fb7842864372ee885d923b309974799229e21d425915fb92f6004c2c20319cc8

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0cdda50495bc6fce6dbc7833cff9510N.exe
Size

96KB
MD5

e0cdda50495bc6fce6dbc7833cff9510
SHA1

dd1b4ee22172c52833da611961e824f5b4adecbc
SHA256

fb7842864372ee885d923b309974799229e21d425915fb92f6004c2c20319cc8
SHA512

d4928f2f92f5e8df7aa42863b63726ccabca6ee123a13e68473cc578c46a658989320ba9f9f910472de6d02e7cd45634914d27aa2cbcd8d816d0654901f7964a
SSDEEP

1536:NxIcjY4BPPZL+s/yPLMpOTmA9XV0kNK0pBWWduV9jojTIvjr:NxBBPP/MAOv30kNR/zd69jc0v

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe

Executes dropped EXE 64 IoCs

pid	Process
904	Lffhfh32.exe
2316	Lmppcbjd.exe
4360	Lbmhlihl.exe
4576	Ligqhc32.exe
2860	Lpqiemge.exe
3184	Lfkaag32.exe
2556	Liimncmf.exe
4236	Ldoaklml.exe
1612	Lgmngglp.exe
4032	Lmgfda32.exe
4016	Lpebpm32.exe
4348	Lgokmgjm.exe
800	Lingibiq.exe
4620	Lphoelqn.exe
1016	Mgagbf32.exe
1560	Medgncoe.exe
5020	Mdehlk32.exe
436	Megdccmb.exe
884	Mlampmdo.exe
3112	Mgfqmfde.exe
1320	Mmpijp32.exe
2676	Mdjagjco.exe
4752	Melnob32.exe
3284	Mlefklpj.exe
4540	Mcpnhfhf.exe
1108	Menjdbgj.exe
3656	Mnebeogl.exe
3136	Ndokbi32.exe
1736	Ngmgne32.exe
3968	Nilcjp32.exe
1172	Npfkgjdn.exe
4960	Ngpccdlj.exe
2832	Njnpppkn.exe
4320	Nphhmj32.exe
2332	Ncfdie32.exe
2876	Neeqea32.exe
5012	Nloiakho.exe
5096	Ncianepl.exe
4824	Njciko32.exe
1220	Npmagine.exe
2808	Nggjdc32.exe
796	Njefqo32.exe
3788	Olcbmj32.exe
332	Ocnjidkf.exe
2796	Ojgbfocc.exe
3080	Opakbi32.exe
3076	Ogkcpbam.exe
3688	Ofnckp32.exe
1748	Oneklm32.exe
2388	Odocigqg.exe
1692	Ognpebpj.exe
4140	Ojllan32.exe
1048	Oqfdnhfk.exe
3508	Ogpmjb32.exe
3548	Ojoign32.exe
4024	Oqhacgdh.exe
376	Ogbipa32.exe
1636	Pnlaml32.exe
4936	Pqknig32.exe
3876	Pcijeb32.exe
3536	Pfhfan32.exe
4880	Pqmjog32.exe
1876	Pggbkagp.exe
2348	Pnakhkol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Lmppcbjd.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Lmppcbjd.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	e0cdda50495bc6fce6dbc7833cff9510N.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Gebgohck.dll	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6124	5796	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0cdda50495bc6fce6dbc7833cff9510N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e0cdda50495bc6fce6dbc7833cff9510N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 904	1832	e0cdda50495bc6fce6dbc7833cff9510N.exe	84
PID 1832 wrote to memory of 904	1832	e0cdda50495bc6fce6dbc7833cff9510N.exe	84
PID 1832 wrote to memory of 904	1832	e0cdda50495bc6fce6dbc7833cff9510N.exe	84
PID 904 wrote to memory of 2316	904	Lffhfh32.exe	85
PID 904 wrote to memory of 2316	904	Lffhfh32.exe	85
PID 904 wrote to memory of 2316	904	Lffhfh32.exe	85
PID 2316 wrote to memory of 4360	2316	Lmppcbjd.exe	86
PID 2316 wrote to memory of 4360	2316	Lmppcbjd.exe	86
PID 2316 wrote to memory of 4360	2316	Lmppcbjd.exe	86
PID 4360 wrote to memory of 4576	4360	Lbmhlihl.exe	87
PID 4360 wrote to memory of 4576	4360	Lbmhlihl.exe	87
PID 4360 wrote to memory of 4576	4360	Lbmhlihl.exe	87
PID 4576 wrote to memory of 2860	4576	Ligqhc32.exe	88
PID 4576 wrote to memory of 2860	4576	Ligqhc32.exe	88
PID 4576 wrote to memory of 2860	4576	Ligqhc32.exe	88
PID 2860 wrote to memory of 3184	2860	Lpqiemge.exe	89
PID 2860 wrote to memory of 3184	2860	Lpqiemge.exe	89
PID 2860 wrote to memory of 3184	2860	Lpqiemge.exe	89
PID 3184 wrote to memory of 2556	3184	Lfkaag32.exe	90
PID 3184 wrote to memory of 2556	3184	Lfkaag32.exe	90
PID 3184 wrote to memory of 2556	3184	Lfkaag32.exe	90
PID 2556 wrote to memory of 4236	2556	Liimncmf.exe	91
PID 2556 wrote to memory of 4236	2556	Liimncmf.exe	91
PID 2556 wrote to memory of 4236	2556	Liimncmf.exe	91
PID 4236 wrote to memory of 1612	4236	Ldoaklml.exe	92
PID 4236 wrote to memory of 1612	4236	Ldoaklml.exe	92
PID 4236 wrote to memory of 1612	4236	Ldoaklml.exe	92
PID 1612 wrote to memory of 4032	1612	Lgmngglp.exe	93
PID 1612 wrote to memory of 4032	1612	Lgmngglp.exe	93
PID 1612 wrote to memory of 4032	1612	Lgmngglp.exe	93
PID 4032 wrote to memory of 4016	4032	Lmgfda32.exe	94
PID 4032 wrote to memory of 4016	4032	Lmgfda32.exe	94
PID 4032 wrote to memory of 4016	4032	Lmgfda32.exe	94
PID 4016 wrote to memory of 4348	4016	Lpebpm32.exe	95
PID 4016 wrote to memory of 4348	4016	Lpebpm32.exe	95
PID 4016 wrote to memory of 4348	4016	Lpebpm32.exe	95
PID 4348 wrote to memory of 800	4348	Lgokmgjm.exe	97
PID 4348 wrote to memory of 800	4348	Lgokmgjm.exe	97
PID 4348 wrote to memory of 800	4348	Lgokmgjm.exe	97
PID 800 wrote to memory of 4620	800	Lingibiq.exe	98
PID 800 wrote to memory of 4620	800	Lingibiq.exe	98
PID 800 wrote to memory of 4620	800	Lingibiq.exe	98
PID 4620 wrote to memory of 1016	4620	Lphoelqn.exe	99
PID 4620 wrote to memory of 1016	4620	Lphoelqn.exe	99
PID 4620 wrote to memory of 1016	4620	Lphoelqn.exe	99
PID 1016 wrote to memory of 1560	1016	Mgagbf32.exe	100
PID 1016 wrote to memory of 1560	1016	Mgagbf32.exe	100
PID 1016 wrote to memory of 1560	1016	Mgagbf32.exe	100
PID 1560 wrote to memory of 5020	1560	Medgncoe.exe	102
PID 1560 wrote to memory of 5020	1560	Medgncoe.exe	102
PID 1560 wrote to memory of 5020	1560	Medgncoe.exe	102
PID 5020 wrote to memory of 436	5020	Mdehlk32.exe	103
PID 5020 wrote to memory of 436	5020	Mdehlk32.exe	103
PID 5020 wrote to memory of 436	5020	Mdehlk32.exe	103
PID 436 wrote to memory of 884	436	Megdccmb.exe	104
PID 436 wrote to memory of 884	436	Megdccmb.exe	104
PID 436 wrote to memory of 884	436	Megdccmb.exe	104
PID 884 wrote to memory of 3112	884	Mlampmdo.exe	106
PID 884 wrote to memory of 3112	884	Mlampmdo.exe	106
PID 884 wrote to memory of 3112	884	Mlampmdo.exe	106
PID 3112 wrote to memory of 1320	3112	Mgfqmfde.exe	107
PID 3112 wrote to memory of 1320	3112	Mgfqmfde.exe	107
PID 3112 wrote to memory of 1320	3112	Mgfqmfde.exe	107
PID 1320 wrote to memory of 2676	1320	Mmpijp32.exe	108

C:\Users\Admin\AppData\Local\Temp\e0cdda50495bc6fce6dbc7833cff9510N.exe
"C:\Users\Admin\AppData\Local\Temp\e0cdda50495bc6fce6dbc7833cff9510N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\Lffhfh32.exe
  C:\Windows\system32\Lffhfh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\Lmppcbjd.exe
    C:\Windows\system32\Lmppcbjd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Lbmhlihl.exe
      C:\Windows\system32\Lbmhlihl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
      - C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        27⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        31⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        40⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        47⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        53⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        61⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        72⤵
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        73⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        74⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2224
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        80⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        88⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        98⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        103⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        111⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        112⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        116⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        120⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        123⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        124⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        125⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        127⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        130⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        133⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        134⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        136⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 416
        137⤵
        Program crash
        
        PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5796 -ip 5796
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
96KB

MD5
f08305643559a01676f36aba58223a2d

SHA1
db071ad81baacca182bb28880c13ea7966b6e2d1

SHA256
ffd9cb06e5f08fa2d4857371edbf90ec4be83f00053a5172cf386379803063c4

SHA512
dbdd804abf7a966b85e005f98a184f82be49e98f245b01f940257d484856ba3719f24e420fdba06ad52601180856908f01e537b36579be4cadefb7e652d37064

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
c35ccb13fd2fe5dfab3155ea221d61a0

SHA1
86025bbed42b153d63a5bd46fdd96c577277dd56

SHA256
4a082f3ea824d82c614c89464b340bacd2efd27502849e9beecbe2b8b98d770c

SHA512
42593bcd7687d8e017e6819fc4eb8219cd1ff8cb2e02b1d3409f6c0d2c292aecf8522459a6ce2b870200fc51ee8f931d1840b0b7a728818c58ba1713b36eefa4

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
0baa14bf54191c47d24cc67707a11f82

SHA1
cfacb5ea463bcd079ebc7d262113af7d593f6ea4

SHA256
3f22af9e92b0c7504549ea8cc580005451a379748a6c8e7e18340bc95699be48

SHA512
dcf9b94aabcbe57c5c3745fc7951a1f57ea6fe68f3c76f04d2e0fb081f9ce7efa8dc21d8f746e4a7823230535fcc49d8a9cff2700a8c06751c1fbf86bf51bba2

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
96KB

MD5
0d4f7d31e07d519e611f35cb8db49d56

SHA1
2a2e1e73e41d060cadbb0643fd875d9a65698298

SHA256
82add85d4e1eaf0b7adc15f68b2db27d7170dda0502be6d7fdf409229ed150bf

SHA512
14839ea7871bd5b15b0e3eba7e74fa09c6efc63e024afd820e83454aec57c61ef596fd34a29462648470346ae79b1ac87f28a5283214874d820f56fbc4aa2b12

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
7d51bc0ecb0da17122505c61f747ec76

SHA1
544c676d89613f90cb739648d7029de1db5c5fc2

SHA256
a87c4a09310031498bd40c705c03cfa8dcbf40a6f5d7b4f632092d3d3ba6c51a

SHA512
5132db433df498ea84dafafe1f4a62f6c455c4a9a30cc44bf5693324b99217db1a018e47261d4e1f1555d5a3b0e5d45cd18cc8e19140a22c3fd2cce05f38fed9

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
eba1728f1626c71381ffc46b2970d88f

SHA1
2c011b677dca081340e88654116fb66d88c71d96

SHA256
2a4a004e6b04a984adab0d63d09c02fcb64fa349dfef2b6152340d5fd47e4bde

SHA512
685bf79d377bc6c86979159b96ff95c704f1d7d0e394c83bd271bec58d94288adfc03741b5cb191ab260a99fd9aa08387ad82a1c1a4b2ed15242c085adf049a8

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
8ee78d2a2e7bfd71dba8dad97b58b36b

SHA1
7c75f924a98f5acb6a9da4c4837ec459fe2a631d

SHA256
bc9ce1b993e03776b31488153f683319852714af482d8102bfb2867ee5b1ab62

SHA512
6c53759d0c7aa7128678ce5ce9df70ceaa49a3a4387200b4da8cff4b4e3e6ca443025938045627d72ebce579ccb10a962a521366e663a52bd05952eb9c309c54

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
8fc193b962aba96711e39988283be6fe

SHA1
4d2d905fbd3dabe56a662753c8f66f6f9640ac74

SHA256
5d3656424e558b96d658b5c96d0d1a2136476440d30047fc346b7a915cdb1933

SHA512
131a20203ae138e0726f0bd8d7df63bf6dde2b46dcc032d3d60591b263c3875a52ba7071d11771197276e25bce3f187dd424924c9872a7be71a0aef02ab0a804

Download Submit
C:\Windows\SysWOW64\Fojhkmkj.dll

Filesize
7KB

MD5
51920915f4a17a30b0aef05efb5d7bd4

SHA1
2c3f9a18d07323b18052dbcd28e0530ba2dd1f70

SHA256
3daf91230e846e5172bd1bc944ba507186a6d10ce15a04594b9ac5fc0209c591

SHA512
11e10202ef03cf9113d71b38916cbc89a1851d98b80d8c3105ec3353de189a8163de8257ddaa3123c23ab8accaff7f2b968ff07c7c2275323d94ab8435998597

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
23120500ff7bff70edd9ff5e862eb4c8

SHA1
a165c634758f956b4ced1b8150b0061f86dadd6d

SHA256
3ef47fa9a4d68c9594e6c589bc1c2f6b5bb384431521b804be13db8195dc6bd0

SHA512
35dfe71d200a68267ae6720843496f8a24d1a1e4b5286676bc2dab93c23676a4faabb5a768ff5f41dc6d4962111b4094a824fd22233abd56cad7b30ae1229fcc

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
96KB

MD5
4bb575baade556bea639f402b9500d73

SHA1
f8e746e2aff2acd75bfabb5517beebacba513182

SHA256
a118568219e3fa13fab17acc41cc5af015e4ebd04bf3ebec4cb65dd788ae205f

SHA512
3050da9c9b6e0064c7c54075a7194d0ecf785ac20a02371c061634962ea979c9a8ad7851d55ee685e92376aac428109f8f956ba366d8b0efbc8d00e6c7338596

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
f1bb193d48c6f0dadfccb776f49ea501

SHA1
1a625ccfd806ad7dedaf3cc44e5981d4e37403d3

SHA256
9ab52295ea3c50b57416f8c7cda3aa9fd45255b76cbbd92a6ad42f20273bf21b

SHA512
58d79c97b9b2cc3208c278f49d34a647845d0ad14eeef77b52269ba18012cd09e4e84727e70bb16e0b5399f6d6cb29d4d9c50d3ed293c49844da5a37c42a0fb3

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
c79b51dfb2ea97070e749a6968fdc0ff

SHA1
730fb1e1f8b6d80c63c184a87c6d78f54fcad964

SHA256
dbb0c3b88d4702901a523823ee7eb6773b6d95a5d77001a7a652acb81c5bce98

SHA512
72a27f3153cbd316a81012044197ae0de6a1b650de909ae9dbd8b8e8c497f3b1e0c318991f3ae067cff53a157081059f4271d5721979b2c3f6e9341851647125

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
9106cd95c84d574e62d98c1ccccf02f1

SHA1
49eaed72925c88d0f2b3ffcf5d76f29059018173

SHA256
f5087857fa6ecfb273e5f1d208ffda88168ac8d4fe698b4018ec65501f9953fa

SHA512
7360570f513f3462008ab3b0943db3c8c98bbc48ece386a811387e177a3778e9dfb172a5a8c4619a4bda768e32e64b474f7d16b7518bbf6a67f5b371db818317

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
6370b8eec5b8c37acd8e34d7da7fad2a

SHA1
761f011da657b2793b660970481b087b13ad9d0b

SHA256
3026161e8a96ded939e107ab2810dfdd1357b3eec9844713cfebc2e559c2fa69

SHA512
d521a71b2f87ecc187dc8016768ccee61e74b615d8dff87f75dcefa41ce2ede9d04778f8b71a94bfa440d6cf112c6acf10b8d8e8d04933c05d73ca797486618f

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
96KB

MD5
0086bcbe50eb36f441a52cfbab34e7ba

SHA1
07e805f20b88da4a2051afff6221b392f4d03773

SHA256
235d7cf488ebae2dc1c7e71e7a31355108c932711109d3965273cf48a7aba041

SHA512
89cdea4b4bc255e8c5c9cba3faa2c5a6eaf04dca647154ba43583b8cd6348821d479702226472f0a54fb87a216dcd6dba439b4ee464f0af9fd2764dfad230658

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
09a2afa2a03c5c18a7c67bcb806bf7fa

SHA1
5a17c86cdf2d730d3687bca1d174e21c8f056d9f

SHA256
173514c7caf959c379633cf0933a44b2776de07b777187568b3bf3ca043cc369

SHA512
9d37d8ed2fae92ac065240a277bccb5cdcd69b8a2e8a63be6b833c866c00a4b08ecf60d3c416a273f943cf1fe1b7edf169aeb25808c2e757363691d87606c080

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
96KB

MD5
bf6e3f40d4d3696b6d3075e654accbd0

SHA1
97dcba7a0b3f646b54e31106be0d0246b6c7ab8b

SHA256
c58ff602c5ea01ef05578b0ffbe165edf2d847924cf7de74e92b35e5e54af110

SHA512
dce7e7841cab43e44bd91dac6e9ba854d33092bfc0f1301ef372fcb0756279c47b8d40a505eeca6ba685a785450622460f2b92c02c1617c287ee65875ee6cf83

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
d12fca926d8a4d28d2609b5ad31571cc

SHA1
4ed25d08c1c015a2be9ca10c742f7b401edc7ba6

SHA256
cb39981dc644f3ae7e99169c5cd66214672044b50b6761479bdc66514d685e90

SHA512
13bf4f1279ce65cc8cbb2a697b835889312c41821b7544510abf311d7e5faad927b95c5d8c66c5cf4feeaee2beb839a48709c494852126aab1cad753e355822e

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
96KB

MD5
6ed8e61a1e0e7bdeca94fde6f73cb75d

SHA1
e10aa545fdc3c5c07c24787ca88af4928e1bf2c2

SHA256
6bfa29dfa8005a41735f1fd593fcb706ea43e22dda901e63f28e5631a6b30693

SHA512
ed2de8bd00723463cac3a253f01b7ff07c9aac5c1f5a9afbb735b51248d8b71ba03fa3cc912c5dc742d1f9b2ff793269ecf8de12f0c74638e89e42f31d7c7f50

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
4c561cc8659f89306097962f0744690f

SHA1
69379461fece91a5631dc324a56ef6d9964d6b0e

SHA256
07ac427c6c662484d1cdacca45ba74f35a9b9709b1e0cdb851e1f48c3c8f286f

SHA512
71cb0d1aa10e8c6ce432c06009289c366a83a51b597232c7c157b482c0db4b4b68170ff323877b6f2a87d900d27ed4f7f8ec678da3f0914c5f22dc333b317f41

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
912f85a7ca92009851e2763ea98ee3bf

SHA1
7c0a6f758aa02d7abd3b0b69d63c6ba98b5c21ac

SHA256
ecf87778d4912fcf5621eac05a79243004ec0ca2314b8691e977d382b9b71d78

SHA512
d93561f0bcf821b12f82321cb7f06f9a2b3553a2985d324eadb55f88ad4fe492ed99fc7cf2e9fd088b30ae8e6014faf378fbcb54738aa01420e13df590039610

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
ade53dee454260db13f1820916a7e7a9

SHA1
651999b17d6020b672e7a1808c93bf461d03de18

SHA256
abe1ce208261e31b94cb7ccb2adb3fd6eef56aafed65209ebef41f0328e432fc

SHA512
5a257c8c1df08b5af957afa5648db6cf867ca1ac2917977bcf1a2cb2598ff59b6337d2da78c1764b71b69f6ff4f4b7a72fddcde87c7a1e7a1793c01e6a7c220f

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
f9a2e8042a8ae91c6282c4ede18c41fb

SHA1
845b32aa5f07d01552b55623b8d1c56c6df92409

SHA256
80c55df509a255c051e04f3ddc83fd523fcfcba70a9acad1b670e42a97f1b7a7

SHA512
fb2b283d0b08dbd81de6445e7386f59149828c1b7a16d4eed9385843a089d5a9546bbca2665a5039e461c79652069e0752d5b2080f43c634696e1784e3717ee2

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
dc8a77db7e3c016951739e15e53922a3

SHA1
eb734344b60d4ced5da9091decfd5e226e8439e3

SHA256
d3790b86cb43ccabefa4989121090f4f411a46dec5dddabd5bc2e25a07ced7ff

SHA512
0714209fda9c852b005055c863c5a779be7c4e2a7ddc11439c7800022b6bc960ff8a64486c49c0d5742f55d810de4cb0ab706eb63e940bdb06b1f1a544abfe48

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
96KB

MD5
1e901af666073bf8139d2bdab9b265e0

SHA1
52171c5b8fb7b168450194363dc91e5ef97b2338

SHA256
57d05217b629ef975649457ea2b60f4b306caf7752f16afc624d39ed6139bc4e

SHA512
b32bcaef86555c03fd8809bb1979faccb9d870fd8bd0f6cf4a6a379b4e40ea3c075f22bf1e4327247e89bd7a03fe7fe975528d65b3f6b908f9c9b1c9e40c6def

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
96KB

MD5
c514140e781ceafb42462bd5ca17b43f

SHA1
a183aba3bbfb4efe4e81565f4d9d631d3a47c4d3

SHA256
28ada20f7d1d2bba3ec4512ba2ae8fb5d145c6623c60d11c1c9b918ba51913af

SHA512
48625e45bcd17ff5d50f99cb1dc542863471050ea182a57b8ed1fcfcb99f7e750841d3667d4e856888db21d79e651a51bf9487c089d23888bc37bc9d05357a36

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
96KB

MD5
389a172e7d18fefeaa26945381ac5dfe

SHA1
7ca6a8cc44c338b2f8f1fa9ccd6a360368a47a17

SHA256
9f99ebbdecee98afc93d7a5f662462bd5eadbd7d6bab105b8d58f0fd413876c5

SHA512
bdb115b4f5ecd7e099246cf0c7d2c8e2b236cc7f4f3ab06dcda7b23634a0c5e6eb8e3d19c592b060f667fa5d1fbea06891a008225cb0381b71b4bbccede80fe0

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
15a5730088b3b50d970e9e6e1dd94eb4

SHA1
0793c68ae095cd75fff85770cbc5bfdd5b2e0d60

SHA256
492962ba71de5b696acb6ed6e6139e3cd6a01f55a844d80bf35a11772946a5f1

SHA512
e5df64bb300585b5a2267a9dc9d72830d6e059798592a1bfdb018edbbf3baf5367aeff616e0ab25d50eafdaa030902bc58f426df81b095b942f60a33c4b1cc32

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
691c203b5a131fcb5af8359c160f2b74

SHA1
c1392e0458cbe60d4418a24401b16897d59b3a0c

SHA256
0ce104a9712143a21bac4bf2aca814e709cf5f4427cc1ecff5a6f3ffcb4a1743

SHA512
d83961214c9512aacedf3c8ffc1645c78be835652b63205ed647bec3f173d76b9294f4ca9b865886692cd6e1fa2b888689f8dabf8123b8434bc8e962f3c56baa

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
2e2983d9cf2238067d00aaa2c8423b20

SHA1
ef667d71b20c72d7bf0c128e95db1b137c1c1613

SHA256
793b06645be04fbc8c4a69f770f1f32eee56e6936bd7befcb8b68c0240c090f8

SHA512
4902308e03ab2eb13d8cb28f8fbf36481bb1c09afd4d41fa64c84b5c30bfb2e7e04c46896baf1510dd3fec35868ed14b3cca1b20a9327d5950b60cb15bb3ed14

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
96KB

MD5
0d275e866b525f494d281b1d264ebf66

SHA1
39b527a938d4015d0190c281ad723049d14286c9

SHA256
09adfd0608ce71bf894076f17bd4b90a993187b17ce701b65294d09cba06c133

SHA512
b485d3af0855a12777894acf8a6971ef044b2a1bbfed7a0809490b55c2abde4d99a3e121a1d46179e7fa1bb9669caf205cc5dfc99958daca3796f7804396b05f

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
7b879f17319f888281f00414dbd9de64

SHA1
9696445bebc4812afa841f3471fa9e42440481f0

SHA256
c36cb161fab9aed70b4693fd5f2e9f53e85c325015db73910325bcd1994ea9a6

SHA512
3617f6f6ce2d54b1b21a5f8773037db8bdf270930f0ac0ea0d4413851860bdf972926394ea7aaf029add6056b9efa3e2a82b9f474fdbf27ea8d8b763bee571c9

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
a5201f15f45367632ae5094994294fcc

SHA1
9e10cf80ae92d14cbcdc68a7263b12931a0dbad5

SHA256
7994365accb69407b318ad9551e78c5cdd463f55be8d8559adc8b54f3881b9eb

SHA512
6ec47ae0793cb742da00b5d091f86e2215fc301e700127b8641c34ba307de5814d6625989e8db7e72712a332b830a006c712355ede3773ddf6356c87e383d1a8

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
fb88cd7726546b28666e2342b052fe8f

SHA1
44269e794cdb4cb191ff8ed60695bc4325c696ee

SHA256
89c4c1c5aaf406732195c3c48024d4aaaa6746733dfc3c7b9aed9bd57ba4fd37

SHA512
1bc4a46ab0348884b272bb183958473fc27890bb5474bc8075b884c954bfa0a41d452d4885cee03aa59a3b0fa3f63d1426b268749f35182be3a9fd91c11c0b35

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
96KB

MD5
66b877a094fe04b527339895cb4aa09f

SHA1
925ae7ab8a42499c143bafe18649fb58237b7cec

SHA256
db0955d6f8255a639cbb737a1315c25895d306e65d79286db12a9b73aa3b21d6

SHA512
64ef4b39e45745de7cd5b756d335fdfd43b1ef7c21daa126c0683e3f01aa1028ce9936dff43170de68f85ac4d5dbc9c4741692ef64a0fb8918c205f69100df6c

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
779a57be46ee0775e4041f4f868896c2

SHA1
abfc392ba74a1a919c04b60a11d3a7f715fdf77b

SHA256
df4a8369f81d10a8cacc51b65caed40001eeed43e9a16aaf4ec90f7c783cffa4

SHA512
3ce75229f0abd2232a34cfaad15c6152f205483c9ce03e5108b7273590b4e3e5713afbad41641c578572dbc25a7935c4ce0b56e3993adde2f3890b9827541890

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
5ee971ed8c954e354e89151eb7369c92

SHA1
8de1360d513bfa24e3b839ce82948e92e6e7bd06

SHA256
4ac5200d5558a0a1ca944edcd5aed2998947c842791362d8819e247023a5343a

SHA512
f44948922f9a0185ad08d49fdf80b399bc8eaf197b9a911f63131429f332c809248878b4e31816ca9e896cf70d64ed0adefe1cb3b95b6213b8ca3c2ec5012584

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
8a229f0377a7090ed1a406097f957074

SHA1
8f69da02a96d806f4027e15c4dab3e4d44db8a8c

SHA256
4c896ca7b22b99e272b86ccba1be32a57e58f37000c9f4b29641d0132f967ad4

SHA512
63d981e8bd61cfb2d9c27a94609129bd1a883b2db58c5ae6f4c802f5c70a07e05d2be9dce6238f6f19644003d2d12dade1815ec686e098078d5ddc834c441d3c

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
d9c5dad587adf2ab2fd1a1aea186faed

SHA1
e1ca6a02ec241584d9efc486786decbd773bf686

SHA256
d20e229222728b7143fbb6903389b982271acfeb148b1a30ca1040974d2cc196

SHA512
07dbcc42102844ef5f14de4800cc72f31b1ae1dca375b1d815c069ea7cabc9e221fc6b4756995f9cfcdf55ea8c5ee9b2a788f43b2d655944b8cd29215115453b

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
db3901931c07ce20b18ab0ec37879639

SHA1
1d73d3ee67665476f05f061cecb283b5de5accb9

SHA256
228db51dbae9fd7077d4445669c7c0bb0ecb5da2f05edba92cef76a6257de61e

SHA512
70ead4ebc1ada6220332fa1c39af28e75e87e403bebdb91c8b402e15707144cbc0223d73adb1ad6a8f46a9976c8119115473f6c56c6abc587fe64b0f59a551c7

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
96KB

MD5
05b014b2bca82fc31864e198bc6a70d2

SHA1
677e5b8fa2d590fd5abaf88106376715d8240d37

SHA256
1ec30dc7a61da5a6c7047d256afc8b3af761b025ef9cbf8f2f785d2eccbf9784

SHA512
650309d7bacd7e2a397ae69f3f0657663ebfcad0bb73643450b87ecd1917646e2ddfab1725f841334b8f9ddcc1d2096c956d37bf69ca262ff2a746d9529590e5

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
64KB

MD5
8860f94d5bc61c730a6bdfc5fdb3fdc5

SHA1
e69648b0b0a2acb50b8a97f4e38393435c5db744

SHA256
23b8c1bffb475920e0a867da9225a55d156ed113d79cfbca6c8d2f1b2c8e3985

SHA512
57abe4a96478fd877eb2227a0745b8e370bbd1bad59c2cdc491dc4c8b761f85f29635f7a8bdaa6e0375c1a198549a3f800755ccbadec44c71f7cc7ab779400da

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
5b6018579f342aa91f3c21aca3548bb8

SHA1
7d31aa4048783450dd979809f96a9b86c7ae8ae2

SHA256
ab0a1c6443b91e6a7fd3fa978b2547de3cefaf81a5188ebe10464ffc0ccb5a41

SHA512
f077796e7487d54c5d99e78d8293c16d75c1897888ed4f47eb678a5689e550f6aae875bd198e3a5c8ebcade2c739ee0e9af684d117edbfa1600e2a5f8fe6ff02

Download Submit
memory/332-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/376-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/436-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/796-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/904-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/904-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1016-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-503-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1108-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1172-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1220-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1560-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1692-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1736-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-561-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-527-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-515-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2280-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2332-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-588-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-574-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3076-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3080-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3112-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3184-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3184-581-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3296-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3508-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3536-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3548-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3656-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3688-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3788-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3968-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4016-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4024-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4032-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4140-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4236-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-533-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4320-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-560-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4392-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4540-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-567-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4752-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4848-554-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4968-547-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5132-575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5176-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5220-589-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads