db8409d86f08a93522e372cb2cd101d9b985074abbe3eadd1ced4aaf11357d48

Analysis

max time kernel
104s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0d8ed136efe3508b1158efdf67d3f20N.exe
Size

82KB
MD5

e0d8ed136efe3508b1158efdf67d3f20
SHA1

b4522773cd9fe1e184fda247eea4a57ec4823065
SHA256

db8409d86f08a93522e372cb2cd101d9b985074abbe3eadd1ced4aaf11357d48
SHA512

c650331649442b838b2a6f052d25e20ffd28dcfee18d9336e2f54ed955c6335fd76be3e62fb3d2ee9f0a550eb2a013c0caa675fd5c9202cf03adbdbb0d2088f2
SSDEEP

1536:8QaWft9tE9HpL1t6UfPW62L72tpm6+wDSmQFN6TiN1sJtvQu:M+2JL36DHatpm6tm7N6TO1SpD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0d8ed136efe3508b1158efdf67d3f20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	Medgncoe.exe
4016	Mmlpoqpg.exe
4292	Mchhggno.exe
3944	Mibpda32.exe
1112	Mlampmdo.exe
4196	Mckemg32.exe
1108	Meiaib32.exe
884	Mlcifmbl.exe
1640	Mcmabg32.exe
1604	Melnob32.exe
4768	Mlefklpj.exe
4964	Mdmnlj32.exe
4368	Mlhbal32.exe
4704	Ndokbi32.exe
3528	Ngmgne32.exe
1524	Ndaggimg.exe
1992	Ncdgcf32.exe
2580	Ngbpidjh.exe
3500	Nloiakho.exe
3492	Ngdmod32.exe
1712	Njciko32.exe
744	Nnneknob.exe
4820	Npmagine.exe
3744	Oponmilc.exe
3380	Ogifjcdp.exe
4892	Olfobjbg.exe
3144	Ocpgod32.exe
3780	Ojjolnaq.exe
3364	Opdghh32.exe
516	Onhhamgg.exe
4508	Olkhmi32.exe
3644	Odapnf32.exe
2904	Ogpmjb32.exe
512	Olmeci32.exe
2728	Ogbipa32.exe
4008	Ofeilobp.exe
1952	Pqknig32.exe
1564	Pcijeb32.exe
2920	Pgefeajb.exe
4348	Pnonbk32.exe
4948	Pqmjog32.exe
456	Pggbkagp.exe
1572	Pnakhkol.exe
4236	Pdkcde32.exe
3984	Pgioqq32.exe
1476	Pncgmkmj.exe
4316	Pdmpje32.exe
5028	Pfolbmje.exe
2940	Pnfdcjkg.exe
2176	Pqdqof32.exe
3012	Pgnilpah.exe
3820	Qnhahj32.exe
4416	Qqfmde32.exe
4920	Qgqeappe.exe
2364	Qmmnjfnl.exe
1480	Qddfkd32.exe
3936	Qffbbldm.exe
3548	Anmjcieo.exe
2872	Aqkgpedc.exe
1948	Adgbpc32.exe
3320	Afhohlbj.exe
1324	Ajckij32.exe
1696	Anogiicl.exe
1704	Aqncedbp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6608	6484	WerFault.exe	232

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e0d8ed136efe3508b1158efdf67d3f20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e0d8ed136efe3508b1158efdf67d3f20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 4308	4372	e0d8ed136efe3508b1158efdf67d3f20N.exe	84
PID 4372 wrote to memory of 4308	4372	e0d8ed136efe3508b1158efdf67d3f20N.exe	84
PID 4372 wrote to memory of 4308	4372	e0d8ed136efe3508b1158efdf67d3f20N.exe	84
PID 4308 wrote to memory of 4016	4308	Medgncoe.exe	85
PID 4308 wrote to memory of 4016	4308	Medgncoe.exe	85
PID 4308 wrote to memory of 4016	4308	Medgncoe.exe	85
PID 4016 wrote to memory of 4292	4016	Mmlpoqpg.exe	86
PID 4016 wrote to memory of 4292	4016	Mmlpoqpg.exe	86
PID 4016 wrote to memory of 4292	4016	Mmlpoqpg.exe	86
PID 4292 wrote to memory of 3944	4292	Mchhggno.exe	87
PID 4292 wrote to memory of 3944	4292	Mchhggno.exe	87
PID 4292 wrote to memory of 3944	4292	Mchhggno.exe	87
PID 3944 wrote to memory of 1112	3944	Mibpda32.exe	88
PID 3944 wrote to memory of 1112	3944	Mibpda32.exe	88
PID 3944 wrote to memory of 1112	3944	Mibpda32.exe	88
PID 1112 wrote to memory of 4196	1112	Mlampmdo.exe	89
PID 1112 wrote to memory of 4196	1112	Mlampmdo.exe	89
PID 1112 wrote to memory of 4196	1112	Mlampmdo.exe	89
PID 4196 wrote to memory of 1108	4196	Mckemg32.exe	90
PID 4196 wrote to memory of 1108	4196	Mckemg32.exe	90
PID 4196 wrote to memory of 1108	4196	Mckemg32.exe	90
PID 1108 wrote to memory of 884	1108	Meiaib32.exe	91
PID 1108 wrote to memory of 884	1108	Meiaib32.exe	91
PID 1108 wrote to memory of 884	1108	Meiaib32.exe	91
PID 884 wrote to memory of 1640	884	Mlcifmbl.exe	92
PID 884 wrote to memory of 1640	884	Mlcifmbl.exe	92
PID 884 wrote to memory of 1640	884	Mlcifmbl.exe	92
PID 1640 wrote to memory of 1604	1640	Mcmabg32.exe	93
PID 1640 wrote to memory of 1604	1640	Mcmabg32.exe	93
PID 1640 wrote to memory of 1604	1640	Mcmabg32.exe	93
PID 1604 wrote to memory of 4768	1604	Melnob32.exe	94
PID 1604 wrote to memory of 4768	1604	Melnob32.exe	94
PID 1604 wrote to memory of 4768	1604	Melnob32.exe	94
PID 4768 wrote to memory of 4964	4768	Mlefklpj.exe	95
PID 4768 wrote to memory of 4964	4768	Mlefklpj.exe	95
PID 4768 wrote to memory of 4964	4768	Mlefklpj.exe	95
PID 4964 wrote to memory of 4368	4964	Mdmnlj32.exe	97
PID 4964 wrote to memory of 4368	4964	Mdmnlj32.exe	97
PID 4964 wrote to memory of 4368	4964	Mdmnlj32.exe	97
PID 4368 wrote to memory of 4704	4368	Mlhbal32.exe	98
PID 4368 wrote to memory of 4704	4368	Mlhbal32.exe	98
PID 4368 wrote to memory of 4704	4368	Mlhbal32.exe	98
PID 4704 wrote to memory of 3528	4704	Ndokbi32.exe	99
PID 4704 wrote to memory of 3528	4704	Ndokbi32.exe	99
PID 4704 wrote to memory of 3528	4704	Ndokbi32.exe	99
PID 3528 wrote to memory of 1524	3528	Ngmgne32.exe	100
PID 3528 wrote to memory of 1524	3528	Ngmgne32.exe	100
PID 3528 wrote to memory of 1524	3528	Ngmgne32.exe	100
PID 1524 wrote to memory of 1992	1524	Ndaggimg.exe	101
PID 1524 wrote to memory of 1992	1524	Ndaggimg.exe	101
PID 1524 wrote to memory of 1992	1524	Ndaggimg.exe	101
PID 1992 wrote to memory of 2580	1992	Ncdgcf32.exe	103
PID 1992 wrote to memory of 2580	1992	Ncdgcf32.exe	103
PID 1992 wrote to memory of 2580	1992	Ncdgcf32.exe	103
PID 2580 wrote to memory of 3500	2580	Ngbpidjh.exe	104
PID 2580 wrote to memory of 3500	2580	Ngbpidjh.exe	104
PID 2580 wrote to memory of 3500	2580	Ngbpidjh.exe	104
PID 3500 wrote to memory of 3492	3500	Nloiakho.exe	106
PID 3500 wrote to memory of 3492	3500	Nloiakho.exe	106
PID 3500 wrote to memory of 3492	3500	Nloiakho.exe	106
PID 3492 wrote to memory of 1712	3492	Ngdmod32.exe	107
PID 3492 wrote to memory of 1712	3492	Ngdmod32.exe	107
PID 3492 wrote to memory of 1712	3492	Ngdmod32.exe	107
PID 1712 wrote to memory of 744	1712	Njciko32.exe	108

C:\Users\Admin\AppData\Local\Temp\e0d8ed136efe3508b1158efdf67d3f20N.exe
"C:\Users\Admin\AppData\Local\Temp\e0d8ed136efe3508b1158efdf67d3f20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\SysWOW64\Medgncoe.exe
  C:\Windows\system32\Medgncoe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\Mmlpoqpg.exe
    C:\Windows\system32\Mmlpoqpg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\Mchhggno.exe
      C:\Windows\system32\Mchhggno.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        23⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        25⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        51⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        52⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        59⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1408
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        71⤵
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        73⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        74⤵
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        81⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1284
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        85⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        86⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        87⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        91⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        92⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        99⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        102⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        103⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        110⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        112⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        113⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        114⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        116⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        118⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        122⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        124⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        126⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        130⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        136⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        138⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        139⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        140⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        141⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        143⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 220
        144⤵
        Program crash
        
        PID:6608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6484 -ip 6484
1⤵
PID:6552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
82KB

MD5
d9da691312a582fb85d8520cdfa4722e

SHA1
22b9687ffc991d49a0c43b873119207fb81fd265

SHA256
46c308dbbf21834282e49fa093a077a1d7354586228ddc19f8d367473b5b71a4

SHA512
1e6b55a86eb66133b19c4b9017c69c1fad4dc755faffec03e2e2a417f8461ce5ee13f8a616d801c6338831f2f725305c209397728ed86191afb780415a6c66f8

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
82KB

MD5
6dc8a4e3acd08a025c9686639614f64f

SHA1
026ff9c79ec45f1ba95923522be666b0ca2b1a02

SHA256
21d2392b975b65b831feba2d4cfb355b8a19c1da02277d61a8c13ff55a62e10c

SHA512
7167815c3e052421375ee75d98d54ea1baf721ba7490552b69c878cb4c9d6be915ade9325289d143cca82a04d2889f8ae7fca2815eabf666a4b6b2f9187c9170

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
82KB

MD5
187b2bb57c6eba971bdcde35d700b4d5

SHA1
d92a684a6817c6f3f7f7ba423fd719916afd8e74

SHA256
2b82adb1efb61a1ad2a7e928965a122df37ad462e5d5e39c3b9e78243310c552

SHA512
6fb861ee1f98d9b30378ba5add23c342c01ca6dfc88d330ba4b692dbc5d3f87e323aa64e5255a44a1ad4e066adbcde330d20dc631e4858624b8c42d5b96cdb89

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
82KB

MD5
f01836d1b7e8c5630c90686fd01fbb48

SHA1
e95a11767998c9cee66d0575d2f457249daa8c7f

SHA256
c4804db0448d2486f9524be6ea51e47909d3539c7dcaf7c46986537a74038a5c

SHA512
8d5c5bb1321062c488411d3cc1e6e965a4690cad1a4da02ada989324653c22dfeff939e01e7fa60c865a0eb462f2be003edf31755b04cea6dc0c0a73100e81a5

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
82KB

MD5
8cf24629ca073b10e7525e0de7ff8486

SHA1
64d5225bbba6a6d2f78a84bbba15cfc8e7e9ba12

SHA256
49b5cb40af4ffadd492b3e53284a9a9987e7bb3803ed790a9b54f1effa9c07f8

SHA512
97db8452b0aee151d443a4c44a09ceb37f102143a40e7b2c020366efc424a57efc4bbada3d24b77240b6876e8362307973d7faac8e38adfb4bfe8fbc986eb926

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
82KB

MD5
ab0b2552c5bc980daa3a3233a86887f3

SHA1
a2297c16fdff8b17d5319f5c57251e9433a17b1f

SHA256
f36ca9f42b04cacd96c71a4687bfdc2a2677c3009777ffaffd985bcddd33e30b

SHA512
95b950c34d68a03afc2858c0745f1e5359e18957966c2d4285e8f51fbc2f646b7b0f5f2f6ffd6b52acb5ec93770a2b0bd7af09e42817b5bc945557a9de10505e

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
82KB

MD5
a19ac11958bc2072a3a78cc93671f3d9

SHA1
738898f06dcf0bb7156d75c7b724c5467bcad371

SHA256
57b0c5dbb803562f52b1c6749167d8c5ebf2ca2715a3a0ad5c732001b2b77cba

SHA512
21f05b511a3cdbd75ed27955851989ea9716b70ac977efd91b056614890755d4c6740d9316ef7da138e5a7f8c5c39b503db1bebea3e3f145dcff88a7499cd867

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
82KB

MD5
a42c701be509657d6b76c2e3e344e40a

SHA1
282300fa9ea080ad5c8b03c39b7e08f4c523fdc3

SHA256
2b110ea7312d633d6a44404f74bb69a6a62146511a73d03e1ee7386d2c7418df

SHA512
63b82b98681ad7c13309059184b1ce1ea08db8e626768a95aee82eed0093c5eb4398e69301696ce782857dd19bdf1a8f5e34edf031546c265729b3571c90b378

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
82KB

MD5
81c43c5f4651a7e2c364644cdca02ed0

SHA1
085436776c72059036e394116451776bb4ab614c

SHA256
edc7da008e0f5eca7a823240e463eda4ea69ba72f6ef697efe2b06ea4e47289c

SHA512
4821f1fc701e294a3857745eff7c8d1df76cfd6d4f6d3c2358a300f5b54d6e91644c84b7f17cdd7b9984e8ad25c09e92e96ccf83797fcc88ba5162372a2cbae1

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
82KB

MD5
ae80e29a1a01db8803842be97aa8da6e

SHA1
4e7c1a120732b6406c96e1d46571be36f2626e12

SHA256
249974ebaa7e083bc1dbb4c8262075ecc07e40faf1a9a9048438c207ab2cfc2c

SHA512
5b68451570f04f44ff7af3fa7ef8e82310c8619777488530ba3e01055de9d6b6e95bde975ccc93141a8ddc215bab1e000ab4ea08826d0c76d20d1fb805142ec2

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
82KB

MD5
86822e5512c230b20ee7d200be63bbff

SHA1
77ba093ddc46c6cac3bcd20fd44974efd65be9c9

SHA256
3e6d02154027f18cba99494e48df00ba09517be06a9285918c9cdc71eb8ab19d

SHA512
09409791ca9b4fa5ed40906a39db07161d7ceba926ab15561e69b272ff79f96d25ded24b813b27e069c71abc3c6c2ecc2ad2e38782759b2ca49bcd2ecf810a93

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
82KB

MD5
8e669f357aa2d5d70691fb08bbef07a0

SHA1
aa8693df586a26f54d4134077fa4e38e08cf5c76

SHA256
a5a7a91b48098ce16e1579882fcc704e2d2b4b7971858cf3525b49ac683f8997

SHA512
d3e31a3f776d30077ea1d38de58837a61695e2f472a5f0d1d31149559bfbd1fe8a344665f88ffa6063f19dd23d13a22850f2953b55b79be2eb340ad825d6be43

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
82KB

MD5
dc7a787b2cbbba43de6ea5bb177e73c5

SHA1
2c853f046e60d27dff62ab0174ac525674e37324

SHA256
c4f9e4dd7ae60ead7b420e0b755fb1e83499e6cff986cee8bd70b3c4afc9f879

SHA512
de0031eb120cadda6337de4834ed9da2709dcb347cd7c3394b6e6fc74cfc435b985999db212a42e3c18f6d36a6f933dc4eb5bae6a01da6830eeccdd6a88f32b7

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
82KB

MD5
6c4fe2ebae8cb0e6e212d152f399ed7c

SHA1
8b89280bfc90d561baebde5b5a876bfbf4a1fb0c

SHA256
bdcc7ab2bb54116c2fb78fbb4bb88952e01cd2f8ab6b743ac3b42dbf2374a046

SHA512
4a3cc24fed8a97b7c6d01c24e5cb307a4941d496306770caccdb10bcc4bcfc07d220595e2f1da2b6a1f8bc04e251de9f4ee12bb34479e19a8645fa335aa1b9cd

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
82KB

MD5
b3a0b997e952e15910e9a794f42fa4e2

SHA1
c0389403ca3b09c8e7a654c8287c95152b5827d3

SHA256
2f319eb8a2e46408b9436a04f2e3f540f9c47fc8abd8f7fe5c221da73c78fd33

SHA512
4f4e4e8219e3fdab4f6ba9f0be964e829d55b1662cc9ed8b2a528805ce58f571140fa92a740c9a0a7e16ebb72122f212b3360099ff4dbf7c52e1cf140f357c04

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
82KB

MD5
eef7d3e64b1da291386a5af2fd90e54e

SHA1
c7749d380191c8b67faaec9538debd42a9747a89

SHA256
bf031295142fa5ade261ca4b00d2c6f9b392a80cef47b63e77745815e8459f5c

SHA512
540e5d119759d1c0c9a6b527e2ae59ce0f026113c961b132a2ac53dd34377e80896abc4e410109a4530ce64fb0043f8a40a0b8408fafc0ca306b28a0baa18401

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
82KB

MD5
c7ed3050bbab36977196cf1cafa56eb3

SHA1
456d5bca714567500028f19efba1c16451212f31

SHA256
51fc4bca35ea85888e299b2669393c26118f24070fe7b267caf30d60acc7744a

SHA512
f382511bb38d11516ca643d7aa40437ecb54d7f06bcfb6d3a14ceaad27fb43d20f673ce8cc343deb87b37ce5b277d9316cf4a3ad7a6094dc924790526b71b4a3

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
82KB

MD5
b9fd1dbfbeae6e3f17d1125bbc9a7aca

SHA1
64dfb49da9546c7196ce8734228c4ab171ad710f

SHA256
3c5167d9c2db92e23a9d85b46d44caa7eac82fabd73a853783b0d8842fefca9b

SHA512
d3649a2e91bd863c24dfd37dcedef6721bd937a71f360a65f66e7286459261faef5442807c92892a1c44c3cee1d56daef9802fcb7050cae3cea80b243570f831

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
82KB

MD5
64a1f881bf53b88e2925203afc63dfb3

SHA1
42e76445230e5f04928828d2d42fbf11483f211a

SHA256
e4a51659c52e86cff255f0c152294396cecdb0578041413d178005852716104e

SHA512
890f8a9400fc5c4dcd27bf36ed6feb09d06afa643a528f8e151683daa9792c988fbc704cdc07188db26c2cef72ed52916e6039bef699258fff2d8a0c8d953f7a

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
82KB

MD5
20e44d569d5b4ccbe90a45783b94d13c

SHA1
bc6c2be6d0b01dc5ed43216b4bded41d8d537af1

SHA256
f5b69d90fbd64d7ee1639d83612bb9706514fcfdaba02612d17d83a4be9917a4

SHA512
ca9417a2302a9a67a2f7947029af7a5c3ba3380d99da8ffdcb95ecf4be8d0e3315e7edfc1ba7aa08a66d3587871ff51cf02f0bbf8246f32cc706a9120902743b

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
82KB

MD5
b9803bb1a32e27a779140c31b8bca1b3

SHA1
0259aa619d3c1412bc0ce3979e114ec5727d2c5a

SHA256
4257dd63fe176f10568aec89ba5d9182315c7b6a9be7fc1a256ad7461d05870f

SHA512
f06158570990ce1908b77974a8440c7d1c4b34a1eddda3410cb9dcf3c2636d26df3cb160d50af0c621a037dc6b2f12482df3602788b5e535306939e6f28b4408

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
82KB

MD5
1648d772904b7ca05205d4dfe11e653c

SHA1
1d1e2d21def1857a071e6e503f77785fefcf452d

SHA256
c6d3f818dace673f736022814297c079e6ce90a4d4d0f48068a6153daf2d612f

SHA512
b6e8ef9b1feb0b1cbf05bf0b5dd4258aa388d701e050ab45c39d44c38439e297ea4676007198959e086118a9b9b04534d8ec2f410dab46cf00ad731e68cdee62

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
82KB

MD5
563b976dc1daebfb1f1de82afafb0bfb

SHA1
bf37c1d2654bfd8a185e7820356a08d9b4627ad2

SHA256
276c4714188ac3d37a5817aa3c6029fabcd1a8cef7b47cc7c66e749024395f65

SHA512
0d01ad50ad5b91b964946436c25dba9bf06cc3c6867dec4d39c215f85308f9c759dd2c0b11e784a8d03983c11729f5be59fb3fee1b3964f5221ff9b0a098fdcd

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
82KB

MD5
3ce02dfb949c57b644b1890595734192

SHA1
500d98cd6430665548f597690f9da287a7285ed5

SHA256
2782db2592b06938fc363a16425040ccb03631cde2fa33b5ebcf933f96ac039f

SHA512
78f4aa25ed6c605b275b296ca367e46bf1bdc3cc3c47cf48b05c4ed95dd55780c82d795a2eab0efd25e6103702b81d1446cebe08176da8a881cd17f09cb4ac84

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
82KB

MD5
4eeb8de216fd8f0c194491965c2aae54

SHA1
496e6d02f9b58ccbf9c54d2f348f9221569eef40

SHA256
f986cc34d716c091ee962e6eba52476b9e048abc0e0b3673cdee0581bc3a0564

SHA512
2c8f6e7328b2bc8cc9364df7418eef138a47326c060d19a660ed63d02fe8b45a5ab0eae0f95899b8fad8feb59064e3df2858a566f92a627864802a33615c6081

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
82KB

MD5
4121f43c776c982383b78631825a29f3

SHA1
8397330856fcb86a9c160575ac43eacaff450c06

SHA256
271948453dac0c3786fa6fd6601d22f75d005829d32ded9ee90a07146f6d9538

SHA512
799e90f956ae554da5d8afa43255974ddcad62545733f375efc06e2ccee92005142ad99698d91ca453b65b9c45996a02c549ea44c75d8490554f3b64beb07f52

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
82KB

MD5
d2ed150910904de329e77536cb6dc9e2

SHA1
eb0998f4f21128d6f5f0238c84cd1de7c536e98e

SHA256
f85701f057ab93101d29868746d24b985cd902ab0a6167ca56ec8dd45197b47d

SHA512
d56b22803db4bb722482a0e4ba1ea7c66cb56dc662ef8063afcaeae17c5e1fa8bff1a475326f9d86ddc52167ce608ae6733bcd782099d963d2be4f2d086f58cc

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
82KB

MD5
33173297799da1f47b8c46a84c7a9f01

SHA1
e85fd95962a59c9409e94506ad71db90b646ce38

SHA256
a5ae7e8d3168474261ea5f45f2724abb0151ab09676cdcf678a702d385613dea

SHA512
0db6bb0c2841ea0fbd7d372f1987ce709276b97ac790eacf0528d5f450f18879d3f3b7584a55f1786f871b5ff3ac03aded04b2ea9e93788f413a0c32a186fa60

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
82KB

MD5
ccafc358c2cd041b5b9efd4da4db68a0

SHA1
76840f0bb32a2302399dc5e159e1fa1525365d39

SHA256
d3a3c0902cefa52888cf7a41a1e328d87d5d7d4946fadc3d620d1c4c35e2af99

SHA512
e84b314778586831260200f6e3554fffc92028c8400271cff69685358d6b5b2b4469274f189257aec95d1c50958a6aa37cb8f006422301f79170dd5a24ad9b4b

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
82KB

MD5
3a336070ed9190f348ed2613ed9937b7

SHA1
d00cfc6b7c001be5ebcd484776ba258ad192fa46

SHA256
2e7c6bb31408d8b7b7def9931fad7543108a24c8c568960be8e6f24e4bdbc36f

SHA512
50d22251f78a3713e6e3356c3d5b9ead1869981fdf25d5c8152200879cd6f11f8b96b49aa385de2ed087452febe1b530950b289af3218f910dd77d79b44ff574

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
82KB

MD5
eace1078640f5e947d255d65e02f12df

SHA1
2ec2c092fffd880932506a2576abdfd493e8b611

SHA256
6340762b89519eeb300ac38c6906a89202f2cf083ac9a85bab8a916ffa8cb196

SHA512
786541f3af0d401b7b8502b600dc7fa43db288fe70fc1b70de74d2b358a840661dbcc5147c9939f2fcc9cded2cae9e26f54f73cfed8cc598eaa9bfd329392e2f

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
82KB

MD5
1d6dddf370329d375129fd68e278584d

SHA1
eaa265d0bbeac88c20d1e1fe424e1acda39e6427

SHA256
42ce13bfe479c02a18254709e9a37fc4108130188dc15312661ce3a8dd9f1020

SHA512
cb51da9f418ea07c6dc4e7838104d20fb5f0cc6035ecb3128de6696018f163b7b78192fa17df791f806a718267ac35983c78f0fa09fc9b4a524f88fa49d37ba2

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
82KB

MD5
86a446ba8a1d14bc3d12664cefc6b530

SHA1
3d0d5aec54b6edf62c72f303a58302c4861003bd

SHA256
e4d2333ab2ff70554947617643daf7d0b761ef7f8efc1cfa717b7af41ba00d52

SHA512
8d38a8ce90300cc1d006a50b288c7be33d7c7f1a11e8054e46f9e094dcc0945fa1555de23f7c2fa4362f6a83d2b8db31a299914911a88fecebbcbc15520c3008

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
82KB

MD5
a05898164a07a468edc061763d0446fe

SHA1
50acbf3036af79f2c23db367e9a384160e6bb698

SHA256
6a02213b38fa50062b22d81b259de11f16794a8b5a4ea9abde533f837d44b27c

SHA512
4d3844afea86dbc0681b4d85f6d13fe0dea34d43bc6972d26f7fe427d2489edb36df629cf5a5bc09cb251409896c368774e959f5032784a35a8970c41f1acd51

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
82KB

MD5
69c7b11e7cec24d973d3cda7103201af

SHA1
20f055679c87d599ef4435d86496572eee1cc40f

SHA256
63cd9e39f6849b4f9a24fae10eaf99771c539478ee3efeb4a95552a2077374e6

SHA512
468630b26c30408d34314260c8f80b0676ca693925f156cb8ebaab23d7898454bd2fe48db220925c3ecbff5eb88c35dbae39c6cba1e1c686db648695d2e570d2

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
82KB

MD5
232a5d3a0fa09bcfd78267b524e56f03

SHA1
5972e29504b3af53b8901c93bea4c11f55184e2c

SHA256
3f490c4afaa1423c67ed68c87e9f1c9c64067af44a5a60f34e71e960b179fbe9

SHA512
e76a48723ecefb276d513f7776578dc5a9523f495f9d7e46a9c35630856bfed293b65fd335aba22042aa75f5f20334e4b7971515f4abdab3f5c4abd1a275e63c

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
82KB

MD5
7a18b912147149bca9706c66c3469122

SHA1
a079dab664d809bfb992dbe61d2f7e3f92ed2158

SHA256
a935a51c79389e23aa9ecd0b2a06af9da5abb2d54c7fa4484268ba8e45bc97d8

SHA512
fb6d5fc91b7f9524af6dc9a0cc13a50009bb143f788ebbc4ba066ad628b1771caf36e2c526b2d4910acc1ee6e2b460653c64e78ad013e321db96206e968d34a3

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
82KB

MD5
a1702dec590be6cde7d8fef4456f7eb8

SHA1
e9041a9fa7fda355efb5c151db41a323baa79753

SHA256
409d4ce71634a091336bbc65cb59c4707b909d80c14798f93b025ca0c76f2784

SHA512
9e3f6df9e3b972026ade5041878d27e0163e7efeadf1284c49b49b68eeaeb6d286b7ff24a2f30e7ad02fbee15c084637cab4a3461651d2f7096c732a0c40cb41

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
82KB

MD5
df5dbf3e0de33d2ab0ac99c2db3dae8b

SHA1
324bb146f8612249b3aa2667e8fc6c202bf7a6c7

SHA256
c595ca4b89b439c241be033206796858e1a1326ef652c4b2735d24145ef883eb

SHA512
1344feaea3173d92ae1a7c8ed3a5985371c66c0f76c1bde2ea5023af66b3ae785e76e2644509991117f9fd37a824f90c84b5003d8f86a13a1b2b08d581285eb4

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
82KB

MD5
6b2358b5d140a26ab3849af9e684a243

SHA1
18a8cc7de43c785b705c88a9f7fa8d3a67bcc099

SHA256
181d25eeebd9dd09c2b67012c7db00f9d0a567a0809cf06a41b31b9950e3a33f

SHA512
7ab6e58c84d46ccbca4a24e83a7e3306256c6edd620603c19274a6c33733bd442b4297eabdedb5ae4f63c9a4dbe8dcc5ef11bd23202b54fb748dcbb24cf263ee

Download Submit
memory/456-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/516-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/516-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/744-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/744-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1476-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2920-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-408-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3744-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3744-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3820-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3944-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3944-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3984-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4008-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4236-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4236-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4372-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4372-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4372-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads