d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 02:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe
Size

275KB
MD5

2d3d49024b5c920bf840c49752d0460c
SHA1

43ef2ef67246fe7208fa8e90eb077cd8575b4031
SHA256

d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022
SHA512

8cad8da55abc20b7b78305efcbf22b0cbc0e76ea3e750f5eebeb362483194f1a49916dac2e7b8c4e189ff3b0c7deadbab49101149119127592ea55b50dcc0541
SSDEEP

6144:juMBrlMgzL2V4cpC0L4AY7YWT63cpC0L4f:juMhL2/p9i7drp9S

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe

Executes dropped EXE 64 IoCs

pid	Process
4188	Kmncnb32.exe
1980	Kplpjn32.exe
2592	Lbjlfi32.exe
1156	Lffhfh32.exe
3704	Lekehdgp.exe
428	Lboeaifi.exe
4412	Lmdina32.exe
3188	Ldoaklml.exe
2464	Likjcbkc.exe
4468	Lgokmgjm.exe
3308	Lmiciaaj.exe
2364	Medgncoe.exe
1992	Mpjlklok.exe
3468	Mlampmdo.exe
1624	Mdhdajea.exe
832	Meiaib32.exe
868	Melnob32.exe
988	Mdmnlj32.exe
3964	Menjdbgj.exe
3720	Mnebeogl.exe
3716	Nilcjp32.exe
1428	Ncdgcf32.exe
2348	Njqmepik.exe
2736	Ndfqbhia.exe
3016	Nnneknob.exe
2284	Nckndeni.exe
1480	Olcbmj32.exe
4308	Ogifjcdp.exe
4640	Opakbi32.exe
3640	Ojjolnaq.exe
3544	Opdghh32.exe
5044	Ocbddc32.exe
2288	Olkhmi32.exe
1016	Ogpmjb32.exe
3656	Onjegled.exe
1208	Ocgmpccl.exe
4052	Ofeilobp.exe
2504	Pnlaml32.exe
3904	Pcijeb32.exe
5096	Pjcbbmif.exe
4452	Pnonbk32.exe
3420	Pdifoehl.exe
3196	Pfjcgn32.exe
2720	Pmdkch32.exe
3368	Pdkcde32.exe
3804	Pflplnlg.exe
3708	Pncgmkmj.exe
5036	Pqbdjfln.exe
3524	Pfolbmje.exe
4472	Pjjhbl32.exe
3552	Pdpmpdbd.exe
3528	Pfaigm32.exe
5068	Qnhahj32.exe
2032	Qqfmde32.exe
2760	Qgqeappe.exe
4912	Qfcfml32.exe
2296	Qnjnnj32.exe
3416	Qmmnjfnl.exe
1724	Qddfkd32.exe
1040	Qcgffqei.exe
4740	Qffbbldm.exe
4312	Ajanck32.exe
1996	Adgbpc32.exe
4044	Ageolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5480	5244	WerFault.exe	208

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 4188	1020	d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe	83
PID 1020 wrote to memory of 4188	1020	d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe	83
PID 1020 wrote to memory of 4188	1020	d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe	83
PID 4188 wrote to memory of 1980	4188	Kmncnb32.exe	84
PID 4188 wrote to memory of 1980	4188	Kmncnb32.exe	84
PID 4188 wrote to memory of 1980	4188	Kmncnb32.exe	84
PID 1980 wrote to memory of 2592	1980	Kplpjn32.exe	85
PID 1980 wrote to memory of 2592	1980	Kplpjn32.exe	85
PID 1980 wrote to memory of 2592	1980	Kplpjn32.exe	85
PID 2592 wrote to memory of 1156	2592	Lbjlfi32.exe	86
PID 2592 wrote to memory of 1156	2592	Lbjlfi32.exe	86
PID 2592 wrote to memory of 1156	2592	Lbjlfi32.exe	86
PID 1156 wrote to memory of 3704	1156	Lffhfh32.exe	87
PID 1156 wrote to memory of 3704	1156	Lffhfh32.exe	87
PID 1156 wrote to memory of 3704	1156	Lffhfh32.exe	87
PID 3704 wrote to memory of 428	3704	Lekehdgp.exe	88
PID 3704 wrote to memory of 428	3704	Lekehdgp.exe	88
PID 3704 wrote to memory of 428	3704	Lekehdgp.exe	88
PID 428 wrote to memory of 4412	428	Lboeaifi.exe	90
PID 428 wrote to memory of 4412	428	Lboeaifi.exe	90
PID 428 wrote to memory of 4412	428	Lboeaifi.exe	90
PID 4412 wrote to memory of 3188	4412	Lmdina32.exe	91
PID 4412 wrote to memory of 3188	4412	Lmdina32.exe	91
PID 4412 wrote to memory of 3188	4412	Lmdina32.exe	91
PID 3188 wrote to memory of 2464	3188	Ldoaklml.exe	93
PID 3188 wrote to memory of 2464	3188	Ldoaklml.exe	93
PID 3188 wrote to memory of 2464	3188	Ldoaklml.exe	93
PID 2464 wrote to memory of 4468	2464	Likjcbkc.exe	94
PID 2464 wrote to memory of 4468	2464	Likjcbkc.exe	94
PID 2464 wrote to memory of 4468	2464	Likjcbkc.exe	94
PID 4468 wrote to memory of 3308	4468	Lgokmgjm.exe	95
PID 4468 wrote to memory of 3308	4468	Lgokmgjm.exe	95
PID 4468 wrote to memory of 3308	4468	Lgokmgjm.exe	95
PID 3308 wrote to memory of 2364	3308	Lmiciaaj.exe	96
PID 3308 wrote to memory of 2364	3308	Lmiciaaj.exe	96
PID 3308 wrote to memory of 2364	3308	Lmiciaaj.exe	96
PID 2364 wrote to memory of 1992	2364	Medgncoe.exe	98
PID 2364 wrote to memory of 1992	2364	Medgncoe.exe	98
PID 2364 wrote to memory of 1992	2364	Medgncoe.exe	98
PID 1992 wrote to memory of 3468	1992	Mpjlklok.exe	99
PID 1992 wrote to memory of 3468	1992	Mpjlklok.exe	99
PID 1992 wrote to memory of 3468	1992	Mpjlklok.exe	99
PID 3468 wrote to memory of 1624	3468	Mlampmdo.exe	100
PID 3468 wrote to memory of 1624	3468	Mlampmdo.exe	100
PID 3468 wrote to memory of 1624	3468	Mlampmdo.exe	100
PID 1624 wrote to memory of 832	1624	Mdhdajea.exe	101
PID 1624 wrote to memory of 832	1624	Mdhdajea.exe	101
PID 1624 wrote to memory of 832	1624	Mdhdajea.exe	101
PID 832 wrote to memory of 868	832	Meiaib32.exe	102
PID 832 wrote to memory of 868	832	Meiaib32.exe	102
PID 832 wrote to memory of 868	832	Meiaib32.exe	102
PID 868 wrote to memory of 988	868	Melnob32.exe	103
PID 868 wrote to memory of 988	868	Melnob32.exe	103
PID 868 wrote to memory of 988	868	Melnob32.exe	103
PID 988 wrote to memory of 3964	988	Mdmnlj32.exe	104
PID 988 wrote to memory of 3964	988	Mdmnlj32.exe	104
PID 988 wrote to memory of 3964	988	Mdmnlj32.exe	104
PID 3964 wrote to memory of 3720	3964	Menjdbgj.exe	105
PID 3964 wrote to memory of 3720	3964	Menjdbgj.exe	105
PID 3964 wrote to memory of 3720	3964	Menjdbgj.exe	105
PID 3720 wrote to memory of 3716	3720	Mnebeogl.exe	106
PID 3720 wrote to memory of 3716	3720	Mnebeogl.exe	106
PID 3720 wrote to memory of 3716	3720	Mnebeogl.exe	106
PID 3716 wrote to memory of 1428	3716	Nilcjp32.exe	107

C:\Users\Admin\AppData\Local\Temp\d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe
"C:\Users\Admin\AppData\Local\Temp\d2981a3ddc1204e17ab888c07f487fcf7283d65839e08a01155e4eef3d35c022.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\Kmncnb32.exe
  C:\Windows\system32\Kmncnb32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\Kplpjn32.exe
    C:\Windows\system32\Kplpjn32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\Lbjlfi32.exe
      C:\Windows\system32\Lbjlfi32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        34⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        37⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        52⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        57⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        59⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        60⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4184
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        75⤵
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        80⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        104⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 404
        121⤵
        Program crash
        
        PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5244 -ip 5244
1⤵
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
275KB

MD5
be9957d24a927a5824e84137f7ea5e24

SHA1
9fffadfc24021c84b8a337cac112043d73aa3068

SHA256
772c15a7556cddba058c25aefa8dd80e46483d895288262ce647a719e4d01935

SHA512
0e0f67b7c3838f052e9729da198269bbeb30d856d4833679a87bac43f7286f1b1afef4f817450effb4223b0585bd2fa7cd1331be455020e5257b4a740989d5f7

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
275KB

MD5
c723e0e584befc485c454b490857abdd

SHA1
d14eb15f5c6800a1f9a728bb51ad8eeeec139e61

SHA256
a832d6ff55316ab0e2ee8329df929d21f4e4f05c537064ed4a6b35f169323fee

SHA512
cada0414055f7a3143bfe9484906fa5e333cd3871cb41fcdbe5b8bd279e614be81220b93d594c6bb984e151f9d39fb2586b1c8d76b7e941931fd2f3f3e0df32e

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
275KB

MD5
2f7f678fb2403ad1bfb593bfc9a52b26

SHA1
a3671633ed243c1429232c4fbb9833270c1e1d69

SHA256
3d37eb819c1349556b9f266ea3f6b2e1aa36f90c042ad9022d408f2ded568fa0

SHA512
4510bec744c199a49a0a2b46d137978dbcfe292768fef6a7480a45b245461700a085279a76fd0e135a6e2693150467ffc6bf5ac923a0675a7d0065f32a83b821

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
275KB

MD5
6ecded85b735387fe192bff8c205df4b

SHA1
5e115f7b3b0d38498e6daa40d9b77a380692a6c9

SHA256
9befe6b0a2a65cad8c77b6ccd031397f0a6061ceefcf9470cd8c6f1a8991fd77

SHA512
44fcf979834ed1b944d05c3b66a3d82292be105130c11cf061c0b0048ef2a257bf57e375a94a7261e68d18129598df0dadfb6220f53cea656210f6cde8210c1e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
64KB

MD5
d43992540eef0c934fe02ea2728c4099

SHA1
a09812b8fe0a0f92c590503254a057c653c4d1a6

SHA256
b0cf03d16ed87caa15d61cf69bd8726fd61273d36044f1fcb07fc7a5150a1717

SHA512
0b3cb2b79e06527d73048d9c1681a7f271d8a77fafee58609dd8eb605d9e658bd4a616afac4e08b929373ff2335275a8b0bab355510a503e3396816f93c4e08a

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
275KB

MD5
652437a8b8355c5163928c28e3fe0356

SHA1
a47740416272db8da3780455159639165aad14b9

SHA256
f8ddf7ad3d86c7ad779d6db4cd21e363304ebd7ed9ea769fbe03f6e55975b02e

SHA512
72cd0874ed586ada152e0c5464c1d7722c2cd84b4c937b66c22a9f2e72833f3be64c378430c55d8570f780b65cdde116e1e483857b632fbea3bcf92fb708125c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
275KB

MD5
deb57e21b84a3df7890031b90179285e

SHA1
237cb24e627f9c87d947cd4b9928e5a5e70be671

SHA256
4cf5c95865995d35ba78215086e5d83010f475071287a16b71c3c7b31d3d6527

SHA512
0d0a360b105ee6a494cc7052a12bf93af34950100fa3b890c2ce7d41b6dd06dabcdcb555e00c993d1ff71c43e499936d969ca4851e10337b28436fa03bd3cfc7

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
275KB

MD5
37fa17295643dcfe0dac1c45bef624d6

SHA1
50985591caae55412deb6f7958c9a7548983ffff

SHA256
54a600b10636e95448a48119ff4c121fc60adcd0d66b225370a6e5e25a1975e8

SHA512
ad7ee57cb636c606ae8490bce88710433834ddd2a29ccd7889660ff5848b7397cf9c4e23ecffe5fe09477f5746adb670748089e1f3a3d91ce11d1b338cc4f66d

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
275KB

MD5
76bca257164f45c7a95f03e19924ad88

SHA1
24b716e66292ad8a2f3e67707eb391680e01e2fa

SHA256
e919764813a9745cd4737d7da5eb7b24a3d5aac49cd8322cee0ded8523397fca

SHA512
93b3704391f30f544b063ea9e494a14f1324412d3af5753cf465ccf61d39d6e24a2790e171ad5234cdd6f73389ece59f2d988475ac220f7d7c2a8ddfd67ed7f5

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
275KB

MD5
f354eb390498983b870b1cb93b86257b

SHA1
df20510c9ddf93e69f461a06e486eebdfa266452

SHA256
27c722cca7e3e413c12bbbfd3fbf140a8a7d0e3ae8eb789f11e1fa22ffc78c81

SHA512
e65631a2651b4dd182ccc1a9a29d058ba54e470932e4355afe3badb5104a3601dfef9a8a3fb382b4583a28215762dff6a6ad46c5c8f6a2c32bd7a433ca510c71

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
275KB

MD5
7beed9833f6326ce8436b59bf06d8131

SHA1
d96a2ebb0187938341b221894b8165e5ede717c6

SHA256
b6715d32790c762112bbdce617af24315c7c2b724d014da47d6e7e8046e8cb2a

SHA512
55e27177a6e6482723fc5ec68631dc5bd6e9320831926ec3c34763ccb9a4159af52a810636393ba945163933b4db3bb4597bbef2687df2f8fe31619b8f446d0e

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
275KB

MD5
e35ab846fcc82fcbdcd2ab6c88e5d3ec

SHA1
0cc44a9ea97db0c6154e9792ac5eb47fd98bb836

SHA256
7a70dd1422421c570c63c9d6017e7f7c9ec162138c45ddd40d173f4a0308d2d8

SHA512
8e92f89b7674cbac6d4e556bec556870ee1af5bb2a7e1c1b99eab309f3baa1ca6261a9e96ad25e1eb7d272af6dda3fe591823fffc39bee6a56aa13d48ea87ee6

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
275KB

MD5
8bb959d3fb32bdd421e94b7991350c47

SHA1
fd4431c05268c036d08c2d0404fa410d201c938b

SHA256
fd72060db0b510a607b0460a022f0455766f34a66b4d87de1000c5739915fa23

SHA512
75f1852bd03fb98d56fc34f61201a800914c5eedd191dff6fc3136965b2e6e5beb10abfb0e62dd22afc4285125db7c62112a81afdffc71fbd024c6b3cc66c283

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
275KB

MD5
d37c7b5b01a112207b78655f920a9c70

SHA1
a8c9a445a17806fe318afb9b150b5192d7bb51e6

SHA256
7191b260e2d43e13dd1dbc3e5ed825a058ae13a09c7719cf5973ca7a5f1705e5

SHA512
13bffc54a9e1402bc5cab60cdb1035a3488f059a9f93b1ccaa5bf555338faf30d1a4f07cba2502330a0022d079cab09fc5d302ae8a5a6f5849e6eeae7fad1008

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
275KB

MD5
770c84a444d13d353991fb3c564e410c

SHA1
cf83ff50cbde967297339bca40cf9a9a58f6e183

SHA256
0c08f3dd1dcbdb64c5409008058a75e19f70b44140dd0a9f062c95649dd2a0c8

SHA512
8c4bc73eba004570b94305cf663e8f2487f6cd290c59a83097b0247e9c4917224e1f0c6dfcb11395520751c5044fbb819a73531b73d47e5dae2f18d0e349e4d8

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
275KB

MD5
b52b636ad678e8d2925ea8aecd721047

SHA1
d6b827e4434eeb3c8e37608b0f3e95f3d9adec27

SHA256
2968931d6f2eec3b7c3ccc40e9162398a338acb5342194b73c7fabf312476c14

SHA512
0951a00d2704ab7205e5c855407400b8ee4722f2d1e381b7e5254863a498e665b4e93f6c7f22ef1b1657ad18863a7a89b720ee212f089784d5f930491f38d1a4

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
275KB

MD5
8270d71bc0d85376b29d6de9eafa59f6

SHA1
dd50d8d3fb86888bcc0e199cb905f035495275a8

SHA256
48a653911b36d2263343af1295e2ee0d74b8b9bec39df95c1201da496933c01b

SHA512
b965625c996f140e7d211378ff3fe518edc435a249c8e9cfa31c4b3c91024e0336e9674c26c41e932b7bd2d0e7b3483526e914b502da8484ba5285c175f11482

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
275KB

MD5
4267f2f608251ff612c66747f5fed405

SHA1
83e8bb5309bb0550faa400c78e69c32de4b689b0

SHA256
1a5f244d3916345cb21d1060e032a03d32fd792c8f377eac323d7e93d4e990d8

SHA512
7afa23b23d565459112add8905523937f4b7f8b774ffc4acab973a0ea7a048e14ff72f0e52891b48950117887b117edfc11af0b22ad424e5a846f792a31a486e

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
275KB

MD5
da81c1754a5a37197b0eeadba70d6929

SHA1
c636eeb86eac8766c16969b46c55cc723a3ddb7c

SHA256
ba0c98a9ee3e7bdd39efa47aa6b3859d658b47a0e8059b03a08bd1606a22166c

SHA512
24dff25906cc0453d71e76c74746eb134deff9e0f30db3bd74baaa51c25864e6506d04ea17176c402d38e7be78daf56da7b8e783949eee026a972892f0b0c884

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
275KB

MD5
75832ca65f4c288aeb47eb1316635c2f

SHA1
76429386167c6a5f135c7a4a1110c7fdf2f7b8e2

SHA256
3ebc0b6ac70916daea92d8b640a4ce5af0707d11fd9ebec701befaaf9ea08352

SHA512
b2e1d42273c29e57c2311e4822832eaab6d39c5c01acfe44e1c0ac64506ba225de108c9052079a3982a168718046a1faa87cb88f3e23e9f551c5478e92e47d86

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
275KB

MD5
34c452d39aea8ca73141d3cb658be690

SHA1
9e82a5fddf74a46b658a19d0e72ea13bb2233266

SHA256
e7171f0f19a2321525e87e55d86917946c1802946d100d1eb93be6744f12819e

SHA512
1962a54581f1e1d4264cf5b7e8bc69f5333560b0d6d7f1726b41b9a6317d8aeba9d86483a8de6ed1e86cce4416c270c06e91a5199509ecdc41aa0e1a265608b0

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
275KB

MD5
18de72d0ef4921b7daef47d3c21359d3

SHA1
b2877808d4f2792fe2ba5377e8c69ce5dff821e4

SHA256
313af5c17eb549b333c7ffafb86c0adc123b909a233872b17b9e890c98e80b64

SHA512
f2652b918e2bd58d2dd042e98aedbc646d16f8d6189a5b5c659952b3e9cafcb42186efe6111f2dd992eed379d735e9dd74e538b320fcf5317cbb5491b11b880b

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
275KB

MD5
c628e1c5536c39f49bbab7037985c0b6

SHA1
9e5b57801366e7de24d75b466555db20765f3b80

SHA256
735ab93a7060fa2d506e4f05f2206e722cd7c5495ff9106fb1aa620f153612bf

SHA512
c88373f18c28920f4344364f050a5ceabca56e088731d0b94ac875e1e7d716b99e0c8637014f20b853964249b15a13529a4e267b855c2b80956050f6f2e48950

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
275KB

MD5
a63a90d3c6ca2c4348f23d0148333228

SHA1
78ac4c87f7cf1db3882d03f14b1f7304c77d4282

SHA256
7560f165fa9dd59ff1b7ca5cb7f8330318ee1059416cbc1fd79209f4819b8481

SHA512
5987c106c81a40dee646f1f55d81e72e8b7d5e73bf9c417e7d3371158d7bc70b1fc8ed60c6f1fb0203ae813e6e24137bb59f5abec319db3b38e8741553d93552

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
275KB

MD5
c46f2a18e44e6b2973f01a4605765d95

SHA1
e321a7e3b9f436939d2f54f83e8ecbc45c5563fe

SHA256
b3bc179ea206edbc8014422358276e732c802c4da5463fb04156f0c47420f4d2

SHA512
fcc2a8bfac14057c74d28c131ba5d5d2eb0a688987db7c175f01be506f0856b2e4fabdd220bbb00cd04382636445e416f914ec37232c79d873dc90aad8a3cb09

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
275KB

MD5
dd03de35456df70c79e1eb6dadd45d6a

SHA1
b99d1936c8143e1ea728f9115097970c2c2bc2cb

SHA256
797a1972b3d46e64a5ec6fe936617b5f6a042047eaa37792ef7e2916898e25c0

SHA512
f08ce779dc58c46e8dba5fe8e9d032e550c1e7ce211f257a39ff9616ebbbd36b3a29031be122732195e4dd2875a5c6b7e811180b1b1fe8c14cc832d00d67d6ef

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
275KB

MD5
441582e571e53a8b48240cc6d32c5c13

SHA1
3ddbd12289017097ea5e47d07c9de024fe288c9e

SHA256
1a9b8f807209d5390196579d0f2f6d466a14b9b7f2f58293cfac35eee66aec57

SHA512
26d06392c7650e9547f3fdae6cd897d6131f4af203716f73db628811df379be807f00ac7013d9b7e197d33d8d37eef728011f817c59ce2c009fb218fbb3420fd

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
275KB

MD5
ea8b183f8f7203ff0e662f5c8a1b9fec

SHA1
a951edd86ef2ec9099d4ef20d5c5b7e406ba430f

SHA256
a52b867b6a502b8e0a5fd0595ae295d33bd57a5f57be07c3c6f4a1fa8c906e38

SHA512
bdf68b08b69db09e8c41817010afe168f6b6c74e1981d5ae78b02742de002cbaefa0a0530f7d2091fe7a0d8f181af3bb6b6433abaf365be4ffa572548c5941f2

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
275KB

MD5
c8055785333f778bc375c30cb79a3baa

SHA1
b5e47c4795c41e08ce8293fff9c9de5d7885a43d

SHA256
35fe2fc22327af147ab617e154717c3ce0dfb93d1c46db2e1b3f741b457c17c0

SHA512
aed49465c19ebf14a0456736fe7939a3af24da1f57c8b60bfc2b36cbf8d41bf62d1f11a65c7cde273da8d5113bd0297437cebed4acfb3b496f947873819e1a3b

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
275KB

MD5
0e464b5271e8cf8c9fc09cff5dd58bae

SHA1
a9ff0b1f3c02261db4251277f13747da1cb58934

SHA256
a318ea2ad5e654e3e83f839cf58e79996b713cf480f8781aedb0f29bd30ac7c7

SHA512
48c553c560ab51616540e4ece34f3160ba40046c32a077e1a3743aabfd2e8e3b1cfcb117c03f6f081f9bc8da6260bfd8680d42ef01bc8cf0a8a32911075e2795

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
275KB

MD5
044f6fa77b5dc9531782ce2998ebbfee

SHA1
df3b5af5fdf02f3541f84b84fed31a6724dd8f79

SHA256
64cacea8b6f426b96c7900c66a37773e75537709d08a492e92312b5e5631f494

SHA512
6f84ad12ed23c45010d1490d753f48f6148adad22e59b627d9793160741f85afced3c02433a854b9eb7e7d70be0f2b1616e74b6ff97856242c1c49589e258ae9

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
275KB

MD5
9e28b55212755300dc4e791a72e78cdb

SHA1
40df1ca70286817c54122a3dada8ead3ccd0dfc6

SHA256
8d69775c66a9997c0ec79d07e675e4c82ce93b5feea61b73c5e924c710689227

SHA512
62bab75192859eba8a1126298af3629059ff0c366797cdbf729415572061611a33d8f08fce9e59910cf709d6bc8fd4e21a22ff0096a04d580954b0442bdee3cd

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
275KB

MD5
b07887c9117f900b45543573b856c35d

SHA1
26e55a254e406443eaaee66f663891ee93a9e29c

SHA256
605ebe43d379808c8427f90f42ce7df5f15a6999735d93c988651f62afd4f0a8

SHA512
c94f6f2f63b64e316b502b86acf4c4f3b942addaba45b07fd26f2a3d67d210e27e86b0ad86448c0233effb58149e23fb16d3f8331e2260f14a26d36b81563e6d

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
275KB

MD5
8da87e2d3b395f3c8a5157a9eea1f7c5

SHA1
5d2253a0ae94f5f5800ec0b41a56de120e5ca5e8

SHA256
09ad08ae3390c4a51178f2f186dc0f14ff25d81ea1addf09abaa95123f2d6608

SHA512
ff89989e8361b824599c0f57b4f99ceb5576d6507f9f6ce2f8b88724affd7f508ba4fe7bf28b3bbb1a4150e8b2a26ed48776bbe1deaea18cb9495067b8ae2995

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
275KB

MD5
324692e54796b1fc1fae28e0e848a26f

SHA1
c18e3b6b39516fbaf56d96007b771fdbee2bc5b1

SHA256
22f0de20686677bf5fcdc474d6b648f1bfadc30d4934c82fc2caea2b2fbb2392

SHA512
666fe326b2fd4b8ef7373aefc65cb6b7be9f299ffbc0e4051efcbafb628f968073140af014fee6a38518f15099ee8531f893aadda7070f1be324f4d45c10c7c3

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
275KB

MD5
7722c5a941eae577667dc0fa1e5fc150

SHA1
ee43110296782fbe3c9d5ed5865b68f2efcc67db

SHA256
1d07b0bfe523b0ff36fecf20ca791c346b5d7238881bbc1f1e519550646490b2

SHA512
37408c429a049983139a5aa201c3673412273ca216404c7322706792bc34761c7838667d487b177889cba5d05b2726ac45d0bc67db86eb9d30c12c6a2f6a59b4

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
275KB

MD5
cd2f780fdb0e5c2a6590f9e81497667c

SHA1
2e0c6653c67506982271026015bbaa49f22956d2

SHA256
fb13639b6757f0c3d218d1a1f85d8c3389eb7dc9e6364d804cccb8a157e8e0ea

SHA512
2edbf3e3fbdd7061d2b019b7d0413f4e950b17a5f9a65709279c829f05eaa2c40799a70c507e6c2b2ec12fd57e15885270db5b98206f1c1f7b1fc6b689574bcc

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
275KB

MD5
77874352e24a77fd1d18bbae8a3579df

SHA1
27c380fd0f0a09d4fcd348a6647f2e8bc9539e5c

SHA256
b3f5aa7557c17e6aa4578a4e27b4a33264e9755accf9dda6bfa35b3179f622d0

SHA512
104c834e37c03ce1177d1b6bb1817c12a99f283e7103ad3ca7f9cc6832da3fb01372273d4fdee58f4d62a3f8693886ec25083f27ea70717416a81213133bd71e

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
275KB

MD5
b7c52bbd232d7408084a1dcfb0a27112

SHA1
d1e6952d3fddefa58b3d580b25fac07d032438e2

SHA256
9c36986995652e9d184623c41698a25b762186e960afac1674918b416a7f606c

SHA512
1cf58717c22bbfe075499dcf1c3d42eeb6ce52639e08a818f8c28577b218f5eeb056edc6eaff2e1eee1b8a7a8e054ddd534a50941f9d45ae05f2a2af1064a238

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
275KB

MD5
d44df39a26c14e7a07f0a79ef7c5b8c2

SHA1
432507c2dd169a281702bfcd1214cbafa3cf3469

SHA256
4c4ffbf8c5dd1299fb3df105749e6c589614fc3e7b7a308e4b1a185329f57e02

SHA512
18ee82571f5b37b94dc8c229716b4441d580a2b0864eabb760962c86fea2fde0782cd1bf00f2234926526ccd3c59327d8ead2615bf6daed2398881c9e7b33c9f

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
275KB

MD5
7c88985d3ddd470443cfaab0c3d7cf04

SHA1
92d76f58e12b30ea95f27ab41e05b27b640fadd8

SHA256
623ee283c47331d2c0b7a72f61183bf9de771306d594b5be37214961de999476

SHA512
81c4f8de9f9db0f76a8d608f11f1eda4729a455fcf49354d094569f4e0f2d029d9d2b8ea53725dc59dcfd5e29146e455ecce8fa4e7c571d1ad83a2d65e60eeff

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
275KB

MD5
b013b0e57a9358d2ceeaa5874971f513

SHA1
67da6194c44ad6f220960ffdb6c24d82cdec05dc

SHA256
47f022736d5f4145e61322d8752b97483bfb05e06843bbdf613e0d20ee7f8b4e

SHA512
d54869d7682b63564b5a29faa41df60ca035082e6f1966aa8aede2ce7b6c30ed8f3bbcca5c215091372f6e44e9a4b8f334e66fb9ef480676162fcee62d52808e

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
275KB

MD5
d00e8899bc84ba24096ad60d44f9fd93

SHA1
0ef25d83c8beed951835ec453d11795ffac2bdb4

SHA256
40f7e97120c48b552113e3bc13935f8682623f1913a5182922e34c191549009d

SHA512
46b9340035e280748a077d134149140711746d6e7d01cb5fad5041adb6504c8e9f01fc11a5eb935d3b58a4e178c52bc19fd84da3c1eafca66cc84bfd0c06850a

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
275KB

MD5
e3396e9915befdf2e9da9fe117b4cc12

SHA1
70a8890fdb996a6c012296ec746e0c0421839f40

SHA256
470fd0ffea2553f2857d7579b99df40186a24a0e3f96dba308a6a2420d1bab0b

SHA512
6a2c20c2e1db6d648b6577b2e868a70e221ebd718cab91a4e5788e50175d856482bf06ab074deb80f4e545e5c1bc0d2f95e2138fb1d184cbf668cf1a875a969b

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
275KB

MD5
a4884e17a561c1878aedcc8dc7ebe972

SHA1
32f64a3581f75424d561db233da119af8886c5e6

SHA256
f5fa420d695381bb9fa4393b9c6c45f353ed7aee8c9fd3963502a3f9e210939e

SHA512
f9872c4740b560e2470d45134320f97c4c2e189fe501e8593930e7c4f74e667bf51ef51dc98d83d7fc02b6ecce30274c1de9bb8e36070001f245ffe8778597b5

Download Submit
memory/428-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1020-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1020-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1020-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1156-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1980-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1980-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2364-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2364-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2504-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2504-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3196-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3196-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3368-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3524-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3528-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3544-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3552-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3704-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3704-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3708-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3804-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4412-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4412-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads