12800f7d0c7e6e8d3887ef2eb55506fe55bf32c8957b3bbc67ea7eef633c323a21039a876d6ab37585537a2be8e0792

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
91KB

MD5
b41aa58881896ab680cda4ab4c09618e

SHA1
7c7d157a5ecf04c43a07703bea88c4ca71ec61ee

SHA256
0716fa3fa3b34dfc4ac7df68f9dda1e56d488711688253619f4dd6667603978c

SHA512
91539fe7bfb1cc346aadae0015888a91a3823a392548a090a4baef95d5056151d07a58077a2f713555a44ceb446901ec3a37f561ef2a8f468862415cbd5b6b0a

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
91KB

MD5
eed7ddf57e3119c5726722c6909a9de9

SHA1
b853aeec87eadc91ee2961bc40068456cd035f05

SHA256
62c7f03b4f759d8fd56d3528d3b22d1c0f86c36abe3c85c1de761c308b55863e

SHA512
bbf772c55ad3d8c6d5c2922e0819e35bb7725f7ee98a48b9a5304aef97ce36461577fdd1e03c320daf2bf85ef6d6b72e98f7a3791fb7dc77a0071bbd93e18634

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
91KB

MD5
c66ed3592890a90f353f4c444adda1b8

SHA1
841683f9283446e0ae55a76d8c27c12ec5d66d9e

SHA256
de1adac03da8d553f50201a8a7c8eb6b45a632598a1365eb1e02e37048f9c83c

SHA512
079ac4661458f5a374b9c40aa3efad8e40841d111aa2e6724ba615a078a0fcb94ca3ad53604e3a5e97c2c896615ec086ae4541f61698cfcae44dc9b6841e934c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
91KB

MD5
df5fbd666b6dea7c828a2b1e3d73a397

SHA1
7397b94e2c8e064c5814f2b1215f75241d4042c9

SHA256
1306efc458de4bef7ef60302328716354c8b7ec987a9bc26294869cf098e375e

SHA512
0afc5957472cf9b4ebb873d4523212fe4dc2447ac33890006bcd9baea4e501364b08a969c66acc9c5a135dff8699f0304af0617fff43355a5fcd5d7cbe59ffc4

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
91KB

MD5
26c4bc34c4687f56761a61e2db8e7fdb

SHA1
07ecb6b9cdadc78f28286b951ea83c3d8209b6ad

SHA256
034cdb8b7632999ffd948621f8201d3dfce0272b66e236ef541ccaaf03f1c383

SHA512
04144170154b7e7fa6f875484c973cb3c817363fb93b388b970de55d96e2b3b77540aab4fb7820eb8a0bbd03c0c08242d525ccdcf8ea5baf3e9247fc81a0ad7a

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
91KB

MD5
ca8c9bd37daf008d265a84724c42dc5e

SHA1
cb6fafd079f269e364a8d1bc32690d41e917c52c

SHA256
1bd37a6d40da9b3740ff9b291afa818bcb5f626a2a44143b1a5b0a16eb8f0ced

SHA512
bfd7a327216af297dfa4176f1593897ed06becec0c16f8841e28ddb16ed5c4e0329f5848e39538467aff73166cfade3f9b306756cb48c0341e0c77cf183508b0

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
91KB

MD5
060ab496a2694a2f05873290c8dd293d

SHA1
1b05f5fae568cf796447f04fe78e40ad6112b633

SHA256
2d86a3f25eb8b81fa58c240c6aa78b076caaf352cfc3c372ea481424685f36e6

SHA512
dd5109feb5c393bcd5fd48fac2729cc251b03a18a508bbb153107c0aee2476ff49b9901361287aa38eaf7b89679136d56a8d5a9930c90f8d2b4cdebdbdb8dc2d

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
91KB

MD5
d9ea6d2ad092e6de4d0ca7b26f4c233d

SHA1
07135f7118eb02358d3033e75b09ee957c8b7be0

SHA256
1b21e7c402323b714e742b6fa1d97934f63a5348e20ddad8a529dc5da98249ed

SHA512
684adc71144794a17b5cbaa07aadb8f72fcb16f05db83ec2cf028d9302e8065cffb5729f636c8e94ea1fec434a41251156ede90fb646457a7558068f31585b86

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
91KB

MD5
e82e3d42ae9065917dffd3ac0b3bc84c

SHA1
dd053f449b8cf07918f1ff8a590761b2e0e9e2b3

SHA256
a6e0fdc9dcf4d5dbe4d1788dcb2bc6338efd792837e4b8ff65d2cf9657d9b23f

SHA512
6e0c035a24d352135b520ffb200ae6f8ee9f933a7569b44eb9bab5aa45ff32b35e7bc4c76b2f5605a392e2ef667ba0ff7ed381f2b9b0a4c24d645d977403732e

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
91KB

MD5
f9771aea38c949115301696981ece395

SHA1
209f20e1a923debc4f197ba05070a2beaf752a34

SHA256
0b7a6d96712266e1c6cfde20c09789550f07d1454030ab068f4e2e42bb07d81b

SHA512
28b394fdddcae3a678d06a53be1e44431a9f238c0ba41a6709ac43feef95bddf0f9ace6fdfcccef1d84edb2e1e9b48757c2721b85c66a2e507d3ba985b7693fb

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
91KB

MD5
f17d9a359bf1b3b0da306cca5ce58482

SHA1
dd133a724713f2f7523be8e20f3252b6572e29e2

SHA256
0c6d7b25e3e667e402366215f7da6a63a9cc04ec1f64b3f73017726ed2b42ced

SHA512
f827cc84477a197921ba7c0ed1b1d4cc282830d34f3aaec573675124675b7b2950cf3ec4755475a7bca17b5159dac1f997219bdbd4cdf534282250180e6874a1

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
91KB

MD5
cc5957a5cca6111cf3e27e6470dede7a

SHA1
eb3c74e45bb8ddc0fbc77071d4b7db1f8d925616

SHA256
ea6e0be003afdf5193b683a59f4596f58c283dd683e1cd4a39651541e3cd56c0

SHA512
1b2115986637197ef14c026a7945b0a7ee256693e87cf144b8ad8d0cbf7bb58f0307238e8d0ec1a6f4f5153f21b642786c46bd8e58cf1a2ba90708c8ea887c3e

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
91KB

MD5
2fc1b1072ba5b9c1a95d972332da3400

SHA1
cf7ef75b41b751fa28d074fc7491c85f4f46ed43

SHA256
274a5e4123a68285b950da4f5a9101e9a6f542ccf84e94297ba2844f6de3a6c8

SHA512
9c1184a35149264b361e6457eb2b4566ba1bc947c222b88be8f5878c7c07575fe9bb522418264e96edba064f77431ae6d2bbc07e715e1541b668526758707926

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
91KB

MD5
033b80a6497dc8e0229d0976ca933b19

SHA1
f94e16128bef0fcf10a7ba98b06f1b1c5e297ce5

SHA256
a9786db036b896a786cf90971ee4aad49e2bf98a9ce81a2a5cc107e729536bb1

SHA512
79235eb45f05c5145b84b35a56d9ca32cee37d60414925124cce354ecd96ea724a4342f76e47f89b5840b23817af446cc30a688a77e120475a11bd788e0c236d

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
91KB

MD5
37174e7fd8417225feafcd9f713dfeac

SHA1
f52d40ad9cd84aa39cca55234be5597c9ec3dd13

SHA256
c038088e8ae6faa7443a8f790ead84c8f85e1b0b16650009cf8aefb89cb09938

SHA512
38264ee51447da0b70110f360bbf6050f976c7a5ef97073618d7493c8d7ff3cdcdba30e600de5a1c8d98d87404f7a56d5b8376daa58e72d73ccf8b2fa744d15e

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
91KB

MD5
75d53a882993aaa5900b504727204572

SHA1
4256f8350f92d0ff1daa1a7e49741ef7e3ea6504

SHA256
c9bd45a71006d192183dffa653944b6da8749d119f391028dc8bb6e571d34bff

SHA512
c9f4d346f59cc39ab91c90441b118d1376200c2dc1759f788314c19a0e3fbc7c03ed23ad6d6c5ce0bdc3fc3fa3b2f56816b904b65ea8e21f2e0326cfd634a6cb

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
91KB

MD5
819aefe54f6d64b8c5b9bff49b864666

SHA1
717f36eb076c5bf2ab082bc44c2a40bcb48bdc8b

SHA256
7ebb8b4046aa827b0d9f770aa02bdf8a2712c794b6195450b2f4242fa8c18f3e

SHA512
6638549085db03a02ee597c0ee587c7eeb5a07a649b4ba3e9ba579ec98c1d2dbef0417eeac3ccaf720466328badfc553e7c4e8ed47d7337d734a0924703e9b7e

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
91KB

MD5
371c7fe8ed37bcecbb06f6741219a5e9

SHA1
6aa66bc211fe188ad6555d3b3e5112c2ae84c6ba

SHA256
e3b9759f3f9605fd238e88039e4c28ec87c96043434c354ac7a33f4db1b0f7cc

SHA512
22a26fdf9d621398ca93fd2a0bea822712ad50390ac331c80278dc0d037629190aa321f815cb4f7d13f767f89baa92ed0b0dd2cca6ed14433d846b2f05377ad5

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
91KB

MD5
ad80388c890b31c88a8f12d5d6d79019

SHA1
2dc5fb3055ae1bdfbcca21d4e566f84fb3b94270

SHA256
002754657aab90d2499852de0bbdb3c07f3110e8c00f3527b82c3ad9b44c3c76

SHA512
2b9c7f015f6d4301f0171ae0baa4cb5c8184c348e1d60042a167b7ad27f2dd36a4d803d1339173a1ae6662946eeb51b332b70b40fa305cd3568f15e4c9724034

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
91KB

MD5
822d00f8682c410884d83925c316ee6b

SHA1
04d0fa7433bf65f6600396699b6ce3a8c6cf10f2

SHA256
e33dbbf076b9069c884bd145b8486c772845ec93c16ddb38fd6af394b3da661d

SHA512
ae8b38dfac1c69e66db43633747907d6a333d9392f57f4615b6da47c14d6e79db2f6408ddfbbcea8693c8f2c2583bb669135744821d4cc8c1c4fe341eb4f49e6

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
91KB

MD5
4b27b1801bd2195e31de4b78d1beab65

SHA1
5753a1c22674a557f98e0f11c3b5a80025599fb3

SHA256
aaae46c024eac5d9093bb95a9dc463993d914e4775150414a35fcb8868e683af

SHA512
778d1ccd24e257afef75c254a4faeb836af80c9ba38187fce1a34a8eb0cedd2927c3deb4c704a29bcd7c501b1e47eb2b3d94afb6399888dc2eb243d19cace19a

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
91KB

MD5
fe3692389ab6148548441ba229b37ec5

SHA1
d25726044332b6e7404db81cd047274e84beb094

SHA256
b2639f444d9170c31d909ad60ce010f2b81a16ac686d6c9ac0d728efe0f40bd1

SHA512
c461c4ae2b16225c6ee53fff117dc2e5c3203e7a97c33d39f5bc3e9fb79cf59de6d480a5bbf7e2637cd2b9ccb1e7edd876e74668f27bae5b1d36ac73ac855661

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
91KB

MD5
82aabb2dd68b8a189ff9b2b0900a64a8

SHA1
cba362285962c36e1aa302494a08b4669c0fa44c

SHA256
2022c9002e4882661fecad4f1953c124ac3f3ead51e88e9348e3f324e5d48220

SHA512
c02416b998fde296ba7a7f7d289f8e4f9c6db946109acbe245d57e6c983910f691a1de7fc430160ed727c7c73e2dd5e0b54a42df6f17ff10242ab6b31e0fef90

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
91KB

MD5
b08bfdafe72adb9ad063ae69caf97c0e

SHA1
2bdf1d01820f92ef9f64ee4e4a60e83ae4c6b6d5

SHA256
ff9e7da154409ccf5d295a1e9d5c23bf2b85108e6be52c627fc318c122efd91a

SHA512
72b5d8605adbe0721179c22b1f0722c3fc4f4db9a499216b2c04f5758e32dca2fe89f07cbb592f6e03ab92de9c6150b83f898675e25807a4d03b906a5604a341

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
91KB

MD5
78de37f554bfbbfaad42a19e0ec6df94

SHA1
4419cf06f5de506d1b9195529bcc01bd08decbdd

SHA256
6142f66267c63b91fccaac7dfe569c3d8c854cb18fd0a775211a33693be268f6

SHA512
efbaaab3085732168b9ad1f5d3419b9289086a9ed1c8ae947f944883bf6319cb389376f00fb51080778478d2c6d215314945689a29761a82c128001a1e07e91e

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
91KB

MD5
bf5fdd398f375e7a86c5b663908b5c7a

SHA1
897ffde08a8817b8ca4cc20a2524dc8101cfed1f

SHA256
7d052d4cb5c44b9ab9b8bcbd1c16c95180f5154656a7da931f9199d860331876

SHA512
3ee5663908d925ac0c22b8f7be8f81c12183bafe34850a13711a74b9892cb6f2f9e9d410ab30c8cd1338cd6cf596b692f0e8f426cda2ea1a9717d809ce4f9945

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
91KB

MD5
cac54a21f82286b25917a19781cd53c7

SHA1
ebc7d77f5aa4cd366e6f95ee0cf2ca490d93f117

SHA256
6048805f5dc555c2296a4b47d9fff859a2261c9af3d5afc80290102158c1679f

SHA512
025fe1e29c8ca69694c711be2825ce87180f79b30604b1d7324befee5f776ec13514e0da4e9b35244938ae0e77859c0d4236d0c554cedaf4dadbd04a1b84e140

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
91KB

MD5
67afb18f589588d1a4c8c6d2a2a058b0

SHA1
751c76288b5552dcb359f8bff0f339062b74447e

SHA256
1001ad0d8e7bb05202c2b4c450f8ca1ebbed85ce68ee73c9372c6fa871f61784

SHA512
1f96a4f96845a4a1669056efb19bcc8eb38174ec01eeff181cacc3766eadd8d0e2585e40e3bd3b3b775bc1b51d746eddbec2e0d6a9883221fe531593e9a6604a

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
91KB

MD5
d780bedef7b47d75abfc07ad5fc2a960

SHA1
df8caafb03428d8dffa80e617b08e206aef89dba

SHA256
f6d269c8fb7b0775065a219eb130d8f1dd8b3098b3ff0fa94419454abb163af8

SHA512
f9c0f9b7d9a31b58e73cd2aa0a3738e2a4959e2dc667cf3f1b5b6e7d830f1f842e16c744ebcbd5c7037932a5680ac6163a5f7d2116f94eb75428aa240b0d83e9

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
91KB

MD5
ad901b5c769c58fe576e4ed444b39530

SHA1
e9f4ad1b9f958ec795aa4ec7a07a8e4ec4d8f273

SHA256
3014c670c63d4f27810f687749034423c433406343397c8000459b4c9af8df75

SHA512
308fe5557ee8a0b573428e2b401673ae3d473f71c3bdc4565b2fff6e46992da0b812bb4f615d9d8e7482d6729c37bf46ba8715dab034848b11741810210c819a

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
91KB

MD5
7e678cf3ddc5d6ff22e67323b9cf50e0

SHA1
dc5a00f3628181e6b729b26c801a55c4f60d7a72

SHA256
2c1bf6cd3504ed1ed1267f3158cda4a3c28bb0cc0b12999f976d3ef58320f281

SHA512
934eca1dfe8d51e498f8ad8da790952f63d8dffa98a00aecae6eb2938c8535e51e9da699d2907290906d1a26e039943f4ce28504b37732f13ed91e680a539bb3

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
91KB

MD5
0ac58226e04a3202d440022ddd9838fd

SHA1
bc31337e150482519a0c3b0a293f63d253b3f294

SHA256
154130f71a4d3526dab6e455bf14e9b3e82fec6c2189fc291188fcc989dfdfb7

SHA512
dde64a4b5236b72e85595749169d83d88750b6b5adf9110d6a0dad8d7f05262f29ced06599f6043790948eb5b46199e34d2ae881d6fbe473ca2701386ef53af3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
91KB

MD5
8467a93fe5938f25c958b93793bdc23c

SHA1
c4ae5cf053f56bd559475aa6f7ff4d3280f878a4

SHA256
52d350264fc92f6f3fe295c280d4814ad0b2c4f5cc24defcf5100979951beabb

SHA512
d1628194087d5211f1b2f2f969591a766c917c3a30f0a4928b77c015d25b3e0dca857fc1a2ada42243b4c03003482dab3f00bc4cd7172921c93f31daa5690d0b

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
91KB

MD5
d476d91c1aaf11d1af4da1e738a5912d

SHA1
df14770913d077d2d09210cf9db191428900de9a

SHA256
8def6d22ac7e7783557d3284ad0b07eda8ee20874bda603e3faf0a03e62b6149

SHA512
20387e1267a6e7a6bccd4cc76c5171d90a1de96578de50d2a11b822563aaf1c15e2df5c5160d63d7a690c044e5aeb01c2379e15d8e06547197580b5058ba5dbd

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
91KB

MD5
71648413a037378e5310e323fc6e1393

SHA1
a4c387497bd228fbde8eec781256c4e2043a8a1f

SHA256
cdefe6beedfa2b56d70dcbb1d79ea1c82d33e635dc3e81b49c7dd01bc0d9ef6c

SHA512
ec4c4f29505b5d00588d290d63c18e0dc6cada65bfedec96dcbc2dc8ea03d02881de55774d677fab03e027f74346c00830c745317fc85394e7793027334bea43

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
91KB

MD5
5bf0d30cea5457fc95046727c48464b6

SHA1
35816600a1a5cb8dd4b3a5aa9377515d9b226b55

SHA256
ea1ef4a2adda540b302c57dfb35046f929038d9b35877cd5b5a009273bfae6c0

SHA512
0409f3d07e92df6030560a7a090103baf5d51d94419d7bfb216631d8fc10406cbf52424a462fde20e10eb6bf9094e27e769f36adaeeb0d62f495ae230d3053eb

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
91KB

MD5
81efb3a6b413100d72152efc6dbd88f6

SHA1
c054223d93c28f03552a4dbad84d00100c72084e

SHA256
eb377be93355820dc0123868fed583dac7883f7134e7cf01e9a3ea1d326f21cf

SHA512
57805d5c9529fd574e8f83785f694c735d3d6d63da8f920ab9b1423f1282d6f33d1656eb9b97b9237475f3403e5e47cc88b2f46ccc8eff0d305ebbd4f863707e

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
91KB

MD5
770926a1c04a1e12f7726e7a65ffc1d8

SHA1
18c193608f11edfaef1e165facfd329797b3e95c

SHA256
37a7662ab6ff041224454c467ec1a657386d224eff0c0bef44780d4a3e947f6d

SHA512
cbd467f9a4ebb3e516a07101db88d1157a492dbec474fb4d076e55f411f550796164bc97f1632bf7b98f8426e6118fdd4c43eb50f79ad1f67bc676b9447c57ed

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
91KB

MD5
9f10e3c3a0ece019980867a35aac6c7b

SHA1
abf118b982633747961255f734631921e2842504

SHA256
88781332ad23a2f0d5dedd14934f2f84dec720218e5593c499202fa7709caa6c

SHA512
3d791e0d75c77b3abe9a89ef157aef350418a9462d6deafc3f6647952d1e545bf4dcc6c3534e91bad35aff303e4dba89abd63e73446006da87f3b903e2b9748f

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
91KB

MD5
f96654283066df793d36fbdf12ec05c8

SHA1
123bb50e4147e84b645b1807b1e63545c989c4da

SHA256
e8a1d70b26fc57ebf0c0d0141f8422cdac8c489639dbd8e879c49eb47c8d3369

SHA512
7203f5372690aab3bc4a91a73df5203cc76eb00d86e40f23f96557521f6ec103bc06229f02dba93385581034614564bfa7c63f63a6dbc0f25c2de78b79cccab1

Download Submit
memory/8-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/184-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/220-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1260-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-1010-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-1066-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-1067-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5136-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5176-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5236-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5308-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5360-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5408-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5756-997-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6352-953-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6396-952-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads