604bfec32aa4cb071e974807e0254c05861ce51d9c62cf699a1abcd84deed5ec

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

921957db432feb3c3555af5cdc8c7130N.exe
Size

93KB
MD5

921957db432feb3c3555af5cdc8c7130
SHA1

750c8fb16dcd1a7a72606c79e6deb0e0e54d0203
SHA256

604bfec32aa4cb071e974807e0254c05861ce51d9c62cf699a1abcd84deed5ec
SHA512

1d49270ce6713eca18062d6ca2fd79301d66db74b9f768466a03c945e3ec3f4f634bf9bfdba50cb303ff80d50873e2430722ccd16c142b058591dc7c43ee2d66
SSDEEP

1536:CuJxxtreMhgX14flF8oG8oZOg1S4/xysRQ6ZRkRLJzeLD9N0iQGRNQR8RyV+32rR:CuvTrV6XccbX7ekSJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe

Executes dropped EXE 64 IoCs

pid	Process
2868	Mcpnhfhf.exe
3804	Menjdbgj.exe
2600	Npcoakfp.exe
2812	Ndokbi32.exe
4296	Nepgjaeg.exe
448	Nljofl32.exe
1060	Ndaggimg.exe
4780	Njnpppkn.exe
5028	Nlmllkja.exe
2284	Ncfdie32.exe
2968	Njqmepik.exe
1408	Nloiakho.exe
4608	Ndfqbhia.exe
4796	Ngdmod32.exe
1480	Njciko32.exe
2324	Nlaegk32.exe
216	Npmagine.exe
2256	Ndhmhh32.exe
2280	Nggjdc32.exe
2564	Nfjjppmm.exe
2828	Njefqo32.exe
3240	Olcbmj32.exe
404	Oponmilc.exe
768	Odkjng32.exe
3092	Oncofm32.exe
3084	Opakbi32.exe
2532	Ocpgod32.exe
1040	Ojjolnaq.exe
4100	Olhlhjpd.exe
4204	Odocigqg.exe
5036	Ocbddc32.exe
3768	Ognpebpj.exe
552	Ojllan32.exe
4868	Onhhamgg.exe
2112	Oqfdnhfk.exe
4784	Odapnf32.exe
1416	Ogpmjb32.exe
1940	Ofcmfodb.exe
3924	Ojoign32.exe
3672	Olmeci32.exe
1752	Oqhacgdh.exe
3000	Oddmdf32.exe
1764	Ocgmpccl.exe
2032	Ofeilobp.exe
1192	Ojaelm32.exe
676	Pnlaml32.exe
4028	Pqknig32.exe
1624	Pdfjifjo.exe
880	Pcijeb32.exe
1164	Pgefeajb.exe
1460	Pjcbbmif.exe
1344	Pnonbk32.exe
4564	Pqmjog32.exe
2632	Pdifoehl.exe
4932	Pclgkb32.exe
4520	Pggbkagp.exe
2044	Pjeoglgc.exe
1140	Pnakhkol.exe
3096	Pmdkch32.exe
1400	Pdkcde32.exe
2616	Pcncpbmd.exe
2296	Pgioqq32.exe
4008	Pjhlml32.exe
4368	Pncgmkmj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nfjjppmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6696	6600	WerFault.exe	249

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	921957db432feb3c3555af5cdc8c7130N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	921957db432feb3c3555af5cdc8c7130N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfaigm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2868	540	921957db432feb3c3555af5cdc8c7130N.exe	83
PID 540 wrote to memory of 2868	540	921957db432feb3c3555af5cdc8c7130N.exe	83
PID 540 wrote to memory of 2868	540	921957db432feb3c3555af5cdc8c7130N.exe	83
PID 2868 wrote to memory of 3804	2868	Mcpnhfhf.exe	84
PID 2868 wrote to memory of 3804	2868	Mcpnhfhf.exe	84
PID 2868 wrote to memory of 3804	2868	Mcpnhfhf.exe	84
PID 3804 wrote to memory of 2600	3804	Menjdbgj.exe	85
PID 3804 wrote to memory of 2600	3804	Menjdbgj.exe	85
PID 3804 wrote to memory of 2600	3804	Menjdbgj.exe	85
PID 2600 wrote to memory of 2812	2600	Npcoakfp.exe	86
PID 2600 wrote to memory of 2812	2600	Npcoakfp.exe	86
PID 2600 wrote to memory of 2812	2600	Npcoakfp.exe	86
PID 2812 wrote to memory of 4296	2812	Ndokbi32.exe	87
PID 2812 wrote to memory of 4296	2812	Ndokbi32.exe	87
PID 2812 wrote to memory of 4296	2812	Ndokbi32.exe	87
PID 4296 wrote to memory of 448	4296	Nepgjaeg.exe	88
PID 4296 wrote to memory of 448	4296	Nepgjaeg.exe	88
PID 4296 wrote to memory of 448	4296	Nepgjaeg.exe	88
PID 448 wrote to memory of 1060	448	Nljofl32.exe	89
PID 448 wrote to memory of 1060	448	Nljofl32.exe	89
PID 448 wrote to memory of 1060	448	Nljofl32.exe	89
PID 1060 wrote to memory of 4780	1060	Ndaggimg.exe	91
PID 1060 wrote to memory of 4780	1060	Ndaggimg.exe	91
PID 1060 wrote to memory of 4780	1060	Ndaggimg.exe	91
PID 4780 wrote to memory of 5028	4780	Njnpppkn.exe	92
PID 4780 wrote to memory of 5028	4780	Njnpppkn.exe	92
PID 4780 wrote to memory of 5028	4780	Njnpppkn.exe	92
PID 5028 wrote to memory of 2284	5028	Nlmllkja.exe	93
PID 5028 wrote to memory of 2284	5028	Nlmllkja.exe	93
PID 5028 wrote to memory of 2284	5028	Nlmllkja.exe	93
PID 2284 wrote to memory of 2968	2284	Ncfdie32.exe	94
PID 2284 wrote to memory of 2968	2284	Ncfdie32.exe	94
PID 2284 wrote to memory of 2968	2284	Ncfdie32.exe	94
PID 2968 wrote to memory of 1408	2968	Njqmepik.exe	96
PID 2968 wrote to memory of 1408	2968	Njqmepik.exe	96
PID 2968 wrote to memory of 1408	2968	Njqmepik.exe	96
PID 1408 wrote to memory of 4608	1408	Nloiakho.exe	97
PID 1408 wrote to memory of 4608	1408	Nloiakho.exe	97
PID 1408 wrote to memory of 4608	1408	Nloiakho.exe	97
PID 4608 wrote to memory of 4796	4608	Ndfqbhia.exe	98
PID 4608 wrote to memory of 4796	4608	Ndfqbhia.exe	98
PID 4608 wrote to memory of 4796	4608	Ndfqbhia.exe	98
PID 4796 wrote to memory of 1480	4796	Ngdmod32.exe	99
PID 4796 wrote to memory of 1480	4796	Ngdmod32.exe	99
PID 4796 wrote to memory of 1480	4796	Ngdmod32.exe	99
PID 1480 wrote to memory of 2324	1480	Njciko32.exe	100
PID 1480 wrote to memory of 2324	1480	Njciko32.exe	100
PID 1480 wrote to memory of 2324	1480	Njciko32.exe	100
PID 2324 wrote to memory of 216	2324	Nlaegk32.exe	101
PID 2324 wrote to memory of 216	2324	Nlaegk32.exe	101
PID 2324 wrote to memory of 216	2324	Nlaegk32.exe	101
PID 216 wrote to memory of 2256	216	Npmagine.exe	102
PID 216 wrote to memory of 2256	216	Npmagine.exe	102
PID 216 wrote to memory of 2256	216	Npmagine.exe	102
PID 2256 wrote to memory of 2280	2256	Ndhmhh32.exe	103
PID 2256 wrote to memory of 2280	2256	Ndhmhh32.exe	103
PID 2256 wrote to memory of 2280	2256	Ndhmhh32.exe	103
PID 2280 wrote to memory of 2564	2280	Nggjdc32.exe	104
PID 2280 wrote to memory of 2564	2280	Nggjdc32.exe	104
PID 2280 wrote to memory of 2564	2280	Nggjdc32.exe	104
PID 2564 wrote to memory of 2828	2564	Nfjjppmm.exe	105
PID 2564 wrote to memory of 2828	2564	Nfjjppmm.exe	105
PID 2564 wrote to memory of 2828	2564	Nfjjppmm.exe	105
PID 2828 wrote to memory of 3240	2828	Njefqo32.exe	106

C:\Users\Admin\AppData\Local\Temp\921957db432feb3c3555af5cdc8c7130N.exe
"C:\Users\Admin\AppData\Local\Temp\921957db432feb3c3555af5cdc8c7130N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\Mcpnhfhf.exe
  C:\Windows\system32\Mcpnhfhf.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\Menjdbgj.exe
    C:\Windows\system32\Menjdbgj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\SysWOW64\Npcoakfp.exe
      C:\Windows\system32\Npcoakfp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        28⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        31⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        41⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        46⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        54⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        59⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        60⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        65⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        66⤵
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        72⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        77⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        78⤵
        
        PID:964
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        80⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        84⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        87⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4812
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        93⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        94⤵
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        96⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        102⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        109⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        110⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        114⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        120⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        127⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        131⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        136⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        139⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        148⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        154⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        158⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        159⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        160⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 408
        164⤵
        Program crash
        
        PID:6696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6600 -ip 6600
1⤵
PID:6664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
6c917d417c031e82d7e8ea4829cee4b1

SHA1
99216f3a2977f1bb854f6406264b48d8a9fbe520

SHA256
ac8a7e67cccec66d8f45226cba0f2da85b769ed756a4ae37625b0c623a1e14eb

SHA512
f45cc91d97c8d045ed61a0b28a4a0306b82974a54b0afb0771fe58c1f42c5f47ea532b184dcdf1b1da771a7c358037ca1fed130e82e65b22d3d589ac01644267

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
93KB

MD5
c45ee66f7eacf46e6c4d96240d3d60ca

SHA1
bb70a43021cb06d5d9d3bb31079981d5e4d243bd

SHA256
02a91682b63549c5d36674096a2b7a47017b1f3923f1d2d711f6838914aec592

SHA512
4464619048247925dac14f9ae5b9caf7cdf5521cfea22a5eff528129b2ac0809d1af9ef26c8563315c6465d2ea4f97222f76aada141298249305c6a1d8da1d9b

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
93KB

MD5
cfa2023194058dfb7d168c422f1d2fcc

SHA1
43762b99aac95455d2e3b9f08e9234a1f1f25768

SHA256
ca26d2aeae93843052a3888d50d3c55852a6009c5535eb661f812901375b51ba

SHA512
df72e8d4175fcf43ced0ecc4daf6d69485f568bfe95a07564b5a2ddaaff9da2187fc6c54d2ab60daeb9901afbe9c2ef17a7d20ebd3a04e362b0c19cedbaa94e1

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
93KB

MD5
c21c67d908c3d02c8a841e541323a029

SHA1
bc27bf6f80ccc5b6d91f5fd55146179b83c62312

SHA256
eadc0a8473755fbfa6a2a034a02025aa9e229998bf0ddd32f30845a8f77bcdaa

SHA512
ae9b1b8f7ce3fa538c7c548063d3284a6fca8fb480b071a61c45c0ca2a5287dafe6c3947341acff90d3274846080feeb9404008042f1d251c5966e1b6d05c070

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
93KB

MD5
bba0d388dc0ef29405b48fa26c472294

SHA1
dd26a4242b69d65b4cc9e4ac9cb214ce8a8186f4

SHA256
57016f4b2a09ac080be1f06520be59b545219569436ad82168e0b261c5db6816

SHA512
b8095bd398aefcd728f48ec1eb24c072fc427ce04e98d36a106c8638d429db342df7521ab42dc6fb9321756723e2b7ae4dbb7dd6b6734113ac74ade7bbf587a0

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
93KB

MD5
1a08be4b737f0743e25a76abf7c7464f

SHA1
79788c0504575f2fb17c53941fdd8f12432aa0a1

SHA256
12b3c6c19974df9fae7db0e7d4a80e83c53f4824a2f356941f142a0b7ff6b854

SHA512
c7a727396a9728382559decabd3e599d21e0b9f5034b9e25340ca3c12effd16395fe4a7ca15d329cb9739acba5897d11ecb71d5caa8cef4ce8990f98f77a155a

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
93KB

MD5
c99fbe2016d34ceb9c633091a97614cc

SHA1
4591226bb6670f03f11b3d584d579e746fb3421b

SHA256
a000282fdd0d62598640e5b102fe5f2578fba7d742c8ff5036a43e642cddc8a3

SHA512
a28c54e7446777ea4196493f4d6a58ba7f11b41b4d0ac7449b40881435d004fd228ffe479b16d0044cec80f1735aae24d89e3b80190da5e1c806106154182d0d

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
93KB

MD5
d9c9c468fad4b0a1e9dfeba00825eac5

SHA1
c9c51c0a1858ddbcc45f152dc933b32cc89459aa

SHA256
60d947a5a56397a3f2a27832d9f83b64b09f163f4d9f538b9775480044cfeab3

SHA512
7a8453e21664e3bc175a72d3b3ab099078f0eb94ee5e93a2d45c4ebb6cfea815849ecc8e3983c9ead3d572110ad14f48f78f806dee8d61f745fa1bf9bd129e1d

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
93KB

MD5
8ba8cb6935f13371c6f263898927a0ed

SHA1
be6f60b69dec6a8328cef7c04bf56f7a03567a4a

SHA256
eac4f734aa3954b2027eab343b2d4a4e06dfe1d4e9e012560080ad2abd07d91a

SHA512
f3fc812790a747b7082c717d65963bf1ca1af8101e27fad1bb4b0ee21fc180e386b357a228948f5adbb345e7dadf8d1ace7de350c319bf8f185482ebd6dc720e

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
db9b381ec0509d2e8832a83f6363f641

SHA1
18476e321924c2da5a95f378c9945018f2cbe07c

SHA256
2c94b9d2500b4cbfa33a9e52adad631b548f0e8eeef941d3e0fe2639c4c8e27e

SHA512
655b99e3bb365e3e3bd3a1540982634e71e56551c9a9d9649ac0ed6b2c7d25179ed6a3ec5d4ead24e48cfff3a00e2ec828f336d6042f9f6813beb002f969bbcd

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
93KB

MD5
76e5a7768c66336a2c44f422b5ad1e42

SHA1
1d4af7904be3409bf51e8caeb7b52477f90601bf

SHA256
81f019cfc30d78cdd937439e1f0c7939735478dbc83b204b2f4f9f16c1ada31d

SHA512
4f523e2ca6e1b50999e1ac330aa653d0b8cb9b1ff802e69915fa68f1b87c2bee0eee224a2598bd465002e8ac1f060f65cd5af31f21b5c70ffe43e1f248052eea

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
93KB

MD5
3a5fbabee42dc906e0fcd4f78afd9358

SHA1
9946d55059e3580557c7da1769ac4897b7115da3

SHA256
c180b0e80ec062052d9443cae5318124156e6e734f6c49e0e5c74e5a87e80cb7

SHA512
47ba092a1124a1f8a5fd0bbc35716dc94f470ae1358827eadcef3aee2baca71c1589197aeb0d8f5ebf9779926e303d8b1a7e37602f00250c859e14defc0a0d5f

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
93KB

MD5
239b453cf3ae162d54738c4302af80c8

SHA1
2b326166b54b260ee5b1b880c1188d44e7f8728b

SHA256
d3d0caf663b5495024efe7349ac573576df62c255c491a9a95ddb41aee3eee4a

SHA512
163b9ae065b90cb4e20a2ba552625cbf7ea0eab0506316e057279446869b3ed343e7c9a94dfb90406930fa6e822b46472563c114d9846e5aceabbaff59644dba

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
93KB

MD5
a2e46a6383634f8a032b099cd471e4be

SHA1
708035ff20a9251639100926dada61b14275bb0d

SHA256
5321627feb3f23cd0c4a7fc191737bca68f1b0ebaeff13242a7e233229b042f1

SHA512
8edad703730700e5e0b86dc1678e20ebe1c07e731d1e065183301ec2b5edc29da84842455d50b0961c1c646e36926d13bf7f68662177d7b3ed7337d84725acd8

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
93KB

MD5
ffc1ef3b578c2684f1c2c86ff3d04429

SHA1
b53fc2a3618fb49cd54bd896d1bb00f5aac90994

SHA256
554cf49f3f5ab8766f9005a916f57cce3227dc40d93548553029366cf15e3a3e

SHA512
ec22a310d6636b9d3431d9263f8b10e15fbfb287c47ded9a75958cac04568b304cac3804bef56936ce828f163c3be4d463f2d6716ceed75e220a9c7f15560fbf

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
93KB

MD5
8c6ee2c51827693f182f539879b73fa2

SHA1
311e7d539258492bbd039ad0fe0a0dabfbada676

SHA256
0a56bf2f12d565e3b96a04f8ccb22ab38d17a609b82c5bdeed8fe77583bc0637

SHA512
04a1b536790c2a601d4f2a477ea84a362493e2e90da4b27086f44e18a9226457eb795cb285b2f0aabbe0768e71ccdfa673a12d6732121a6e405dcf2c7dc330e7

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
93KB

MD5
db2532d100ece15b32ea124f29154e8a

SHA1
3661f47b2d3a4b387e85ec1eefcf7a286380aeac

SHA256
3d983f24d55c2e7ddab652daa14dffb06f4f3cb10c3588757637fcda7d97bb41

SHA512
6b0551e695477a365b2708808c5e6ae39fb61b0fb25bfd513002d59b047e4b168b9929e53a64c0c6d82f870595cb1622e671d592a48649e3e97a2ac0e2e20245

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
d7fcbab4767623ee11f0361e56470ba3

SHA1
3e3f0ddb748c27908e6b290030c9e78d7be743bc

SHA256
2a8dbff5c085c190e58c8918a299ff0644f392796a177e76cc1348a8ea0e81bb

SHA512
4b313c732fbd2bcc29b4cfbe47857617fa0a8bdcbe52122bfb5c131054cf32548a0e914cf55b7702dbcfd6fa2d4e88b001579963bc2934ca23da6a4351fa820b

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
2c51b1240687bde6d48dae8fc6a4d56e

SHA1
3f53c86f5e677d7a39cb57e5612405d455bbcae4

SHA256
6064111dac3f3f135cc907ed475c3cdab91e66d823f9601d8dc23082866e7122

SHA512
0304a7e1ece2744a7ab65c637d0a638f2bb0fbfd917c682e69852c09fcf6c1aef24291f19e47515a2c2fc0a1a9f5d20a7fa75eca749e10ffbd0c45132607aa6b

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
93KB

MD5
78e17f68b68d8146497a016544e1f2da

SHA1
55c62ac551f210930a3515f00baa7903e4fb7143

SHA256
5f7ce4a70b65e17dd3a8587e9ca169f4ab86864a729a2e5234e9f7ff3ae4050c

SHA512
fc76bf7ae387947ada98fbef433d0af744de0aabc16d0e1b993704c05576b3065b83d53e9a7dbb793c7dfb4109a86e6822fb3ec50c3ffd4438d6aea86537f734

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
93KB

MD5
1c15502a1837e9dc62d3c165f98c9302

SHA1
416e67f24401d52a54daf196ebde2196f4e27a8c

SHA256
0ddff00667d6716736a2524869f9550247c1ee30068973820b6d7a10fca5acb5

SHA512
555a1cab7d1992194433b415d511b5fa708e3b2170fcd8e1fa1973effd2aa9ebedb25dd31ab77b5818b9125e3baf6a6fb17a3e507d31c57d929e2dd276871225

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
93KB

MD5
b3557caa5de9c6c8f6eb4f43e1b4d276

SHA1
3f7a16565bc64fe5a847a0cf577716016e59adee

SHA256
bcf67654f7e8cc1194c79b25ce2d25d8331f9ef43d2e1b93a86f91536243428b

SHA512
38d8ef406954bea7e05ed5529bb9d10ac918642bf697fc0c964a877b9ef33100f39bdf653740d914d658d055903e5b27639914672417fdb80deba8a059e47ccd

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
93KB

MD5
446693f11b494fa402f21d093ee35e5f

SHA1
f36735fc8c2c0f4b3f60f35e62394b518c3fbd46

SHA256
1455c0bc2c4933967545bf66cfd70b1a8b1fbc738568486b572137300644e94b

SHA512
0d19d9a28e680d0c7ab096882f3871a349438e0cf914ce0f1f2236fde992118ec4ccbaa9aef3cd177087c8a4e0427decbbd53a7d4fe4b1559b3f5e5a4204641f

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
93KB

MD5
9df0f9c0d167b629fe3a7433634e7ed5

SHA1
eb362c8c0f7ba856588bab3a82cbb5f8931e24d9

SHA256
55c9cb7d11371b39faebc5af2e8133674b711119f39d6c1c729a368a72d685a9

SHA512
3cb65c715835ada34dbdddadf29e72f217747e78ec88bc70d0a81a18eed1309ff2a956dab63ca8864b121606d3b97f6923a2a0e209d4c80748d9c0e582be0934

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
93KB

MD5
e13320126a4aa28c3b5a3913a7f2a3c1

SHA1
c50fde77b48cfe8cee7633b3c8b792b009fae0bf

SHA256
0b1af47b02a15dcca304d0b9459928559238d548ea7adb962b9ec96f173068a3

SHA512
173434c6225dfa4b3386e26bc9b820dfd474ae02c5216e9fb6a954f03d557504e359307d1a1ebd1d7ec8d0158b90abca504d96b066771df0676f3770a8d5623b

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
93KB

MD5
448673541175b09e9191cafcb5d9bc20

SHA1
3cc35aaf91b8186fa4f2cda190276a5d47e30e7c

SHA256
001ae8e37143ff06346ded88b0a4e069de4bff0e2c022556a7eca95ebb616d5f

SHA512
b6009d3b862909ab06fe9bf996d7682148d4103aa48a2d2b59e0b57a707914d84d154cc88133260ad0665f951a1852e386c3517b3683d189c4fbea3c949f5f5f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
93KB

MD5
3927742065e0bd75b0fd624b5679ef79

SHA1
9755ce87864cd7262943b00fd20c2e524d125ee8

SHA256
49d743ae1088963dea3d22468c2176610bfd643cb226101e0b59b337f32da19f

SHA512
d5d749e0c704a54caa5c18815f5c2d4ef1fb297b2d28afdc0aaef97c5f703dfd8cd7d3e0b62538a4ee06e93bb450a209bc4c5ee5f3e18aad154afafa266856b8

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
93KB

MD5
10393d70874571101d19d495f5ad6ce9

SHA1
aafc65660de9c08176927b2b09d2aabef9c9a7e1

SHA256
64a6b679a01e92d590fa14dcc1d3e97e2d88c7bdedeaf654f6801b692d135d83

SHA512
ac1b524747bed1d22e43203cf0cdf098b77d7aa74cd5987020df37f5e6f7cc5e1333ef54e8c65ac29a5e2071ad5e6f984c4b8139171da82b62db6e035c03b114

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
d1618b6079298e7e9bcfa7e7b49846d2

SHA1
7516909e83aeac6af4e1205585d471251d802cf1

SHA256
96877733d4b615d93b6416884eb7a53888e0183346ca23e66a870ba9a49d6b90

SHA512
ab747ed57a3f9f6dd7a2d6d921e87ec6933588b115ff495887c20cb100e46b9dde459fc786fb91a60f437012e730af0ecd88e7f673dfb6a0b9972d27314b671f

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
93KB

MD5
e0236505892211487ff53bf6e8d8a98a

SHA1
3e505618f4fe3b99383f123800e587531c69d2cf

SHA256
f769470336712833e33bf7ef002d9b726d0fced60f72fac748ae8766d13fd7f1

SHA512
7627685e2e284efdb6aa7b0c0cc45698d2e910112654096c2ba1c1d9025a85c5c4c0a64a2d738ba25e17a266d425e17f2fd2eeb31f2f91e57db9b1dd1d7db34c

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
93KB

MD5
d417630ff8a1bcf42ae982c66a054c13

SHA1
a3e4dbd956c181f3ea483fbda84bafb7f8088e20

SHA256
54d7a330ad542a8fa0381dff5f0c4605bb6c91e42b9d375da501167686fe7988

SHA512
604a1933417735c145413359ae48e84dd40d6a1dbef91624053f73d9d7e7265e4c1b49bdec75dbd7a3e1f8da3fd02d1432bea5532cf1135fe4154ac622e88e5a

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
93KB

MD5
cc1f113d5ff94b18a99bb90755898db7

SHA1
9a2ac210cca746924e60dba84ed8595a8db28958

SHA256
0f636d71aa6cbe514a12d5dff52c6f49c653c0479f4c9eb87331e89e151199de

SHA512
7dbf8682e85ff38a851b296154eef1330bbe59bde22fce182990f81c94b150b60636164371727e4fe4838458576e75a4708ad6d2b6970186cf1ff60fd28c8be9

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
93KB

MD5
7675e58a0b62cf832423db236548c262

SHA1
ad7f4004fe28bf9a6e0d4087b6c50d09cbefe141

SHA256
d43c1a3f8553686d854f4987cb838db21d6085f1f164838ab6986340e8de5a0d

SHA512
376c95f3d4c3c51dcfaaff01f3ce38587b4eee692a64198716d98319b46cf5cadbd1b855e4227165d037f3ee021317dd3a641e912074f5ccad4d6f5edef00763

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
93KB

MD5
e536b7ef5b326d8db0e2cf2439f0681d

SHA1
c3187c1453a0a5fd3700191b63e4ece594ea278e

SHA256
e572740df7ce2e1aba25e4192750302e8a667c174cb7bd8a22c3abd28ac6a142

SHA512
49acf23e5f90e71b0b1eaab620dd52c0b6c3151062439a6966448af3d12788ac25a704b0b5ca6046cdac2d1f36e48659df5e2c96f55215a77bd730a8e80158ec

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
93KB

MD5
25b8be810807028801b913c25ae61b30

SHA1
66182be7e513913680c789676f004b80a027a309

SHA256
8a1913dc2577ec60e61148b2ceb51d5dea4f3a5bd988adb8a6f4ddf093b8871a

SHA512
eae30740fc99f2fc27c3c3c592f7c5d594cc08b2200612c9295377913517eb97409cd8c1428711bbe10a8f37c4791831acb19c350d4a8d93bbd60772441e8c61

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
93KB

MD5
3ddc7efd90c964cad3db11c88b98c3cf

SHA1
c1fc0b42f84b6c0bb8d78bc8c3f5e41e11ca2206

SHA256
f2896b3b76c20415884975761583cdbc5192bd687f7189a15e824afe9edd3055

SHA512
d3f09fb370d91b804f67a109fb9360466375ab56ef46c92b4b0868abe2d5628e83d5312ad55dcc939a58dcae9d23c4a2e143bffa3eaebe6075ea769353a00814

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
93KB

MD5
e900975d6ae9464532758b71f0d48808

SHA1
83ed125452cf6d953ad37c8e29c4ed21148377f4

SHA256
2f9e43e21a9c4a21a7fb5854cf00cf3ee434d6bfb58b47ccef5b3bbd63f9414a

SHA512
d62bed4538a796322b34bf4c6806ea70a4566c2fb31574ea2e6751519d26dbabe1b430143c80f6960f3024f892526ff0504e6597466b527617f32f431166e021

Download Submit
C:\Windows\SysWOW64\Pnjknp32.dll

Filesize
7KB

MD5
b6d3c35561da6b26d3a8226b49f446c0

SHA1
9e7eae404a3e798815bbdcef7fb490e638f2edaa

SHA256
c521bb3a9aff5d82cd23a96f74181d81e6e4fed176c5debd92f37bf55c880826

SHA512
dbc5d7d3f5c1eb85df7a4ff5bdd71365fbde8e75a5957d020df93644753028737a0b72a4b1b47cac13118e3998e5f0a09a1af9163fc5b2d9620ff93980c172a6

Download Submit
memory/216-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/404-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/768-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1480-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2532-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-563-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads