8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b

Analysis

max time kernel
96s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe
Size

115KB
MD5

860575d37d483b61859283a4d5be70da
SHA1

0afa8f40bfdbd1472e9e97c0ec3344ff13ef54d4
SHA256

8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b
SHA512

ae306e85f6a2afc6d27f05cdafd4af66ee684779da1b6759d1a316a7a361b30b0c1d7eec9b07f1170bbc897a6f05145fcade6bba3ec16b000a633712a3d320da
SSDEEP

3072:g0RtqHWjADrnMWSGRC5dbrIR/SoQUP5u30KqTKr4:HqTfnMWSGA5hrIooQUPoDqTKE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe

Executes dropped EXE 64 IoCs

pid	Process
2836	Klqcioba.exe
3424	Kdgljmcd.exe
2064	Leihbeib.exe
3528	Lpnlpnih.exe
4976	Ldjhpl32.exe
3556	Ligqhc32.exe
4848	Llemdo32.exe
4820	Lenamdem.exe
396	Llgjjnlj.exe
2032	Lbabgh32.exe
1512	Likjcbkc.exe
540	Lljfpnjg.exe
3676	Lbdolh32.exe
4612	Lebkhc32.exe
1992	Lllcen32.exe
4648	Mdckfk32.exe
1624	Medgncoe.exe
2796	Mmlpoqpg.exe
868	Mpjlklok.exe
2380	Megdccmb.exe
856	Mmnldp32.exe
3396	Mckemg32.exe
2816	Mmpijp32.exe
4312	Mgimcebb.exe
2944	Mmbfpp32.exe
2096	Mpablkhc.exe
4168	Mgkjhe32.exe
4760	Mlhbal32.exe
4240	Nilcjp32.exe
3892	Ndaggimg.exe
3608	Nlmllkja.exe
1808	Ndcdmikd.exe
4420	Neeqea32.exe
4944	Nloiakho.exe
4516	Ndfqbhia.exe
3572	Ngdmod32.exe
3980	Nnneknob.exe
2044	Npmagine.exe
2972	Nggjdc32.exe
4468	Olcbmj32.exe
1476	Odkjng32.exe
3236	Ogifjcdp.exe
4052	Oncofm32.exe
1212	Opakbi32.exe
4176	Ocpgod32.exe
1488	Ofnckp32.exe
1220	Ojjolnaq.exe
3964	Opdghh32.exe
2664	Ofqpqo32.exe
1468	Oqfdnhfk.exe
1900	Onjegled.exe
2852	Oddmdf32.exe
4252	Ocgmpccl.exe
3508	Pmoahijl.exe
1296	Pcijeb32.exe
4016	Pjcbbmif.exe
2560	Pjeoglgc.exe
1572	Pqpgdfnp.exe
1924	Pcncpbmd.exe
3092	Pflplnlg.exe
4920	Pncgmkmj.exe
2976	Pqbdjfln.exe
4480	Pfolbmje.exe
2000	Pmidog32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lebkhc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5708	5564	WerFault.exe	212

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 2836	3748	8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe	84
PID 3748 wrote to memory of 2836	3748	8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe	84
PID 3748 wrote to memory of 2836	3748	8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe	84
PID 2836 wrote to memory of 3424	2836	Klqcioba.exe	86
PID 2836 wrote to memory of 3424	2836	Klqcioba.exe	86
PID 2836 wrote to memory of 3424	2836	Klqcioba.exe	86
PID 3424 wrote to memory of 2064	3424	Kdgljmcd.exe	87
PID 3424 wrote to memory of 2064	3424	Kdgljmcd.exe	87
PID 3424 wrote to memory of 2064	3424	Kdgljmcd.exe	87
PID 2064 wrote to memory of 3528	2064	Leihbeib.exe	88
PID 2064 wrote to memory of 3528	2064	Leihbeib.exe	88
PID 2064 wrote to memory of 3528	2064	Leihbeib.exe	88
PID 3528 wrote to memory of 4976	3528	Lpnlpnih.exe	89
PID 3528 wrote to memory of 4976	3528	Lpnlpnih.exe	89
PID 3528 wrote to memory of 4976	3528	Lpnlpnih.exe	89
PID 4976 wrote to memory of 3556	4976	Ldjhpl32.exe	91
PID 4976 wrote to memory of 3556	4976	Ldjhpl32.exe	91
PID 4976 wrote to memory of 3556	4976	Ldjhpl32.exe	91
PID 3556 wrote to memory of 4848	3556	Ligqhc32.exe	92
PID 3556 wrote to memory of 4848	3556	Ligqhc32.exe	92
PID 3556 wrote to memory of 4848	3556	Ligqhc32.exe	92
PID 4848 wrote to memory of 4820	4848	Llemdo32.exe	93
PID 4848 wrote to memory of 4820	4848	Llemdo32.exe	93
PID 4848 wrote to memory of 4820	4848	Llemdo32.exe	93
PID 4820 wrote to memory of 396	4820	Lenamdem.exe	94
PID 4820 wrote to memory of 396	4820	Lenamdem.exe	94
PID 4820 wrote to memory of 396	4820	Lenamdem.exe	94
PID 396 wrote to memory of 2032	396	Llgjjnlj.exe	95
PID 396 wrote to memory of 2032	396	Llgjjnlj.exe	95
PID 396 wrote to memory of 2032	396	Llgjjnlj.exe	95
PID 2032 wrote to memory of 1512	2032	Lbabgh32.exe	96
PID 2032 wrote to memory of 1512	2032	Lbabgh32.exe	96
PID 2032 wrote to memory of 1512	2032	Lbabgh32.exe	96
PID 1512 wrote to memory of 540	1512	Likjcbkc.exe	97
PID 1512 wrote to memory of 540	1512	Likjcbkc.exe	97
PID 1512 wrote to memory of 540	1512	Likjcbkc.exe	97
PID 540 wrote to memory of 3676	540	Lljfpnjg.exe	98
PID 540 wrote to memory of 3676	540	Lljfpnjg.exe	98
PID 540 wrote to memory of 3676	540	Lljfpnjg.exe	98
PID 3676 wrote to memory of 4612	3676	Lbdolh32.exe	99
PID 3676 wrote to memory of 4612	3676	Lbdolh32.exe	99
PID 3676 wrote to memory of 4612	3676	Lbdolh32.exe	99
PID 4612 wrote to memory of 1992	4612	Lebkhc32.exe	100
PID 4612 wrote to memory of 1992	4612	Lebkhc32.exe	100
PID 4612 wrote to memory of 1992	4612	Lebkhc32.exe	100
PID 1992 wrote to memory of 4648	1992	Lllcen32.exe	101
PID 1992 wrote to memory of 4648	1992	Lllcen32.exe	101
PID 1992 wrote to memory of 4648	1992	Lllcen32.exe	101
PID 4648 wrote to memory of 1624	4648	Mdckfk32.exe	102
PID 4648 wrote to memory of 1624	4648	Mdckfk32.exe	102
PID 4648 wrote to memory of 1624	4648	Mdckfk32.exe	102
PID 1624 wrote to memory of 2796	1624	Medgncoe.exe	103
PID 1624 wrote to memory of 2796	1624	Medgncoe.exe	103
PID 1624 wrote to memory of 2796	1624	Medgncoe.exe	103
PID 2796 wrote to memory of 868	2796	Mmlpoqpg.exe	104
PID 2796 wrote to memory of 868	2796	Mmlpoqpg.exe	104
PID 2796 wrote to memory of 868	2796	Mmlpoqpg.exe	104
PID 868 wrote to memory of 2380	868	Mpjlklok.exe	105
PID 868 wrote to memory of 2380	868	Mpjlklok.exe	105
PID 868 wrote to memory of 2380	868	Mpjlklok.exe	105
PID 2380 wrote to memory of 856	2380	Megdccmb.exe	106
PID 2380 wrote to memory of 856	2380	Megdccmb.exe	106
PID 2380 wrote to memory of 856	2380	Megdccmb.exe	106
PID 856 wrote to memory of 3396	856	Mmnldp32.exe	107

C:\Users\Admin\AppData\Local\Temp\8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe
"C:\Users\Admin\AppData\Local\Temp\8d7dfb4d3da236fd172be88c6c3b684a556ed2bec152a2d621954728946cb44b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\Klqcioba.exe
  C:\Windows\system32\Klqcioba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\Kdgljmcd.exe
    C:\Windows\system32\Kdgljmcd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\Leihbeib.exe
      C:\Windows\system32\Leihbeib.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
      - C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        27⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        61⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        64⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        68⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        69⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        77⤵
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3696
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        93⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        94⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        99⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        102⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        105⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        116⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        118⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        120⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        122⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        127⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        128⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 232
        129⤵
        Program crash
        
        PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5564 -ip 5564
1⤵
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amddjegd.exe

Filesize
115KB

MD5
578e568317ec70b52534cc7060a75c30

SHA1
1737a938593c59a32c08e9de4a20e4a8db2975ca

SHA256
b8fdb2c91ffe18967297378741a97f929a29187308b94ec98e1a725b981e0a37

SHA512
1160eeffa6c7dd83b623fd9168294a6445115bcdd2c562bb45e5bc8c3b956fe91d34d7eca23d812a6c84de65475a7420264e95176a5d4a14253aff00808d757b

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
115KB

MD5
4e1b44d131d0b6f82618d13d0139c752

SHA1
706b7e2a602c8a603544a8aed25d29900f1c49b5

SHA256
a2762e2d335e9a60dff4d0bc22afd607edd00796bef3a933157cb66eca484012

SHA512
e31b8c75b998c95ef16d571d614c46c122830ff811b581494a4dcfa5cdca9af87194bb6e26cbcf4588b88697ad4cabc2be4b639009cb28bf56428dd08e0b6228

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
115KB

MD5
e7c021ed03dac0f95180ba31d390de26

SHA1
d1388c9122eaa53454d71449cf3072a131600606

SHA256
998ed4b780e1169af74aba09095115a06c524354c0cac66f2975550953ffef28

SHA512
b47e3c0777c5129c8dd02dd681263a97871b1204633b0e04a40bdf9db9aee375c0feec5bc262e393bd9ceb79ac77cf097cbe74dd4669ff93d25b77d67f39a8c8

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
115KB

MD5
0496756d719bf7962df8c38c0efaf72c

SHA1
9e26595fe4c491a102242d860e19569759134bed

SHA256
3243ff7cb96ce929ddeef6cf6d6d92c3c16f06685a7fc7c1260bfa76c05da127

SHA512
b42ad269f2d119a9f0a280b749fbc1c10d42f0c9c07344d5a7599e853156fd455030b963dfb13cb255f4d2c0e2b94917ef75bec740ff8b95d830715511772f20

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
115KB

MD5
861c998002a35e37b99a1c3c1b4591ae

SHA1
62033334e786a65251bcdb89d9d545f94190af8f

SHA256
6c8aff21d1088be8520e1380e9a2417446b118189f23eacf290f9a2fae649ab4

SHA512
83b70b06fddc09a5f5aee802188fb7595d64959240c3ba7d304421a9e3c46b91e439c666e1ab2b3d82420ceb4efceb1e1cfc9138b1f1b40a755ddac2c9cf036a

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
115KB

MD5
085b1f4e07f8b54e340a0792c0950c54

SHA1
b37bc9615c4c32e9e0b72690edd86feac422b11f

SHA256
ba685715e3e80a67579211d24aa45430d9fea3754e13b17077456ee167c8e4f8

SHA512
34e2a14c52588f888e04c1bffab7db0bb56882c8e3b96f42a522538f15790bbda8c54ae8030be94be9ae95dac0182fdd116cd1cc0be7c581d3662b7011cf3f63

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
115KB

MD5
1c9550da7159509397978748c4303a40

SHA1
4684c35b8033e9f18ec8d39b638e7b306f9b6219

SHA256
904c9ec50394153f2e8a113d97905ac3f742967a89ec793c59915f74efb96f34

SHA512
0ddb598c4c79daf9e351159f1c0377a982951c756c96b4a994ee792e473207bc14dc52f948fb0dbc33fa641f904e8aa52644e9427b82d11063dd48cac6ae1f66

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
115KB

MD5
027de61411ccc9a8f54a9e22c0b404a6

SHA1
af7cfee797bf2f02679e11cb0cc80fda9ded2afc

SHA256
6af2636f7b6cdaca3677e28902a467aa4dea169932fa65c75874816a9ce3bc34

SHA512
98dee52e6630fb09988bb241e9b4c3ceebd93ed55683a8e88341b7d86907a33b90fe4616bfe166d46f3f169ed5904e263d38722b78c1dfd4601f63cdf20902b3

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
115KB

MD5
65049c2dbac5c86817ee17e350e1fa29

SHA1
3f1f495bfe650a7ef5590a9980cfaf844b7a7c1e

SHA256
78e2773578048d3b9a464e294f73de2e080d4057497ff8c04b071d17d35555be

SHA512
40970ceaff42cc322006e7ab0131e4dafbdd559f5ac00274ed748231e0b866b2cca9720b736c0314cc9992e97ff4b45fb578b4990f7e935c16ebbb4dbccbc424

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
115KB

MD5
95d80384aef7244605d84f932d7cc168

SHA1
874d2a2432adce58a6cec0c86af64a12b84f6095

SHA256
156137ceb88b00e3ec790af94e88b94c9c5bbf229bd12d4f5981447a84cf30a0

SHA512
b6dbeab177d4dd5bef51611820e5f9c648a9ed3ea6093f2009650ae82e6d2743939d7dce65dae4b910f4c993ed9e520ed3b645caaea427be94dac6e375b1cab0

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
115KB

MD5
dba4bf0f9512ac04a747782f2013f6f1

SHA1
fd2328f7805de685ff9619a67bb84048cfb10c9a

SHA256
d1a860db2589de5000cd3a47b630aad0f415ea435043a3256b9b940d4f12b25d

SHA512
3ee3673b79db55310ca12e25d7ef9ba271875594af4fff97164b6a2ff8bc4ce28bb6c8cef7f05ecc3f954dce8af90a9624fc48e282a8b95588575cd52093efa6

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
115KB

MD5
c2e5769d25da22fc63754462291b45fd

SHA1
39fbd47f374c001cfb4c74fb48db688ea2d4b3be

SHA256
ef4dfc58b708985d7864c8c126dce66864e2cf02c8c9ecb7d095a066ff2b8dc1

SHA512
65a4349c97ef861964e8225c43bdcd63b06fc6f91e1f8204239b5fe535273523f89deccf7394d8b58a0c369c2c29f3874c2cf80e46da2e6b767c27f23e9c28a7

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
115KB

MD5
b8915e0bf42c421fad3f953560d2a6a5

SHA1
36179c3aaf44848118177860e60de97d6a5dde01

SHA256
c6c03c08152c9e52c54fb3f23c51648c86905a84148e35ccff15f82bcdb2e865

SHA512
804d2c05f8e893b5596d0c73ba796c89a5b408f79caa393a9314653022fa4277fe29ce02128b9becdc14dda848e944589b405d0b8a962770b4e92e809e2ae932

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
115KB

MD5
eaa5ed8779fadf8d27cda1128fd1b435

SHA1
8765a542a5d9def226c7122f73e6d1280fb8a23c

SHA256
b79868199d504aaf504c5ce8574ce3ee979aa7ac8d886b33a34ccc6aff73bd41

SHA512
6c667d8898c40894ca23d7452fa94c2f78b78541d28e6b7e73fc4a631032ae042578e1c495e337fe17f195c12321057cdedc60a2e65bd1c5dbaa54b2d7a4e3de

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
115KB

MD5
f06ae7c0a26fde0b1243d53285638548

SHA1
a1e861e7dcab829619f753bf73e19220d2ec6c22

SHA256
dfdf546123f8e803e460259adb14cf2442370deae979b41a318a2e9a014debb1

SHA512
ff262bc6504420d610f11709579487f39e835b3dbd5b85b03a3067e45d8dca9afdfb50fc1ac4437f4417361cae42e787f659f62bbdc84c3aacecbecbe9550804

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
115KB

MD5
9deecb8e895a4f7ef7015814b056f600

SHA1
f88015a9c6e0112a0a6d21c07b639492e1410d7c

SHA256
23a807bcfec2fde50716f96db74158dc69f7652c16d683c738ee14c2e4ada73d

SHA512
92d4b22d063a821df846c6d60f35dc97ce3ea8023898e34f4c051860a6ba9a2f1607f8398a43708a8c2117250bf1b0aec460746cc6d973bbd0c46f289483ee68

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
115KB

MD5
cb6e779d35db68316b11c18cd0d36cef

SHA1
55873b39e2c05e0e95b6a67a5370964f63900039

SHA256
39e78a7b0b8a1fd7fd855727f12e79863f07e040d7aa56eb32c33e9f5f656472

SHA512
5e7c8423d776575ee768ab96d6d94d456cb3d46df5cb920f300253933d8129a344785a4e65369429d46def4a70f195bea50692b7a736cdab439b8af5f0367a28

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
115KB

MD5
ca0172d2d6100139b3a4ecd0e0fc425a

SHA1
825404aab690aa20510dc86ee70649b77c2a642e

SHA256
562fa62438ac43a1b6d35de52e2e00501e5b4bb62348334fc667c085ce56e18c

SHA512
b8b9f19376d98ea40db2766089d1a9deb180a7e79f649127e0e9947a17d0ff0f2598fe1a1fe950756ec38d2f270e2700f50e8d84c0f650c888b9290ace79eb3b

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
115KB

MD5
644a8f5f199ad858a9615980d4e89f57

SHA1
cc8bb964e7b3aef24237ef7c388452768a458c59

SHA256
15e4803994bd32746b7c3003ced9351d1ac5ddd5bb9ac25f1db1b07521d1ac75

SHA512
b5c7947ef74d90bbe06870df0f1e8df30f91a45a8069380919f3c6e1c59e1f80369a3e08fe8ef802522800095e84cbc954a26c241a6993fc50e34ebc9a1cd69f

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
115KB

MD5
b7c3e0204df62239a10c7ca2fd4b09de

SHA1
7ec4c110f1598c5f3fa042a04b71db4fe37d9a59

SHA256
11168f30c8de8c22f8094100dafa7c9c3b47edc329bc952f2d5366f2eca51498

SHA512
414c4ed4120fbc3fde63c62891dba63058666788ac793ec29928cd760c5e44e63fc82f089228d93d405bdf18b731ef1dfe00e8dc42852bf36825caaec2492983

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
115KB

MD5
e3a402daa31efea1b2d64fc1ab9f79f0

SHA1
e90d95c888141c8dae0b6bfc5d1c439c857514f6

SHA256
18e43bc2c4aaaf885c106e0c78e53e239bbf6a046166c8ecc8cd8ad57366f085

SHA512
fcb5f06db2b87b6fe1605cea39222a7ef47fcbf04c1dddc33d4522a2f2cbea5ca60a4e0230fdfbcc35e03197595d6a06f54b533e1dd9f21856b99921e85b90d4

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
115KB

MD5
36c37f5c5384595e3fbd8779a140ec7b

SHA1
83ba0062c7947ef418b053dce2629ef0b17c1f4e

SHA256
6192325fe0d28a96a86ea9b121cc877ad9a1b5e94d12a2cc5c3e0e1ae007270a

SHA512
55606f5c1f0ac0e18a3f44395c80dd989f860a5db1165419971c7f7e68332938a76cdd9018b58c8d5741551d13dcd89a309f1d3a46dc032f5bcc96ea3de046ec

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
115KB

MD5
07a61eda95196ac3e0685287a89ea936

SHA1
0061e8bf52ee14b1829f597aa0e1623c2eca63b1

SHA256
c02d193cd2a8738e4e7f736dd495c34edd656824f930d7b892ad3ed830db36b2

SHA512
8a14b851d807e49018bd3c56e875b08c5ae1621e4fe1970d3f2a7d3f7ba7fffdfc421898d86ea93073e307b21e3649ca8c56dedb203a833a80a1a55684e3c5ec

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
115KB

MD5
0c94caf626c56e7a6b0bcae65e1ea4f7

SHA1
32c30c97f9209d44cb8059dfb4fd4945c6905c86

SHA256
8137526aecdc81305138b1536941a0a1186bc4ba203d3484883130b4631e2725

SHA512
48b6788c66505f49ed8ac604eb5a7db267545a85217e98b2b7b1e6bcf492d3aca39c10dd14ec24888b36466a5497f47b0fbfcb6287a08a571a157cefc204f7d2

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
115KB

MD5
f2f32524aa204563d1e14e25f9eee2e3

SHA1
05daf01c85cb4856b03518edab3b51aa5b040576

SHA256
37620e07b1f4c201ebd176f13b78c0e6d360b27d9134e78746e8009de61e7de3

SHA512
5d54ad2ac1300d4174d5935467a64dd2d07aff26870aeaab303d2d59ab7e8816e0be4ae1d7322b9307fbb987fdba0e01a9e5cf52832b153d5d1ce47d62ebd0cf

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
115KB

MD5
50cd2649009e97272b1cfa4a706c0213

SHA1
77b2e5518f0b29c8f31128bee9fe502b123cf994

SHA256
a325f0f99ee0d77fe2195234fd062c9ff8875d40e9b4792cd5e94da42fb0cfc7

SHA512
226b64083b1f145785634e5d8467325c549023bf4ac4fecfa1c5ab18b90573e08a3b2e1935bf09fc4cddcbf178506d150a21b75584472c30e06e7c31758ba850

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
115KB

MD5
1582fa41deef64f9b100d0442d601325

SHA1
5305c5f040215b43a1c2441f95ff31405c7fdcbd

SHA256
1859ecec14595d6fa820cfdb9efd516366dd865a5c54e67b9045260d6fd20046

SHA512
3d84001eb5652d303a245fe1e49e9ac696229e0c28e402d252ab6794dbf2b111cf0ef5fed2c1a3a70e0aeffe92bf741b7e1502117cfce785cd11867f008f51b6

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
115KB

MD5
3e59e59de9d6171bc904cffa44770db7

SHA1
8fe28b9f7a997189b4ab001e9c4c66d7b7eb48f5

SHA256
7c163cacb9e444dd12333b76b5f303ec8bd5631036cc792c68efbe60776ebc89

SHA512
acfb6e1f0757ab536c332910e98d20dbbc2fc18f5bedb09a880618b1a71caf7df0f98301d89600fa9708d83a18ee74fc5fef71ebf93e13ae1b4aa3989e684482

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
115KB

MD5
ee8fed7e6989c10140aeeb56ad45812d

SHA1
91b2ae3ffabe97f340504de3ada4c17ce1e2b33c

SHA256
93c1ba088b0fbd3ed7d7945d3dba82df7caa458204c481c8efbd8b1d2d18fb52

SHA512
8349ad43c9cf0d732af93a18942da54f3e275735153b2b32a4680837e2ad86e7c0538ef293119757495a0a92ceb9f4083af85d9b76f94d4a89d2f82cdf94bc7f

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
115KB

MD5
8735a9fab5616d401a29be47c910c2ab

SHA1
f1d8182872ee5d5638790387fdef1372b584c0ff

SHA256
c18bf4ac0900686151677a79cc7f438a798f8d4b49bc241eae7352a16d43e94a

SHA512
81d2f77fb474aebc21c22ac1af11b2843146e642a245e1ded86ec5560b01bf234ac9bbe67c863061d3a65c56440d4a43c614107b8239f430a8f051b0a11d5688

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
115KB

MD5
f5335835da903da9e0a075e7a864e47e

SHA1
37f7846385908ec43630eaa37cbbb55353197c10

SHA256
d854bd53d10781ee61da28d0f162a3b8141e59d1d6fa1e21df47ecd0ede541e8

SHA512
fa537c2f8b2c056778f281fe86caf618827f684929e482bb2e7a13103adf011f47e2ab25b0252ea49511c59d886b067b822438928b32e0ec67de857e77067448

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
115KB

MD5
b42813c96aeadc638a1e2b5de6fd23fd

SHA1
17ba157d35222b2ac865f2ce6c4c1b0367441024

SHA256
0bd53cd2daa09f30f1b6fded7739be310f5caa4c450d3fe72eb9d5256dcca6bf

SHA512
b1dd57e6f7041b756007c74bfabe641394365d70eae0772e2560fdd54a672049de2f21b2f285f29016add81d33b29123f48618217ba9b1e000e612e30265d7fb

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
115KB

MD5
3355514fc6e2502ab22871dd50cee6c2

SHA1
9d258114b683f0c2e7d7bfabb74c9ab542e01a54

SHA256
8127ab026268a7e4c5f12de2b14e12675d00473c119a3d4b55ffc46eb14db9af

SHA512
676a0bdbf0a51a4c25d901a69752e0e5a8551e09dc6379ef63e0be90641dcb366c91239e0f8a340b45512cd4b9ca89fb093c7805cbe6e5052b5aad157ec93cb2

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
115KB

MD5
de9646320f8176095087c7393feb816a

SHA1
20acefb41035972bd92e1d954ad69035a2b41b0c

SHA256
294b334d249bf296d4b04ff54086da9f4df82f1dcc404c36da8b5ab99b82a79f

SHA512
5a76a9805a27fe8273c87df08779be3d06de596b05977e37cc33190ce82f8f79585b1e9ced8fe5d8ca951ee87b8ce5c678533d64dfdb5d83b71b389b3184b337

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
115KB

MD5
e23f48e05deba8fbe64374a09b9e09a3

SHA1
be489b9021bb807d577cdcb362e57ee32fde0c66

SHA256
a1ed83f7897d8aee4bbe032104d195623efbb464574492ffbffa0d827335883b

SHA512
6defc558b36b58199de91d03abfe41999eb0d092d6b6f82e64a85396d5240cb0c330f3664cdb2045b4cc1d00881c2290840cb1327d9286d1d3240edd4301ddb5

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
115KB

MD5
3d78aac7bb3a9719fc865b72434437fb

SHA1
067b29b6040e819ee23ef66d7d531a1e0fd099bb

SHA256
7d4248c0ab1e1fe1a854317b2a776e3169248b72b3fa627b84ae3cc004ba9c06

SHA512
155c6db4466341e0405f1fbdd37c563ee5fd16c8bfac7c5ada3af90d11a4f4db3776cec88d43c656e8e757b6fe07c4403b70605781095740356860af14c4352a

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
115KB

MD5
f2a26f4cdec068adef15b6b8bf58ebf7

SHA1
6fef01e03fe7020d1af75d523b6ed1a56bdb665e

SHA256
56fdf30c6b081586bfa96070d913ef31dd1d8e3d423cb1230b55ffe626d78d33

SHA512
5d3f95284c1fb0c0ccdc2270e4bed03bf200e9a27364a15f9b010ff9307645d11e1e4f89410b7ca8222bb08398a4053be40b58c785121b321782b712f36c8add

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
115KB

MD5
71af0c56df84bf04b2f2529faf1ea3d7

SHA1
d209fd4faa517de6f0aa89349db55975a970609d

SHA256
9e5c1ac33ae1ff66489d81f150de03f32f24301d8fd517e4b1a139f317e2b546

SHA512
c1db70785e5fe985df7979eaa1949d8f588bc48c7c48dd5802cbbb36ac85b4c12d4f4e63a9cd1059c2ce1efafc37e17a35a26274ae890d553333c2f1f95070f4

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
115KB

MD5
1d6f4c7ffb093d03708a1d69f93dcdbf

SHA1
5af1aa047cc3994d0e051bf8bc9f1932799a0552

SHA256
08654b4815fe1aac5f49520b9b1ef4a6236ff0062ae26788a41478ad2478d611

SHA512
2164490ca12ae7ab2c22dc149a473076507474eb61482e015dd87587081c1af779c53010fd95e0930e86dc4e4f12e23d8fb33d8541e9dd08e641a7e9060578c6

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
115KB

MD5
fa65a2127941a95d7c792acea96fdf5d

SHA1
7d2f16af978c63ba334c29d7da3241caf4fb9478

SHA256
150ff36675edda9442c53ddea8708de9d32cc07b645734872b9c402121b6411c

SHA512
054aae88c95f3636b1a54de689f3722baf8e260181ed89ec2d4b0506b0136f96a0d02c61ea243e9e636cd0e1e1b61ecd85dd352ba4915c837ab53d2107e8ca03

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
115KB

MD5
4b17b87499b6ec3d75e8db65918bcd3e

SHA1
e14bf656718e6edccad82e6be65328627ff4f094

SHA256
0ebb021ceb215d8492e9c26500cc425f7de851aa13e1270c98c4079dc7140760

SHA512
8cffb1d2dc6a0bfb724e82f173a8eff8f43a83a3c523201bcaef1436db5e1e949e442771735df004f91fda551497018f905ac6de4471f07fab16a33b17248ccd

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
115KB

MD5
86fae0972c13cce363eca53319353baf

SHA1
08e1c0fed950912007d49944f6ae5e55e1c33cc1

SHA256
7957cb8f44bf8f05df284e80380133c231e109813e8d1283c9a9e1c7b9da60cf

SHA512
012da3b08dd81a54b56ed1aab43ae8e2826ef4edad4abe3be524ebb170ede56a6fa96f9960b15b9f988f416344168ebe164fbbf00bc536aa338ec15588780bd1

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
115KB

MD5
b869e040231c578051a9088c3797a097

SHA1
7c095346e90b3bb80cbd490b463fb4c61a1cbf95

SHA256
0e6f414fe92461182d23ae5bb1d98fc77a7d9c0a36290148428e15494ac6dcb6

SHA512
41a221b38397ebcc5c1be46454863fb33fff9d3d907ff200a02e2cff71b67b3d1581442f6c7d6133cdc6838614690fc62ed214db9c30023069417bcb80c1a812

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
115KB

MD5
430c1f21ef57a0b54cb872bad4cb121d

SHA1
2e3b9fffb609f547aa3c2121aa2db6f2bbc38289

SHA256
0b5fbe795ecb2e7e5ff2475c721d56ade57a29ee50c6143f97a0de2321710419

SHA512
be1fd1bde19d2501e2f3e5b6124b0cd35ab0c2121a292d933f9bbba59019af71f1cc968a468e49b1d169305a821403df7a64345e78ce4a01b8dddaa9cee745bb

Download Submit
memory/224-468-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/364-528-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/400-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/540-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/856-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/868-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/980-508-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1208-567-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1212-329-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1296-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1468-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1476-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1512-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1572-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1624-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1808-257-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1836-547-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1900-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-420-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1992-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2000-450-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-81-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-456-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2044-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2064-560-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2064-25-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2096-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-541-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-522-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2380-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2560-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-462-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2664-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2692-585-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2720-474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2728-535-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-149-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2816-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3092-426-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3236-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3396-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-578-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3424-553-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3424-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3508-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3528-37-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3556-53-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3564-510-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3572-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3608-249-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3676-105-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-598-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3748-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3748-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3748-534-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3892-241-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3964-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3980-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3988-492-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4000-480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4052-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4168-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4176-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4240-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4252-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4308-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4312-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-557-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4400-591-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4420-263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4468-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-444-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4504-561-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4516-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4612-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4648-129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4760-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4820-593-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4820-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4828-503-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-586-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4920-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4944-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-573-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5064-516-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads