d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
Size

56KB
MD5

e5bb49b59907f3c4e32baa8a89db4ae0
SHA1

8cfa669c163f2e3b5be9b9adb520e89953078578
SHA256

d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246
SHA512

17dbd91e7e430b3b8809144db031d7687ed61d7969688cf77b980814d7c608d381dbd1527679523c6a96964990b8449fd42cc7f64e3a68cac75241429a598d0b
SSDEEP

768:+G21bvYVgabvEYMNdI11kXfsWcOglyVgmApauzq0oCZEYhP5/1H5+Xdnhg:+r1bvRNdo1kVcwgmAYyhPbyW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe

Executes dropped EXE 64 IoCs

pid	Process
2796	Lfkaag32.exe
540	Llgjjnlj.exe
1744	Lbabgh32.exe
436	Likjcbkc.exe
2836	Lljfpnjg.exe
3188	Lebkhc32.exe
3260	Lmiciaaj.exe
2112	Mdckfk32.exe
3784	Medgncoe.exe
4756	Mmlpoqpg.exe
3728	Mdehlk32.exe
3988	Mmnldp32.exe
464	Mdhdajea.exe
5036	Mpoefk32.exe
4204	Migjoaaf.exe
3328	Mcpnhfhf.exe
2688	Miifeq32.exe
4412	Ncbknfed.exe
3528	Nngokoej.exe
2192	Ncdgcf32.exe
512	Nnjlpo32.exe
4492	Nphhmj32.exe
4212	Neeqea32.exe
2384	Npjebj32.exe
4548	Nfgmjqop.exe
4932	Nnneknob.exe
2792	Nggjdc32.exe
2956	Nnqbanmo.exe
440	Ocnjidkf.exe
1168	Ojgbfocc.exe
704	Opakbi32.exe
2668	Ofnckp32.exe
2004	Opdghh32.exe
1864	Ognpebpj.exe
4304	Ojllan32.exe
4160	Oqfdnhfk.exe
2268	Ogpmjb32.exe
3648	Ojoign32.exe
4612	Olmeci32.exe
2656	Oddmdf32.exe
1616	Ogbipa32.exe
4912	Ojaelm32.exe
812	Pqknig32.exe
3068	Pcijeb32.exe
100	Pjcbbmif.exe
5088	Pfjcgn32.exe
4444	Pdkcde32.exe
2700	Pjhlml32.exe
4544	Pdmpje32.exe
3276	Pqdqof32.exe
532	Pcbmka32.exe
4608	Pjmehkqk.exe
748	Qqfmde32.exe
1236	Qgqeappe.exe
3560	Qjoankoi.exe
4228	Qmmnjfnl.exe
980	Qddfkd32.exe
3428	Qgcbgo32.exe
4980	Anmjcieo.exe
3172	Aqkgpedc.exe
2256	Acjclpcf.exe
4956	Afhohlbj.exe
5104	Anogiicl.exe
1888	Ambgef32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Blleba32.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5928	5840	WerFault.exe	210

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2796	4164	d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe	82
PID 4164 wrote to memory of 2796	4164	d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe	82
PID 4164 wrote to memory of 2796	4164	d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe	82
PID 2796 wrote to memory of 540	2796	Lfkaag32.exe	83
PID 2796 wrote to memory of 540	2796	Lfkaag32.exe	83
PID 2796 wrote to memory of 540	2796	Lfkaag32.exe	83
PID 540 wrote to memory of 1744	540	Llgjjnlj.exe	84
PID 540 wrote to memory of 1744	540	Llgjjnlj.exe	84
PID 540 wrote to memory of 1744	540	Llgjjnlj.exe	84
PID 1744 wrote to memory of 436	1744	Lbabgh32.exe	85
PID 1744 wrote to memory of 436	1744	Lbabgh32.exe	85
PID 1744 wrote to memory of 436	1744	Lbabgh32.exe	85
PID 436 wrote to memory of 2836	436	Likjcbkc.exe	86
PID 436 wrote to memory of 2836	436	Likjcbkc.exe	86
PID 436 wrote to memory of 2836	436	Likjcbkc.exe	86
PID 2836 wrote to memory of 3188	2836	Lljfpnjg.exe	87
PID 2836 wrote to memory of 3188	2836	Lljfpnjg.exe	87
PID 2836 wrote to memory of 3188	2836	Lljfpnjg.exe	87
PID 3188 wrote to memory of 3260	3188	Lebkhc32.exe	88
PID 3188 wrote to memory of 3260	3188	Lebkhc32.exe	88
PID 3188 wrote to memory of 3260	3188	Lebkhc32.exe	88
PID 3260 wrote to memory of 2112	3260	Lmiciaaj.exe	89
PID 3260 wrote to memory of 2112	3260	Lmiciaaj.exe	89
PID 3260 wrote to memory of 2112	3260	Lmiciaaj.exe	89
PID 2112 wrote to memory of 3784	2112	Mdckfk32.exe	90
PID 2112 wrote to memory of 3784	2112	Mdckfk32.exe	90
PID 2112 wrote to memory of 3784	2112	Mdckfk32.exe	90
PID 3784 wrote to memory of 4756	3784	Medgncoe.exe	91
PID 3784 wrote to memory of 4756	3784	Medgncoe.exe	91
PID 3784 wrote to memory of 4756	3784	Medgncoe.exe	91
PID 4756 wrote to memory of 3728	4756	Mmlpoqpg.exe	92
PID 4756 wrote to memory of 3728	4756	Mmlpoqpg.exe	92
PID 4756 wrote to memory of 3728	4756	Mmlpoqpg.exe	92
PID 3728 wrote to memory of 3988	3728	Mdehlk32.exe	93
PID 3728 wrote to memory of 3988	3728	Mdehlk32.exe	93
PID 3728 wrote to memory of 3988	3728	Mdehlk32.exe	93
PID 3988 wrote to memory of 464	3988	Mmnldp32.exe	94
PID 3988 wrote to memory of 464	3988	Mmnldp32.exe	94
PID 3988 wrote to memory of 464	3988	Mmnldp32.exe	94
PID 464 wrote to memory of 5036	464	Mdhdajea.exe	95
PID 464 wrote to memory of 5036	464	Mdhdajea.exe	95
PID 464 wrote to memory of 5036	464	Mdhdajea.exe	95
PID 5036 wrote to memory of 4204	5036	Mpoefk32.exe	96
PID 5036 wrote to memory of 4204	5036	Mpoefk32.exe	96
PID 5036 wrote to memory of 4204	5036	Mpoefk32.exe	96
PID 4204 wrote to memory of 3328	4204	Migjoaaf.exe	97
PID 4204 wrote to memory of 3328	4204	Migjoaaf.exe	97
PID 4204 wrote to memory of 3328	4204	Migjoaaf.exe	97
PID 3328 wrote to memory of 2688	3328	Mcpnhfhf.exe	98
PID 3328 wrote to memory of 2688	3328	Mcpnhfhf.exe	98
PID 3328 wrote to memory of 2688	3328	Mcpnhfhf.exe	98
PID 2688 wrote to memory of 4412	2688	Miifeq32.exe	99
PID 2688 wrote to memory of 4412	2688	Miifeq32.exe	99
PID 2688 wrote to memory of 4412	2688	Miifeq32.exe	99
PID 4412 wrote to memory of 3528	4412	Ncbknfed.exe	100
PID 4412 wrote to memory of 3528	4412	Ncbknfed.exe	100
PID 4412 wrote to memory of 3528	4412	Ncbknfed.exe	100
PID 3528 wrote to memory of 2192	3528	Nngokoej.exe	101
PID 3528 wrote to memory of 2192	3528	Nngokoej.exe	101
PID 3528 wrote to memory of 2192	3528	Nngokoej.exe	101
PID 2192 wrote to memory of 512	2192	Ncdgcf32.exe	102
PID 2192 wrote to memory of 512	2192	Ncdgcf32.exe	102
PID 2192 wrote to memory of 512	2192	Ncdgcf32.exe	102
PID 512 wrote to memory of 4492	512	Nnjlpo32.exe	103

C:\Users\Admin\AppData\Local\Temp\d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
"C:\Users\Admin\AppData\Local\Temp\d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\Lfkaag32.exe
  C:\Windows\system32\Lfkaag32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Llgjjnlj.exe
    C:\Windows\system32\Llgjjnlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\Lbabgh32.exe
      C:\Windows\system32\Lbabgh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        45⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        50⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        66⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        67⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        72⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        74⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        75⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        76⤵
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        83⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        88⤵
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        90⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2892
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        98⤵
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        99⤵
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        108⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        112⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        113⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        116⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        129⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 216
        131⤵
        Program crash
        
        PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5840 -ip 5840
1⤵
PID:5904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
56KB

MD5
a5e7022279bfe297b899ed9df50cc985

SHA1
a35b816d4abc830b33854ef0c8b9177d321ea49c

SHA256
049f4f377210e00e27343ea23021ad4aeffe0d7a869d4e8fae26437fc77b8cd7

SHA512
5443c577206928301b4fe024b248eb41464e920f39050f3b5f6ebaa9fa7e11d592e489e31bcca1c527a2ad1286b9bca46605df4335481013e85e7d777d862608

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
56KB

MD5
5def9d207331f8babbbfba7cfb2933de

SHA1
b0ae3d84c08582cb5b1b80100dae4a60a2c002a6

SHA256
194ceb9a20b15d20d0115af1038df26b13fc889bb8bbd370d16db09d97edb1c5

SHA512
108ffee9685b8f4a1fa0a47d25edf178c81a0076a084c129f71b7b5a0755eeedadb2ba3762a9258a9e87b0427a281140537c2af4c87ce8884fe4f5659dbbb1fa

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
56KB

MD5
11fceba4edc6e55525dd132798fff323

SHA1
a3a5400d93634e40cd6cf7c7dd1f38415065e131

SHA256
05fe20b788c120bd76e6e17dc59ec91000486ef7f7efab9495a5fb0c10b30b91

SHA512
861d31373124bd95f5b1412e337d6d02e93a0bded4719d6a3bf1fbd6ac8f812eef127ad82f146cb01d6af0e00891e222a492c3b4944fc0e06da6cc9d12f804e8

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
56KB

MD5
6f16247cbb6f890d7397fc262d7e9fd4

SHA1
c0d0c9af11e2abc02fbad1275601958fd63ae923

SHA256
7c86fdcb0262edcf1fc260af05c76530b4740bb66a8a04691f7bec1c6dc08ece

SHA512
0c7e9124b82abff5b950407297e12b2018eb34fa9627ecd5472cd56cf48d7eb5d0d3c1d67b7505e12ffab70631390b89375125176a834a7e59cfa96384b7c7d4

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
56KB

MD5
8d02da6a7dd9b2f5f8264d2a8a16fd02

SHA1
7d948290cb8bd9df8a8138337ad18b442bfb514e

SHA256
5ee11a845249b067e4b18e3d59ab0f24f8b93ffd41228b0969c797d54bf0e806

SHA512
c1ffc352a1f75b0e740c0ceff3a2bf97260d9fbfce27847c0804097b29d0d8ce39c2ccb5775622afb0fb91926fc944968305e3e4cc6bb53e060a9e59871c5986

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
56KB

MD5
81bb59938fd4fc14ac5029743c5af188

SHA1
31411e7ae87a49a05bef218e181619f0c243dcb1

SHA256
02c4a3c42abc5b6df52207671e54dd3126831a577cb3005ccb62e5646f44d191

SHA512
74dfc7612e666070f3eb25874accbb8731af99559aefbeb1f8012e59de7e9f2439e99e3ac2eb6a48d8914e2bc081e2d7279fa7676a036952f3278382a1b3bb69

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
56KB

MD5
2200345757581c515590699d9e843861

SHA1
64dcf1d6f2854e807f4900cb0fbe3513dbf5eaca

SHA256
c7710c1805b1574dd4fd44ef4327d3f003f199a26dca027a4ac4222f66fe7972

SHA512
9d5a6136b2c4049fd7da08f23f19a74c77157b301349359487169a392eb764d6bbb507a79cf71d674fa9bb41a87bec6850bc8d24ba87310732dcda60923ca075

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
56KB

MD5
3dbfc360569392cd111f4a93c452955d

SHA1
37f2095d0e80833a8b61ff2bb7822d69a450f935

SHA256
512332860be9d3e208dce0138633c5662f9cb1d40dfb12aae8c36568c95379d1

SHA512
42db359967220094595edbf88016552dc6f149bfa88ffd48a5cfb69b654fa2dfa41bff1b699fac26a05a79d717554d54ffcdd5c1931508a334122b94878e62fc

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
56KB

MD5
b08ee0d72775fd58e334c4ed03ca3e25

SHA1
d53f4a255c014a68c1907553a204edd76f2212d2

SHA256
42bed7825615e4e4189ce3ee2291136013087b604eac9b3b201aaf2b5c2456b1

SHA512
3af3a6b910aa47d3686a9bc24400a3f23f81be14689a682d9e53e5524f63028ca1ce2fc1ff1e83d6ed82959e34ef2706105799e0fef9746cefdfc13bc81c1549

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
56KB

MD5
af4b7a3693fb00ec3cc16420ae97783f

SHA1
1aef3095a6a236e0d8478af6da0105c468ebc961

SHA256
1a2da814a1e726237cbc6e10c8e22f22cdaf3eee29da5138630ee2506c3585ab

SHA512
20868feed29aba3577a80b65c079c39856d00d57c0c67b05ae02bfe8b7c8685a8c796342034c8fc37c4068d8fe86078bb14d232411317f21038eba3a138c03f7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
56KB

MD5
a6480608b76af6495424a53e215e9506

SHA1
7593697abbffad62460e3e21192fefaf076ccf90

SHA256
06367eed7c564b3284b5b7eb87b0c3b660a23642db6fddff9a1eb0618d37d53d

SHA512
cd5f48e9258532698d07f04d8858e54f63ff737fb0a2c93dce7133b9900b070246ab28611e8b85d35918d080320ae003229fba179d214d56f3b0c01fb5895fdf

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
56KB

MD5
f0145ccf0fd62cdbfe9e5e1195f0de57

SHA1
874f93699d8fca210513cbfb05ab1144eceb90e0

SHA256
93ecbcc27f5eb5cccd3a3f9afcc082f095cadb81100df2e28c8dd8063fe72c02

SHA512
49a473845d02f713bbb333ea8e68b6037f9da414679242b3a1c5a0eea05eef4c420f9b1f72e41413f94b713a67a1c9a85e7b9f37254270b52a3c6f2cbfebcbd3

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
56KB

MD5
44ad15e515fb56ee5fb3541594ddbc15

SHA1
fc8f7c2bfe879b4165276b53b257953b4f237065

SHA256
066153177b6ecece9c55f2c4cc0d228637737f86c47ed14bc728eaf5e8697960

SHA512
03508e16b9570e1456214afe905cc2be05023e3c1ed26c59320d466e047de369d3f8ddc31843c28c0c703bc02b3d8b8a8110509c7853d25943cd50178e772f1c

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
56KB

MD5
5fc8d46f62f7698b9199848a2b249e50

SHA1
dc9e087c9e5e4f101ebcda04d06a0ddf6c7f1d76

SHA256
c283c2cf1c648935653a499993a18d49af8c62c69ce4953e299b638c322fa95f

SHA512
375b59025de156037d94afe72ef77f4d21ced1c8920f0dde852b78ac4a17e3295c750c988baa23f624ec54c064497c2baf8fc25cecb18b10377801294af930b9

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
56KB

MD5
de8b5e61ebdadec1f6f70fc3cd54af7c

SHA1
f365736bba9e9511a884b633ce47178ba850b7c5

SHA256
9a1128a3ea1445c18642a0e118c784d42c450a8a06dd7dca3fd89edfca8817ff

SHA512
9bd9661bb9b02f5a497a8f0a70fa866f7313796a65b93a6131373e3da1c1db5fe2fe76d0866770eaf66d6aa9687d6effdd2acf642d2a860bd7afc18def6085e8

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
56KB

MD5
53b62a8f4e422c79bd0697fa32d8252e

SHA1
bba1094bee50256b60dd19d948fc6904510acb36

SHA256
67a10f4d0f07f65973e1a12469efed82c9ac7c6fd72f06804335115bd104aef5

SHA512
f6de2812d1bc575681b24ae8f79d4ca8894d855bc614ec995fa58b7e6276de5049423ec92779f1c39af6c05345b2ef5648adc3a9788c75e9b75f96405411a4e9

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
56KB

MD5
ff22ec15f36aec44b2c0a3d57fdb41db

SHA1
39ebfbd5745268908e9084e4976223b91e0c573c

SHA256
b60d05c3bb815f1b995d95fa24cad30c4077f8cd3483ba3d9d58de5ef12cf261

SHA512
58fb99e490f0d3fa28f120edaa8bfb3bad4f32a7a6174ebd95bf5c7599a90aefb59fa3f87be6c728a1a0a6de51b05cabeeaf56a8d6e1995afec00a869f5324d4

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
56KB

MD5
658d0827fc175cf0dbed209f215c4a14

SHA1
3b80a4969a90508f0e5b56a7dc82ea13a44200bf

SHA256
16baa57519d4adea2ce33f52656e22b4130ab4d50cc2a01b9c56d573d2893f4c

SHA512
c38cf3543d127a9943b12302ee192c77a22283d38eb1ab5217e07e2ece646b360a1fe2a41bba1d66a63bca2e56bebe899daea7a312bc1eb41f4c15d58ed14b65

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
56KB

MD5
ae56bea5c79f4f3bcd6643a04a122951

SHA1
e215b7590cab5f5e997ef09c590dca00184d14ee

SHA256
41578f45d41f7bf38e7ea876bf3185bd9e72984852afa829544a36f791bb4947

SHA512
2fe7cb3da0513ab962429732b47acfb784c2ffa06ac394f19d59f587241703e1d998d0963eb284de551e1d2a7b7d2b7b0a2d9816ea9799f883e3304d6bb7f48c

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
56KB

MD5
9a2dc2671501978e832f62b997d06927

SHA1
7c72df1bce6221b5d557cf137396ae2e945d132b

SHA256
28473927868e8770c4f7697ab80aa9fc461a0c49b679af294d256c0e3c62a2b6

SHA512
9c43261ee35b2bd3d055076e37b7701317c3bddb53918781e14b89658c05bfd7208cb97b3fa306d269ff0ba54366b90589c31b97d7f0512cd0d81cd047219ed5

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
56KB

MD5
2117286d88524b960cd25e448e852e94

SHA1
167e21db69bd7c7478332ccceee1b232ac784bc1

SHA256
c9bb938c3a86b89426bbaf2fe5396b97cd6f029ad56d79ec52d27c9b082cbdaa

SHA512
60b3b05dca4d59ea26ad0ace63111c6e3a5785bae9b3d7d04a20b2a379387cdeaa2e6c9afa32cad373535476326c819e062737ea9c25f06a7a78acae93dc2e73

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
56KB

MD5
24b0b2d38ad1a778dec3b9e992c961a0

SHA1
f1ccd7090ed1ad64598265b93be7d4614afd40f3

SHA256
1dbed7a14bc681529248b291c096c4a4beea12e66c981912efef88d0edd5afd5

SHA512
f8af511ce17a731b1db6a815a14ddd4f61644dceb0c9c7d837674650c517a74d4711abfb6b9b2685253adbd5ea7b3658240f8d49a8ef48b919d465d5ba748d70

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
56KB

MD5
0275661c9246d28df8bef57c1eef642e

SHA1
f218ef3fdd1b693b6407a16b9119191ac6280122

SHA256
555b4a3c10e9e98ebe5803f74925383b5397f387b84452169457403dd26995da

SHA512
a8701fdd0e1627e7254d73a722b9e20021dab83b1a24d7e2de38a6726119d705bfb97972d05aa6a7cdcb7ce7eb8484a85acb0d6e8c07e24cd3f68ce63c74e28a

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
56KB

MD5
a7550a8e7ec232d6cb3fc8db3f9b257d

SHA1
074514a153a2cd84e099cf91d88e33a3bc9bba9e

SHA256
7fb4301addd177b117a275d1a0a02b4569d99be2bf20c3340b472faf9b959470

SHA512
b48c61c89fc32c07449790d56f1f35e1eee15dd520d8fd72db45f85a4b2c4b81e82eaaad120c6cacfe705a1c75a1cdecc67ea636f0f273996c37ce7afc32175c

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
56KB

MD5
53d8f55bc148345317d3ea53771043a5

SHA1
7a2d76a57e8ea759bdfe183d6561f0a59baa06d8

SHA256
59ef1a03e197f599cc88d2194373651d6edadd6eefe95a047d79c020d551d7f6

SHA512
8cb354d5ebef5a525ea0fc5555c62a99f26d6b5fad0d44db6fea97d62df1758b0a1a2ecdc0e7136af0f72afef7b16f7df9302f93aa1a5b3c1ccba89042fb05c2

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
56KB

MD5
02c87546ef6893ff7dd1d0b83a256ce1

SHA1
3107f35d9e125b294ae2f1132a9c86bf4f740a7b

SHA256
f068d61bf0ca679ae0587022cad2fbde16fb8bbf60ba8e5fd0f8fbb5d6d81e6b

SHA512
269f3b4ff4ccbd96a1f28b85f0ccffd02ed614478cfad7b94e9a8d3922e5e8fafef990ea34255a770023932170df44c0aa24676ae3f92378f9dda92957b072a4

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
56KB

MD5
e1dd38a1d707403d0a358c86d267f08b

SHA1
42fcec301c76b9899f261f5090b77dddf81c658f

SHA256
fe10c4e79bb5fa364f55f654f2350c91bcce32c5a532c7a4006c0f82ea02bfae

SHA512
73ba69c0d0faab2da8b81c02bb4003edede202c753f2dad57ba6752da285a0ed42951d053b311e94713339e15496d8d1c5c86bb646d060c34b46dcf3d8a6ae28

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
56KB

MD5
b45f6bfd94c2b079a27a6a44512aa8ad

SHA1
68debf1f75afd25572a7a06b53b0dedc4689a919

SHA256
fcd9a8ce1272ec0d7bf368eb0139186ad4dbff8038206641ff6562cb415591a6

SHA512
055f59d54b4b44f03177eddd2362d12eba6001ca0e7911e0191f60436094669d453b55128867e5a6fd14b0d3a8ac382e95a7e8af8968ac355488f1a850bcb070

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
56KB

MD5
5a86cffa3d2ebb2476db236d9612d1dc

SHA1
a6daea78199104c972ae922211c53948c01d3eb0

SHA256
6ad2283fc200175b7e9d61fef80d0305e35990890530f0872322a8559793e358

SHA512
f59d466de24cddcd78100b3959cfc598945d316f37140249cd49884a8f8546c1085380ee2369fb38475a43d80dd6d414ab262a7a00e1e06e714558919414c6a6

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
56KB

MD5
97cb12d30dca67265444194af5c4ac13

SHA1
b2cd15ba6b21d3487191a95656979b0c0ac020f0

SHA256
506cc4e4da6118d418d0853b67e66c1b636e18bf74dbb541c9ff2058ae321b65

SHA512
7fe05c0e74210907233a5b547c664ecf357fef59c5a81b76f4c565e38ac5c38643d481d5a68abe074bac937ed02932db77d460136029dc1bb82a11796cb46b5b

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
56KB

MD5
1b59aadce62360ab8e33f7ec72b8d255

SHA1
681c69562d48fe672046d369860c732125525be6

SHA256
581ca2dc481103dfee62de77bcbb10190d685f06d6c6c5f692a64dec8791358b

SHA512
44247a8a7b3ccd69c5d34a2e6cd0f7d27e761c3282cabab3b6bbd01ec835c06c7aed629015df8cb5764b8892331f89edcbc61a3145c1cf6cd76cb128c4061eb5

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
56KB

MD5
ffb0afcc6da5917ff2226a6743279fee

SHA1
cfa8dfa2278734093b8315320e62ee956176be7a

SHA256
6d65cc5b080f6c89da8d379d8ac42d162c9f94085d7e0fa933c2ab64b76fde04

SHA512
2d83cae0e9460ca2440eeedf74fe6f9ae8e9a18dfc9953b108bbb676769002b502ff31d5fb762645530dd457436c51f402a999fdc6e18d8d79194d080eb2d67c

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
56KB

MD5
2bba679403d5dd1f2a63ca5e55b121cc

SHA1
a60e849304e9e017d1e8b7fea5207d74daf11f2e

SHA256
16baff05619e64d454d98389c32c875a4e0b6ab930137b92076d46dbd3b1d69c

SHA512
9f08129328df2594aeeee03c8e1eaa8cbac95ff08d92d592786798e0d5f1e8e993ec7da8a3d8f20316d5f22c622c93d3484c80c326074ce1135ee24913d7d45d

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
56KB

MD5
b158102db2a84a79a1b15347486ae3c8

SHA1
33a480131f3025ee944e7c0ee06b8362196ac691

SHA256
473f596730c8334c5866b71d1aa370b31b10876ee98a6a8986ace4865128de46

SHA512
55a81ed16248a0444f8fdfd143af1ac62703b2d4fdaf62964f05af0526154c7706646479fa99f3fc1e0062ab408589de55a556e1dd3a96ab5a6137bd8f864f6c

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
56KB

MD5
4d2d6abfcc3827498043b0e958e73a90

SHA1
42383206808e4d0c90e6a0a496c2f92f557667a8

SHA256
67588f6f261f1f3aed704739788d1c7830a3b2e63d090ae33917e7def3094120

SHA512
5b9c5fcac83d45f05397ec99b9244e7806c8c25df3fb59553f662c359450fcf67ac7e3944db05e8e6c93e12e2fa42aa75029e494147dffc5dbcf12fa6b28904f

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
56KB

MD5
80b70561624e84c6b4bed00c999fa899

SHA1
80a617e03fc628c43279e41691c14cfe71ffcbc8

SHA256
6c10c0ed44bb19fda43ffe8bdc6155c8c164c467ab0e92336cd02e09862c0057

SHA512
d8c6ae0de47fb2945508c31dcbd1ee20bc4b24168c75b7dafea0ae142941b33fccf7b12f5cf607aeb5c980cc7f16d07bd34d9632c388da327f1fd2cc6afcdd24

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
56KB

MD5
202bb817c2d43911ea49b1de185f189a

SHA1
0b5262fe0141c1aaca31ae73cd15831d2d6df4ef

SHA256
f66aa7c035ac2d912eed28a197c64289afb53db8cf5335a45fef82370054d1fd

SHA512
4f3293248ea0834722c949ab51d90b5852f00f78556d59af5e964d82d0f94008eda30bd54525f1cfb9c4355ae7d39b4344b72908c90dba3799b27fa972852b79

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
56KB

MD5
126c3e2a350ce6ae5f83557ce47b32a2

SHA1
48f0e02b380d18ade4377b09fc5cdcbe8efa04e6

SHA256
f98246b383159f4554d12519867c1ec724467a698a3b90a3394d20c7648b47a5

SHA512
63e135846e6bcf19abd2fc72f7c8a1c590b80de3c54dcce41a0793e7adad168e25982173649264d54e0672f51bd26939a3db51b3acbbabcf1bf3fa38101b1d38

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
56KB

MD5
38ebc7a36e75a04a11027e2f21f0131e

SHA1
d86afc60f910ddc83ac867b16ca9a4c1f7431111

SHA256
06757e643c60c6207808ea4f32c9e849d7b07bf241ef8b90f5f57cbaa868b95e

SHA512
6746021c92761bdafa5116a5ca00d0335dff61b05b6cbe260c8e19d32f4a1ec942148133718bd95e05b232398ca5fa6945122cc150553902197e5e01c33b7d74

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
56KB

MD5
dbaa6811a8048a06f06e3563e719b002

SHA1
1ec04011c8d45cce2e0bde077ed5e4fb4721df89

SHA256
cb39915deaf1019aa6d2ed2ec7ee2b80f85ad5354d6dce43661ebd5f6d2c32f7

SHA512
3aad9dab7d3086b8ebcc06152d6fcc4702defa8c56ae73911bf967bec2ebe203e809e573f4595f66e4629fcfd1c1a19a0a007544fe6ee13e7394951a65cdac68

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
56KB

MD5
0a9e958bd5d1d73e9fae772e78e11563

SHA1
7294722243e867cfa399f72cf2425895c522bc23

SHA256
28bfd8060dd50dca7b7f624ce2e0fb82ca0592d4a041b691237d03f79509e081

SHA512
a3631c359a61fd39cc928fedbe275036a724f32fc45abe3453a4fac2d7350e8299040249f8f696a70200ff6c4e955fb7933375b494b85914822988266ac89247

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
56KB

MD5
9e495e5bb8ec079701372481b25815b8

SHA1
a5901acca9853781fab642420e8140745f802f51

SHA256
e2e5a0c4c9026468ef076d63109e11966fceebe1bc23e5c524633ce2d7d61b64

SHA512
6ff4248ed49e519ce43995ee92cb31130661b04e5ae5e0a4af2dad4cbc3e14db5256a8fb8a98800202826ef48f8cc00ed104b7cfc3aeb8114d43a6f7b9823e25

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
56KB

MD5
2cc5a0372077aab11ac49b545d2c245e

SHA1
5ace29ea2cd696ad5658510695142f966a2b738f

SHA256
043d4c74ee4f992e3a617103b66bc06a209c48e441aa0f74c1cbe001b0ce2097

SHA512
77a801915c05a879600acdc5c518f7bf1717bb5b93f9d3480286453c2126f3b4c46d8f801972b89d1ca4df0f8b261bab3e727c317d9156d187a3bb2234637e4e

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
56KB

MD5
ffb4efb6c48c3fe565f763a1d95bf756

SHA1
e3576fa20605aadf857bf27d1da5a7b6994a3eb5

SHA256
1ec5613b96f4118850e754d6cf43bca5635042ec2d00ea6317ada41a9c17568c

SHA512
6569391369c6c3dc216c7b0902945ec148aee8e8d00ae56e0d0e8162f6c9436615baee5f6e86c0d5cf6a662521793ff864df0b9484e5ad10238c3d218c0cad4c

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
56KB

MD5
d616df711c28a74b181505771093ec8b

SHA1
b60051212134f768c1936e1ae49c5982a4a883f8

SHA256
a669377a8de5b6e338e5774a17dd22942866084675d2c328700dc7cf0701d136

SHA512
9152e483644f08845356f51e24c7a471707e065af2e4c4ea4bab8488453472a3f0fab86b1a449d01d61cef602d77e9d94f3cae1363fa30958071b34d6e4678a6

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
56KB

MD5
3044e3e4e70013a91f217676cdded4f4

SHA1
19e7967a3a9d844c46e8a1b7372818306b20e52f

SHA256
4bf7da992c2f87d6f22e8e278f0df4ba7c320eea0bcba5ef1851511d19003e4b

SHA512
be4f980dd3a3923245eb916fb6da96e6ece466d4d08177ebad214af39944b84628386468017a0e178c3760e1f1fd323449721cb174e66016b159a20e65905bd1

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
56KB

MD5
38196651c1b24b9f6b5206171d7b856d

SHA1
19e8738b575b26df37f1867746ed68f5ea8654d7

SHA256
d8909e9275c8b370d50fa73cda10dd2c1de8d273e98d5aa2740c65b131db9d4a

SHA512
c259d4dc0f3c396cf83ad7a01120f215fc57462eb581b9c12ac60eebc2d6cd8bc42be2485885c05929ac6e29c81a4748273c498a5b70b76b3bb9abc238389b2b

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
56KB

MD5
fa24b7576f884217b2d842256448ec8b

SHA1
977ce91136ad6e88ae058fa53b62c5b82e3810f2

SHA256
2fab31d3d9d2f00922e1043e9659d3f04164edafd6aa731d00b14ee23e6e60de

SHA512
cf58775941b0ca6a83c37b1138262d87856643201fc64618ca1127e9f0314730ae7a106e39e8ccb604e53673c7e2eb74c0ff407e9bf673158062b00f3b209273

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
56KB

MD5
b59992b4b9cc0269500a7656522b38fc

SHA1
93fb72c52a3dc5afbba7d4f39969d71f4e67eedc

SHA256
9fa5b9c49e658e17fb199e905238dac3d9e4c6cb01ca41d3f6fab93716ef8b33

SHA512
8366d657e8728adc3d3634a91ce3f89f018e4660ed1fd6f164b8f3c2868762587c75986fb9284438e74a3af230d61328563efa46272c20000c20d99161d85bd2

Download Submit
memory/100-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/704-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4204-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5664-965-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads