e625ea60ab9b663e2531e6d77757cc11e2e402e06323b779b6a403bdc66bf5c7

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c352e48097eb9a6642badcd22848760N.exe
Size

192KB
MD5

8c352e48097eb9a6642badcd22848760
SHA1

469cfa72415bab172731f2900caa75b8b1286af4
SHA256

e625ea60ab9b663e2531e6d77757cc11e2e402e06323b779b6a403bdc66bf5c7
SHA512

e8d2c8b593d0455fbc61438d49307ae55c6b6ae7b4aaac89ccee7b58f828026666879d00cce268518161cb278d20859eec2151a320a06439bd405bb1a08e5691
SSDEEP

3072:XWL7ZXcyDAgp25DJK4RuukVCToutkTy27zU:y7Z1DAg45Dc+V9ToSkTl7zU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8c352e48097eb9a6642badcd22848760N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8c352e48097eb9a6642badcd22848760N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Executes dropped EXE 64 IoCs

pid	Process
1852	Mdehlk32.exe
2856	Mmnldp32.exe
3140	Mdhdajea.exe
4808	Meiaib32.exe
2720	Mmpijp32.exe
2860	Mdjagjco.exe
1736	Mmbfpp32.exe
1164	Mpablkhc.exe
4556	Menjdbgj.exe
4980	Mlhbal32.exe
3096	Ncbknfed.exe
4412	Nngokoej.exe
1228	Ncdgcf32.exe
4940	Nnjlpo32.exe
1316	Ncfdie32.exe
4888	Nnlhfn32.exe
936	Ngdmod32.exe
1788	Nlaegk32.exe
664	Nckndeni.exe
3548	Nnqbanmo.exe
1908	Odkjng32.exe
632	Ojgbfocc.exe
3564	Odmgcgbi.exe
1020	Ofnckp32.exe
2420	Olhlhjpd.exe
4744	Ofqpqo32.exe
2304	Onhhamgg.exe
4344	Ogpmjb32.exe
4304	Onjegled.exe
3624	Oqhacgdh.exe
3604	Ogbipa32.exe
3972	Pmoahijl.exe
4060	Pdfjifjo.exe
1080	Pgefeajb.exe
3124	Pnonbk32.exe
544	Pdifoehl.exe
2684	Pggbkagp.exe
3304	Pnakhkol.exe
5052	Pdkcde32.exe
4688	Pjhlml32.exe
4092	Pmfhig32.exe
1208	Pcppfaka.exe
1284	Pfolbmje.exe
1920	Pqdqof32.exe
2628	Pjmehkqk.exe
4716	Qdbiedpa.exe
2868	Qnjnnj32.exe
3556	Qddfkd32.exe
2624	Qffbbldm.exe
4424	Aqkgpedc.exe
1772	Afhohlbj.exe
4476	Aeiofcji.exe
4348	Ajfhnjhq.exe
3384	Aqppkd32.exe
3464	Acnlgp32.exe
2412	Amgapeea.exe
2904	Aeniabfd.exe
2308	Afoeiklb.exe
3748	Aadifclh.exe
2728	Bfabnjjp.exe
3616	Bnhjohkb.exe
4260	Bagflcje.exe
2492	Bganhm32.exe
2056	Baicac32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	8c352e48097eb9a6642badcd22848760N.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	8c352e48097eb9a6642badcd22848760N.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5484	5388	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1852	3252	8c352e48097eb9a6642badcd22848760N.exe	85
PID 3252 wrote to memory of 1852	3252	8c352e48097eb9a6642badcd22848760N.exe	85
PID 3252 wrote to memory of 1852	3252	8c352e48097eb9a6642badcd22848760N.exe	85
PID 1852 wrote to memory of 2856	1852	Mdehlk32.exe	86
PID 1852 wrote to memory of 2856	1852	Mdehlk32.exe	86
PID 1852 wrote to memory of 2856	1852	Mdehlk32.exe	86
PID 2856 wrote to memory of 3140	2856	Mmnldp32.exe	87
PID 2856 wrote to memory of 3140	2856	Mmnldp32.exe	87
PID 2856 wrote to memory of 3140	2856	Mmnldp32.exe	87
PID 3140 wrote to memory of 4808	3140	Mdhdajea.exe	88
PID 3140 wrote to memory of 4808	3140	Mdhdajea.exe	88
PID 3140 wrote to memory of 4808	3140	Mdhdajea.exe	88
PID 4808 wrote to memory of 2720	4808	Meiaib32.exe	89
PID 4808 wrote to memory of 2720	4808	Meiaib32.exe	89
PID 4808 wrote to memory of 2720	4808	Meiaib32.exe	89
PID 2720 wrote to memory of 2860	2720	Mmpijp32.exe	90
PID 2720 wrote to memory of 2860	2720	Mmpijp32.exe	90
PID 2720 wrote to memory of 2860	2720	Mmpijp32.exe	90
PID 2860 wrote to memory of 1736	2860	Mdjagjco.exe	91
PID 2860 wrote to memory of 1736	2860	Mdjagjco.exe	91
PID 2860 wrote to memory of 1736	2860	Mdjagjco.exe	91
PID 1736 wrote to memory of 1164	1736	Mmbfpp32.exe	93
PID 1736 wrote to memory of 1164	1736	Mmbfpp32.exe	93
PID 1736 wrote to memory of 1164	1736	Mmbfpp32.exe	93
PID 1164 wrote to memory of 4556	1164	Mpablkhc.exe	94
PID 1164 wrote to memory of 4556	1164	Mpablkhc.exe	94
PID 1164 wrote to memory of 4556	1164	Mpablkhc.exe	94
PID 4556 wrote to memory of 4980	4556	Menjdbgj.exe	95
PID 4556 wrote to memory of 4980	4556	Menjdbgj.exe	95
PID 4556 wrote to memory of 4980	4556	Menjdbgj.exe	95
PID 4980 wrote to memory of 3096	4980	Mlhbal32.exe	96
PID 4980 wrote to memory of 3096	4980	Mlhbal32.exe	96
PID 4980 wrote to memory of 3096	4980	Mlhbal32.exe	96
PID 3096 wrote to memory of 4412	3096	Ncbknfed.exe	97
PID 3096 wrote to memory of 4412	3096	Ncbknfed.exe	97
PID 3096 wrote to memory of 4412	3096	Ncbknfed.exe	97
PID 4412 wrote to memory of 1228	4412	Nngokoej.exe	98
PID 4412 wrote to memory of 1228	4412	Nngokoej.exe	98
PID 4412 wrote to memory of 1228	4412	Nngokoej.exe	98
PID 1228 wrote to memory of 4940	1228	Ncdgcf32.exe	99
PID 1228 wrote to memory of 4940	1228	Ncdgcf32.exe	99
PID 1228 wrote to memory of 4940	1228	Ncdgcf32.exe	99
PID 4940 wrote to memory of 1316	4940	Nnjlpo32.exe	100
PID 4940 wrote to memory of 1316	4940	Nnjlpo32.exe	100
PID 4940 wrote to memory of 1316	4940	Nnjlpo32.exe	100
PID 1316 wrote to memory of 4888	1316	Ncfdie32.exe	101
PID 1316 wrote to memory of 4888	1316	Ncfdie32.exe	101
PID 1316 wrote to memory of 4888	1316	Ncfdie32.exe	101
PID 4888 wrote to memory of 936	4888	Nnlhfn32.exe	102
PID 4888 wrote to memory of 936	4888	Nnlhfn32.exe	102
PID 4888 wrote to memory of 936	4888	Nnlhfn32.exe	102
PID 936 wrote to memory of 1788	936	Ngdmod32.exe	103
PID 936 wrote to memory of 1788	936	Ngdmod32.exe	103
PID 936 wrote to memory of 1788	936	Ngdmod32.exe	103
PID 1788 wrote to memory of 664	1788	Nlaegk32.exe	104
PID 1788 wrote to memory of 664	1788	Nlaegk32.exe	104
PID 1788 wrote to memory of 664	1788	Nlaegk32.exe	104
PID 664 wrote to memory of 3548	664	Nckndeni.exe	105
PID 664 wrote to memory of 3548	664	Nckndeni.exe	105
PID 664 wrote to memory of 3548	664	Nckndeni.exe	105
PID 3548 wrote to memory of 1908	3548	Nnqbanmo.exe	106
PID 3548 wrote to memory of 1908	3548	Nnqbanmo.exe	106
PID 3548 wrote to memory of 1908	3548	Nnqbanmo.exe	106
PID 1908 wrote to memory of 632	1908	Odkjng32.exe	107

C:\Users\Admin\AppData\Local\Temp\8c352e48097eb9a6642badcd22848760N.exe
"C:\Users\Admin\AppData\Local\Temp\8c352e48097eb9a6642badcd22848760N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\Mdehlk32.exe
  C:\Windows\system32\Mdehlk32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\Mmnldp32.exe
    C:\Windows\system32\Mmnldp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\Mdhdajea.exe
      C:\Windows\system32\Mdhdajea.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        50⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        62⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        67⤵
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        86⤵
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        94⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        105⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 224
        106⤵
        Program crash
        
        PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5388 -ip 5388
1⤵
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
192KB

MD5
ea7314b45fd6a811d17dd362e7f396f6

SHA1
6da88b611bde8d7528a9f2de58b25bd2d48bd25b

SHA256
0e017eaa4184e72e3558fb43df8f742df0f4b3ea4574e44588d9b9cf29a75832

SHA512
68f6e3e0be11062653b0fe40636867e83658634852fe3127f7ce117140ac0a4731257447282e6c5bd9fb8e5ee9f1b8560053f9408ae5047d0aa911d86d9616ad

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
192KB

MD5
17139213045e17b04c71e8dec6bf078d

SHA1
e19d680deb3a86ce8aa1328e88cc4fe25c60f489

SHA256
ff44a409d9e323bb57c4c3a6e543fbb11093ec8fe433edacefd8b3dde217258e

SHA512
9e9ebe0f6522e85643a00788e31360207bc747f97f571fa6b90911a0a107e1e361d080208c41915a848b62d4dd37c4a030fcd901879ee31961e7f7c133763d7c

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
192KB

MD5
eb84e28c60abd91d335ab7eec967d0ba

SHA1
dad6ee619afcc379238fcd913f30000affe29173

SHA256
5a3e592904469963823d636822fc08047f73fe16fc538c105f68b59586da4fbf

SHA512
2d69c823777ff973bd6f6c822ed26e58f5af40bb6026a49a0ce98fee4ed5103a617c381faa8b756ed04a4e72f7173e7f66be55cd2543f54ab3d7a7909e00623b

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
192KB

MD5
d83e31407f9580a736f4e3710eea406a

SHA1
4656613f4901bcb577cd691711b3836f36dff994

SHA256
2a1597b93ee3a803f81433a25ba875254e2b4ac48f726ee99c0641bad1120e81

SHA512
ec8306e66d38d5bf38bc9be96d3b7b1a2e0d64c11aff226928e2a5aad33c324eeb5a238e091635ee0f63172ba23a0ddfd3c5f8c7e2bec5194f6a30d027e8005c

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
192KB

MD5
a7ecf8286df66ccf6b5df3c965785b28

SHA1
95141b56501776cc117adffebcda5c0300a42d23

SHA256
7a09a7040b01cad4a3fb05fcbb1ef1046182854088162c4a0d56c5c2e8576384

SHA512
f75d6bef847706746a30c9e21e77badc62c9a9fe62eac69d9d14f8be7fc87121e871b74cc7651752cfe9418ae24d532154fc5330edc3bb3eb4017dc6c0e07d79

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
192KB

MD5
53c40af7230c32a46bf893b2e1e4d53e

SHA1
37eacad43b7548f6f12ca8bc66e6a3c8a34fab98

SHA256
8c0a0d0593e09223292abe5f53a499a69d03c029c94a5a4962554e92606aeec8

SHA512
f561085bb97ea601a426c07cf01c88dfac4afbdc5561a620f33d2b2384110879bb70b17f85b8bc2bb02275d8683298cb45126def8e58ba59a180f7326211f045

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
192KB

MD5
40cacf5acd86bec368e0a2a185fe02fc

SHA1
63be1f136ed32daf545d88c2fd51ca6244d8d3b3

SHA256
c3b768af516d3cbe743c3f7dcec5c23be905437601bcf6adb793dff36a787127

SHA512
3abda393d613733478a3a530e297cadd4f4b16c2e77ec661d837fb7b501dee470d770e1d1cd55b253598a8f862a8c37ac58d2f6ef23e131b465e2096b5a91ecb

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
192KB

MD5
1f31215957683f0d6eb8c875925f60ad

SHA1
6316c4bb952870d11d9c21d550e30201de864ee5

SHA256
c0af3d3860dc4b17c43facf6862d0d1540d361ee7360e3fed95e68c3959c5bf9

SHA512
84a441e39376891f4e9c1b20743e8ef5f37cdb3642f7bd8d4e54c8f0df9e6c8903f701022bc07df7e9c1921b336bb3efc41c4874501a4516ed8f46b6d2f8b611

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
192KB

MD5
0d6d008bef6094d99a9153f33402fa9d

SHA1
8059f142162e922819bf5804c4bb5db672cdd997

SHA256
20eb7cb52075a69b9ea638923c14d21503cdbe64be1f8e6a482f4556115bcfe5

SHA512
2b7329530085377a2e5803e3d70f8b0d367e0d2de613b28ffdbb86dad873d54fbc76c5404a720b7ebaf5c43b4fbec5232f8f8576d0f6cff2284ee53a0335822d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
192KB

MD5
df1647f7042442a73d361619f8438642

SHA1
455b72d4dbd060ed6bffcc710a63795693d54a21

SHA256
e07e48bd1a4994001b0e524e801b99bea38b7f411d33eb20c165ff44948949d1

SHA512
a423b3e463943992e928dcfa778476180d87a65da339e7563c5ce01a3d98a04fd0baa380539ce0879191222091b5d3bc22c6e6641c2dd5fe08f594a0984fe7a3

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
192KB

MD5
04e8046f464fdca006fa227b4f6b3504

SHA1
0dc0f808d1c9881f599dceb2c96a2d308da05458

SHA256
5f265cff5ecc65a4cb2b06bfb7ffd7e95f39036e42c45b1d1c1fbc80431fc24c

SHA512
76f5ad251f6f08f25761558fafa4d80aa4279b14c82a2a520e0193fee104b9cc851598ee0515b9914689f4069673bdb5fd9371894b05b22592b047d60ade14f7

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
192KB

MD5
ffd2c4aae0f98f10be91cf2c7557fba1

SHA1
f0d9e9c4e948ce546fffb2c3349ba58ad7524488

SHA256
e7d26294f8e49ecf0cfe371ed377f4ef4eae4dd0ed778731900b66d3ccc8dcd4

SHA512
1547e9903cabe214daec392fb799e79c3581633e83e36586a52db8b89a89902e19764f72e8a62a462d1d496ec72173f18ca0d568a97d53ac87c7cfadcd72a25a

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
192KB

MD5
6fcbdf30ceb9c6b7f9465d9e00f68ca0

SHA1
fbe9700cbae43b370eb7a480102b83d90d27e433

SHA256
e38b38089b4eb38e00f91107645e0951c5dac60d284576c259920f8edd4e9b90

SHA512
512dd839c005ebc3215ae1e187e076977c8aa4cba97bda262980124ef7538a34b50d21faae512cdaaea2f525d0beb686f72323ac01e83c3017ee8d57e97c721c

Download Submit
C:\Windows\SysWOW64\Gaiann32.dll

Filesize
7KB

MD5
39c2e9c7a9a652989b13776baa62fa99

SHA1
e958e8bc632f98499973ae68f49ef9fedfa636ab

SHA256
ef190c5bdab539102e665909ee3456101037d6419447827d3a6e998df5efebbe

SHA512
b612a59e0e90d626c3be539df1ba8a7b67fc18e4584bcab0084f38a3f8e04e33a76108dfafb2c68b15e2ffb048786318bcf4beb460fe73f18f8d49e847a1b707

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
192KB

MD5
71d8bf1246a604fe35322a0c4b62a067

SHA1
780a70a285f8ed3a9d65c7492f05d43a2b642d5e

SHA256
ecda9487f0c0833b4f791a4ab95d2264b1df5737be17a8baf046297c52f94d3e

SHA512
36b288f3dc9388853fe9ad41e7673903ad7335ab0b86424f893a6b480b9e8a88334b81e13948a92318afdaeec2d3364d6858b086fc9b5176c37b4ff97ace713d

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
192KB

MD5
dc354dd53687098db47d302c3c853bdb

SHA1
bd03fbb40bef5affbbbe6b95fa26d126b012d0b6

SHA256
54479c6a10a161941d3a0a5fb715ad576457dea14d6ffd10a64cd7384b233301

SHA512
7d34c7ae6daeedc2af0b488fbc000df1a9c204d2b7441c928d930818864ce60d6829580938efcfa8ac53013eb1a97b7ebc1ad9f42e6acb6c45578976c18f7340

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
192KB

MD5
87350300a59c9100e08126211ba1073c

SHA1
f632f157a26ac2422c6f59fc542cdff46cf5b46e

SHA256
c5a48e214bd5cfe0ab600856c5e416fda4949bc208ce757b08cdeee47b4c4208

SHA512
57287358d195763e15725d26c1ef4d6608c873471de1d7f2ed5fcb8f5d11705808cea70165f282587ca56a0f1768cf9db29405204842b46e36d51aff23edcec0

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
192KB

MD5
ec4335bf23b75180d8c5e2ff12d32367

SHA1
e8beb80e478d8d64e48269f746b039947c3e54d3

SHA256
393ddbd3924403422754a0e349cc4b5a91d72c916cb39dcb017e108d9d95e238

SHA512
4d069271428050f55e80abe1d9f7efa0f1561b78c8ad9a00918e9f6be6a2b1568f3a144f9dc72d89ebb607e6e2e1fad65f48d5b76113ea78cca7905ae0d7dc7a

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
192KB

MD5
499ae47c6d29917905f6abd5a3bb9cbc

SHA1
8e1e4cc64941be6c6a4b654be4a3540daa1ed590

SHA256
4c4c3c70b7aeb1d2187970875923ac9af23d53ab086998a1bae685ff32b9bf03

SHA512
5460bdb7d0333059c8f782e9fa44e324f2dc1498fce515dcff13f2cf72217ddb8dc2880d9dee19d6a9475e68a78ab4d984aded0a42ac20482ae4847467bc3606

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
192KB

MD5
93ce94d47dee41dae936dfb84ac6ba2e

SHA1
dc1acf0d998d60c1c930a603e45c2620c29dbcda

SHA256
a00afbc18d9ccf66434638c2a834c79d4c958d55a5ed2deefdac75cbf21df8ee

SHA512
d7ad5d8eb54d87cacc855e3d65589fe44f991938b7d2b48eb44850ba8192c9a922ab232dfe887a359d32d0a5efb6c2b0883b7938026758e59ebadaf6727cc043

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
192KB

MD5
0c96b2d4642bbc9a2ad0258961282260

SHA1
88b47b13935bb91dd4195675cc0c664b14856af2

SHA256
f0751a6fabd9d3960811537c3aabf42a1bd705c0bbb3335b1e432ffa42a4ca1b

SHA512
ff27a0bb97757d69379e58e946b4f430067a9f3cb192f933261be7e29e9dd52774423e5405d48b12228cd104e87cf1a69053a3926915852b84ec1af2adbc2c29

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
192KB

MD5
ace7aadb9715465ca16488bcae2e9743

SHA1
ee2cf0dd2c9baeb97fd3454ffff94322b7d50ae2

SHA256
b7613c25a511bf0dbf57ca8dfd0c73ce588e404a579e6649c5291f0fcb94ef93

SHA512
e91704337c2adafc56029e3ee4772737b5bb5113e28ec8a421bd958d1d1a94106b785cc19d557728a8b820404c7e85b61e35dea643b2188708c7a094f56ff0dd

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
192KB

MD5
ac4a0ba0e99a0a6de7c51b128eb1761d

SHA1
d268a58e82293aafcd77b66b3ddc5abf7d2e1484

SHA256
8752ec7259f4a5926f892c2973f180b977e5fceba4769ad35b4bee3ef85ecfa2

SHA512
54f815a76e713e5f9eba486959f04d78f7ef24552e6914c443e5030965999810bd7af4779a4c69580d252d0bda0c22fe33df4de26d80350cb819d8718c31bbd9

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
192KB

MD5
57e7f9538cd0e77551a65b7818cb26db

SHA1
e3467823dcb5b6584a79b1543db279e3b4d37035

SHA256
176a394c389eb0cf3f96f16468ba4219bce5869327857ab95488433a35574832

SHA512
8cf162bfd969a1195fe99f5bdafef1200abc26297aa3aa12731c7709d380372cc18d1fa9fff92e4fdec081cadc77798d12f998ff987e2b76b3693b5cc7fa7068

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
192KB

MD5
ceb4736a118ec6993c5fd7e0d0defeff

SHA1
78db40d609879a391f24fe6c83c7e5757c79e7f4

SHA256
572b4dfed3bb2a9b85da5f14152aeb37d00783125c48e2c6c0879fd11ac0a2b2

SHA512
6d7f8b99fe575e21cc595b875375831994919a4541a70f4701bb74e56e33ddcf197f421b4f576402c40e1637054d3f2a836cbd120053f54ae242bd66695d1254

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
192KB

MD5
c7022c4443c9a4f5a624e4862e9f44b5

SHA1
07fe899510a3b456f63eeb7c97d6d5a8fe05673d

SHA256
13cfac3963ce33cc7f437959b58d89eb65b949023e5b1fad4b8f02c7b63b29c3

SHA512
f68e0bec1b9862639c6fcdb63efd820b2e13580fa6af0b49429cc39136b83dec31c96081e97720c086541a56fefa6b7c059d5edbfa808500b6c334ac1be8998c

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
192KB

MD5
baa80c5b00abc5c3fc78e0111069334c

SHA1
d379725fa9085300efaa6bd73c26779a97a0f493

SHA256
b18a799a8b8c0c5603747093cc7137752b2f54548b9360708b39c3df3cb16453

SHA512
a77b0a8396f66164575fb1713204c86d0e5642e1491ba3b45b0d9f036a3dbc59756cdac1b58540859a009b966374a8c1b7434b9f196d52ae7a3564a8cbc42b6e

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
192KB

MD5
47d9610fbd6f69fec0117d27dd4ffd75

SHA1
189ca8d83f979acec1d3ff9e86b6a6172f3e8c84

SHA256
c2b7358e1cd5287da2ce8bf0730ee4ec1acd520e7c9c00f98c91a94b3b91c23b

SHA512
9f28d40c5c4c0e3ea3cddf441fc557c7a8a3a2a788a37584db2d98ecc5bc32445079fba4e5e07cbe7c454ec3acab9c350982728ebf3333f7ec11735772bf41db

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
192KB

MD5
b1416c606dc3c8e3cc83a7fc3feb370a

SHA1
cb350b0d69faaee0e058753afc25284727c41b16

SHA256
977a8a51f7587c1b953a0c33146c8214cb258d3495c6b20130364913a1b11868

SHA512
223845b4b08e2293288eb76e96d9abae48202dfbee8758604f1abe21fdef0c93ff91e4df32293b04452b7305b03a0213e759e9e0fde54e9f9f1868a9dc2a001a

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
192KB

MD5
8425d34f5f590283721f7ec7dca2801e

SHA1
45d8c1502ea69d191ff32fce6131316bb036ec81

SHA256
5bb4a35d847afd2f964aafcd5b1f78e6f2a6b3dc202c68b1f4c429407019cc6a

SHA512
6dd3e31cfdc9ca7f6117e10074cf21190ead818b2eb8dbfefc29635fac2de9c5b00ac45161b8197ee29c9983a1e0491b33f152238119b5eb261928d434571863

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
192KB

MD5
d23eab4bd4dafecfea975e57e82f433c

SHA1
f4cea2e974c189cfcd03253833a726609064829d

SHA256
db1b7d968ea602d3f545d2b3827883d38d6c7c9e3133d62fb7509b96281e8478

SHA512
b62fafedc6b74a8b4dbd3e30057f82db8d295c3e0531f1893f41b140741002fdfc64f995bf9de5fbf3c155d6e5b02a2d30937790f9e3034c56c9047224a26460

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
192KB

MD5
44fe7e4f89623807bf85ba5f7f44e216

SHA1
d1c966406ab2c802fd65cd0d877cd70563437e25

SHA256
68d59ab7d931a939638b02d5e7f5139241048ac9d6e64062bf74fbba928a6017

SHA512
0f934db9ff36ae811e7bbc52f199c1aec4ecd12fffd5ee0ddd3c1f261a0d84366c4ffe020e93aae898cca019ef80ac0f60cd21a0fddf6c17d7699fda79014064

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
192KB

MD5
7809661480a7d3e3b6ed09cfdaed9c45

SHA1
d311079d6781c0778bad3fdc9097783c5d5a5bb4

SHA256
a6ebf5000ed11bd8a56b1e579587e1fb48b6953605c5a23927079b2285ce707a

SHA512
c1bd42931bcf5daed2ee961d32f62ef5d4b1711879123774ab9bfae49273872547708de9a3948dc60eed3686c7ffd2cd796766216f2b043b2ea1d8f6ae5f002e

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
192KB

MD5
08afd3bc92b088c693adc2159c84a111

SHA1
52a8d0bf40cee52aaed447c8ee410860701caf83

SHA256
388d764509ac0aaab506bfbddb983b1384718abe0d80cea76322771adecc8fd0

SHA512
a58cdb88d9c16a9d31d60f1855a83180c040b1aa9e6cb9cf114dabad8fd8067cf5aaece6e6e79d8b3db1b718de3ca0f4fe0f3109e014ea4aee3132425368371c

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
192KB

MD5
407dbef050066396b25970cbb92fa031

SHA1
a6a071ffb0339f7a9b690a32e4359b090817238d

SHA256
b6ec9e6ce84d647d4b5f5d561675851e9cae6d5657e52f619eae483d057f7b50

SHA512
c2a7b2eb351e137f435b803c9267d227cef1f43f625aa327b98c36c3d162d23aedc95ac99df7f01b32f45e29eb9481c3a6fcb36ae9ea5673044a34838eed8d90

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
192KB

MD5
65cec1488ced168fce5d9245d1c88c0d

SHA1
5be92c721faa12e48ce53fa2b808e662d0df6392

SHA256
c8af6d24727ff76333e5c3e259fdb375b2baad80f9f489fd61b6366e1217a79f

SHA512
a9a75488e412a07aa1f9b1871400e01730b3d95c4b02485f01e4536aa9a6fd7a9cca24ce1ab94650d45060170ac1cd4430ddfcf6bb1f644ab956448cd810ac47

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
192KB

MD5
91c493938aa6a173b0bfa01226837b37

SHA1
67269f932b695ed75576c1440a2278d9be25494e

SHA256
198b397d4c17ac94a23261b1e98788623005fb8029490743359f3ae5d77077d8

SHA512
390453264c31273e4d487c5bb19dd88254e44b6e8c649bab536184b428f04913fe118f3066fccc246669f6f7f8667ebac3b6a63e5b7f82111e175ae80735b595

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
192KB

MD5
7dd9ddfc06bf1cc34b8f183328f7b20c

SHA1
39af930f6d5bd475445c22521489ca305146e815

SHA256
79634e36755445c0485b4766a6a4fff966e2dc26108b5229b8e0f01be6605e6e

SHA512
b972b6a27b6ca3a141cbda0647ace12a53ca701337b00be587572e582e026cbeb6152978b5d35197a9356ac99ec7a782ba6d2e7ac2f1e3a6a4ae7aa126318462

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
192KB

MD5
d52cc93783a6ee3847327f304a15f429

SHA1
65300da726c5802ab8b4e2cf66dc16b59ae448eb

SHA256
d9c3c9230e8f374e6b6ef9acda96011c6688d741af166c1c2340ef86d70cab33

SHA512
1ba2fc7d944ea73c4d200fdc135993ded4b41ca053fc1069ba8d741568de6dc6d387eac8f1f3ed906b3ff4c0afb2c714b3021ddbb88a476c6e7272e639a86b1d

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
192KB

MD5
279dddb729efeac3788dc9b0be4bce89

SHA1
58a2245d44946ae224bca51730653c6ae04c3db1

SHA256
f37e51b6e3d3fc4fcb2946fdb247c83fe101d31ceeed3da93fa43ceb4ac124fd

SHA512
86dbfd4b00f84287b4b98436f3242c99c621dd9df897db87a92bc419ac4ebdffb8e4bdf917441cbce05c11905876449cadc33805bccf0f972343b1a983c85513

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
192KB

MD5
33c5c9bc49fa66e3b3185a1ceafa537f

SHA1
daae696360d6dff5dc3d708c18ab0ee713abd0bf

SHA256
e091e0cdd27c7939ae81f1a7209e2a4b7fa5e5aa9f4678dc4d024d6b20e3eea4

SHA512
dea5b68193c663a523f27f4f579c98be27636fdfea94f6cbf655221926f90bf68300033c1e8a0e57938ce139cae487beb875bdef3cb052697523f0d6c19fb83e

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
192KB

MD5
33f94da47987abab7ebef585c7cd9869

SHA1
07078812cc43f4062316fa71b858beac8d4be298

SHA256
ca30d5abceab31c6daa5907cdbd5644491da99f6344bb3cd9aaed94b484d4caa

SHA512
e24b20cbb8352f1bb3461b0acd258ab49988d1b2a9395796bd1756a6e88a7b80fce510a28eb0ae143b01590ccc225c5fa38d7828b99aae57b34d0a7b6be76d05

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
192KB

MD5
7ed900164bc108baa91d78702c43b042

SHA1
c08f6b27a5b4180d243dd9a674f385ae3afc2275

SHA256
8ee95015db342874d8be139b938e266e34d41acd7e7266faad410cc3622f5815

SHA512
d0d0dcb2f3b0a40b525484e2d254203b18eefe62563bf2a4f06702a9a338b546d7cb9b70022bced1022bfe0da73ee885ce9445735c8eb883af8a824a710f2d45

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
192KB

MD5
29b649de0e87d6ac7b06b28ab0d7c5e3

SHA1
f33b73a1da1233b447f6ee90988a74d545c86231

SHA256
1fae6c2a44cbbeab07765d898c8f3a7a548478eb5e279ee78cbd361856008d9a

SHA512
794260e895113e819590f86a7c4d0cd14d2ce3e51c1d9a85e4a1784d4099396412bbc1a6f69790d72cb5fffef83c1eeaefce7004352dd15b46bd81dfa23574e4

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
192KB

MD5
00769fdc174283e77859bd8a49ab0d55

SHA1
042d73134ff1abdfc5f47cd4f8cd5fb59ae8b19b

SHA256
3f00c07e8cec6f8f92dfd7a87265d4fa618e6319834d62f3e450f06ec5621c32

SHA512
4e26a4d029e7471c194a135b3c2a02ad98f71bf2dc11d40b8bc9fd636e9a194985071a2cc3fb9b57a966ca10f35bdd0c5a7cea6fe179725d0d2bd4d9cb24a36f

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
192KB

MD5
0b7beec1401d7a3965a528aadd349eaa

SHA1
6e2c49f6159677e35d1f1fe69ad440f66a590278

SHA256
36bd6a62e9b887fddc531490fcd78ca994f48667411547b5c2e5bd2f483b00cc

SHA512
cd4f07e8e802fd64cd523539bba6ca5e1b5e53b99b3cc155867b91392e4dcdb086080008a38c6a755b7e12ed0a1f5d5649d82d483cd85e03e0c32e59d1ccdca6

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
192KB

MD5
314616437c8edcee8e8a26bd8e69c117

SHA1
124a65c7c781248e9ed6827eefc18d837c89d9b3

SHA256
67d47462a8ed5b8b548865e9d2ad166f0b660ab35347f4787e32fc62b1c30052

SHA512
c7324f21e2f4cd3cfe9ee77ab36ca782e19e47a073b48764cc72f9c62bd64ce2879103e38134e63f019b55494705968ef61fb3b3f8d0a7dad01690d26b8d4fd7

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
192KB

MD5
5f385c541153416bec57a4cb5ed5a952

SHA1
1d7f17e42d3f7d6bea33e1ae2edf674eb04d27e2

SHA256
758e38a498c40f7700c5eca54074227ff1ad913eabf34c699a52653b85aa8cc6

SHA512
e08726dcdff64e83a3756fd829f98c7b155ce94d624e6ac22f2970792c550747ddfcc251fe46f6342223f10eba85f0a8daeb62e70e4ab89d94a6bb69ccb0a761

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
192KB

MD5
48663da09ecd1d3e8b573efd4a4be9a3

SHA1
1f8d782abd564624a9c386293d118a95cf11ba57

SHA256
a87cfaf8a84719b9b4710e9e72dc1b1f8a2cb746c3170e9f7822e754dc925f1a

SHA512
d2393bb08b8d4cdc3c1e96babe1c876365b00fbda4821b7ede9b4a847b05252c88a4958051237fb3f4a4945425925e0217e7eb8dd1fbaabb067aaecce269bcc4

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
192KB

MD5
c3a83c157cbe27d5a7c40fdb6b2f5948

SHA1
76b4e4528ca8d71856149bce34e667f69bd96de4

SHA256
3394f3b100afb8cbc6a2acb649e6499018823d0e0c99d7b63130f81899ac2a27

SHA512
2064bddda654f6f75c2267c3bb2cf6de30b54121c1675b5e02b7701f6d2e5205015566edf375f046aaae8ae137569a81b4d2474acaccc09ae0729cf667395bb4

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
192KB

MD5
622bafa8c9a83e87fc42807af9ce65d0

SHA1
5adbbb467c277b955928bdd996cbdbf235bb1fc6

SHA256
e9c433199d7efdb289ebecc3211976ee6ff4595b2ab8351ea5fae11745646dcd

SHA512
3b3e782ed4ebe3d8001f42cc585bdf9dfa11d475b4e8bf005df6e0ed94184633eebd5b630a7d85817954c2be0ea03a3c74243459712301f01334894d0be28342

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
192KB

MD5
c05d4138ad16d249fa890ff53ef38922

SHA1
5ad2130805ad9abc642e862d9685b6cf2b4f95f7

SHA256
24c76c317158acc1e8aa0b1210beed91ac195c295850a66aa9ae012eb2cfe1a0

SHA512
b46a506a70d0cc20351ac724531567cdede2f3d9627547e155f015167cbaa499068b32b535fe48e14d65b74d908849d776c9ee434748bbe2e2d58f8ae8ad061c

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
192KB

MD5
103b20729fb362438cb8adde868ab8b2

SHA1
80b226855c8b9d36833273d10849cc26cb604e56

SHA256
bcda294fbe99bd2180696b7ccf2b68c6657cdde284d69949dc64ca453371d345

SHA512
1011dfc01a228437db637858ed6e4d12883824b438441c7af38612c9a42102ba5c82745e4dea3788df2dc5914756c0d8c92549ee12ff89d3617404e350c00330

Download Submit
memory/544-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/808-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-746-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-750-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-804-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads