6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 22:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6.exe
Size

80KB
MD5

62af170a7529156c089b8bc54ee13bda
SHA1

a53cf7742f3ed18e6826bf86cd0d620df15f299f
SHA256

6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6
SHA512

6cc92793547fa52beb7f1ea3cd686e00787679edbd82c93f5b3e4f6787c9f5c972313689a7602b361689265d3a622e5e9b9f82e8f0914b9239ffb0a7afb40e74
SSDEEP

1536:kW9n23U2InzOrwuO/HWjNSfcwDsM2gGDgHFeJuqnhCN:V9mUnzujhSfNXOuFeJLCN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgkjhe32.exe

Executes dropped EXE 64 IoCs

pid	Process
4388	Llemdo32.exe
4188	Ldleel32.exe
4816	Lfkaag32.exe
2364	Lmdina32.exe
1676	Lpcfkm32.exe
736	Lgmngglp.exe
1356	Lmgfda32.exe
692	Lpebpm32.exe
2120	Lbdolh32.exe
4964	Lebkhc32.exe
960	Lllcen32.exe
3220	Mdckfk32.exe
720	Medgncoe.exe
2720	Mipcob32.exe
3632	Mdehlk32.exe
4528	Megdccmb.exe
4060	Mmnldp32.exe
4644	Mplhql32.exe
1720	Mgfqmfde.exe
2284	Miemjaci.exe
3000	Mcmabg32.exe
4612	Migjoaaf.exe
1620	Mlefklpj.exe
624	Mdmnlj32.exe
1724	Mgkjhe32.exe
3132	Mnebeogl.exe
2468	Npcoakfp.exe
2316	Ngmgne32.exe
912	Nilcjp32.exe
1532	Nljofl32.exe
2072	Ndaggimg.exe
3700	Nebdoa32.exe
1396	Nnjlpo32.exe
1564	Ndcdmikd.exe
4956	Ngbpidjh.exe
4516	Neeqea32.exe
3008	Njqmepik.exe
1316	Nnlhfn32.exe
4040	Npjebj32.exe
3340	Ndfqbhia.exe
3048	Ngdmod32.exe
2444	Njciko32.exe
3140	Nlaegk32.exe
1568	Ndhmhh32.exe
4544	Nggjdc32.exe
3804	Nfjjppmm.exe
1368	Nnqbanmo.exe
3640	Oponmilc.exe
1660	Ocnjidkf.exe
2452	Oflgep32.exe
2596	Ojgbfocc.exe
4288	Ogkcpbam.exe
4620	Ojjolnaq.exe
1504	Oneklm32.exe
4272	Odocigqg.exe
3588	Ojllan32.exe
3068	Oqfdnhfk.exe
3304	Ofcmfodb.exe
3268	Oqhacgdh.exe
2332	Oddmdf32.exe
2660	Ojaelm32.exe
3124	Pmoahijl.exe
4712	Pgefeajb.exe
3516	Pjcbbmif.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6620	6512	WerFault.exe	233

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4388	316	6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6.exe	84
PID 316 wrote to memory of 4388	316	6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6.exe	84
PID 316 wrote to memory of 4388	316	6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6.exe	84
PID 4388 wrote to memory of 4188	4388	Llemdo32.exe	85
PID 4388 wrote to memory of 4188	4388	Llemdo32.exe	85
PID 4388 wrote to memory of 4188	4388	Llemdo32.exe	85
PID 4188 wrote to memory of 4816	4188	Ldleel32.exe	86
PID 4188 wrote to memory of 4816	4188	Ldleel32.exe	86
PID 4188 wrote to memory of 4816	4188	Ldleel32.exe	86
PID 4816 wrote to memory of 2364	4816	Lfkaag32.exe	87
PID 4816 wrote to memory of 2364	4816	Lfkaag32.exe	87
PID 4816 wrote to memory of 2364	4816	Lfkaag32.exe	87
PID 2364 wrote to memory of 1676	2364	Lmdina32.exe	88
PID 2364 wrote to memory of 1676	2364	Lmdina32.exe	88
PID 2364 wrote to memory of 1676	2364	Lmdina32.exe	88
PID 1676 wrote to memory of 736	1676	Lpcfkm32.exe	89
PID 1676 wrote to memory of 736	1676	Lpcfkm32.exe	89
PID 1676 wrote to memory of 736	1676	Lpcfkm32.exe	89
PID 736 wrote to memory of 1356	736	Lgmngglp.exe	90
PID 736 wrote to memory of 1356	736	Lgmngglp.exe	90
PID 736 wrote to memory of 1356	736	Lgmngglp.exe	90
PID 1356 wrote to memory of 692	1356	Lmgfda32.exe	91
PID 1356 wrote to memory of 692	1356	Lmgfda32.exe	91
PID 1356 wrote to memory of 692	1356	Lmgfda32.exe	91
PID 692 wrote to memory of 2120	692	Lpebpm32.exe	92
PID 692 wrote to memory of 2120	692	Lpebpm32.exe	92
PID 692 wrote to memory of 2120	692	Lpebpm32.exe	92
PID 2120 wrote to memory of 4964	2120	Lbdolh32.exe	93
PID 2120 wrote to memory of 4964	2120	Lbdolh32.exe	93
PID 2120 wrote to memory of 4964	2120	Lbdolh32.exe	93
PID 4964 wrote to memory of 960	4964	Lebkhc32.exe	95
PID 4964 wrote to memory of 960	4964	Lebkhc32.exe	95
PID 4964 wrote to memory of 960	4964	Lebkhc32.exe	95
PID 960 wrote to memory of 3220	960	Lllcen32.exe	96
PID 960 wrote to memory of 3220	960	Lllcen32.exe	96
PID 960 wrote to memory of 3220	960	Lllcen32.exe	96
PID 3220 wrote to memory of 720	3220	Mdckfk32.exe	97
PID 3220 wrote to memory of 720	3220	Mdckfk32.exe	97
PID 3220 wrote to memory of 720	3220	Mdckfk32.exe	97
PID 720 wrote to memory of 2720	720	Medgncoe.exe	98
PID 720 wrote to memory of 2720	720	Medgncoe.exe	98
PID 720 wrote to memory of 2720	720	Medgncoe.exe	98
PID 2720 wrote to memory of 3632	2720	Mipcob32.exe	100
PID 2720 wrote to memory of 3632	2720	Mipcob32.exe	100
PID 2720 wrote to memory of 3632	2720	Mipcob32.exe	100
PID 3632 wrote to memory of 4528	3632	Mdehlk32.exe	101
PID 3632 wrote to memory of 4528	3632	Mdehlk32.exe	101
PID 3632 wrote to memory of 4528	3632	Mdehlk32.exe	101
PID 4528 wrote to memory of 4060	4528	Megdccmb.exe	102
PID 4528 wrote to memory of 4060	4528	Megdccmb.exe	102
PID 4528 wrote to memory of 4060	4528	Megdccmb.exe	102
PID 4060 wrote to memory of 4644	4060	Mmnldp32.exe	103
PID 4060 wrote to memory of 4644	4060	Mmnldp32.exe	103
PID 4060 wrote to memory of 4644	4060	Mmnldp32.exe	103
PID 4644 wrote to memory of 1720	4644	Mplhql32.exe	104
PID 4644 wrote to memory of 1720	4644	Mplhql32.exe	104
PID 4644 wrote to memory of 1720	4644	Mplhql32.exe	104
PID 1720 wrote to memory of 2284	1720	Mgfqmfde.exe	105
PID 1720 wrote to memory of 2284	1720	Mgfqmfde.exe	105
PID 1720 wrote to memory of 2284	1720	Mgfqmfde.exe	105
PID 2284 wrote to memory of 3000	2284	Miemjaci.exe	107
PID 2284 wrote to memory of 3000	2284	Miemjaci.exe	107
PID 2284 wrote to memory of 3000	2284	Miemjaci.exe	107
PID 3000 wrote to memory of 4612	3000	Mcmabg32.exe	108

C:\Users\Admin\AppData\Local\Temp\6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6.exe
"C:\Users\Admin\AppData\Local\Temp\6e4b02f3a0af75c03e78b8e588814b3ad6ab4137148ddf35b22ca675cc4f65b6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\Llemdo32.exe
  C:\Windows\system32\Llemdo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\Ldleel32.exe
    C:\Windows\system32\Ldleel32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\SysWOW64\Lfkaag32.exe
      C:\Windows\system32\Lfkaag32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        28⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        30⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        32⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        50⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        54⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        65⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        69⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        70⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        71⤵
        
        PID:844
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4032
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2584
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        78⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2400
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        80⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        88⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        90⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        100⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        105⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        107⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        108⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        112⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        114⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        116⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        120⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        121⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        124⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        128⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        135⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        139⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        142⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 408
        145⤵
        Program crash
        
        PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6512 -ip 6512
1⤵
PID:6596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
80KB

MD5
3fe38808f924d90be25afc964719a51b

SHA1
26f9bb14a5faef51af27045148a981683fcbe75d

SHA256
a445ab1bc2327bbf4606dcc9e0525d5332d05c7f18fcfd2dfebfbd75a88c8c16

SHA512
a1f4d2978e31fab34067045b2baf068e83872318a253d63f074b1eaecf945f4b4180c83d2f843123b0fb92f87c24dad36a0ddd645764b3cb8ecf42be795f9bef

Download Submit
C:\Windows\SysWOW64\Amhpcomb.dll

Filesize
7KB

MD5
0e5da89bcb5c368631944f9ef747bf40

SHA1
c1a68c7829f98d69a7b5d864c35c38e5ccb80018

SHA256
3baefaba70a55428e17e76f781a02b86d80b6b5a110ca184bbbc88d37d7471a1

SHA512
8a5109ebf36f2eb4b2d661b875611d09a701dbf991857c5f7358d0394a2b68ee45518eba70419a4f0e371a094da6f3519f434380aeb6042d0cb1c506fb4558d6

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
80KB

MD5
d92c34715b7d8ee5dd2aba144e2008bb

SHA1
3bfd110d213422a0b71eea004166b515299d7806

SHA256
5ba6f40d3517a3280f0cba48957624595263e5d7a1cfcdd6e489acf8495e7d3f

SHA512
f87af709d990950c49c82a42aa0d61a3992453b2c512986fad08332c47a2be1549c11fc3a6fa76b193080d9b6568b9c96354471e1361a636faf208cae0d41596

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
80KB

MD5
3f4fe674bc2649ff90cbb6aa3ed2fbde

SHA1
9e5a04e3514639ae0055a115220887b4358de5f3

SHA256
6892202d1f546bdfed50f844c95125cad981120cfa2a04bb5e56d6847cf20a9d

SHA512
640defa1fa897c5a06a6eedaf6f5c914cc14d7b0d070abf188ad52a8a41a00d083e0fcd4d3a1b5df26d29c9f968033a7cab5929f2c9a2dc3eb80d745f9f27f42

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
80KB

MD5
fa6f5600a373c37a4326cf71e8398acd

SHA1
8485ddcf8f60dc560c21c44a44c9a9f007d57a58

SHA256
b9d03a659ccb0706f050d605df598de2435daca4958b51b8e4aa4f2a7c60c557

SHA512
b4ffa54f8afbc1d951f85519c74c97b2f6a0fba11e2dd6db13ac0ca66cd75f4f84fa645e0d8945c6804bf3bb206899c2d4071d0f7bf2c53fb2e8131e9dbaf6bb

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
80KB

MD5
5325be19a9034db9685295d4a9ccee3c

SHA1
1b073cd8de7e8987fc52f7c594085487f2930b91

SHA256
d4d0db9b78bbdad77f835005781c47afddf6c21a7ff1fa8d0eb6a89a58e11b2d

SHA512
dc9c04dd7fe6a7fea868a940e39665028f2d1f56128fda1abf48fab2e2cee24818426785c50dc5ed28afcc7410931ce982ee3c193147c78e58a1380889f4d698

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
80KB

MD5
7ea5035bf8dff36439bfeada31be185c

SHA1
fd6fa868d554cf52ad36aaa8b5c323fcf9750a9d

SHA256
d552ea4d9ad564c8d469c26be4a51d5d7c6f7ed2779a5b828366073d6f5da047

SHA512
6a46c23a8e50704bfae5252310a5fcff20c57b0c7af2e62ba9a70249f890daee97b11a4521e3deebe6000668a98f404907dd8eec248132051f4f81b4ca4b2342

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
80KB

MD5
adf056d9c4c0043384a1550b9257ef36

SHA1
caac65a4def92af6bcaf727963077868afc1a776

SHA256
48aae21d52e8dc2354a5e0140fb5961cf8067e9814d95157da35066f57748777

SHA512
745b80119bd55806db7d1bfaa3f28d5e37c5fff366a21b452c246fe8d67ef6ba7c1d341c8bf926bfaf7b90b3732bfe17e16b7c145bba88ddfc10d21e2003466a

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
80KB

MD5
f41d6b51d11727e32b2a8b607786333e

SHA1
5ae2a8b52fbf42f28d024aac4fce67a3c62bf5c3

SHA256
8815a845adadcceb9483b0f4b9106a0cd3ce9811e1b8d61134daa2772581ce57

SHA512
bbc11453c3b802ab00a0d33fbc933b2fbb4905b40127fe3d87d877ce2d26f60d3304bdeca0a78e959ca10fde1144431857894c844cfc7468fe43d8f1c074ba8c

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
80KB

MD5
827480aad11255bf4a57da3937ff905b

SHA1
d363a4a52dc3dc5fec88c8f0cfa5b48dd67ed353

SHA256
69b25d06db1d89c7f94230b3c1465dd29b60b3718b79f9209ef8ac2f6dd0f765

SHA512
04400da60336c28df28da0760687a723945607e8882bd52bcb14f3620956ba9c5a2f8455bfbdba78b09c730f895be78064cb0b35627a0677be2de1df90cd365e

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
80KB

MD5
2725321c6c7838d4e8a3f5f1197efaa0

SHA1
4ec7989e554fbe79e4b4d7d6146a7e44f6a89e34

SHA256
8a2af669b47d8a4dd5065f45aa41a5f5aa994afc75e7d1c2f8518ce4c7f09d29

SHA512
240e53ebe2e8815ea2646acaecc8b0af52c7e52e2576bd74cf4606ad0c0ad77fcb4f685035d65dbe5e12b000129c134e34a73cc165496fc39f167697fb4dffa7

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
80KB

MD5
3205563ae50293ab395348dd9fa3dbe2

SHA1
cfda4fb548f9ddbcd45309c4c869f5ace6c35462

SHA256
a67087e4560629ee7a06969b33faf5bfaaa019d290c8cd1ef7bc2a8c42c36b91

SHA512
7cf64d767db4ceebf88c1da2aff57b7dd74188e0962c7e4f37401072dde0d529613a29f5776fedb330268eb94dd420e00685d5042743cca18f5c68e27ab0be2e

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
80KB

MD5
11a63042a184c52934da29c790309f99

SHA1
4959e6ff5e3876ed56fb9d0ca2d10f32b7792a19

SHA256
f3d542b9f00a6f8c29c5ad28e81562bda67cd64718fd02f4d6ef52e8065c9bf7

SHA512
7e4e23df36c3f54b7be90d6b4bcca5f9af5aaf6fff8928dd76e4f17afa9e9e4a583d07598092a36dcc11a9582bd7e3b076566733e92d78892bc2c0190c0ce8a8

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
80KB

MD5
9f9510687cb3eb042ce3d7d7a4670892

SHA1
0941e6194746c481e21a7114697af96a983219ec

SHA256
246dac83b9d143414fa13c8712b6731f1c51e5737bea9596d912569e5a45d64e

SHA512
0dbf2b708b6eb4c570e7a21f975390b09d2af422148339f84ba00220402a2a1387dba19f985a6a0a380ce0a7a0787133f234e5da126c1b2471e7b4e45e647843

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
80KB

MD5
0a8c48db9839379e0005f84db3cdad09

SHA1
e347a30efdda39b7d3821c76e7b4d2b3ef763963

SHA256
416b29d90026d57c1b6eaf1e7e5ff37e5529aa1bcc98a9b3e49ea1ed1ef62e46

SHA512
ee2ae8d4711d37b5a78e240b5d688e3e95f1cacd47a9d4f32d1e99d071300ea9fe5a921058ac62f33e72f3d988853e8b09a66691af1204fc93023f4f2ca29cec

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
80KB

MD5
13f961347fac9b54d61ee2cca9d4cd52

SHA1
46d5211ca1f3ee41d8b960d51fcba28bf930c883

SHA256
d93d54f960fa206ce4e12778b262f50e84485b3645597a2ea55da869a23100c9

SHA512
be22d18cb553146ec159ae6a0fc064194d76572dd60a5c71467af60bfb12e77b4b0f40247195151b1ba7bbe12291c4d7a8137e643890cc605657ba71dcfc4614

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
80KB

MD5
877802dafa4141c7e095d0b247d81f59

SHA1
30b638c4de465217cd1c1162ed82a8e32ed45adb

SHA256
2117e75e964a03566418dc5aa52e8e25b7845211b98a54eb183d0ae99a828935

SHA512
fa7b3e8f18f0497bb412a6c30794d985ed502e821152336feb2b0702fb9eda9222a46f5428012e815ab3358a06abd2489ee2d640b5a35c938ebfca462fcc8fa7

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
80KB

MD5
a1d137273f01f0224193b737206c04e7

SHA1
bb2811a6d1f52b7fe04cc14bec97d162cf1a1588

SHA256
4bcc402dc332d6820a25ef710f0e904d5ef4d34875f1c5ae52007eecbfb0e9a7

SHA512
0c1b39f2b0ff5bc0d0cf75c68cb585c0e819e3eb6546b87ceceee748c69d1c14ecff5027ee2cfeacadff6d2e5725b1d3b287a3e92761bcde7b6540478d9723c1

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
80KB

MD5
471b4b9e9b009d2ef5941a6b23452d25

SHA1
318b58c1d3f8f08c0525298654706b3e5a4fba38

SHA256
5dfaba854b18d0ab49975e0e9edfa090488c840be3f0cbf1c4081d7877d404d8

SHA512
306f7fe26b2413e3e022d09ca06928333f032ea2a41d8ecc481032921b6740843b332841dc16be2e8d7552d1bfbe13ea9a82cd2dff4dc0a73e8de90ea312e926

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
80KB

MD5
7b2b96d697ddace2250cab999b4549d1

SHA1
684a193057b87bb6fced9d1f35b18f5e6b26c755

SHA256
2f0ca7b49078d2adfdadd45eebf446658590ae676ea8695b540c6edae60a36ed

SHA512
1c5dda1eb75397a416cdafcd6232e06e645d58d783c7e782cae18ee406adb4510e19676e8e825e253e804bc538300f9e385a2d0c4814828356b000dcba3f7cfe

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
80KB

MD5
f3446e50e7caa56a362ee7519a9b04ff

SHA1
d2d1477112139e79648c61702a65486851fa36c0

SHA256
c3d64fde5a808d8739c23024257d87ba1c1d1095748a46b555cd7855199b8fd6

SHA512
429281343fb8cfe03aa57c155b9f8e1b1dca3c60aef35cc215227c12e8e5add1cc8717645623316f1e9e7199463b799509251eebd8069df33f71d8f765e5cd8b

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
80KB

MD5
2ba13d8b8e6d845cbbd7dc0dcb9e835e

SHA1
ad215a47051599d6846c17f86aaf9d16f22dcf1f

SHA256
b7e6b63680cb7996f9902c77fcc9a997ebb7dbb860f8c8b9784d60a5b2638143

SHA512
43b5b74b4a6ec8966b10bd44b7e35b95495809b55f07934ab60c16262f533057b3dd60aae49327a3d7ce86875ec8acc44bcc747693d3374dbab31658f274bbc9

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
80KB

MD5
0abad54d23eb97d63ee586884221fd8f

SHA1
236c925a43bf96d81e787258bf8ae29d7c8224f7

SHA256
9fe50cc07d1cfd4a203cfffe5b0f0e8226332ad4bc4f5efe17af896a74fab45c

SHA512
f78639ec66867e07bbec4b8155c6911e1ef20cc442f89a987774b21e8fc9d6f112d2c6fb680049ca62a8cb6e2ebc0d34f641065442c1d6d3773de4eb913155b5

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
80KB

MD5
7e518d454d28bee700cfabb932ea1ba2

SHA1
cf12b5fe8a09af72a589a6a609ffa303448ec9a2

SHA256
230afaf22776e66e36200669cfdbcfa1b84c6c5c521d07cb6f58ed5ca4b0b4c4

SHA512
d2806f7774c6482c4b6871ba8cd25eda0153b3f5117182aced0ae4b7736f82334640b21f415d288db55598f45a52bd2ed52595d896ae7c508ef16b7ba87936dc

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
80KB

MD5
cc3fcd3c20a4c4597464bb14784af37d

SHA1
369302795c5bf0c021de681f63a33118c658b98f

SHA256
db96aa77daf494d1b8c522a80f22599a00fba0d0c56ff5b16135ddfd4afe5143

SHA512
f48a2b7c3ce52ff3ea32a71a2777d527a14bc9c26990948359739f7fbfae7b1506488cf98bdea9cf41e0229d516656b3eb204d97de4f453e4217ccab186ab7ec

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
80KB

MD5
0e04e38032cc2e7b756c152a6e9fa409

SHA1
cf2f063402170490811c681ce39396231e9d9b53

SHA256
ef7ca5a49a52d270f6fb011f29745692addc07e02397fa73f5d2a61269ea2070

SHA512
973eb75385c015ed78ed86bccccbf8320b76f58c1a1f5fdadb4ee520fff7d9a938369f2cbeec2c8ee1f82fa3cae08bf6b437d3860325f7b5039109db10b05d5f

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
80KB

MD5
a0e77ef7ff5651a3b0ab4561bfff3569

SHA1
3b9e4fc365c495bf6fd4a28f7e96eee771a66f90

SHA256
4d20286e71a9e84cdcc50610348d1800224102bf07f08becf1e1037eb511540a

SHA512
f8a48d7fd2028b294fd17c323776b301af2f26d82e7d2715fd5b1b243aceb195c673213aae993dee46ff9f22249daf8b8e28ae5853c4aa56e48c76b8a60816d4

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
80KB

MD5
2a9adc4fbbd8606e01691ae83388a9e9

SHA1
ca20d8900624027c3ddb1b707d2e064745899379

SHA256
e5f6dc365851a173db037fbf50d6c47aeade7b5bb88f4ee240410e0368d39ba1

SHA512
748baf81ce08f9a0e4e2c65ea54c6cc2921df77cc304fb0eff178c05dbfb4ad3147ef14140fdd345a4cc99e765743437acfc22e82d6239a35673b7e23b3db70f

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
80KB

MD5
4b15511a2a8f0fa22830fd0e0eedc9a1

SHA1
ef0f116e7091e7ff795270db1866c11ac50d0a1d

SHA256
5e6dccb9be932e7a802e6f1a17b115e661a51403d040930216c8ec7319c0a3ac

SHA512
bd23761e4a34b2b8d46587a1bac95250a6f92450487d9c7ec61d2e5312bd1e042b4a2b3e104ec7180141155754b1623e764ce281937bfa7b26786a2a9ed4d112

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
80KB

MD5
7912d91ba8f6e4568896df392bc426e5

SHA1
f8983b7a25eb21a37906172e9b2ae997178f162f

SHA256
3e5810917965a7b61725f7fd60504d9e6f933467d7ffc3cf3b180b67066792c8

SHA512
b6dd4029916d97aacb46db79fd0abfce50ddb4ed0e2d949074955e13d2a0eb6128d878ff3b8325dc38c342fb534c0c868ef4b65f641567a5f4506450b8a8359a

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
80KB

MD5
f0c2140e4bfca74c28ff86eb0d668ad2

SHA1
8e3eff56c70ec7e644b4bf871fd94be957180c4b

SHA256
85d70aee9e87df4fe2e8302636f7d43026aac061acce6d111e6a49a87031412d

SHA512
78615cd3a533ec2acf8eef979b9f3c1715b2a8ab3f0a087fffae91e49086e991267faf9b54ff682dbcb3f4b1c0798fd97c72d65af9caeda599de189f78eff528

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
80KB

MD5
61132dbc13b51aec631031f8f4166296

SHA1
efec693371c1a8ce1dbe12760d98fc75509e1088

SHA256
33b61c48d86c83389f3ab3b41a683d3e044cdd6b5a20113662e2517c52999398

SHA512
217fb27e5358ae814ea5375e19b3fb1973d29cc7022ba0fbaae5ee2cc0201e66989a06d861c8332849ca45a192bb77875864b73e8d33ed4de3548d28c599dac8

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
80KB

MD5
54380a272ebfb0ef6b198551e36d0c21

SHA1
0ad856069f97cd05d3c99329770667a3a0b10c9c

SHA256
8f679a41566388acd7e0a08d62f01ecc513994fe8cf14339f2e3a5e204be8b1a

SHA512
43f37f75b004d0abaf0b60d58ce7b9a835a7bfba166b611eae7e27d41a1fbd559628f218674529f602e5eac07cb130f66504fbded55559afbbddbfc98c3f0eeb

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
80KB

MD5
cabfe69121941e52a1c1d4f1cdce8c9d

SHA1
4f34125a0e7ca97500bc16a3a84089a70c38dc4e

SHA256
910cb09b7ccd69f2e89176ac726d7ba4fa4607f72c8e4118af29fe957ccf8122

SHA512
e04194276773c5941b15962aca1d922d17da19aee81311438b229d2475ab0684ba2f9530644ea5959832d206ec2ea87885b04b347b66ce9ee6fc1f029500b677

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
80KB

MD5
4d8dddf16dc17d79bbbec7d7e13ad33f

SHA1
e09bb229fe9647db7d97e0468535a836b4217520

SHA256
cae55ef300131757acb293493186c7138d86058e089c5fa2a3816c1268ec8b68

SHA512
45d36099f603216e329f2ac40e72e51e31af9f20b64ccc20548d9a96763b1fb3990520932735ee1fc58d97e6c12ec34e95ba2f847720d6424e040ca01e4f546e

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
80KB

MD5
10802f3f6be8e5792c2b9e18a3b91ea0

SHA1
3e7a810c42267270e61f26fd0a615dadafd68af5

SHA256
74983869d71100b37ab3fbb3216947839500fddd82e48c6eb8490923745ac2d1

SHA512
f5e71e0f7b6fc525a53ba69e9334289e02ae0fbbae911ec6412a5761892ab4671c893650ff6119b2025c8e6e2afa3f5b919c5e7bceb922031f469e0b5cdd4ca0

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
80KB

MD5
ee582f603f02960477461fe73ca7f0f6

SHA1
a576886265cab61401e02754bff489fdc8ee4359

SHA256
954bbe31b28bedaa4573a92fbb110f711e09f4e20677a9eeb98f778ee32b3fd6

SHA512
b36d457fa91ecbde45d9547bcdd4252d6bdcb97b6c874c60e5ffdc881c318e6169e2ade40a8f2b015888061f13ce73842be0e553c0c73f5b7bfb89b79bc8081c

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
80KB

MD5
a3d89fd62669797d0794239b944650ba

SHA1
2b0484f194401d64227c14d2a3c098fce9331478

SHA256
9ab1718f7a85a168f43e1b1f162baa127b82c9d1c0049a1dfe1196c685230373

SHA512
5cc3c163681760156ff8b64c9399802fa632a5128179d06b9c7ef03c72186df6435d63ba968211e70dca6010b3f7893d54523bf0ee6a91f97e581dfa17d97dca

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
80KB

MD5
ec77f1653213e133fc51bf683011bb5f

SHA1
7cfccc56c2e94345053f8e57eb55fde191812004

SHA256
f99349654b4392a89859de92168f6c8d7ee4c304a30f98befa5723c2fe3bdcac

SHA512
cc3c912da65048c5dfe8f8c343a9ed9bafd732c52ef222a37f76a9500fdaac349524f89cc6896f8a3ffe897ed0eaa1fd29945df1bc0d478ceccdc0929e13a05b

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
80KB

MD5
4989dc950d38d17d2b7166e258ebf83b

SHA1
50a54d163917823bfa3dc1f41273cf0edf22161a

SHA256
da0dd15c899ec4e3a8ee762b88d5b9eb358ad67174df733a62d02ce1fb24714d

SHA512
9aff88191a65e2d98c8fbb1e26145f97ae352632e206397f34935de362ee7a9e52c1e39aa19861f87ab419432b74faae8371ba6365b55221b641d6878beee6d0

Download Submit
memory/316-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/640-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/692-597-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/692-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/912-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1472-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3068-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3304-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3700-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3736-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3920-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4032-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4288-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4964-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5132-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5172-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5216-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5248-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5300-591-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5348-602-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5396-604-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads