810dba8831d15a10229b33c391b8f22f102659cd3ad3ca5cf4219d3e4a6aa9ca

Analysis

max time kernel
107s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c5a261e2f0880317055f5aadf86bf20N.exe
Size

95KB
MD5

3c5a261e2f0880317055f5aadf86bf20
SHA1

a5dc220206674a51fed90f1b2612276e52c70d69
SHA256

810dba8831d15a10229b33c391b8f22f102659cd3ad3ca5cf4219d3e4a6aa9ca
SHA512

2c91404bc58aa3da3f88ca6b4acba78a951df2f27338d63b8d2c4b257706d8c9e6ead64401b9257f9dc8ea61cc70fe7e809f18ad134977f3e854bca808fdc0c4
SSDEEP

1536:usygY8CNIPfpLNspAT+nN7vA8mwomoD9bHQx96T05RQrCZRVRoRch1dROrwpOudE:usySC23ZN4n7mtMxo05emTWM1dQrTOwJ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Executes dropped EXE 64 IoCs

pid	Process
5028	Nloiakho.exe
4048	Npjebj32.exe
3864	Ngdmod32.exe
5080	Nfgmjqop.exe
1020	Npmagine.exe
2264	Nggjdc32.exe
628	Njefqo32.exe
1204	Oponmilc.exe
4540	Ogifjcdp.exe
1392	Ojgbfocc.exe
3196	Olfobjbg.exe
4032	Odmgcgbi.exe
5060	Ofnckp32.exe
1124	Oneklm32.exe
3564	Olhlhjpd.exe
3604	Odocigqg.exe
3044	Ocbddc32.exe
3540	Ognpebpj.exe
2412	Ojllan32.exe
4340	Onhhamgg.exe
4632	Olkhmi32.exe
5064	Oqfdnhfk.exe
2732	Odapnf32.exe
624	Ocdqjceo.exe
2124	Ogpmjb32.exe
4592	Ofcmfodb.exe
1084	Ojoign32.exe
912	Onjegled.exe
2384	Olmeci32.exe
3792	Oddmdf32.exe
3288	Ocgmpccl.exe
1108	Ogbipa32.exe
4688	Ofeilobp.exe
456	Pmoahijl.exe
5000	Pqknig32.exe
3444	Pcijeb32.exe
1660	Pgefeajb.exe
1164	Pfhfan32.exe
4436	Pjcbbmif.exe
4108	Pnonbk32.exe
2044	Pdifoehl.exe
3624	Pclgkb32.exe
1568	Pggbkagp.exe
1012	Pjeoglgc.exe
720	Pnakhkol.exe
1748	Pmdkch32.exe
3508	Pqpgdfnp.exe
3708	Pcncpbmd.exe
4500	Pgioqq32.exe
3816	Pflplnlg.exe
3336	Pncgmkmj.exe
3772	Pmfhig32.exe
8	Pqbdjfln.exe
1944	Pcppfaka.exe
1516	Pgllfp32.exe
532	Pfolbmje.exe
1584	Pjjhbl32.exe
1856	Pnfdcjkg.exe
2996	Pmidog32.exe
2676	Pqdqof32.exe
5088	Pcbmka32.exe
4968	Pgnilpah.exe
2588	Pfaigm32.exe
1300	Qnhahj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6728	6640	WerFault.exe	245

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c5a261e2f0880317055f5aadf86bf20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3c5a261e2f0880317055f5aadf86bf20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3c5a261e2f0880317055f5aadf86bf20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 5028	4820	3c5a261e2f0880317055f5aadf86bf20N.exe	84
PID 4820 wrote to memory of 5028	4820	3c5a261e2f0880317055f5aadf86bf20N.exe	84
PID 4820 wrote to memory of 5028	4820	3c5a261e2f0880317055f5aadf86bf20N.exe	84
PID 5028 wrote to memory of 4048	5028	Nloiakho.exe	85
PID 5028 wrote to memory of 4048	5028	Nloiakho.exe	85
PID 5028 wrote to memory of 4048	5028	Nloiakho.exe	85
PID 4048 wrote to memory of 3864	4048	Npjebj32.exe	86
PID 4048 wrote to memory of 3864	4048	Npjebj32.exe	86
PID 4048 wrote to memory of 3864	4048	Npjebj32.exe	86
PID 3864 wrote to memory of 5080	3864	Ngdmod32.exe	87
PID 3864 wrote to memory of 5080	3864	Ngdmod32.exe	87
PID 3864 wrote to memory of 5080	3864	Ngdmod32.exe	87
PID 5080 wrote to memory of 1020	5080	Nfgmjqop.exe	88
PID 5080 wrote to memory of 1020	5080	Nfgmjqop.exe	88
PID 5080 wrote to memory of 1020	5080	Nfgmjqop.exe	88
PID 1020 wrote to memory of 2264	1020	Npmagine.exe	89
PID 1020 wrote to memory of 2264	1020	Npmagine.exe	89
PID 1020 wrote to memory of 2264	1020	Npmagine.exe	89
PID 2264 wrote to memory of 628	2264	Nggjdc32.exe	90
PID 2264 wrote to memory of 628	2264	Nggjdc32.exe	90
PID 2264 wrote to memory of 628	2264	Nggjdc32.exe	90
PID 628 wrote to memory of 1204	628	Njefqo32.exe	91
PID 628 wrote to memory of 1204	628	Njefqo32.exe	91
PID 628 wrote to memory of 1204	628	Njefqo32.exe	91
PID 1204 wrote to memory of 4540	1204	Oponmilc.exe	92
PID 1204 wrote to memory of 4540	1204	Oponmilc.exe	92
PID 1204 wrote to memory of 4540	1204	Oponmilc.exe	92
PID 4540 wrote to memory of 1392	4540	Ogifjcdp.exe	94
PID 4540 wrote to memory of 1392	4540	Ogifjcdp.exe	94
PID 4540 wrote to memory of 1392	4540	Ogifjcdp.exe	94
PID 1392 wrote to memory of 3196	1392	Ojgbfocc.exe	95
PID 1392 wrote to memory of 3196	1392	Ojgbfocc.exe	95
PID 1392 wrote to memory of 3196	1392	Ojgbfocc.exe	95
PID 3196 wrote to memory of 4032	3196	Olfobjbg.exe	96
PID 3196 wrote to memory of 4032	3196	Olfobjbg.exe	96
PID 3196 wrote to memory of 4032	3196	Olfobjbg.exe	96
PID 4032 wrote to memory of 5060	4032	Odmgcgbi.exe	97
PID 4032 wrote to memory of 5060	4032	Odmgcgbi.exe	97
PID 4032 wrote to memory of 5060	4032	Odmgcgbi.exe	97
PID 5060 wrote to memory of 1124	5060	Ofnckp32.exe	98
PID 5060 wrote to memory of 1124	5060	Ofnckp32.exe	98
PID 5060 wrote to memory of 1124	5060	Ofnckp32.exe	98
PID 1124 wrote to memory of 3564	1124	Oneklm32.exe	99
PID 1124 wrote to memory of 3564	1124	Oneklm32.exe	99
PID 1124 wrote to memory of 3564	1124	Oneklm32.exe	99
PID 3564 wrote to memory of 3604	3564	Olhlhjpd.exe	100
PID 3564 wrote to memory of 3604	3564	Olhlhjpd.exe	100
PID 3564 wrote to memory of 3604	3564	Olhlhjpd.exe	100
PID 3604 wrote to memory of 3044	3604	Odocigqg.exe	101
PID 3604 wrote to memory of 3044	3604	Odocigqg.exe	101
PID 3604 wrote to memory of 3044	3604	Odocigqg.exe	101
PID 3044 wrote to memory of 3540	3044	Ocbddc32.exe	102
PID 3044 wrote to memory of 3540	3044	Ocbddc32.exe	102
PID 3044 wrote to memory of 3540	3044	Ocbddc32.exe	102
PID 3540 wrote to memory of 2412	3540	Ognpebpj.exe	103
PID 3540 wrote to memory of 2412	3540	Ognpebpj.exe	103
PID 3540 wrote to memory of 2412	3540	Ognpebpj.exe	103
PID 2412 wrote to memory of 4340	2412	Ojllan32.exe	104
PID 2412 wrote to memory of 4340	2412	Ojllan32.exe	104
PID 2412 wrote to memory of 4340	2412	Ojllan32.exe	104
PID 4340 wrote to memory of 4632	4340	Onhhamgg.exe	105
PID 4340 wrote to memory of 4632	4340	Onhhamgg.exe	105
PID 4340 wrote to memory of 4632	4340	Onhhamgg.exe	105
PID 4632 wrote to memory of 5064	4632	Olkhmi32.exe	106

C:\Users\Admin\AppData\Local\Temp\3c5a261e2f0880317055f5aadf86bf20N.exe
"C:\Users\Admin\AppData\Local\Temp\3c5a261e2f0880317055f5aadf86bf20N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\Nloiakho.exe
  C:\Windows\system32\Nloiakho.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\Ngdmod32.exe
      C:\Windows\system32\Ngdmod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        23⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        25⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        26⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        30⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        31⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        34⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        35⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        46⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        47⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        53⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        60⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        64⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        76⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        82⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        85⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        87⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4508
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        98⤵
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1512
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        102⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        110⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        112⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1172
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        114⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        119⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        120⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        121⤵
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        126⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        127⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        128⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        130⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        133⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        134⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        136⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        137⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        145⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4008
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        153⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        154⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6420
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 388
        161⤵
        Program crash
        
        PID:6728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6640 -ip 6640
1⤵
PID:6700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Belebq32.exe

Filesize
95KB

MD5
19604688e822514c63bdfb0e126e51d9

SHA1
8f87a488be2dde55cec2450ef85f57ef1ce148f8

SHA256
64b1df528646bc148436b80fbb65146c0a8b027fe99ea812aaea1994c0ae7615

SHA512
9f04eb26492ccf0d1f146a0424954d00761aa9438935d8af66f446726706c20da13c4829bc7e58b935f4500fa2b195b0867b55555bffbd375dca8e07b54224cf

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
95KB

MD5
605613be3ef27dae22ad1bbd83e431d4

SHA1
b481b04902546e456c784f014d0215721da1ab48

SHA256
4ecfa0db9f358352abf5c62b54d0f6a7d33e76c83d334938e79816982b27310f

SHA512
90627192f9883c63ed8e55b348b8e1891cc8f853bf63048152299ba470e4531d323ae998a0f5be2da3b2ecc03abe8f1269a6824eab8463063f11dc61a0a5a397

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
95KB

MD5
942f260c92718910addbc215df0092ae

SHA1
f79a1ab8c9a0071717a5f6d085ff10df82b7ec84

SHA256
751e9a4614d5ab497fc87e6cce7a7755563954c788d0461c26e530022617f777

SHA512
f561abb2d98d008aa2ac9af76b3712d29b940222eff97e11ae2139da8b9d7cc60dd4c50819f011135ded7df8fe9351b9876350e438dbbd76cd3f7b17783775e6

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
95KB

MD5
0ab50665d53afa9a0357ec363372c2d7

SHA1
dde3d55f0e48ceb1f9f4a38bb91874330a2810e2

SHA256
9ae9dbd57ccf8c762a06a87097dae9cb8925c6730563c1295734216659307395

SHA512
d5e773cb49d5bbfb8ce37632479c88d5f9ae2af4bf19cc5d48b6c9ad46d7daadeff33ee3dc411a9123d1c29cf53e391345727668645efa23cc924c14da46993b

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
95KB

MD5
9a74c82457b42b5e95f41e41ad256ba6

SHA1
0032bdc3dd30627c00d212cc8ac3f1c088163772

SHA256
420e708f99e53647027c2ac555424d6139bc82e3f1786f6a302184a48844fc05

SHA512
c7f2f04e69be90db5d6e459e03347aa0a7665ed3d6573b43fcfc804e94f03afa6ffaa5b0ee591491b2d8a4df6ad4f4902e17b864f7e43fd144960a6c0769babc

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
95KB

MD5
e8ed13eb5b8e43930f1240d72c35c82c

SHA1
207a9cbd51205ff24d3bff205ce7aca6aabbafdd

SHA256
2e7230b0cc3b44f3ec6dd5ab3fe710fc1ad9899a9d82a9cfdbe80f9f5ea34a64

SHA512
87e265ccbc354200acd2ca105d025f949a0b44250d850c4d35c9da49e0214299c5ca7b01881485a7fb41bd9cd0f09891a6c21bc5edd154ab6b2c43a2d22e9298

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
95KB

MD5
2fc2f42e0c70dba0bfa08697dbdc6969

SHA1
6708c9d3b337fcc2b1f07abd17b66c71f1a3f985

SHA256
08f8c2f1ae21be328b85de700c8c20af479d1010e080224aaa07c1048ecc3859

SHA512
c6404dbbbb6e609502159a926493450377f1f9d835d80f7b12bbac9636a9db630fd0b5fef8dd930d0719ff811bcea695fb89f99f46203b022fb3c0d40d2d4af6

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
95KB

MD5
1afe0d9f0316cb90de22bd4100a58eb3

SHA1
04433b37159427c9fabdfed6d213e8e92a6f0fa8

SHA256
b7c179630fd818f3e1e1f50a57b37440ce9335ff656f061f5b7d74194eac2cba

SHA512
a73a40e6c65237dfc304d3e39274b01b86fbc69a8395db3975eba6908fa69cd361c929c150bf7b8171da9450429f2b93832950ab7495a2b483449671f2bb472c

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
95KB

MD5
8861bdd8e5fc6868aeef7d5b1d9c744d

SHA1
0e8302b022591daaa1df12c6aeb5f5b61662343f

SHA256
90a890107ad0046eb311cfec4fe485c7f7e4ffbf08cac2cc2905b5187e1bdce7

SHA512
110710ad5ee5ee287af8ac5bd5d88c2e7ffff77db23aa840f4af4365f62c408e74e1c7bc4f9f4379918d9782ed8326e54991596e582c3cf08f334bec6771669f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
95KB

MD5
783c6cc230168575bbfbcd8eecc642ee

SHA1
7fe58953eb8378868a43c88a74051b24c3930b5d

SHA256
fd628f7209ed8bedb8b667725b63f182754a8db3567fdd149aca3fe3284380bf

SHA512
195aad9dbc95b2b564b661e12a61ca7415193b78bc874fb85b6d50c59ef69fbefc2598200ca7e9968b197f60dee5b87775c465a33d274751495e89c41b8c306a

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
95KB

MD5
18dfac10add72501b168966572d9f351

SHA1
82f9d76c419d66917a313ff0fb55905094aa5a0a

SHA256
8a6ad86f3f14ced12266b96f66f275b7cdceee2d392b28f02d2a3f327479b1a0

SHA512
eccdc06bfd9d9e343a810c48de46da067d01b6fa05942c8b11a480eb51d24697dc56c3e6c9e55d36c9881a5a58f246a43687c946e569511ba6fdf73408c8424e

Download Submit
C:\Windows\SysWOW64\Gcgnkd32.dll

Filesize
7KB

MD5
9210403af51db2f31e80a7508812a871

SHA1
e6d4c7806872357860299efbd55e5719c06c2f34

SHA256
2cb24aeed5bcf7a635fb2eb0eb30d590f3e8f67bdaa08e2cd21f5da14157f750

SHA512
3fc7589f8066f61be0332a71c94e033f6cb1c8076c50cb9d221bf734ce465ae2eed2b8eb2a94dd0f452c94a2cf615e3c37cc4fae8b6a8872e3e2bfa329fd5852

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
95KB

MD5
13a963630ae548afe6b6f5e099278e75

SHA1
67df1c5318cf3e55f3af98eea226f4612353f4cd

SHA256
0a4c07499a53c0e3570987d711ba471e73d32d1b6ac778e4dc6c15b8a2080f88

SHA512
92370f74189a3c981d44eee642ca75d2e9990cd2e09bed0529e83476fe364ffc2673ddfaf902ec60a0654d8eaf54bac26469d2a7968623d0930c943ad86c34ba

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
95KB

MD5
0a0c9e9ed5707a7cf5d572f2dd302fe6

SHA1
9c2d0936794abb34567852f6687db95c2bad11bb

SHA256
ceeee97fc9e1c2dee254d5d7c22344d78dba12479aafa66880f8877f967794de

SHA512
a6f8e3429a8c8b6fae332506d900b2661e9755f7d3c342db7934fdfb44dbd6f21f2e1cf9d48fffe297cef24003de5ad8e07d311e68fe9bac299126dc8faee728

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
95KB

MD5
118f6ffe5c8650828053f05f5b6e8503

SHA1
cfdc4eb41aac2c43831c424fb8893958dfc02db6

SHA256
b354c24e9fa22e8394b27070698fddba66f49ce4adbbd469d18285872b8f3cc6

SHA512
2691b50b30205643fd3f50829312cd457245215509e9ee61939a05fae77b58e04a69005f6fc8970c658dc49c32a22029cff6086defbee0ec38587642dfd55ab0

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
95KB

MD5
2bdacb74e496fba08bfd1394e8218250

SHA1
fe333320a2ca4f2599c8c9594f7cddbf46e3e88a

SHA256
9961d8e0960f6332e7dcaf68e1f8dec6396961cc67d644569bcf11bd60b7439e

SHA512
5570afbfb49b35a1b744a4e93c7dfacdc45180f244df9e1777745da47fed03613ad8af1fd43e3fb086875eceae1489c059e5b6a8e5686b79c47b5adb571ef95f

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
95KB

MD5
444fe16d2881cf13c7ea189d843ab082

SHA1
6891821a1f8836c4184464d4856dd7abdf630332

SHA256
f0083111e679ce27c2352449dad02efd77c48e0ac2e32d439d4c83ef91750d31

SHA512
4314c1d8307fa744415cf54c8ba5ec9f51c3cec69a8ec78683439b9b5a880834020b753378063e20327833eef7be1dc22cf8279ff0e29981091fd0da2cb5a76e

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
95KB

MD5
16ba22d9ac053373ffd3dc431bf4b8b4

SHA1
8ec60725752ea17f72623c145cf344e105dfd876

SHA256
df8a6140ef88d369f9c273b8f4f8b520457602a3f3733ace245e733045fa99ec

SHA512
9eaf0cc12b55b19235ee4a171f8a0c3c08cfba7da3c04aae9cec81f17bd5becf09d2ae9167385d3bc6374fa7cbb6213d247b549d2efe0a67e79305453762c344

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
95KB

MD5
f6d42bf1401778fadea9a2af3f3077ac

SHA1
82fae91546bee395e4c4a3001d2e681f74a890b5

SHA256
5a3be29b8a2ef023a30d58ffacb199f19e20224a5eadb0485dad72a1eaf53995

SHA512
2a99e5f7a0599842fd5e7ae11ef42cedf3052ce3214cd86b16ed1be2d15380e754c7d820c6fbb6c1cb2900f7038172162ebb7867c519b0a51648e78666da2968

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
95KB

MD5
36e64e4944dca67a020d8167d59a41df

SHA1
7f161d1ad9027f9e50a0b06e15c62ba4fd4ab3d1

SHA256
db82abd61730759bea6f5ea8dc1e077ba0160a01da0f5db319a88e9400af2a56

SHA512
ece50858545abed1ab0132a04b35d00ca789757957a2d39689f95eae7ca45e3ec695abbcd79bd1b0b41cdb9c3bc2c0ea2d7f5850f4df0408c162bfd77d3b70f3

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
95KB

MD5
15bf1bc9c85fe3efa8098e3575cebbcf

SHA1
b6238f50eea3543d4a7b7ca325c272e76e62159e

SHA256
2e072553570aa522361ee0158c3281933062e6c85d5265e3296db50f25d3ebd1

SHA512
fbb8431df1188f6015e4720a33e220b3fdf32bf5b6997b72f5f744dab546ebc9386b50001a1343b92746098ed6a2818bee1e7bdeaa53e3c9685636cd82e94aa0

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
95KB

MD5
babd66ad411a415f5603a35d45ac84c8

SHA1
bbeb545944f7f2340e5c5fc3d09b790fbabad30c

SHA256
d40d2667deab669e833d7b8e7e85fa4aa75445e2dc5f8a1e9afe553e6b5f8ab6

SHA512
203cd7c3469432c72c398fd28475c8b1ca5a181db8c1a870beb47eecd66be894e571e3c9e0f7f3e2ad9615945fa38f0cd5430ea2a9b115a7ef6e1bd65d77d07a

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
95KB

MD5
2705e91eb2f6a527b3f8dfc246ad02b0

SHA1
2d09ddeef0417cfdec5db7351b3eced2cc77e0aa

SHA256
597eaef1444f7555bdb0a6386c42c6269b6207518e27244aea205dfa314560f0

SHA512
ea417d353c69cd2808f86004ea910adcbdf7ce35601a28113d5d580e35a3a62e7a9c46670116649be9772fd84f88f931ff7c92a7c888d544ec38be0775269c8e

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
95KB

MD5
23df5e4f13d4e792730c184120b852ae

SHA1
03949bcb92a7e58163990f09f05bcf36ba2fce83

SHA256
83d777d1f849744eaba5b1ec9a524062e5d583184567f9971997c469fd0d30f3

SHA512
83749a2fcbfd2b41516a4a94945854a64326b91e6142b08eeed91f722beae2b80fc16895fb119732602de9eda81673795da8d669d389dc97a04838f0aeeac27b

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
95KB

MD5
e9d46d5d3f7b53babe2e179adca5e6b4

SHA1
b43d8e39ff2df370bb9fd24f53fe67e2342b610a

SHA256
9a2badd7d931fc17579b0bc83c348f336afc9cc1159bb21a2d83c4e76aa5c3a0

SHA512
2bea3e7d5e3ba46d1c5227e17ffab4db23a1de8392ea2d122ca6993a3f6e2949cf7235a46e87528e17e5c1c6ff62c998d73370a91de78fbc59664fef807b07ac

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
95KB

MD5
346b30179bee3a1afab297e182e98ca1

SHA1
a8cb76219ce9ac1da74bd9a9e4ef1f7c0edb1239

SHA256
07891710ad434b407e8c21e7815030152957e2ceadc351102d2c64926809e0bd

SHA512
24468bc9a16923157754894a68b5cb36916488011ba8a00595b9db3b7298b96c8d43a2d9184e0ae68e4c04d7aaadd25651412c7d2f68d9bb5264fe5354d9f59f

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
95KB

MD5
b909ed129693d125ee9392ab7ee65130

SHA1
cbac6c2b7233009b6407190e827dd15c08276bbb

SHA256
feb0b5615091e27e5c03eb9c0671fcd43ed89f4be8f49bdc3a2e6d95e5b0971d

SHA512
642451abed868499084de5b69be01e21b667ac5a230ad6c2408e97da6a07b614c6eb22980c247823a205228efc8bca7bb25f6953fd1159f26b57ab88b55e9404

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
95KB

MD5
39530403422b93f51efd5c7954e4fd39

SHA1
058f575d12b864024faa5d0971f2069457906fa4

SHA256
62465c7ca38643fb365790e4fe2ba4867307f84cb096a499e41f9d3c15542bb2

SHA512
6c87046a2975f4666d4449436d731e57941581a108859471ca59eef37b2d003e3ac71ffc47a567d85b718f9fe0e29077c32f7441fa34d8f68c9cfe8999a2c7bc

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
95KB

MD5
8ee1ed2567dab97db786b5d8915e4211

SHA1
d5b7a4f75808d3fb555e45e3ab6c49f5d7abed4f

SHA256
6386d35d335dce63c028e6622d0e5adfc123aeb8b1bd34459ff181e82af25fa4

SHA512
97447aa09ca90b4e7c276caafe686c2100b398446da6298ea0bf252f55bfbce521b943f7f970f9483b3075b66381780b07c2c41895b720e6abd9f19fe94b79dd

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
95KB

MD5
0a95c73c1f10d4c42f8b6cf23af026ec

SHA1
b72571533fcb3539a89b23c4283a725cd382d0ab

SHA256
1a7dce05fc21aed6519af103249857f99564466ea315a6cb0294a4fd0722d319

SHA512
59d203acbe6b3ee580adf7df220faba9385cb6b0cf95391dd2e630d3f35f6b3070764ed80017c3207904d06bd0028fd368f93e3f942238284bba9174029d378d

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
95KB

MD5
0bcc65d6ee568bcd8917bce106e2c54a

SHA1
04d11bb4600170472ff88cf822ff37dcf7eff38c

SHA256
2fd762620cbe4fffaf6ae568002505ee56f29df287daffb50cb38bca49fbaf23

SHA512
363df4c33f2b24037d3de1ca1fe453b1aa1229da2f0e8c644c58458fce831ab2001b5ebe79f8abca6252cc08803befc332ea35503a323196c864a837652e2ef8

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
95KB

MD5
febb3c9aef981b0f9307d6d3a709b935

SHA1
b7f76cb96c38439502cf65f0af1492ae719245f7

SHA256
36a1b5a255ae178e4ee4661c1ec08e9317e3a473a760cefda05bda4296a02034

SHA512
8dc70e6ebc06502054d107607bb998d6f6df3600031eee0a62657ed922bacb42120ef9dd9762b8ec8c292f69be4f5bf046b0e64c2c7f246bb0550c44018b9a6d

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
95KB

MD5
c52e795d4938de8d121e51ebb69fa956

SHA1
c5e52dd2a46de3db2c81d6a617ae274ef537f084

SHA256
c77ad8e5eef1fed35ce912d954a6ca4bfa0dfb817fe9e06946011395d9c65e71

SHA512
16505861c76b9bfc5076715446e9e6fbc8d8ab5ca3f47e4bc6abd112ad0033c1defc22e58d31113ed30f29688dc7af58f46a844457b1300002f0f9134936bb6f

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
95KB

MD5
b9555a4ad49ea45294e8cfb42f077f73

SHA1
18ef623e310aa92cd88af4f002329cbe5dfdca43

SHA256
7609f7625f73b14792faaca5cfa4c516ca8ef91d045b6bcff805ee902825ca1c

SHA512
8ecb86550a26f0a92b9a1f0f5d5c1d231c44dd9141331987660f377c533dfbd0a89575260aacef27676efcf5ec95a3e44502209fb30be5e7c76f1c5d94dd35f9

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
95KB

MD5
e95a0f70c20d784c61c69faa775566c4

SHA1
31e1c3d3781746045f237985b7100127d15180a8

SHA256
554eda831cb34a6f5c04e2c85761cf6216a5286b22b7d8efd2b5140a52e6598e

SHA512
702a798397a421925c186c34e7bdf2e40bacd7fdbdca9fa68bd170fea7264a9be60a77529eed877e3c7260ad4f86571cd6c93d6b77c41e88341a929a71e1e6a8

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
95KB

MD5
6a2822815fdafb9229316802aa83002c

SHA1
2c67b288bb0a4da44f87e03bae84013ee8784afe

SHA256
b064c2fe5e210a1917608c6b60dd59a7a0f5d392d995d73fc10b900c07e03723

SHA512
556a79eaf6606bc5c956500110bf18be35369b0775f1360ff1cd5d877d8c0539461e362712378b5f92391b901d2447ecf65b7b02b573d47d8d4a0a29936fa9b2

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
95KB

MD5
1abe2a0553f40793c250614437311694

SHA1
68dbbc171b3a83e7865969686c9cfe9494db42f9

SHA256
5315a359593a6559b7758bca0c8567b1d7eb8f77db07df82e110a8deadfd4490

SHA512
5d1616541f05eb45451218aa035bd7fe59d6883c6cf735374a5810b89d3dce19145f2dac833a04da636d0926301f662744dda5ce33296c525e5a644ce249921b

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
95KB

MD5
b72370c1a8f83b8bb7bf01a625ac796a

SHA1
372e150831b5961f126fc46af61638e93ed1d6de

SHA256
9ccd7c7f53140b67d7aabc2d10467ed82e11cae3ce8ad544db75b3cb325a31ad

SHA512
308bfd2cf0c74bc0cd442768e886b244ca0bf71f90487dd817e371846ef865f9560799fcb1fd47fcf090790e348ccb8e1db3f8be0234565655170a2c4ee68275

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
95KB

MD5
fd339b2ccd00d7af2a3e36ab33541daa

SHA1
630d9794f4316f555661e3888b59ad3e7388ee98

SHA256
e5a894516347893bd1a7909b4b081f2a755e02addf0ab78f62b65b1c5dc8733b

SHA512
138983fe95217de13f6ee67706db11a04bb7586175d638d1a81c18f6bbe7ea11f9f366cceda7f3be8ef8259408bdd191e302fd188777499f621ab5ff4f1ee3d2

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
95KB

MD5
6031c03eed7222e3884590a3d2a25e50

SHA1
6ab02ccadebca08ba91f2cd83c8cea7b90398784

SHA256
04ddf883d1e9dd6f4f2ec7c6dcf512261857395288e53d289d37bfa1ee36ddf5

SHA512
dfbc6d49f4d8ecd4664d314dca26cfe5d3636033bfa3c20bdf6e514c32e75c23205adabaaaccd4dc2007c4bf0ec1be60b103106121ef8d53f53f6c094116577c

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
95KB

MD5
ff23888d6c525d2cd17b520107135c82

SHA1
4bccb7cf39ffbb14da6abced9eb449a1cdec27b2

SHA256
7aab86a32c9fa1cb468a83e5721ed4ddc54c17298e57586ecc94ace7448e4cea

SHA512
1d0db2e4bfb415b7044359d8467954d64685269cf777917bb56f548d0ca4263459348f974bf3f8733b9c079fd2ce48428fb7e8cbb9b486096adb60584fb196e0

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
95KB

MD5
c8054ccced686f11af25c3463817d60a

SHA1
90bff94c491b6eb7e88ed32198df700f2096f2a6

SHA256
d35f76376e7838cbba5af871fb192abd5555b44d9d1e54f38ddccf6f40cfb4c5

SHA512
6abff58545eabdfa9d4c08f00f799d527e2235361a57b1070e8d71cadc90428fa9ceb894c8e906608e0963aad5041b694860fe21e0930253db379239483c78ea

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
95KB

MD5
a4ca70a9d861a9d47605cd66e7dd4347

SHA1
6d595eafb8dbb72f18806708169300b019b66c2a

SHA256
f4e47ffde44d4b35eb7cc31d4e297d165ac63157c1b62d10d6cb85ed31d31cf2

SHA512
b7fc8880a1aaf7dcc957baf9664124cf5f442a09eb956bca14050b9a2231cb16c55037442ebc622e1f32254996c9215a8debb99b271484f6454577d7ea04b2e5

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
95KB

MD5
3265512d03e5618e7a705c3e8115eb76

SHA1
39923ad8c7b1228f807d5cd33ed0ecbb8e53581a

SHA256
a69cec4b07621b263e3cc02fedb9bd6bd8fbe3caecb73a8ca5b6f8e2f94500d0

SHA512
e24b29c019f62f60892422958a130783c3ef68640ffe525de4e3e8b78be20daec6e4e617e2bf4a25446bfb2f2bdbc0a00ea985b71d9e77332cddfe6f9af8eb42

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
95KB

MD5
0e3853d32ffd47b6ad56f9de74cdc122

SHA1
b9716f95584acfbe6f2fd345a6167534e3edc54f

SHA256
69d086b3ebb10a7826b83342378ba2a7c19b9081901d902233feafe301cd3c74

SHA512
4daf9d9af51f40e4c66ef4833bea77a330a299a5b5257a96c54aa57d99ea40ffc93406315b2e471925b64322fdd9d3a9ddbf874b959e7f4889af48f67c13ed3f

Download Submit
memory/8-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/720-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/896-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1084-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3196-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3196-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3444-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3508-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4688-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5148-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5188-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5228-517-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5268-523-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-529-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5348-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5388-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5428-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5468-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5512-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads