8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b.exe
Size

96KB
MD5

abfdd5682353e30eeccf4316793710e2
SHA1

f03767ab6c8526922077ae782877485db38643e5
SHA256

8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b
SHA512

37d0a1f8fbe132c4aef3d5ee30942ca0200039a68460f318474f04287300e30a1319f688ef791b0cec70a2379be54e15973f91800c40c451cefdf76ddba3c437
SSDEEP

1536:gCxLW1pYOGaJLJ5EOlUpplxAaQ/3fPmUcC5cdkkOM6bOLXi8PmCofGy:HxLW1NJdeOlglxU/3ftd6dkkDrLXfzot

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe

Executes dropped EXE 64 IoCs

pid	Process
3492	Mpablkhc.exe
4664	Mgkjhe32.exe
636	Miifeq32.exe
2612	Npcoakfp.exe
4676	Ngmgne32.exe
3016	Nilcjp32.exe
468	Npfkgjdn.exe
4140	Ngpccdlj.exe
4908	Njnpppkn.exe
4884	Ndcdmikd.exe
4016	Ngbpidjh.exe
1332	Njqmepik.exe
2784	Npjebj32.exe
3076	Njciko32.exe
2304	Nggjdc32.exe
3464	Olcbmj32.exe
2864	Ocnjidkf.exe
2272	Ojgbfocc.exe
3924	Opakbi32.exe
2748	Ogkcpbam.exe
3048	Oneklm32.exe
4736	Odocigqg.exe
3252	Ofqpqo32.exe
3744	Olkhmi32.exe
4752	Odapnf32.exe
3400	Ofcmfodb.exe
1932	Olmeci32.exe
3604	Ogbipa32.exe
3888	Pnlaml32.exe
4952	Pdfjifjo.exe
3688	Pfhfan32.exe
5104	Pmannhhj.exe
3756	Pdifoehl.exe
1604	Pfjcgn32.exe
4848	Pmdkch32.exe
4500	Pdkcde32.exe
2780	Pgioqq32.exe
4424	Pncgmkmj.exe
2200	Pdmpje32.exe
4924	Pgllfp32.exe
976	Pjjhbl32.exe
1708	Pdpmpdbd.exe
3988	Pgnilpah.exe
3548	Pjmehkqk.exe
1484	Qmkadgpo.exe
3792	Qceiaa32.exe
3616	Qjoankoi.exe
1108	Qnjnnj32.exe
5024	Qcgffqei.exe
4212	Qgcbgo32.exe
4904	Anmjcieo.exe
4608	Aqkgpedc.exe
208	Acjclpcf.exe
4112	Ajckij32.exe
4732	Aeiofcji.exe
4272	Anadoi32.exe
4184	Acnlgp32.exe
1952	Agjhgngj.exe
1272	Amgapeea.exe
4420	Aabmqd32.exe
4816	Afoeiklb.exe
3540	Ajkaii32.exe
5016	Aepefb32.exe
4972	Bmkjkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5176	3840	WerFault.exe	191

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3492	4320	8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b.exe	82
PID 4320 wrote to memory of 3492	4320	8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b.exe	82
PID 4320 wrote to memory of 3492	4320	8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b.exe	82
PID 3492 wrote to memory of 4664	3492	Mpablkhc.exe	83
PID 3492 wrote to memory of 4664	3492	Mpablkhc.exe	83
PID 3492 wrote to memory of 4664	3492	Mpablkhc.exe	83
PID 4664 wrote to memory of 636	4664	Mgkjhe32.exe	84
PID 4664 wrote to memory of 636	4664	Mgkjhe32.exe	84
PID 4664 wrote to memory of 636	4664	Mgkjhe32.exe	84
PID 636 wrote to memory of 2612	636	Miifeq32.exe	85
PID 636 wrote to memory of 2612	636	Miifeq32.exe	85
PID 636 wrote to memory of 2612	636	Miifeq32.exe	85
PID 2612 wrote to memory of 4676	2612	Npcoakfp.exe	86
PID 2612 wrote to memory of 4676	2612	Npcoakfp.exe	86
PID 2612 wrote to memory of 4676	2612	Npcoakfp.exe	86
PID 4676 wrote to memory of 3016	4676	Ngmgne32.exe	87
PID 4676 wrote to memory of 3016	4676	Ngmgne32.exe	87
PID 4676 wrote to memory of 3016	4676	Ngmgne32.exe	87
PID 3016 wrote to memory of 468	3016	Nilcjp32.exe	88
PID 3016 wrote to memory of 468	3016	Nilcjp32.exe	88
PID 3016 wrote to memory of 468	3016	Nilcjp32.exe	88
PID 468 wrote to memory of 4140	468	Npfkgjdn.exe	89
PID 468 wrote to memory of 4140	468	Npfkgjdn.exe	89
PID 468 wrote to memory of 4140	468	Npfkgjdn.exe	89
PID 4140 wrote to memory of 4908	4140	Ngpccdlj.exe	90
PID 4140 wrote to memory of 4908	4140	Ngpccdlj.exe	90
PID 4140 wrote to memory of 4908	4140	Ngpccdlj.exe	90
PID 4908 wrote to memory of 4884	4908	Njnpppkn.exe	91
PID 4908 wrote to memory of 4884	4908	Njnpppkn.exe	91
PID 4908 wrote to memory of 4884	4908	Njnpppkn.exe	91
PID 4884 wrote to memory of 4016	4884	Ndcdmikd.exe	92
PID 4884 wrote to memory of 4016	4884	Ndcdmikd.exe	92
PID 4884 wrote to memory of 4016	4884	Ndcdmikd.exe	92
PID 4016 wrote to memory of 1332	4016	Ngbpidjh.exe	93
PID 4016 wrote to memory of 1332	4016	Ngbpidjh.exe	93
PID 4016 wrote to memory of 1332	4016	Ngbpidjh.exe	93
PID 1332 wrote to memory of 2784	1332	Njqmepik.exe	94
PID 1332 wrote to memory of 2784	1332	Njqmepik.exe	94
PID 1332 wrote to memory of 2784	1332	Njqmepik.exe	94
PID 2784 wrote to memory of 3076	2784	Npjebj32.exe	95
PID 2784 wrote to memory of 3076	2784	Npjebj32.exe	95
PID 2784 wrote to memory of 3076	2784	Npjebj32.exe	95
PID 3076 wrote to memory of 2304	3076	Njciko32.exe	96
PID 3076 wrote to memory of 2304	3076	Njciko32.exe	96
PID 3076 wrote to memory of 2304	3076	Njciko32.exe	96
PID 2304 wrote to memory of 3464	2304	Nggjdc32.exe	97
PID 2304 wrote to memory of 3464	2304	Nggjdc32.exe	97
PID 2304 wrote to memory of 3464	2304	Nggjdc32.exe	97
PID 3464 wrote to memory of 2864	3464	Olcbmj32.exe	98
PID 3464 wrote to memory of 2864	3464	Olcbmj32.exe	98
PID 3464 wrote to memory of 2864	3464	Olcbmj32.exe	98
PID 2864 wrote to memory of 2272	2864	Ocnjidkf.exe	99
PID 2864 wrote to memory of 2272	2864	Ocnjidkf.exe	99
PID 2864 wrote to memory of 2272	2864	Ocnjidkf.exe	99
PID 2272 wrote to memory of 3924	2272	Ojgbfocc.exe	100
PID 2272 wrote to memory of 3924	2272	Ojgbfocc.exe	100
PID 2272 wrote to memory of 3924	2272	Ojgbfocc.exe	100
PID 3924 wrote to memory of 2748	3924	Opakbi32.exe	101
PID 3924 wrote to memory of 2748	3924	Opakbi32.exe	101
PID 3924 wrote to memory of 2748	3924	Opakbi32.exe	101
PID 2748 wrote to memory of 3048	2748	Ogkcpbam.exe	102
PID 2748 wrote to memory of 3048	2748	Ogkcpbam.exe	102
PID 2748 wrote to memory of 3048	2748	Ogkcpbam.exe	102
PID 3048 wrote to memory of 4736	3048	Oneklm32.exe	103

C:\Users\Admin\AppData\Local\Temp\8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b.exe
"C:\Users\Admin\AppData\Local\Temp\8c99a42f59f7bc7d7247d7a16e1c4c309506ec393dd535b17a1bfe4c2b73456b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\Mpablkhc.exe
  C:\Windows\system32\Mpablkhc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\Mgkjhe32.exe
    C:\Windows\system32\Mgkjhe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\SysWOW64\Miifeq32.exe
      C:\Windows\system32\Miifeq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        27⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        36⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        59⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        68⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        70⤵
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        72⤵
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:336
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        83⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        88⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        93⤵
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        94⤵
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1600
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        100⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 420
        112⤵
        Program crash
        
        PID:5176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3840 -ip 3840
1⤵
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
bdc6541253ae32dfa905241ca7fdc1b5

SHA1
f01b51f2f645eff730dcc67d44279c3af709a4d1

SHA256
6ce38e49dc52c19d471969841bcfd0fe313e804d1bbe8f0d1c94f2c7cb60e2a0

SHA512
bdd4203d3a8cae4d5f26e7c4ce9e116a468ded2124a51d19e9d7e07df00ce3a19a0626a34c18a05ccc7e21e0512f2c3e6436f16a0d370434e6c7888952d773ca

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
5d93963561bd5a0fe3a70cde0bed7378

SHA1
82d2d082c1deffed687e224b30bbf5407d3e5e47

SHA256
be9ffac09f597b75e29876c7e1e4468e8596cbb9dcb5008bf5571e58aa15eea8

SHA512
19b95bae6efd2dc36b101f40cdee698afd4ff8a29a435b9c3093a89a18d0b6155a110e60e324c4281d3009775674e9decb50114b14cf9f85466dbfa7d8e775c8

Download Submit
C:\Windows\SysWOW64\Agocgbni.dll

Filesize
7KB

MD5
292e5b394c0d8f7ffb722abd06355838

SHA1
a82767c8a68f16cd675bad4b1ce797ffdddde0df

SHA256
99ebec05f3063f704a57dd90828d68d9c612a8a303840696df88046a4b645153

SHA512
68a62bac766a833d686b37df93dbe8dc5c38f7a56bf6c2e5ff07a4e5c224b08fad6b17b03599e2bcc00aa2e3dd26e96d2a03510e8451991fed2b2a40de5b3a21

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
8ecd184fa18ffdeddb11346b5a34a8de

SHA1
122ab4baa6f88e682e4135bbcb4a4ac7836d7834

SHA256
069945368a5a0fe98897157d242f78974a71d333ec90bf2de1157d0f0ca05377

SHA512
ede5687deead3e450ad565b1d052e80e42fc106b15d858a209db92d97c1dcaf25caa7e174fc7ce0be5d90392b4706da50f08ed3009e2de54b62a3c2684e4b784

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
e58e7c44be1ae3952ba9d1076384e3b9

SHA1
4648ae385d7eee51ebf8957172af1c736d720a75

SHA256
9228e7c1ea73f4b0aa0170ef643e614f57cb04d184b4830a447084a9f6deb114

SHA512
96de9bde730cab65cfcda9755397096f514b72632f3d6ba21ee38d1b5eda8e94a848ddde8379187cc990b70db14b453dca6527ca7201be8d4a8135eb5cea31ab

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
e7bbb2598cfa251f8526f7a1bb2d6061

SHA1
c9389fde210485b2cf97078f3e82bc3cf447c635

SHA256
03f58b8e68bc2481f0c6c6fccbb21ff973be398703472eac8da1d7bf6d5adee4

SHA512
7b7f7fa667f1bf04db8339e76b57d6d73bdfb5b6edbaa19553153e6d88cb5d3f795257cb524a9f0028a96933447a3a2e560c814417e68ae7ff346a2dd146ad11

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
c4f46d45963c7c47f2c6cee4c21ac425

SHA1
5e9a4e2369a663caf2c78a97f51ab46c2e65528e

SHA256
4b938de41a7e7d838386ed91409cb7d2a7f4796f9c08da2f8611dd280ef7be75

SHA512
b3900cda5ee08fa184f67e276025ed4057449790c103aa15d1b6ccffe5a1f5c9140f53a9930fc3266cfa73491f8b03baef4c6bad865ae2dd6e5d9c7f6d93a309

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
2d700ff295dd9da76e8e9866e79af3f9

SHA1
27a8ceaaa8df5185d0a776011788273479105cee

SHA256
ca017be05b1c54d0464e5fea895830d91f30d6832b7e0413ab75f513dcd9c8dd

SHA512
0e01c20ee0ff7e674b3dbf47a3451e8b183c847d86dc9ed07c9a8d6952ff810bd7af6bda6af760b87882092f905673316212e858f0d8d1ddfb7a5bea9de7ca16

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
d292c3a4ee8d88ee5ef91b294aafbe05

SHA1
0a6be9e33571d19f13532177b982afd9f6c3cb3b

SHA256
6238bf3f07ecb361043e611356ecd9ca289a6b281ddcab9006a9056e3e0d6cbc

SHA512
23c4ac3f212a492b215833179e9486b6f5488db5b9def6a8fe9e3304f224a54a2e6a176294c7e1638fa292579295e369fd91c3e681d36bedfa4f6caffed6e67f

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
f87248c096d9ce0c17a74135d4217c0b

SHA1
3da798cfe964abd684638b7819c5bacb1bd38606

SHA256
df101151bbe3d43eaa4fd3c93284aeae0654d99c52906181df1f5380bb20689b

SHA512
219af5747b978945d91fa3ecb148520ab43b07ebbae138181453cc4c5914be907e31c26aef639598bededbd42265dad1d380d645c9367b9f9defb4c6c32560b7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
9532df9e2c419e299bf2c374549495f0

SHA1
eaeacb5815a4b5e7dc94c6eae147ff40427b466f

SHA256
9e507cc580fb7859f42ea0a97edcd8636324f0dfd94de65c9c68af3234c164ec

SHA512
41318bbef519c9cbdb1713cad8a4cb951e322997c85974ce9bbe103be22ce43ee5eb7ce18bf800d430b2568e50bcf4433e1c4b54e1195378c1fb287ff012967d

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
9d92af35a1e75409dc9d39968936d085

SHA1
8563ad2785543b6f07dbad961ea67261250e1309

SHA256
629b204a8539e8704d7dfc4cb4672942c0ccebaa8377a6d891971fa5ee96004a

SHA512
19fe5d862641cb2245fa71e946a1432111ea8902048ed71104fad08cf9bbba4b7d544f550f73340d7fef20cb63945581939b16766220d5a7fba551dacb033a73

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
c53791ca49de73112ee13242eaa89318

SHA1
1ab9227a5c8cecd20cf511324e1306db17126def

SHA256
b86573627c812fb3f1fc74cd1b01e6575f5bafcaa65383c3e53efb59b6ed734e

SHA512
9c7537d907b0eab8ed52bfc3d8c400499d946a6a0e4dc12f1376720a9ce7d3201f911fe88d6637e5fd9e47c268cbde67c054248886a18077f3fbb88f0c0096c0

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
6942bd19776fdd7ce1a7637fb809e71e

SHA1
9ad949159536bac34be58d58c06d5bd6c88dfc3b

SHA256
01d8bcecc8e38cfa92542c3ebb8d54b040997f1e374ef6ad5b442d98511ad3da

SHA512
f58a9daca1040d58865ee8ee0264d4c82cf7694e430d78baad4834a255759231f26b97cc33270a1d7d2fb33b5df40eb08e8f5a8877969122f3bea01bdc67f630

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
991c7673638af440294129c2c230c3ce

SHA1
4240b0a5da3c0eab5bbd8623e25835b4198cd793

SHA256
a8cb58310e5aa81adc3a200526b66a3ec6d30e6c8d3c135010c75e2ac1df7854

SHA512
68ba66913402b660cb3ac301213651cefb74aeb780c067f5be91574f35f889afed9f63902636c7e7bb81a59ded2a58f0822a06e529949b5ee9ac44045c04afd5

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
1d3b40b5b0c24aa0c036619e7303db59

SHA1
686dfe7d997c0ed512524aaf816fcac265a3ba27

SHA256
aa30822d3eecd35e3314a59116cdc305b7e9d36c9d6ef83a06a3101c27b548f3

SHA512
7ad9ca6892dcb638e83ec995313ea4d1bf477ac6b034ffba5b6a371869494cd2bd12046491f22c753e98314fb3ba6910309d9c625a421e867e0e8f6d261bc161

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
75be7c73e50b7145af153ebbe8f0df4b

SHA1
85cf4270cf3dc01e3ff11cf9c282e987dfe70a6e

SHA256
93142688ff294dff16cc8ddf618c77fca0d43a8d38609c76aa34d7cad4abec97

SHA512
f2abd8832f1e083f59109f2f31b59faa24a0cc3f32f734f789d3745719d31e3985d33a78e89c8242353565be84fbd2043485f77b9fbb6782a823a7f044c08069

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
0c12fb02451fc86e8ca7c286c3d90163

SHA1
cb6f9664967f61d525e957f7d30939c86e27670b

SHA256
cc1fd4f497dcaf821df2fb777ea815975d0ed8607b1537a2ee6688161b88dd6a

SHA512
887e5758e1909730e93df21cd29ab0b8770afab3bb9f4a63683bfb105ad78f0c1d6f06bc756e6f6abfdeb428c8bbde3ded43eb0c12c85c8582f46ddbe3f0ac1c

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
31109421c14707e1af499d34dfd426cd

SHA1
6c34b33cc03707128c4d0edec54ecddddaee13f7

SHA256
5183a97b055338c46288f74f17e6cb0587c3d0d494c65f0937564c40e587d25f

SHA512
daee961484068ec64ce1bf49808eac12ee2defa40894331e4f20df1e1ce2397d002896de5276208b2da9f7e6869a7605f8a6c9da44e21d01bb9dfc0e509dc593

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
9b2ad591e1a4d791d55b325ac36ba4fd

SHA1
2c02b519611e1edb252b053163b1163c89edbcf3

SHA256
580dec25d9bba4e8b83672117b1186962775e1e2f5cf3abebe5dba4f57594957

SHA512
01b9d9037d94e554576c780d8cf3517e7b81b07f6223254fa3c3db7756d40c4e07a2e95a5cd7e7fff95a90f112b0e1c5c55df998c19c266a9b189db3f6f302fe

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
6806eb7d6f8027c30f493e14fd6d76fd

SHA1
2f3d4137f277d08d82dc6cff3a76b642ee2bcd07

SHA256
a21a6c5e3ff6800c0ec90b2fcb0411b0e904769bc97b29b0c53c85929b3894df

SHA512
96ed39cdbc18666393b0bf196dd430e41b86717132c60fcd3e0e021cb4d828b74805aeacc75b695345d9aed7e93848e2dc5c97beb7ccd9a5c3ade36bcbfe3be5

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
25e361feec0166ac83a46edd123ddd2e

SHA1
3fbb0bf0de1f6f95b053d228c87165547d0a0221

SHA256
8ddc4a98af653ea7761dcdc025fb390fa25f7a76c3b7e563412720be40da917a

SHA512
c7a7bedf137471c59e7f8e236da66a3c9cbf16bbb1fa45a483faa4f80fecda2391827f8069557da72dc0dde6a18406e15b2284f8d360a45b559cbc650ed4ba1d

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
96KB

MD5
c1a47c39697cbc46475e9892907b971b

SHA1
02adcec9331f5275b3d92bc6d5834c0246fd15f8

SHA256
1f88c540128de8d857f2477516585fbe332ffdbffd85d44f976d26dea2564bde

SHA512
f44e128f4929c26963e7f1c73358a2eb59c11eeadb714299db1104d409c0a1b485d2a6b6ab6e8e5457ce0836f51342cb96b39ed029f1fa282248067019e75a72

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
96KB

MD5
178b0fdbf9383550185e7f7bc7d33214

SHA1
63896f17ab466054ef3aff3980839de2464c7622

SHA256
a89b3d5ff73e342f03584bb27cfe89138b448497a0085f3d1668670cc6a642f9

SHA512
c1cf4828db7d5f4ebe1ae4649a2763cd02c7ede8bd62d3c76997a136477c134fe1f95a220f5eb5c0d6e423b3b7627cb3daa6c2184260713a0ccea25c5bb36f1b

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
bfbcb11d7f0e2a880f59b26eb2244ac1

SHA1
e3867ecda1084224e98768cbae8e6ffcbefefdd9

SHA256
9696b1e835960089d8e20e858b0f8e2dc8b27e54aef8650dcc14bfda0e907df0

SHA512
e3ecde2241e8798ede5d2a214d5d70229743109f1adf737763c3e8ae50ccaa355a0e4eedc9ea9422ba5e0becfb136770c4c41567c3b70525b32aa1d9800248d9

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
939e0ac3536ef9e64550a8080be26bf4

SHA1
964d7a3a1f7754656f9f72fb049de775e90f6dcc

SHA256
e8983f25a9910bcd3390a6ab4c9bddce09a4c6508d7f439bbacd627c90204678

SHA512
961bfe07333e2def19b86236f1a3b4ddb2ed059094d95875553fb26f7e11c6c68d1f83ef8db0878a38f5599ef1c981ba92b6530aa8287ebe8dd722211153ec7c

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
0256f68821c1ce41fee4e144f15e24d9

SHA1
7e43a891310566d756a26ec7076ad0f80b539b4e

SHA256
d2749e4dd512d53e8984abf3e456efbb209df4077002809b70a261f4fab60513

SHA512
fbcaaa37b3c593261867fe1490d9d300ca082da037ef2b9e33dc36f07663e1d1193d19191cf6aa67d14a2761ac5456d1e3a734cc68936001c61406b0768e39d9

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
21206d706cb46a1720f8242c433810db

SHA1
84079982b653043512e925a47b68919e4e5c3fef

SHA256
5238560e822934d0b229e31c1cc5035c6bc4956ab8e521e0f0a9decf77b6e7e3

SHA512
e1edf49aaf1492e32ec17e9921ee2bbd6b160df4bea298644c25ec62123e6263731630918961e6ad3631e10cbc37d92dbc2f82379e6053f8bf152ad316a6716e

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
96KB

MD5
a5ab586d6a42da2f906d0c43334a9f42

SHA1
73632b90a268cb440e33ce55b1849fdea91868b1

SHA256
060d24d9d41e08807c82dc2c20a6e67aecd52976463c95b6908ec0b4a72d7b7c

SHA512
e27f614520a659f936b2150cf4a86480f25102279f44f145ff5d14242065cca2a9dd53f9960f5954e813077b6e4719102847f405ec85b2df70efb38b6aa82704

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
6b394b278d03991882b7809768f45bd1

SHA1
1abaddb6065dadf0971a444ff89953a47ed5a802

SHA256
9ab0c000b5c71c52e131fdc8881877d003af3807d948c4dfdc8b827d2b3eb98a

SHA512
b751770ff8c149bfcd2a4553382bb9da035943df28fa29e1c8ec436a16969647809ed919db7a510f30f522672e50793fbe05511b18942d85bd370908098db19f

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
b8f5ed0acb36de581435fc81fe6b5ce2

SHA1
28c4389476e1feddaf174fb91a235d18002a6f1b

SHA256
1425c27b4b03f572e7221adc308e421ce1585027a483669f305259402945d948

SHA512
2d14bb332f7d130eafee116be29e29b068c8d42b296d2c1df5b8d895db40f49f402fb80f858bfbd6e9b0891ade486b5f27abde30fb156ab2c2a1d0b6d51cc51b

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
96KB

MD5
bdab4901613521722a763b693299c818

SHA1
a0634c535f5f82622b98a084c8181241d1054e9a

SHA256
421fb495360c68b2083415349564151449a70428d0ba6f9f167aae974ea3d1f1

SHA512
2d1fd1d6469201663faf5e82045b37ff449f9475ac4f795e10a3a90e0d7585d6fb89181edb511a999da14b69953ed061a06793e3a737c4aede7cfc45070608bf

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
f5506eb358e4154ff9fc83cd8f649732

SHA1
99eedbf1c0fbf163f870db532c4a96143c336595

SHA256
a6cdb3af62b017f624664a8c79a1e30a4d094f9b4bc612955af11296ca6f9a3b

SHA512
ea8e4813148cc3827a6d28df6a1da61d69a0c88139d695b77f53d700eacffb0374dac81ccabd779d84f8b2f8097c04f82272582ab51fd56dc786643a2416f92d

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
1f9930e4075fd67733f538e157eb6245

SHA1
7d0baf21c760c607a871b35fbab3d5f04f3f0fb0

SHA256
726f73694e30d9ab0c61f5ff0d424100c8f8dd8ede7883f9b99814b7bc0a6052

SHA512
1be3112097a59b5d5a26a957e193c81c7683ab8123d9fd519edcb6b3a34a39023d02ff9ff74467463d3bb371464ce0328b2932f2a6fc04d811f5df0b808a5950

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
d9f13fb65b9eb81ee1e6e50ec6eb1399

SHA1
23daad80accf2df5b6b9f107247f3222d836164b

SHA256
fa4b86ff7e8a42f1a966244ef4677a4d0d04f71149ae8bb3b9cab1df80195d55

SHA512
a17d96ef22fcd16ba0951f947866aa88c7d155ef923ceafd1db2aef6fea38e91b8ca87bcae1860c8c00f8bc70afb74cbb7b9534737e8c99e9246fbd05ca27ee5

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
ef54dcf03dc876f10515d93e7cea49c1

SHA1
646efa24a92567ad49d473fb38813587f8bc2705

SHA256
e5a741e417a703de80132d57f3b49b596f2e8a481ef53f6ee10c7f357d3d16b1

SHA512
7656a0e76a4039b434ea6e26e62296ada5564078b73a9f887c1c10a01979193040541279772477d1469f4c68c87910cd159fa8ec008e13a1f14fbc1c93db8f19

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
4d1bf739d46f5eaf24a39476ce99faf8

SHA1
13e706ba9a43d3c248a6d5ca4d029701c5e1fbdf

SHA256
c0db600e5a5f54b2482fc4b2ae4f28b3210cb2d05d0fd4664c350a044fb52442

SHA512
601e6794f6b5ad55dbd3c1ae2659d0f0908a01ec31e54b35f800d24ed4ef44b9da5acdccf90a8bfb6f507ab778b6d6b0a251d50b2ee048e62055afbf08456c01

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
96KB

MD5
185fc84f4b1b3c8534166bcf426b7cf9

SHA1
46434e470627f894810933bb1f9c913a01706858

SHA256
e9c43eafe968dd117523f77c0b945652f62fd1aa17a4c5c7f21d1a95a54fb32c

SHA512
a96edb36918a5296def0d4500db11866afd4661e2a28e86afd60e2de64837bf55f2cbc1d3f2a847c69a0b2a8615ca3f9a6a4e36604f045a64d09d8d81e55594e

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
46ffd58ebb0bce6e97d392dfcd7afb7a

SHA1
1506a4e7674c82518508d1c7601356a89341d71e

SHA256
9f287c20da34884d92cad5199f676c41341e3a379993e4ceddc2842260fe9762

SHA512
70e8252969c490ffe1aed27aba28bcbb1117bcadca876944b6130bcf3a11c674aad2cc19c43dfc68d00b91c2267d824675cb0c288e3f810853397705218f16ba

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
0d4eedfec31a6688435cc795935bf2da

SHA1
d53c2d93e86fabbbc0a29a12f6d8150cede9093e

SHA256
702908408135baef41bf6a2a04c906d0b1b256fb60e9726af7afbbbf29ac1148

SHA512
adbafeed385ecbfe7717294dde60947d728b2d390f239940713db27ff3ccdebef6d6b464934cbc925c148386e523a1c3070f01d2ad880ee5dee3f4a0d429b4f1

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
8870c6ff213e6101b235ecc7154983cd

SHA1
00395732e9912073f6329f4a2db9d4c0f0178a97

SHA256
c21325fe1774c432ac2e322ed394ea4c968eacaf6d25b7221fa4e61320b5bfa3

SHA512
17497269c7461de80f587d46bef95beca8adb170bad9c95d4a8d816b39886557d061830467baa8d659de7bf4d2fb30e05d9d98522c109fb60cb63a0d14e92196

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
6e185f5d5b4fa08db9b53bff66e95065

SHA1
dcd5a259ae6050e77971cac5cd2d0a4b131cb850

SHA256
9544d438c72bd1c80ac5b8d2a8981721e20b26be1d5073bc52d072534a458ea0

SHA512
5b0b780fc44c1921aca8d36576a1ac319e602a585e892bf050b713d7e3f1bff5163e2d56fd84d279fa2c9fec187fcd91310791637f7f7c70eb0fd248420f7ea2

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
96KB

MD5
9a6f6732468a9c2a01c939ddb9990aae

SHA1
e1627bb239347a1aeac1256fe19ef236ee51efff

SHA256
d23748bc9504ca3b6d0388633ef27f64931b559e8fc52a814f8367b2c13466aa

SHA512
39a571bdd58c22b16af5c88f4498be5b337a4a8009f7272bec1be7393cd445a303cadda201dd6f52f1d9e01cc97a372df404a6f3a185d970c400262d865f2aed

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
7e9286cb140601f051a554aa1a94ce9c

SHA1
6d59a37d706c74ad61f3a74bb3b8ae256a43904e

SHA256
2f5d559532c9a4d6fab3370f5945da82527f262b849d99d17d22256ddda9abf9

SHA512
d44bea4d5e40b2182ebb308155876cba1c1e7c024abc51cf3f676072bfc8543a343733404ce9e6482c4c543cc71b0d4c0a69e1646594e5460a36a2350fab83aa

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
96KB

MD5
ad5a25bd3965076d0f07f0b338597a48

SHA1
b922f76f034584c3ffcc3e64ed03599a0b9e75ac

SHA256
d5dcdfe451d8ae5ba6f582f8b9e0d32caf78ad89213b77c74b0bfcbb7b09f759

SHA512
b9df0d9534911aabe9624b49c97c15f0bbe64b15e0d792d38a5ddc545a2f1af458e68f41a16c5b5e4dc46e3e41697c97ac5a6e1df4a919fe95fbf9a7ebcce4d7

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
a06f8fa5d127dee534aa8e30b0224069

SHA1
1d3f153162cf0dcf2036c715a49faac2164ee367

SHA256
8a09681a6ae68248d3f6d8ae5512b642c79fdae6a8cded2c35617b619c7a54eb

SHA512
4d6a78cf96dfeb1d348c641f59e5ac583af45ddbd6987aa1f089fd58ff23f699c1fa2c9c60148cc16b91bf9f9f2ef18c7e2f9ab15e4a14f281ee5b5f45db0923

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
7fce242853eff96585d1b4897d47e14d

SHA1
48e33e5f4248066129a74767deba3c019cf70e0c

SHA256
9ef83d81512726f92d8aca79b9cf90e59fedbe6ed842462fa3d57cf356406c09

SHA512
050ffc7b923f150b31c34be75675c1347eb9b7bc3db80d36f51337a22e13ea8926e6f2d8438a18d4418e33637fe2265d38ed866eab87104cb56391e5b625b480

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
2eeb16139e3c2b5c5cea4ecd7a9760e2

SHA1
0a9823b7a56aa983a8411037c0b857c0f9283ed7

SHA256
8bd47c7b6c3b983e58b815dab5d5053b834b556dd1960356dc2a49ac48c44d90

SHA512
b84b81bbd30e1f297cea982c8aa8525bead699b2fa16276d54de3d714a55c09abb7b07d708cfbcaa5cef52315a482147ba505c500785d409e59edd71f4ca7808

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
b28c31ed9712d7cbebeab5500ef676ea

SHA1
6467fccbd9bc7730c3c3ef017443badc19803533

SHA256
cbc1f73de2760a75a6addd260533f26248106da1286e3345105b4cf5de8937ef

SHA512
651a26bc1fcd47d6fbaf4d4fa8549b8630ab77319386dcd6c8aeb9509ba5d94be964f15af9156c67665ac7cdd5af05beb1ab641098449bd12e6c14475065d32d

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
ee8d461a629a05f03cecaccd00a5a608

SHA1
1861def3d7e3e870402dfefc2c7be7890f76ccf6

SHA256
33662127bd6a4c286b2c020d2600f4d85a43f594d0718ba1c65fbc71fd99774e

SHA512
5063e7fe15ddcb58855dbbcb6e191a4df12278ea7fd2f2bc02fe94dc18522d0610ce72877297d9607b73e52870021061c4466120e1fa26d6f1b244c68087bb7b

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
e1ec121542613b65dd92d5d96d105e95

SHA1
582fc7bd8ab9bd7332cc1e0b06af77ccdea15763

SHA256
9acff9a5547a9c420b04206e894a6b9d83779196fb12b110aadf47ff514fa092

SHA512
fac8b62208e5e60a1fbd2d89f8129bdcc162db650ac162f6b3ae1b72d1823009b7ff1b6c33140649c7c15667fcecab3457c06df4de1ad3c061ce46ca24628be5

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
96KB

MD5
d423f8e0e393359c1e1af6307272a8de

SHA1
51d9f8946890c5b377697ebe52bf90205c816438

SHA256
5e68dd4cce129f61786760e19f9cb09dd7bbca83dae9c45f26dd6163a229aaf5

SHA512
8b5be93719666558c3bf194c774d4a6d0fbf5f2fd0a6ed3bfbd4d6f10ab4d70c39bfb35cce804a7b508eb4b873045697ff9ff3db4f11982fef1b6c407135f14f

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
a044a8e8d6948978f665d3dc930157eb

SHA1
93d28ed4948a6fef757f74ba8d23d6960ca43dab

SHA256
972552b281dd85709406a5b43a12f0d990ec802d6b10ee827238899ea3b5f1b7

SHA512
7d3da0764540cfbba9dce9347894e720f27d1fac91fad496935e53dc4469090e85f42c1f5e0d3f2622401bad6116eb8b03503d8fb58e2ba43a7c0728f3dfba4e

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
f861126393d4bcdb27314bcf95b08db5

SHA1
423ad98293ee93b63ef7b1a3aec6e722ffb24514

SHA256
e4316216c56bb6cbd3692909e178847f3bd7ca7349003672386df0f38afb8803

SHA512
819d4fd14b33190701f9381ab5dc1bf7e681f317c637d96cb752851cefb0b72bc931b1bf003a6b670892819862dce2f48ad9b34d178ebdd9f13c12c703725ffc

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
d5b73e30ca24f5660aab3551ada8cefe

SHA1
e3936cefa00825111eb954078d0bbe99a34bbf06

SHA256
683e95a688329c48ae0613b367c39ffd503ec59e6865a78544357ed67f5e7b1a

SHA512
98f4a4e22a763077b1f3861c514b45170c4a488c91592b2cdc56d0d4ecdf9cc60205ad272314953ac5596f664e844c83f27046b1045b735b277db44019be3b44

Download Submit
memory/208-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/336-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/468-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/468-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/740-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/976-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1272-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1932-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2364-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2656-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3076-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3124-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3400-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3604-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3616-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3688-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3744-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3756-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3792-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4140-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4184-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4272-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4620-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4664-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4664-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-524-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4932-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5104-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads