063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1

Analysis

max time kernel
95s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1.exe
Size

96KB
MD5

7f6f2da271ef48d93f728cb6d6897885
SHA1

4879870a658d2d3cc276ca22f8947e6caa955669
SHA256

063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1
SHA512

90ede91b1e55746e02458891f7adee06b58ca1828cf6f60ef374d604b45992dbdc8e1934580fb4a95672b0794ff6433f26767b8961dc3954b2ac09053cda68eb
SSDEEP

1536:7EKg5QnDVMgkE01qBPg2rUMj1MeQAPgnDNBrcN4i6tBYuR3PlNPMAZ:7s5W1G1qB42rTzQAPgxed6BYudlNPMAZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe

Executes dropped EXE 64 IoCs

pid	Process
668	Lmbmibhb.exe
2568	Lpqiemge.exe
708	Lfkaag32.exe
1824	Liimncmf.exe
4560	Lmdina32.exe
5004	Lbabgh32.exe
4280	Lmgfda32.exe
2912	Lpebpm32.exe
868	Ldanqkki.exe
1456	Lebkhc32.exe
2772	Lllcen32.exe
4948	Mdckfk32.exe
376	Mgagbf32.exe
5048	Mmlpoqpg.exe
3920	Mdehlk32.exe
1756	Mgddhf32.exe
4808	Mmnldp32.exe
2900	Mplhql32.exe
2564	Mckemg32.exe
2084	Meiaib32.exe
4632	Mdjagjco.exe
4108	Mgimcebb.exe
3624	Melnob32.exe
3332	Migjoaaf.exe
1620	Menjdbgj.exe
5016	Mnebeogl.exe
1724	Mlhbal32.exe
1904	Ncbknfed.exe
4912	Nilcjp32.exe
3352	Npfkgjdn.exe
4316	Ngpccdlj.exe
3212	Nebdoa32.exe
652	Nnjlpo32.exe
1472	Nphhmj32.exe
976	Ncfdie32.exe
2960	Ngbpidjh.exe
4212	Njqmepik.exe
3236	Nnlhfn32.exe
2864	Npjebj32.exe
4272	Ngdmod32.exe
1644	Nfgmjqop.exe
840	Nlaegk32.exe
4528	Ndhmhh32.exe
3356	Nggjdc32.exe
5012	Nfjjppmm.exe
1404	Nnqbanmo.exe
3140	Ocnjidkf.exe
2856	Olfobjbg.exe
2332	Odmgcgbi.exe
4836	Ogkcpbam.exe
2360	Opdghh32.exe
3476	Onhhamgg.exe
1660	Odapnf32.exe
4320	Ogpmjb32.exe
4444	Olmeci32.exe
3716	Oddmdf32.exe
3088	Ofeilobp.exe
716	Pnlaml32.exe
3232	Pqknig32.exe
720	Pfhfan32.exe
1000	Pnonbk32.exe
744	Pdifoehl.exe
4240	Pclgkb32.exe
1720	Pfjcgn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Codqon32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pfaigm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5836	3944	WerFault.exe	208

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 668	5040	063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1.exe	83
PID 5040 wrote to memory of 668	5040	063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1.exe	83
PID 5040 wrote to memory of 668	5040	063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1.exe	83
PID 668 wrote to memory of 2568	668	Lmbmibhb.exe	84
PID 668 wrote to memory of 2568	668	Lmbmibhb.exe	84
PID 668 wrote to memory of 2568	668	Lmbmibhb.exe	84
PID 2568 wrote to memory of 708	2568	Lpqiemge.exe	85
PID 2568 wrote to memory of 708	2568	Lpqiemge.exe	85
PID 2568 wrote to memory of 708	2568	Lpqiemge.exe	85
PID 708 wrote to memory of 1824	708	Lfkaag32.exe	86
PID 708 wrote to memory of 1824	708	Lfkaag32.exe	86
PID 708 wrote to memory of 1824	708	Lfkaag32.exe	86
PID 1824 wrote to memory of 4560	1824	Liimncmf.exe	87
PID 1824 wrote to memory of 4560	1824	Liimncmf.exe	87
PID 1824 wrote to memory of 4560	1824	Liimncmf.exe	87
PID 4560 wrote to memory of 5004	4560	Lmdina32.exe	88
PID 4560 wrote to memory of 5004	4560	Lmdina32.exe	88
PID 4560 wrote to memory of 5004	4560	Lmdina32.exe	88
PID 5004 wrote to memory of 4280	5004	Lbabgh32.exe	89
PID 5004 wrote to memory of 4280	5004	Lbabgh32.exe	89
PID 5004 wrote to memory of 4280	5004	Lbabgh32.exe	89
PID 4280 wrote to memory of 2912	4280	Lmgfda32.exe	90
PID 4280 wrote to memory of 2912	4280	Lmgfda32.exe	90
PID 4280 wrote to memory of 2912	4280	Lmgfda32.exe	90
PID 2912 wrote to memory of 868	2912	Lpebpm32.exe	91
PID 2912 wrote to memory of 868	2912	Lpebpm32.exe	91
PID 2912 wrote to memory of 868	2912	Lpebpm32.exe	91
PID 868 wrote to memory of 1456	868	Ldanqkki.exe	92
PID 868 wrote to memory of 1456	868	Ldanqkki.exe	92
PID 868 wrote to memory of 1456	868	Ldanqkki.exe	92
PID 1456 wrote to memory of 2772	1456	Lebkhc32.exe	93
PID 1456 wrote to memory of 2772	1456	Lebkhc32.exe	93
PID 1456 wrote to memory of 2772	1456	Lebkhc32.exe	93
PID 2772 wrote to memory of 4948	2772	Lllcen32.exe	94
PID 2772 wrote to memory of 4948	2772	Lllcen32.exe	94
PID 2772 wrote to memory of 4948	2772	Lllcen32.exe	94
PID 4948 wrote to memory of 376	4948	Mdckfk32.exe	95
PID 4948 wrote to memory of 376	4948	Mdckfk32.exe	95
PID 4948 wrote to memory of 376	4948	Mdckfk32.exe	95
PID 376 wrote to memory of 5048	376	Mgagbf32.exe	97
PID 376 wrote to memory of 5048	376	Mgagbf32.exe	97
PID 376 wrote to memory of 5048	376	Mgagbf32.exe	97
PID 5048 wrote to memory of 3920	5048	Mmlpoqpg.exe	98
PID 5048 wrote to memory of 3920	5048	Mmlpoqpg.exe	98
PID 5048 wrote to memory of 3920	5048	Mmlpoqpg.exe	98
PID 3920 wrote to memory of 1756	3920	Mdehlk32.exe	99
PID 3920 wrote to memory of 1756	3920	Mdehlk32.exe	99
PID 3920 wrote to memory of 1756	3920	Mdehlk32.exe	99
PID 1756 wrote to memory of 4808	1756	Mgddhf32.exe	101
PID 1756 wrote to memory of 4808	1756	Mgddhf32.exe	101
PID 1756 wrote to memory of 4808	1756	Mgddhf32.exe	101
PID 4808 wrote to memory of 2900	4808	Mmnldp32.exe	102
PID 4808 wrote to memory of 2900	4808	Mmnldp32.exe	102
PID 4808 wrote to memory of 2900	4808	Mmnldp32.exe	102
PID 2900 wrote to memory of 2564	2900	Mplhql32.exe	103
PID 2900 wrote to memory of 2564	2900	Mplhql32.exe	103
PID 2900 wrote to memory of 2564	2900	Mplhql32.exe	103
PID 2564 wrote to memory of 2084	2564	Mckemg32.exe	104
PID 2564 wrote to memory of 2084	2564	Mckemg32.exe	104
PID 2564 wrote to memory of 2084	2564	Mckemg32.exe	104
PID 2084 wrote to memory of 4632	2084	Meiaib32.exe	105
PID 2084 wrote to memory of 4632	2084	Meiaib32.exe	105
PID 2084 wrote to memory of 4632	2084	Meiaib32.exe	105
PID 4632 wrote to memory of 4108	4632	Mdjagjco.exe	107

C:\Users\Admin\AppData\Local\Temp\063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1.exe
"C:\Users\Admin\AppData\Local\Temp\063f61a32674f5bd085a639ade8fef11d2255f29da3683de86d3c50515417af1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\Lmbmibhb.exe
  C:\Windows\system32\Lmbmibhb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\Lpqiemge.exe
    C:\Windows\system32\Lpqiemge.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\Lfkaag32.exe
      C:\Windows\system32\Lfkaag32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        24⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        38⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        62⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        70⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        88⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        90⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        92⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        104⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 404
        125⤵
        Program crash
        
        PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3944 -ip 3944
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
06f476533738e8e8c6bdd93ec71da303

SHA1
22040621e110548ddeca3b77be9bf10a5edcfead

SHA256
967ab890d133708af43755df15c8efb0d9babfc63f3664bc7c8df295bd8440b6

SHA512
5067b3a5a7d79801df2d1dfb9fc259d95573d245e7adbdbd5e821750dec7d2707bfbfcbc86d5d694f5cbb23985435f7e2d7db77df755dd10aafdb8bc40f778a0

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
96KB

MD5
1df4acffc85ce537075470e349299218

SHA1
78aa250ef897dc62a628fbbaf397e0de63ba64da

SHA256
be79c59625ab5a74d45575ee3d5635d22ccac459b070af22dcda572c361e0506

SHA512
995bb6a50c0a28bb85be737fc7f7297a0f6e772215a71d88387d8f04aafddcbe8a8128cd5161ee4aac7a790fd3217563282c2f0b85cd6efdf60994bd47921e9e

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
1a095eee1f9ceb544c1f9b387b9d71bd

SHA1
0958da496db0ac4a6c3c6332a900831263825172

SHA256
a1429c6332c699be1cf81fb0c41d621e352f97ad780e0f4e9f7d5e9cbdf7a30d

SHA512
7f769b6ed1eb08d12a64bb793db6f7284d94893f34cf0c8a234450f8103a5ab7ef243027e877af38fb4f896823cafb65a154d633eeb25a1a4d5ba3b9d8601093

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
e6f4e7bde3fc5c52844490de51546ef1

SHA1
68356cdbdf0ae5ee3f2219b9bcd345d729708cf7

SHA256
0e1479dd2123644857b9187f1ee4780c8cc851057eaeb2b8a2fa1a6374e3f5ea

SHA512
6cb04fdcd8bd4c0afe67f1245d0c2cbca6ed78391583a2800d5011bd72ad1407ccafebe9abcd3930c6370a5d5a6991ffe926273286bd5b23caa9513324121c11

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
636e175b935b98fcbc177ec3f7127305

SHA1
180eb9854bd36df0fecae8fe23369e4120fe6505

SHA256
7e008fa263c5e57065a1c12886bf901d7b1caace7ceec1bf7a457bd5dbcd3e4e

SHA512
5126d3e908caadc00814aaa4b3f80f6c1e7333bfff0a635f4994bd6c00c9c83155e7ea3337386a224928bdac1542c6ebe7b7105b75b84b899c7d75c2af81be69

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
845f38210d6a229a81b997da9a3260a0

SHA1
b185951789fde56fbdf8c344bb2a70805312a067

SHA256
13dadc68e883ea88f3366cc6f643abb7f9739159786f5d868d4c9a0f6ccff38b

SHA512
4d699b1fa5ec97a4ec2ff721398dea180eb99d57176ec7bc3fb195688cdc2c3586425a8e6ec11347530db4eae30c2bc5e26f6da163823cd9283547099e6da14d

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
ca2b93ecedf1a158d7ae57a1f102a519

SHA1
41a22c0f0cd89e6f8af825f744aaa0a343605985

SHA256
00072ba199ecd70e7a4acfd750bc3d3e90e40f94ae8c716583c4bfc602c3eafe

SHA512
e762986db9f76cd9e8882f87f0f85a22e33046609fc55da8d5fddaebf0a36f0466fc25e7ae8547f51766e9287ef5faa29e8922e9c08419763f02b98faf5932c3

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
96KB

MD5
979a0c774765509f2524822685701963

SHA1
6c6f612fa0c40f80509422542c4e1c7c8685c8e2

SHA256
d02e2683c8c69b45d7a7f3230ad63f5ba0603eaab86592ffbf2981b557ce9cd5

SHA512
6d9002a47450825d7b02372a2dc2ce6b1d25265ed311d97d03a15492e563c8272ce763a8535125c1fcdacbcb82419f7c38e51f5375e14ee85b5da45045c48bc0

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
6e46cd689a9dc0ae4d514c424e639a17

SHA1
f35a50cef3f66e93c60608e4df0800c4b7095f15

SHA256
e965c6f201d8ab8259f2cbfa84bab63f918168f559fa6a4e6f09864bc18a5cd9

SHA512
37ac838dc4a3d5fade4b114a38f9e265f03d20de7a607c381ac0bfc5be15bfb8e3f60448ebe0e008c59d2e5dd310b3021ba09e15c3d882e5791632e5e2f83569

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
b0ddc2097f5a007da9bfe3207e6b67bb

SHA1
a86dd706328b1e14be6a5a8f6dbb30409d8ef146

SHA256
4c0fcd7037690830b1d43e063110baed65d423cef1918d6b8b848d85a275c057

SHA512
56ede9e7182ad08d4fe077d170d8a819dd193a81fa8455a03615ce579af11a322ca9e2cc90113f081b6851923a9ec4f1a44689937938af6fc2048a3a1d552a77

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
36adf58c9b6ba3be8a5afe1ad880cb1a

SHA1
aaf6e0a72aa1351b1eef092614063b21023e0fb7

SHA256
545edf6687aa0b933755650befb691d10d236e3d7a6be0a049dd8f5e4df00843

SHA512
22bd265d8efbcf504e6b3d54dd031fa9993281eaf7451b78eaf2c165129ddaa4091973ad8f95481f2a6d8822b7a8184d19f913d78afd188f3650a6cfe4468d49

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
8b7d66c7165b615e248e55c2eb6f3833

SHA1
9ea7a9ebfbd016d4b848a713894eace7ea8cc19b

SHA256
84f1799c1972bf802372dcc402ab6960b41c152c5caf9115d716415d8104307a

SHA512
db0c4465fe1438b38dc518c47a394c6d135df1607b7b441056a9f56c343c271d17e15df0c9a396d8e68d7fd2051bb8160bc03001314c17f1f4a11be4d8fa5da1

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
41f9cb86b35163ce319efc07ac78d3b7

SHA1
d5d260ae9f132abfa240b16cbf854d725a4079d8

SHA256
98cab4ce1103f0f0a2af5bf61b6dbe8d847be3012b315d76f551dd3adbd960ff

SHA512
b8992615df322114797712af0c21c7f3448fc42df13505f668356d578e3b04c965a948e896b1cc579017eff2c9943073e2dca2f9492fd394c6f8a4f91822869b

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
f468d35afac5254b70976444f1fba64d

SHA1
c73db6eb704d363e2b14e53015e66dd66aaba5e5

SHA256
15f976585b68faf060a421c6857caffa1cd34d080f6d4050f58794763e766fb7

SHA512
eda88fff05344c49861b04fb97dde9bb25878ffbaa73861a4e2af64a53a5c854f7286a21261d9f08b0b228f232679b6902acd08f40090a5a29d71c1b3688e09a

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
4ec830b991b6990350d6bdc59d499d21

SHA1
bddb7d700a9b7d314eeb4c167f1cb14a75b50659

SHA256
ac92c41e03232647a28942c1835cd1aa55ce5e7b65620e6fed549c43f7dbe4de

SHA512
b6a5a7aaef31f105ee29b7839c6d02cf2ba8005b5b6b5f0eec72e8fe18b3beca0084ffd693599cb0e468e8ec229ce55d86376fe8b9e81d526e2818dfce9d2a53

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
96KB

MD5
45a6124428c70dfad66520dc19cb7107

SHA1
a6b6af916785e8466ee57e0fe4d7125bc35ff936

SHA256
671ce72c022244284eb60e471b8f2f2ebeca3aff05c2b4190b80b04315ed162a

SHA512
3460a55ba8f036b41d46bbb974f1771493e5bd4a7818e59f57ebf0d6b090bd6f82a5f6e6a5b18a1a46456a4f83943ed249041aec36c7d6074d3ce0a66c7e63ed

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
66833275ce0a88e8ace4cd0293bf46ff

SHA1
95d5966e92c33be9026604fd660aa9d5866961bd

SHA256
bd85431a6480f643240fa8b784c8768a8789f186e4b7bacb26c6b266151b7bb6

SHA512
4e08b4d24947c233455f143533cfe56af00cc5c6cdf3d8c885148530ab38de1deb639d4465b7382b18a284580998b36fa56743edd4db7d519bed4500f6f2f09c

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
c8cd2422a0fa3c513cec3a8eedb5cf03

SHA1
31dcf6946ab5c1176ad66a875a0e399f7f16612a

SHA256
85e41a91d0aa3d05daa61a56835ed62d3038b532800be6a7776ce06d92b31fca

SHA512
9befabf94223a3b5d0ee177155a87e1f560d75324ce031303713a9e975b26ecc365e2f0df064ba56555dfe7de7aec60ccaf5140afc149688cb0ba845b40e5baf

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
ff97d0567184113befcdc507e9e98243

SHA1
b086995f7a9abd350ae2c7bdc5232f11239b7fc2

SHA256
07e974d0f5a8b80942bebb2978cbadb8451bee114a9249100070988bd777d782

SHA512
5138985cb2b6db1edaa2b887c158cde9b1b43d37b3b90e2eddde78f275d89867b6f971930b32ca2a4cf1597854ed552331e57594516ec6af224f1f5a673379f0

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
0e18bf985c241cdd722f49650c49ec3e

SHA1
1f09b33747b514e85dad1348a330f062e177a312

SHA256
3cb244d64b7dcfcbd0edcdb08100143d7e56b73810b65d1de713c7490fcdff1c

SHA512
1949c8f586359050b27212156beba60d6e9f831767c10151627ab21eea6eb6843e3922840233df935b0e447faf615898c0cd32ad104672fa966d6e8d9837bfaf

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
2e3fffa101c669746fd5c5b94d357512

SHA1
f8589c74ca0d9763e11a5ed383acbe3308d075f4

SHA256
280e25729129d4b57dc07589607acb5b79a83dc94cdf25d8efd8faa55f927afa

SHA512
dda6e5338ef3d7f726c472fbbf3f8baa0b2e657a6e2144bce938ca35ebab3f4a87f6a2dd1e6599d01d7ff4e8bc2a7cd4f899f33f69178753693d4283041ab65b

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
271905e7172b828bd81813d606645347

SHA1
452c1f33a2d575c27f3d74385c84e627d8d0c337

SHA256
0d3a171bb30c7543f5444b5c0e09d8a674418e7bb76226f0e899cf153c0461cf

SHA512
ae5bb9637448e742c295e2e58cc7009322217e73f56fb3fbc80f6e6c1bfcafee44feb32904a149ba5ae75d2c040b20a2c623dedcf5b5a9771787a84589e6c56f

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
96KB

MD5
3f4f7848e0ef906d379d974d76d19dd3

SHA1
18e9e5f94756463b91c1ba25b8b0b45b64e3554e

SHA256
9eab5d43cfeaad746741272658542f099ca9dce97bf4fd0fa238444c1a6ebc02

SHA512
f69ce02f88f6f657778ab45dee3b81339efe5b94511f7146ef68f0ef06fd0d12720fe000a54495e2692e2a5e3ab7d1ef3e32ef972c890d3e30fcf1033724dc66

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
ce7e4bcaaf5dbf49e3a4f0047c03bed5

SHA1
a96707b23e6a0dd25186dff1f276c1f1ea5adba2

SHA256
ef909751c8218aae5b2afcc7c202e878679e22ff6c4d7f976e970ad7b0c6383a

SHA512
7bcf06d560fc40bfde879b405b4407ba1eab1c48404dca593d2f52a2346b5c9b0f9f8255b0972a50fdb6a55e3940b28a3f7994413756911e1e3e82a34753c3a4

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
e3aa4acd493df7fa426073c0ecb6936e

SHA1
6d2d003022f911bc34ecac99c383c51a092813a0

SHA256
f48823301a2b5b70bda318ab416f8ee2330c16f17e5ddef0e9c8811f562c48ad

SHA512
2e16f0738fc0791ddb08b6ebc190398bc107963ec15cca40a8a6b54ab9fb38a2ef57ccc2e1c64e3791ef81622c7b7b5af3c670fa27a0812f8c83f0b5aa8c47e1

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
086fe421f4dffe539c89b9500ccde682

SHA1
f8404bcc778a4247415c61fa14915bdae8f7e048

SHA256
4643cd85cd82b804b5880244bbded7207550873af43ae6c3e115141a91ec934c

SHA512
8eadd8839444591f9b3a1a66d52b4739647e833cef46434123c46a6fe40dad56470541ce3e7396e68d153a3cf7a614480fe96e5f8669b256d0af3d29397aebb0

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
dd9a12bb93074b6ecebcede833a9778d

SHA1
0c102d4d7524acb31059f48b5af343091bd2fbbe

SHA256
f1f0c3998571c32e8969d6a13a06c97a6b96bae457a6f58d8da1e166ea2776af

SHA512
6ba40d314ca6fd85300278ac2535136868236e0fbae1422fe69a3affbf3647d1c9cc1ac332a083383eecc8d3da72a80c741e11611b1a52d5784109fdfe18d8fe

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
96KB

MD5
2170b175164d48c60eeed2ee3f3b0273

SHA1
ab415039a7ce1a0faa11fe306fc119911539b31a

SHA256
e8763f28da1a3d46870279521abace50390e13030118a4910eb17e70d66a6b28

SHA512
ba2fe3906c03ef1ed59e5aab9e967414228d8afceefc3d2ddaf2aac42ea1cb6f632e77e0ead9efeae9c82ad9e7b7ad575be3c7c7eefbad4defc1c2022446c4b5

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
3e4edac1cfad398f675030cc60432769

SHA1
fd2e9f261947596845ce29b3a8e6c43f957067ad

SHA256
80eacd88bf2db7563dbc0d2c635148c55b0de58ab4b1038aa166f504391eaf3e

SHA512
ffba9de95b6bd66d6426921e08e3097aa4eea4ffb92259d57924c8a5081154dc725ca034cbae7f518d0d73800acf8b87980c7a13c6b31ffbdd4b440b0744c5cf

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
e1b3518b7ced336a334484b4154ebb26

SHA1
8e2febf6aa729a5a50a8b01e035fa795aa0531b7

SHA256
72d7ec250879165a8f7d9edee5f9ca231ef020eef13812b2b3b4dee9fd0aae4e

SHA512
e0dab75d4c6ecb0d90499bbdb79d374799acbaef54377404a62b83e2cea365e5d16880fa847c9f7f7db79e688c123e36c399b065dabb941cd8fc74a1e9f62069

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
f80a2d27ac6d0e1ba96f0488f0d958bc

SHA1
ce4183d2f3ad50066740ec6598137272d6fdabad

SHA256
006f9455d1e804db62c3beeee4647f38b4bd5ef729afcb5f57a6c6b338da1732

SHA512
30a598c9977f757155adba7ce0ed062f433c6fcef9b5d7c3abd87a0707a435d378d21ac4cff2bf149a81d09621a15e790e3cb8953fc93e4798699b37d41cac3b

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
96KB

MD5
684964ac91e1d42ad4577c60b1751da4

SHA1
897c96a240d98023680ccf85e8b3dbf829a732b9

SHA256
d420a0f454ffb45d2ca4e2fb333544c122ebb991868207c5ba14eb4e09db7f3c

SHA512
4bda5156b2ad866346d8c872f587d3489a668490f2d2564aeffa0fac060998d2a06b106a36d910a0c4e362d3e8231c382a7e0340f7b3c97b4879e1f433818c69

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
96KB

MD5
64c0838cf020a4104852908d73d5b8f8

SHA1
8f8be7f0a23df33c567cc6525c3ed5b4438f336a

SHA256
a42b85adce532a209105845d7dff6ab8b3e0bb9c98a6068a28fe180fd84d00fd

SHA512
c35cd4ad4494b118a54b7f88bb5bdd3157b81564711f4e1ff0020c24b752cafe884917526ce6962a60d372c56fbf023b0c4858abc73127d89850ee7f12f00a31

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
96KB

MD5
8a40c4f087f9a48eabbeee307b4ffd3f

SHA1
cc0806adf01e14516b8f19f8550002b4c25aa1ef

SHA256
214d0395c75b7b6f19721a82563b258cb245af5d8fdbe40dc4653b606927bb31

SHA512
52416d5960894f6a294e507cd10dd1dddd26b0ca4a0e7f86e97fabce2b65872c3083dfaea3eeee7971a907cd3b0e36a0b7fdeeafe66a00cb924cfb8a142aea28

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
96KB

MD5
3e8e0e81646280db41c807d4d1fd3076

SHA1
c49a5598ee010bcb2d0bd31d61358c4cb1f2b9b5

SHA256
3974f0da58c9c795c01e74c0b7c6f35c1877841b25d69334c213664b77f99b3f

SHA512
8aa07a792bbe5505bff0781c4ae46b329c515b3f844736d7cec44e259ea64c4f8da534d948dfba801898eefcfd425dd48c40ff16060f96c9175935b211ced385

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
96KB

MD5
c4dc3f750f0f8e927cb1e2528b4efbdf

SHA1
97e8b225451c720c008e90c00f815dbb2291e622

SHA256
180fe208a35d48b009be4923a0fd06cff84b761a1790bc73bd72cd8e28a3ff07

SHA512
859b8317e7185f66f3232959d7b59340108b3dfdce0bdeb778728e5d33e114d7e8fb50d2a130e8013cf80018e6813a7c34508a79dfec0f380f19318eac97d2e3

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
1a80991ffe5b82f6392f2f1ffc44e068

SHA1
59702372db128b8af07f7a9597926bcab8a5fed7

SHA256
0b8b8549c86815c107733ba0243a7d114bc85335426d37518e9e59a872e5c4eb

SHA512
4b34e56e6abd6b540e8468441aa88ab0102fedb44f88708cce1f1bdbd1e941536a43d5745fdbfe6fa9560c9c070040c2ce58cae8f5a344ece15cace04f3f3062

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
8b81c03bbc9b75b4700808279ed4595f

SHA1
33820e15ac6a59484071a75db0c1d0454b66ef8f

SHA256
000e20d37c87e2ccb516716ff6cf4ce7b377250e2f251b22549aa58392afd380

SHA512
11067f26f92032b25b204097dd7df300d342bb1cea2eae1ce06db6ace1e88d63e059ad4bf431c9b164e6cca037339b5b5636b4b867c2e67264fe637306cf34e0

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
1321561c13cb1ffe6c8cb916c107307d

SHA1
10cb76c5166fffb908a3e4ac153ab8c87b270ab4

SHA256
64a06e514668ae973db61d7d7911fccdd1555ca2dd16da786e6e013b4d45a074

SHA512
7fc8fb12245498f6f7083b7b38981d532e36cc02b8ccbad4c4bd6ded7ba5ab704319da14baaff94d47c045f552434908d036002930df33c2e27f6e21ed84bc24

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
c6bbbdb414ac4f0eb55972dbdf224a22

SHA1
e0709c680bd05bae24bff584e27b076d3f54506e

SHA256
9ce0ae71f8bf1194da885761eeb89892f7f4f4a7eea29a92aa571572f0524d42

SHA512
b05abc33478506f0c757d0b39b28626726de015129504de03fc6c41779f4b98aee4a61e5936e4fc86bd425215602fe83582ee158c01282f57436b42c14ad18e4

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
ec687c3b7c4e81ceab4bd3fef8bc323d

SHA1
a1feaf703e190d520e454294ea21c289c7bd48b4

SHA256
03872123cafed5f5c42beeda230e156f1924131956c01ebbe08cd31bd41179d4

SHA512
017edecabf92358894aa87fd1dde8d9d4fbc34fc09d6fb6f0a200c6f7f840ca1324263d0399bc2d35a6dc104c9dbc80413c66fb63562a5fcc6316dae5ce015ae

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
418524c443bea1581f3f96376acc75a7

SHA1
96b1b49cfda1a5b3c00d21bd71fde7dca2409e0a

SHA256
921a21aee79abc251b054c5d24b0984fb0c6e801f2959f063fdbe7c3be9ede07

SHA512
003e16a926c9d830b82d4b5d6f4785693d7877e5d3ae133a0104085f1c8b9e618cc4772bbcb1239bd1fd9441689ce177b86f9d43b0095abe27ac2457b5f67e27

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
17d89820a05f1d4b0516db8a0cf6556f

SHA1
04da5c757265b5f28d5ea82349c3fb99a9b53772

SHA256
e8dfa93bc2ccfd559e56d96713f113830a0c459c352dd40be195279bc1c56710

SHA512
3d70bd4f8481fc8aaf982fd471d2cb7d5ae143430b40b278162c6a3f2bcf180c5dfab82edc88d41d7582f04c2592c6987105fa7e0ef15e1ffa597745737b8517

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
c4ad2a36ed2f24d122578ce96d44a9e4

SHA1
11a7248d382545c1fcd1aa71b53e3ec60855ec5a

SHA256
3f527989da50c3858833a1a0ae511d8e73d3fb5a4ab78ce4ca69a6dcd8412465

SHA512
9d15d85c19e8698cb79c9ecdfd5389171eb6259eb8b62073606cfff5b23b462fe8857135aedd03ecaa77615db820f866a40f80f918ea151779ab59a29e3f4884

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
a135d4fd7d2ddb7b2acda832e43aa13b

SHA1
c0bbfe6a9483556e4272732b6e2f98d954d78c67

SHA256
8c19dcdcb25c60ca617200e272f7eb145ee3b6231c91900c4aaebbcbfa89d02e

SHA512
401b43859953481215362130403361014f3ea18751c3b0505aee8f360ea334b4b9ed5226ddc62d038b77a0c8ac6011ef70685ce59101db2ee011b16491ed4d54

Download Submit
memory/376-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/652-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/668-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/668-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/708-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/708-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/720-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/744-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/840-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/976-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1000-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1228-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1352-504-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1376-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1404-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1456-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1472-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1620-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1644-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-479-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1716-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1756-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1760-560-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-515-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2084-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2284-513-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2332-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2564-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2772-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2864-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2912-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3212-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3236-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3332-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3352-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3476-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3532-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3716-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3920-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-591-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4108-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4212-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4240-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4280-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4280-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4328-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4364-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4528-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-541-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-567-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4912-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4972-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-588-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5012-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5040-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5040-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5040-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5048-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads