962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe
Size

439KB
MD5

d89dd48b19029d8fdcb144796eda8c40
SHA1

acfa87924ff78329e1c89550953f1950d8277dd1
SHA256

962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6
SHA512

f354d8774baa3a3ddba742d62b7037f56ddc3848fe7edb592e639d94289600139d0b2a8fd7e4f362a76ac3af3487b1f25e1adf5918c56bf9a4dd4363a547374d
SSDEEP

12288:ZltyPeKm2OPeKm22Vtp90NtmVtp90NtXONt:Z0pEkpEY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe

Executes dropped EXE 64 IoCs

pid	Process
4412	Klgqcqkl.exe
5020	Kmfmmcbo.exe
2296	Kfoafi32.exe
4160	Kpgfooop.exe
4816	Kfankifm.exe
4448	Kefkme32.exe
800	Kplpjn32.exe
928	Llcpoo32.exe
1196	Lfhdlh32.exe
4500	Ldleel32.exe
2396	Lmdina32.exe
4920	Lpcfkm32.exe
2284	Lbabgh32.exe
4784	Lljfpnjg.exe
3652	Lingibiq.exe
3332	Mdckfk32.exe
3844	Mbfkbhpa.exe
4948	Mmlpoqpg.exe
4472	Mpjlklok.exe
3228	Mmnldp32.exe
5048	Mmpijp32.exe
3740	Melnob32.exe
1156	Miifeq32.exe
1948	Ncbknfed.exe
2976	Npfkgjdn.exe
4996	Ndcdmikd.exe
4168	Nnlhfn32.exe
3624	Npmagine.exe
912	Nckndeni.exe
5052	Ocnjidkf.exe
4720	Olfobjbg.exe
1036	Oneklm32.exe
3492	Ognpebpj.exe
4300	Onhhamgg.exe
740	Odapnf32.exe
4480	Ogpmjb32.exe
2036	Onjegled.exe
616	Oddmdf32.exe
2148	Ofeilobp.exe
4516	Pqknig32.exe
4064	Pgefeajb.exe
2188	Pmannhhj.exe
4908	Pqmjog32.exe
2144	Pjeoglgc.exe
1324	Pmdkch32.exe
4228	Pgioqq32.exe
1032	Pjhlml32.exe
2104	Pqbdjfln.exe
2948	Pcppfaka.exe
1580	Pmidog32.exe
4144	Pgnilpah.exe
404	Pjmehkqk.exe
4272	Qqfmde32.exe
932	Qgqeappe.exe
1652	Qnjnnj32.exe
1772	Qcgffqei.exe
3096	Ampkof32.exe
1756	Acjclpcf.exe
408	Afhohlbj.exe
3612	Ambgef32.exe
4556	Aclpap32.exe
1684	Anadoi32.exe
4296	Aqppkd32.exe
1100	Agjhgngj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	1908	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4412	1952	962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe	82
PID 1952 wrote to memory of 4412	1952	962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe	82
PID 1952 wrote to memory of 4412	1952	962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe	82
PID 4412 wrote to memory of 5020	4412	Klgqcqkl.exe	83
PID 4412 wrote to memory of 5020	4412	Klgqcqkl.exe	83
PID 4412 wrote to memory of 5020	4412	Klgqcqkl.exe	83
PID 5020 wrote to memory of 2296	5020	Kmfmmcbo.exe	84
PID 5020 wrote to memory of 2296	5020	Kmfmmcbo.exe	84
PID 5020 wrote to memory of 2296	5020	Kmfmmcbo.exe	84
PID 2296 wrote to memory of 4160	2296	Kfoafi32.exe	85
PID 2296 wrote to memory of 4160	2296	Kfoafi32.exe	85
PID 2296 wrote to memory of 4160	2296	Kfoafi32.exe	85
PID 4160 wrote to memory of 4816	4160	Kpgfooop.exe	86
PID 4160 wrote to memory of 4816	4160	Kpgfooop.exe	86
PID 4160 wrote to memory of 4816	4160	Kpgfooop.exe	86
PID 4816 wrote to memory of 4448	4816	Kfankifm.exe	87
PID 4816 wrote to memory of 4448	4816	Kfankifm.exe	87
PID 4816 wrote to memory of 4448	4816	Kfankifm.exe	87
PID 4448 wrote to memory of 800	4448	Kefkme32.exe	88
PID 4448 wrote to memory of 800	4448	Kefkme32.exe	88
PID 4448 wrote to memory of 800	4448	Kefkme32.exe	88
PID 800 wrote to memory of 928	800	Kplpjn32.exe	89
PID 800 wrote to memory of 928	800	Kplpjn32.exe	89
PID 800 wrote to memory of 928	800	Kplpjn32.exe	89
PID 928 wrote to memory of 1196	928	Llcpoo32.exe	90
PID 928 wrote to memory of 1196	928	Llcpoo32.exe	90
PID 928 wrote to memory of 1196	928	Llcpoo32.exe	90
PID 1196 wrote to memory of 4500	1196	Lfhdlh32.exe	91
PID 1196 wrote to memory of 4500	1196	Lfhdlh32.exe	91
PID 1196 wrote to memory of 4500	1196	Lfhdlh32.exe	91
PID 4500 wrote to memory of 2396	4500	Ldleel32.exe	92
PID 4500 wrote to memory of 2396	4500	Ldleel32.exe	92
PID 4500 wrote to memory of 2396	4500	Ldleel32.exe	92
PID 2396 wrote to memory of 4920	2396	Lmdina32.exe	93
PID 2396 wrote to memory of 4920	2396	Lmdina32.exe	93
PID 2396 wrote to memory of 4920	2396	Lmdina32.exe	93
PID 4920 wrote to memory of 2284	4920	Lpcfkm32.exe	94
PID 4920 wrote to memory of 2284	4920	Lpcfkm32.exe	94
PID 4920 wrote to memory of 2284	4920	Lpcfkm32.exe	94
PID 2284 wrote to memory of 4784	2284	Lbabgh32.exe	95
PID 2284 wrote to memory of 4784	2284	Lbabgh32.exe	95
PID 2284 wrote to memory of 4784	2284	Lbabgh32.exe	95
PID 4784 wrote to memory of 3652	4784	Lljfpnjg.exe	96
PID 4784 wrote to memory of 3652	4784	Lljfpnjg.exe	96
PID 4784 wrote to memory of 3652	4784	Lljfpnjg.exe	96
PID 3652 wrote to memory of 3332	3652	Lingibiq.exe	97
PID 3652 wrote to memory of 3332	3652	Lingibiq.exe	97
PID 3652 wrote to memory of 3332	3652	Lingibiq.exe	97
PID 3332 wrote to memory of 3844	3332	Mdckfk32.exe	98
PID 3332 wrote to memory of 3844	3332	Mdckfk32.exe	98
PID 3332 wrote to memory of 3844	3332	Mdckfk32.exe	98
PID 3844 wrote to memory of 4948	3844	Mbfkbhpa.exe	99
PID 3844 wrote to memory of 4948	3844	Mbfkbhpa.exe	99
PID 3844 wrote to memory of 4948	3844	Mbfkbhpa.exe	99
PID 4948 wrote to memory of 4472	4948	Mmlpoqpg.exe	100
PID 4948 wrote to memory of 4472	4948	Mmlpoqpg.exe	100
PID 4948 wrote to memory of 4472	4948	Mmlpoqpg.exe	100
PID 4472 wrote to memory of 3228	4472	Mpjlklok.exe	101
PID 4472 wrote to memory of 3228	4472	Mpjlklok.exe	101
PID 4472 wrote to memory of 3228	4472	Mpjlklok.exe	101
PID 3228 wrote to memory of 5048	3228	Mmnldp32.exe	102
PID 3228 wrote to memory of 5048	3228	Mmnldp32.exe	102
PID 3228 wrote to memory of 5048	3228	Mmnldp32.exe	102
PID 5048 wrote to memory of 3740	5048	Mmpijp32.exe	103

C:\Users\Admin\AppData\Local\Temp\962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe
"C:\Users\Admin\AppData\Local\Temp\962556d0fa26b26e4f86ed7abd4456dd1244f29b69459c53a3a5f21f5eba39d6N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\Klgqcqkl.exe
  C:\Windows\system32\Klgqcqkl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\Kmfmmcbo.exe
    C:\Windows\system32\Kmfmmcbo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\Kfoafi32.exe
      C:\Windows\system32\Kfoafi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        63⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        74⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3640
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        84⤵
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        92⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        106⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 404
        107⤵
        Program crash
        
        PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1908 -ip 1908
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
439KB

MD5
545804995c557f8d5472e5ed6bbfedf3

SHA1
25ae1c0c99604ce610b88ae3ee9ee5031e8740d1

SHA256
91923c4e71c55413ff434c52d059fa1b036cbaabe281daf561d682d79b1e7a86

SHA512
9e20ac2b09d0377f8d62b413d38401e7ba86abfc6020e76a0014450797ae4380c068b6090d2928d5494b3309c6d4693cfc9f427bfa610551e8a1c967d97672a8

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
439KB

MD5
3726a224f91d047254f437b1a6e07ea1

SHA1
c168c3302f4860c899f2410ce42038e2b1d1721c

SHA256
c5799341cbe7e15d429fd2ff16691c64fed2ac8e4fe6c6ee4d6956a1a83f3a80

SHA512
6ab80e3f53c39246458649c682f795b484ae02add298035aaf3e7433b400b1162b4d6bce14b57eaf989cc11a92d4be976476dea1773aab10baccc9a4652583ce

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
439KB

MD5
86a7d071847285f6b6a95680ccaf0991

SHA1
a6bc15675d3de26e95905a63725841a7ff8a98cb

SHA256
d04d95170ab0b89be658867b10a722e0f0bd83c73de452b0b0b0df23074cd3dd

SHA512
ea2014d2160031c3da3374f1f56c15c591df96e059e4398b21f17f10b356044d8993bf434353b4e68ddbd4bf34f9455ad573c80388da834e9ec3b8ea358d577c

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
439KB

MD5
eae09891a0a559933aff5fbbd0c9737d

SHA1
775c336596c870ff270dee2d5f8b1619398667a6

SHA256
e2cb7509c1538b0174177571c7e5fc1951b13159e2cccb4f888bd73729eb75b2

SHA512
153e17b7fe16d7122f1cf428509201bbf3bbc916cdfe26ef8b6e12a154bd79f2bcaaa03e821d58a2a08782580997c404c9c9b10d0f168af95e51dd2ba3e26af0

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
439KB

MD5
edab1103c01084b2bf14a0df2a8d27eb

SHA1
e1c53106b23e8f520d6de4f50ae4e6f0c483338e

SHA256
63ef22e6e4ee56403e17091b4e130fcfa54617ea279a862e360c3ea0c75cdfb2

SHA512
36b48b6c7d8767499f6b18a1b9cfbf3ab100e31e62d038ba202f3ebfa9f8ade217df3bf8e4d649818a9877dd3f39f508aba4c02293129e6335950c09ac1e5e09

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
439KB

MD5
7c6ed7831826273159204e87e1baeed1

SHA1
0a46fd56d04c986c94b99e451e7ef772191078ce

SHA256
5bd2a7160796dede29aea0a3b737507c3c02b78a62ac2a6d5f89bb908873a9fd

SHA512
d5976b12f38d5a029558b09b17cfad61dcdc94647efcb0d0562fa9b1209ffea00002090a52f2f374e5eb3df41353e37d595bede2120c9c8d33e50102c420ed93

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
439KB

MD5
f8c6fed59035222893fdd20db38fec93

SHA1
af79c5b7d407276e89c7699920274abebb463b9c

SHA256
28af87344118630dbfd8dd02bf07109d177316463a6ea04c6c2bef559b61603f

SHA512
e659f8d69ab089a9babeb087ad454edb36cd5001ada50edbf2d50f6b93d3cc23cf5b2cc64bac5f4948288b0ce947b32deef3d0703fef220a4c223fa9038c1c0a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
439KB

MD5
aa1371df16332cabd0162b68cbb7767c

SHA1
1f635d00faac7eb3ea2f669f92376a503f60a6a5

SHA256
2841131795f41a76511f8dc0b8ca54d482d25b8f8c08a7b970581055d52af898

SHA512
1c0dd39a5f58fa21ad16a1e3be391876efc4af29735a394979151cef4c54e73de828d40316d42327c3405058983d05b3cf682a5527a104ef15375b71a10d41be

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
439KB

MD5
4a6c73132bc3f084e4c0074ae751e6bb

SHA1
43fae6935404c0d2a4715e84202d64c7a3062626

SHA256
d06e0f6391a312b44852130e18e193c9899f2e44d505b390da89ccdd440f174d

SHA512
98ebff97c6fb1d406c3dd2a57c42522e1bf55a57eba108187f1917f6a1bdcca75a5028b90ae993fa6d63beccf6b6f6461af89c10c5221ac316cd7e3b36137666

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
439KB

MD5
f0b9ba5940285eaecaffd23cd4745ffa

SHA1
6f3cc36c119775a453f253541e326a6c918c1a38

SHA256
f1f23dc0f5e3b82632775143df33115e98cb7d71abb4afb5fa7c7b4b9e083184

SHA512
bf2411bfc449ff813c94a1db7fff66053f3b6b46075c9d91247b295ad5dc9c226c41083b91bf1ceb101e2c034050a6af5b75cc2afb0e1410af3fddf548c48617

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
439KB

MD5
62aaaed9958e3a97f5dc6969fbf95b06

SHA1
c340271b5a9abe73e38300798b65be9bd52957bb

SHA256
ab8ede392c2c1d14d68b5dc5f8fcd28649400f1d59d147e0da7f0cb10bc17c11

SHA512
66d0329801ec70275160547673454c8089afd9ff2f22c38cfa751cad4c9fcaf608863bdd8bc2ee9f5baaf70270cf4664703e4c02892877c8f43c213be460192a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
439KB

MD5
5ff8b06e849cd0e9e89f415b01e93990

SHA1
806262881dcf9c3a03b5e2009c67b26fe871b500

SHA256
2900ec08836a71a2e17da473d1586acb6319a7883227174f7cf29ad2b3e12ce9

SHA512
7b7954f32308a423e26a1117d18a5096957ff7b804bc6099439d95a6ed12751b51342c81681eae303a39fe938eba37f38d69cb19632821ee2190566c47f0428a

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
439KB

MD5
e157d78c6e5b5ffa054556f8c68e0dc6

SHA1
a5231355f8e61b222e73a383925c65fedfe8dc76

SHA256
7ec1044e3bfca5af739c3bab6939f9cb78cffb0e685443b5ced1db37081c514f

SHA512
0ba7114e48e92524c68865c62b1ac9c3e72c30b2c3e246bcd89c425c8ede94a926432b83ac2872343303f60c77ad56d1c58e0462a5e9117c51f71e030e47f3f9

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
439KB

MD5
3f432aecd11bb579484f2d2b4a9a3398

SHA1
35e9808f447848813a287e99a64d81343a35415a

SHA256
f6f31162b5c8cb4d23579ed8c58754a0d2b8d29326d9539665796972fac47468

SHA512
7ff87ca991ebb8269387e075849370515d6047d0e5e544086f428ef0042399a667c47a49a91a74ac6fe9fe5b1b4cf6a0d7249c84087c18e0e439d54ec4598ced

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
439KB

MD5
c800355923ff4585897f5932f0b3b913

SHA1
21501de91eb045e2ff132ff5a0b7e7c998b8f87e

SHA256
b396703640ee8d45f5b4277c61a89448987cd06cdd576c3134c3283677239383

SHA512
02846031eaee00a100e1c70aa2fd79f409aa19efce8e7230d30444ea56986e1f91884a9c7aa09f9c00715b25e02dd3b320ded3fbad5b4a87288e51d803bcafd7

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
439KB

MD5
a78dafb62aacbf7565a34ad0600f33b9

SHA1
e2f2d5bbe45f4afa373c8c6034dcac62b162ee44

SHA256
cfa9aca520f66fdf06a722e3bc2bd673d2a270658e50c73b357dfe4381d71720

SHA512
c4d30278882baea1e3228d298077af19a042efb567721869e8b22c62cde9ee98cd75725e3df912c6e129a26078608e744506e1a3c58d33c4fb0c84568a6e26a9

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
439KB

MD5
01f32bd8d0444edcdc58fa8198a1820f

SHA1
26808d0ffe31b966cb4959ec3f38d0cd25276225

SHA256
d27cce0dee1b07a1083176a7bdb737fe860035e0976ab9b9365c80c574496aad

SHA512
0a983d9a82166f0e36d9cb1505bd2c6fef77a76ae3d8f62ce29c79f425ccee52f4b2bf897215bc8c3fdc1c777505d3de9db727cae63a8a3069d77f40f121c198

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
439KB

MD5
fec0ff07e1c2fa96a1dee1e1c73b4e59

SHA1
e2d2921fa80827478357b250c3f5439c0ffcb946

SHA256
e1ca7325e0ec6b7795c97ec7354e9adc134ef17d520e21f35890612caa7feb65

SHA512
14cdf5d851301b759ae6a6fd759c36159bce66fd2071f07e8257fcafb3a156887d4121e0a67d926dca24926ea8dd664d913e1547991f68fc7be3ed2e2c5b9154

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
439KB

MD5
8c840db91323fa3f96730d5e81bf4815

SHA1
5a2d533b8f34d721eeaee7195fa1a4eedf85d861

SHA256
4a32b390829dbabcac18a36f353367023db9a2ccb0702f1baa0e80e941afb77c

SHA512
b922b57ff2767839471f3f845f34aeb13ee37b2468b41a992ea10efda5a4353f4c76a3974fa3f1ae01cfdf0c78a6c1d11fecea57c60e53882eab2d5cc4e559a6

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
439KB

MD5
de89ab1845192b5bf541c871e0651d53

SHA1
2178f8c7dc4e35e32a84a58ca403c193218518d8

SHA256
e0bab989568d5db5cd059b34453fb3720d483088b5ce0d2e67e7df7eb000bc06

SHA512
6f7f2da4e0805f949ed262d86c2996638fb60007f6283d96ecb8ee48f4797fde9668f7bf8e1de7d59d0bc36f6baeebfb2e1a6932a7c3158c0eb364774b09497a

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
439KB

MD5
8d7e3d39d5947691314dcc8b142e141e

SHA1
6c15a05723a6d89a2c18013d06b1fe7ab4b7e35c

SHA256
c21be408518f2e444c15552ff60ab11a1e1280c810fb008e620b0e339395d074

SHA512
387818b818ddcca7b350b91fb02aefb17d8cfb3be9b20a5814e3e7c371fea939ff34f5b0dc492de355cff6f6301b42112624b5e654dbf0422779c3a515fedff7

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
439KB

MD5
3e8251185da389b3abf2ee4c7b1f04b1

SHA1
254c49a2f25ae45db13f42ca45866a4ec97b6104

SHA256
023cc351450bbc9d85848e7d830c52efd26fc7b1c95e0485614e7e13d74a5312

SHA512
6bf98bbf640f1f25688e9a9fa8b399dbb825eedf8c6c42e8ff9d945b1a1a30d3cd1254807ee3c975b2d8199e526480a632b40fcf763722a5685e2aef498bcf09

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
439KB

MD5
b41cbdcc7b00b38f16848ad5e1a74761

SHA1
6fe78de3ad1b3d6fb349c7ac8b88e38d41e11d21

SHA256
666785010c01e0b33480ad28e6d5874a754187d1953f141965ae1d749d42f5f0

SHA512
f95cfe6962815695d40a9a1abbf1548c46cf1e08fdae02f2c7f77132ffe566ad41c1dc81fc563ab2c395ea6b41a6f59774ea97ab915ccf48048b9c96f8f95b72

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
439KB

MD5
588f5c7d882b79ae31610075f978cf05

SHA1
857402d0c1397b282aa39d5a60f8afe2d5a3cbed

SHA256
4a08d70d88648a8d8a32c96e28c63a4e69e9b7981c3fd0dd08f56a284a1ad888

SHA512
63c35f24e3026205e51e1f68197be0492af52d8c52084ef6ee7e4dfa07d40b76bc3b9a4e24048622977cf1bf9b5429941a8b2b589ce332765009dbcc0aac62dc

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
439KB

MD5
443bdc84aeb71cdd6f7eca23456af253

SHA1
71413c46b54921b93e3a1360e0649df9da26ce1a

SHA256
d88fdd8faaee8a58b36b88dd1bf683d8cc9ce234ebedbefa032285c6a79f9289

SHA512
36e7302b8ae3aafae7f77000f4a8270e1d2beef7fb7a4cb4da4df3d6cab97ce0e092e2adacf069ec8a266e024c6e0b0274a1dcba3bcecd16d07cbda14b68f56a

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
439KB

MD5
40c7e5c6acb2e6ce1f507aa98a98a94a

SHA1
b93ac556958a0923fcf2f97159a3ef8f6f5b7d7b

SHA256
3bd47602f120d5fcb58bc7368249c0e83339822cab4fe52b06b93310a8784c86

SHA512
7acd7a33e696e9ac3294d97f3d42664ba9aabfdfda2b591f485382ed0e56f897d745a3411f430a81a58e659ad60dadaf1922fe969f07aa7e39cbf05c2ce1e693

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
439KB

MD5
339d4f3acfcdb0355a684f126b97be47

SHA1
bebd0f0cec7c514d801b9b92b38f623507c25791

SHA256
74a8f31c9098da5d397e3dfef151954644a84f9636da0e6558b4ebec0882f6a1

SHA512
2cbd680937100dcb3a542d16e2a811b1babb69c365e33c75a6c285690c56fbd8859e2ab0e8abaf3503e7dabb94d7ade881507378ba477920ed6d5326e95ebdbb

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
439KB

MD5
fcbecabc4fced7d059a3665112efc1b3

SHA1
6931f5c0803d24a64772672f27bf8e41628e443f

SHA256
52a6229622c0bda6da34cc8e4dd2fe23b8dfb94160b303c3921665f2c64d5698

SHA512
efb76354946d3d01d343b25b3f27502cbede6ba201310bcceb2c041215ffdc39c05d1b8185819c623e6d79a270879cd68fd1194010c0a5df91dbbea94a4b878d

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
439KB

MD5
9c286b3f85889734b08282afc88659e8

SHA1
d573792176f3534ca14ba664aa200e8cdce3bc11

SHA256
fa02d84866c1a12da3fd502215651d7753f37d3fe1d07cc9eb2c33396bdac7e9

SHA512
82ac74928c5644d2e3778b2bef44dc6c1952e6d694ed3d7e5ee42fc64b88d04151b67e4b242b7945f74532e2230d5dae20233b7df57cf7507b9308203a976b36

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
439KB

MD5
f2b49d6b3d462ffe0db864c8e183b2c1

SHA1
d4615941d6bc836aa62fc23b746b6bb3673d16fe

SHA256
af5281232f1f846f1af6ce3995445743ce33547a552b00f322a1fe35f5f5d387

SHA512
b592cff00f2fd85597854a66ef9a226e9a66433feb4bab00c081f2bf5408d00c273edbf0d7f01eaedd620261d036c550338f3e731cff19ca2ae17a2739beb428

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
439KB

MD5
6d2cf08d156d5d5603f4b756ffdf9372

SHA1
960a603e9e05042671a062ffc509dff28715e066

SHA256
6670282aa6b27b232d230a1e8211405460fc57e8495e14fddfe94033cb063eaa

SHA512
3ff7b30df078ecb1f0cbaec49ba728dc161f8d36f09289c2e7bcd32bf39a72e03819847fad6e7350a54affe5c449eeb32fcc42357acd654c5e5e9b98a021a795

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
439KB

MD5
8a6bf633c4bddf625424c9537149c555

SHA1
93c3426a66eb03fc709a230bebf5f4f52cf33fca

SHA256
38c4af51da1840069d9ca212710c6114c973c63d6a8b1757e8a7230374f2b24e

SHA512
b8215a0aef5b3fe6588c112512b2191fa940974b21c18fffc90269160a0d06901642bdf565f351c12bf8c0ab148d936dc319ab5c3d6c7502783bb5f83c1e30e7

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
439KB

MD5
8e211036c59902a7b25fec3d40301b8a

SHA1
32df4917aa518886f3242e642080ae95999b0b0a

SHA256
c8a2822630c48b1523cebb6ee71174ec8cf41b76e3c50612599ae5759c6de774

SHA512
aec0f40f46cf3f2d70a2123a868d4f91e6fdb800928e1bbeef603c0cd0244e7c9f09f64da5921615d1da9ed99ac67522ff2194437ed998c94e2f0f688aaee69b

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
439KB

MD5
df91165e5004af698e12923ac5eb3090

SHA1
a74435d0458d7b21da1d546bf46b6ab5967ce7a7

SHA256
13b796ac520286eb484acacba26e8c94582bde143c2760b1a7e924bef7711622

SHA512
280d6ab803c63700f4d62349378078f2eb694e037948c9b7cf4427ccced46f7585f6dd136ccfff2971c982c915b463c53b3abdeac8fa370cd8dcf13f4602b8ae

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
439KB

MD5
f95367feb9f0ea2369f357a0bb02e1e9

SHA1
08f5b85427c146133a0931139315e17cec0a9fa9

SHA256
e48d62cbac2503169d032a4c16f0b9d792e8c5dd307b816bd01d1ff2aff88724

SHA512
77595597b9be773274d29ec3fef73e19dae00e32d2b7e9b456cabfa502d44f91049f33f0d3359baeb3356d04f3e602fdd21950d62227fbea5c27a3bf5a526444

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
439KB

MD5
f6afb759e1e2ea4f6f852a9ecfcc4cf5

SHA1
88f746e02f968d32dc1f4df3110d1505d31817b5

SHA256
0ca03f752a615a3b03717c7e02335da93cc8661c8fdcebc7e6e687f07d99867b

SHA512
5ce079aeaa45988bbc424a8078f652e792372f365d66b94965799ad92305d0e4119a1243f34a0297d1aac748ed6e0515b8da28e457f49afe6dcb799d6dd76382

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
439KB

MD5
abeca073cabb6db673b42f61d228ab16

SHA1
e9356005e92803e69f05d5bea1d30324a1f0c9a6

SHA256
d713ee5cb05c272bfb4be5c4b049beede1d7adc2549a6dfd5d75ec085ab18fad

SHA512
ce8f9a2395a2bb4378a9f0fb40ffc26db1ae956bcd4952819066bf7859ea8990733741cdae5fbcc664d9b7ea455fef2a3526e74044e1575ac6d842c7f7d55d1a

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
439KB

MD5
3a03b3b6664b1599218df8f56ac589da

SHA1
e844bb0d56565437e0a89e24a2392a1e60c2f23a

SHA256
0e154a06a18ae92e8ca70834a77ef9162ce546a0312d1c5a309d78ae0129badb

SHA512
7d09a9f3f786516ab4a31b357cdfdfb587b789f0839475a270d20138d5490abaac428bd54a6485ed175f92b896133c3603588117e68db68aa964fd6b3bec2251

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
439KB

MD5
df1c34fda2c85cf743421ae3b6345a73

SHA1
fefd205a8c8b5cc4ad124493f464229ab52bb62a

SHA256
a260fe1ab536f1322ba00e26d8063c4573b1a79730d063884647edc1aacfffd7

SHA512
0cb58b96bc32f03ab68c228c17b93b48fd9ac383884bac8a916f659d6d88d6eb2a411d19c1dd6f0805540d933e72e61807c4a4e6a52f9a9aa5ecddfd8a16b316

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
439KB

MD5
eb600ce8cf5b9f824020e1b0b4a22ac7

SHA1
c63372791dfc0f8a4a3b21fc204b085ddb33f171

SHA256
74952bf120cb88732b6fd4ef8ee9b178b239869a885e278f080807e098389606

SHA512
cf3b2128c74327b91f25f1a925fbfe29d6dbfef5d2b955f080e3764b744ead7ffc141cfda0fedadb4cb0a7d12eb55f7d651ad2691344c101f955caa52338b42e

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
439KB

MD5
2d3f496fc3b270d18e01fb2fa8814a59

SHA1
cddf1624057ea90efa55af7a74db460a934a18eb

SHA256
2fb169a9a195359c626e5d9840fd7ceb500f6931573ff400fe26c5f20fed6300

SHA512
d6c3e95713237624d993f847a27947089cddd3aad47394b46ad71a9659d5939576069887d6d367e0c82dc81a1fe8afd37ae1392f2df78e4a21a61da6a39987ca

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
439KB

MD5
2e7bf31a97d99b8ccd76d2ccfde12658

SHA1
71d2ff8b4115ea48580fad6d779a284b9b3b7359

SHA256
d310f91214a6f3b4de8a653814fe6a37c717f30b729386ebbc68abf8df1b1374

SHA512
493ecbdb71742ec147f92e452b793db4ebc22a2cb3dd01949dcadb955d42e81e5fb9140f10a535a646b22becf23fbacf9568472b40f5ea31b5c2834c7364b4bd

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
439KB

MD5
5bfce8ee0685fc2a2ff3f64d8e82a7b1

SHA1
875555b0db430a08ddf74a6d8be608cc7be718a5

SHA256
7e6d278e332f1e78e6585bf563237d70299991a29b510cff2d3fee4e47d48d00

SHA512
ed9a29449dd20e58fbab918c69bfdf539a573eb7d2dddf399dbec17cd3ff5e88c84c9f1ece915d316cbb079269da7b3e972244db4e08ad37be935c80d5003714

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
439KB

MD5
f2747476bdc5678581006f394250f7bc

SHA1
152128803eb9089ebb4ef928732585790804ba71

SHA256
29dd24b3c89b5dc7e3cfee73f152df7ec94581941eb86eb9bb1b232180f1f9bc

SHA512
ee70ded3cdf32d2e6aebdc8180fefff71062d7c6a812c6452ea93aa1d892ab6288f430ce81deac38c171f411720a8a0d09dfd6133739897def19b0ac694cac61

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
439KB

MD5
ab01f0ee8fa289f2a21bc41d9c763a76

SHA1
5137bbb09a08f503c1c421429c16e16324c7fb8d

SHA256
0260d5dbc15e7af62a673173280ae911785edc5558b5ae05c5d09e05e99c5841

SHA512
1e19ce1167388aa2894b01a972869fdfe2d1da12ad5c116383991dfff0a70987a62336f3f1d56b597d2699e4dd2182334e517f0d14f9ed0c2044383c7c56d4ec

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
439KB

MD5
d0deb45e0cdd62c5e43d3cc226433092

SHA1
9ebe8a5aa2010603eca3554dab20c1319ce7d65b

SHA256
cafecc7552d2a49ed22e65ce2d79201829aa8ae52777122fdddccca271c901d0

SHA512
1b897905bb0c45bf9398aa851a30bcc53af47c55ff8962917f3435e3b8db6afbe949beb83522e9c34d63baf87906c655fd0134fd4a5c8c091840c770380a6749

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
439KB

MD5
d46695f4d323ab84fad7771a78550f62

SHA1
767faf19ae7e7c0cd9652179b6d02be93d7a8006

SHA256
5ea44d37728b9880a30719cf08cf9492112fdb53bf9a261053647a0dd9f211fc

SHA512
94463cd3dbccc102252dd3bbaf528514ccb7a6852ed4a0fb3cdd07bc8d4ab933bbbfe58375e79bba2669abfeb4856609f535146c6bad16b3196c4a8a008a6136

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
439KB

MD5
2d7604957024f7799fb609277451e28a

SHA1
fbb6ef9483acd9d0808d44c06c700194209c67a9

SHA256
26561ee0826955d170b38fb11f92fd9f17d1b7f7fd178e05b54561faf0d81b42

SHA512
c63634bc8c89fcb56b3acaee46a47e4c06b7c15b15c926b650e44172fe513bba16a89e31ea6367465dc0a0c0102ba54672d7880dc979e74eb987f27de819c18d

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
439KB

MD5
eb75076e26e9450107c003aa9a3ae143

SHA1
a5df5e28659a6db4378380a371e55833549cb0b8

SHA256
1a5916e349e421063416c56af37f31a60ce34222ce7fa5ff6b79910ab06c1b37

SHA512
6b7c8f1bde1aa3f902944741abc6ead863083df2e5048a297a3f92bca45ffdc3775bc45f2332dcd3bbbd768fce878a13ead401c4d722582f3ad0abde815bd476

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
439KB

MD5
3bd0ff74b8b733774ac5dee984582b83

SHA1
957f2d61af80f48146d19bf0661b5a63e3cd5285

SHA256
66cbb3f239f1f4d1c53f740ca09b62aaae086899bc80d6bc14b0df3f40144421

SHA512
b9fdffd8424097493efc030d0b8b65d507a8dfc992ee6f3b1b19bccde73acac42bf54a939dd51e793f88b62c14654e5ab8ca084a4fa6b5baf732cb1e72ac11fe

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
439KB

MD5
6a396a99e80252ecc7ca90d41d8ae4c8

SHA1
176403fb8a788be5e35902aa005fb2453ef5ccff

SHA256
4604b7729699956030d9a3b0bce9487c1fc31959ed31d92ef04f93f2b99627d8

SHA512
5e50850bad636943b32e82f61b1daa58fb2ce720dfb04a74aa33d3ec9138d83b3debd913faf49674006c51d67319973ef41e02c75283b7e096f87122c1704a44

Download Submit
memory/116-543-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/316-466-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/404-380-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/408-419-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/464-490-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/616-293-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/740-275-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/800-56-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/800-588-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/912-232-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/928-64-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/928-595-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/932-389-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/960-484-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1032-347-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1036-256-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1036-853-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1156-184-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1196-73-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1196-601-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1308-582-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1324-335-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1400-478-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1580-365-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1652-395-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1684-437-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1756-413-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1772-401-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1796-563-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1876-589-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1948-193-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1952-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1952-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1952-537-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2036-287-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2104-353-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2144-330-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2148-301-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2180-525-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2188-317-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2284-109-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2296-24-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2296-562-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2396-614-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2396-93-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2456-508-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2536-472-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2712-454-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2948-359-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2976-200-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3096-407-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3228-160-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3332-129-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3372-531-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3492-263-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3612-429-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3624-225-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3640-556-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3652-121-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3740-176-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3844-137-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3900-496-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4064-311-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4144-371-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4160-569-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4160-32-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4168-217-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4228-341-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4272-383-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4296-447-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4300-269-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4412-549-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4412-9-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4432-506-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4448-49-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4448-581-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4472-157-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4480-281-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4500-81-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4500-607-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4516-305-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4556-431-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4700-608-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4704-519-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4720-248-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4752-460-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4784-113-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4816-41-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4816-575-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4908-323-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4920-97-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4948-145-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4996-209-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5020-555-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5020-16-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5048-168-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5052-240-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads