5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b

Analysis

max time kernel
134s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 22:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b.exe
Size

96KB
MD5

d6636b50cf5c24002090a68f91a61b80
SHA1

6261ddadd33b77191108440807b17ba3325fecf2
SHA256

5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b
SHA512

9bf5741c0fad8630ae7ffbdfd489c0effeb6cbb069f0b215118f98023e0a475f00f062996371287b66ff22f1d42538ec19454d0edc48925c070ff9d429b41efc
SSDEEP

1536:OlyQSZqG2YzDoYTPUd4FKCckn2Dp9ilkilRNDK+pwKl0BknaAjWbjtKBvU:OlyzRptwOFcDgm+tYknVwtCU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgfifjmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdadmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaplij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnjbllng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ippbfgfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbbfofnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hblblcgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckibjqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Canaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfcnlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eocaln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Badnkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnibkhho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkmfghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgajjnio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddafipck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcanen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhofhqhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfajminj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnhmgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchcfmqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojcnqblh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohenmnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnmqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ielknndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjflgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjibcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dofkfica.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eklogn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jopocbag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimqjlih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jliige32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbpkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbcjbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpcjckom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojqakbnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlhkqmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjpfahf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnibkhho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Canaae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejgpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phkhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieohdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmidepp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filolqem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmqmcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgacal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhbemag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eocaln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmgiinb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bomoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofkfica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhdbalf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoenbmkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnnhce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dabjmddg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhgdgce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmeaja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmacckmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhecbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehhbemag.exe

Executes dropped EXE 64 IoCs

pid	Process
4676	Bdadmi32.exe
2208	Bogija32.exe
2032	Baeefmdc.exe
2988	Bhombg32.exe
4304	Boieoacm.exe
4532	Cfcnlk32.exe
2028	Clmfiebf.exe
4820	Cnnbqn32.exe
392	Cfejakhg.exe
4444	Ckbcjbgo.exe
2992	Cblkfl32.exe
632	Chfccfeh.exe
2268	Cncllmdp.exe
2212	Cfjdmj32.exe
3048	Cldlidlo.exe
916	Cbadakjf.exe
1060	Clfiodjl.exe
3852	Coeekpip.exe
3056	Ddamcfgg.exe
4524	Dhmidepp.exe
1732	Dklfpqod.exe
1280	Dogaqo32.exe
624	Dnjbllng.exe
1412	Dfajminj.exe
636	Dhpfienm.exe
3232	Dknbepma.exe
1172	Ddfgof32.exe
4736	Dmnopcdd.exe
724	Dffchi32.exe
4364	Ddicdeao.exe
4168	Dmplebaa.exe
3080	Dfhpnh32.exe
4600	Eboqci32.exe
2488	Emdepb32.exe
1484	Eocaln32.exe
5032	Ebamhi32.exe
2128	Emgafa32.exe
4144	Eoenbmkm.exe
3600	Ebdjnijq.exe
2164	Einbkb32.exe
868	Eklogn32.exe
3548	Efacdg32.exe
2332	Eknkmn32.exe
2976	Enmgiinb.exe
684	Eiblfbmh.exe
2892	Ekahbnll.exe
2804	Fbkpog32.exe
2380	Ffflofla.exe
3896	Flcegmji.exe
4792	Fnaadiim.exe
3064	Figeaa32.exe
3936	Fleamm32.exe
4516	Fenffbog.exe
3420	Fpcjckom.exe
544	Fbbfofnq.exe
4044	Filolqem.exe
4888	Fnhgdgce.exe
4544	Feboaa32.exe
2644	Glmgnlbo.exe
4472	Gfblkdbd.exe
1368	Giqhgp32.exe
4588	Gnmqpg32.exe
1500	Gegilagl.exe
4088	Glaaik32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gbkieeef.exe	Glaaik32.exe
File created	C:\Windows\SysWOW64\Pdaacjfl.dll	Ioglmcib.exe
File created	C:\Windows\SysWOW64\Dgpcekbo.exe	Ddafipck.exe
File created	C:\Windows\SysWOW64\Qdiokffi.exe	Qmofnl32.exe
File created	C:\Windows\SysWOW64\Heocgcpe.dll	Joblhaoe.exe
File created	C:\Windows\SysWOW64\Dahoqo32.dll	Klehcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngalhimj.exe	Mmlhkqmd.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfhj32.exe	Nmcnkp32.exe
File opened for modification	C:\Windows\SysWOW64\Oafplmim.exe	Ojlhpc32.exe
File created	C:\Windows\SysWOW64\Ojcnqblh.exe	Ojqakbnk.exe
File created	C:\Windows\SysWOW64\Bcbood32.dll	Gnmqpg32.exe
File created	C:\Windows\SysWOW64\Gbpbqd32.exe	Gpafdi32.exe
File created	C:\Windows\SysWOW64\Donaghmi.exe	Dgfifjmg.exe
File opened for modification	C:\Windows\SysWOW64\Nmcnkp32.exe	Nckibjqk.exe
File created	C:\Windows\SysWOW64\Phkhef32.exe	Pdpldgnc.exe
File created	C:\Windows\SysWOW64\Bhecbb32.exe	Bpnkaepm.exe
File opened for modification	C:\Windows\SysWOW64\Egpllidl.exe	Edappn32.exe
File created	C:\Windows\SysWOW64\Cdkpihfd.dll	Hokmaecp.exe
File created	C:\Windows\SysWOW64\Enabaf32.dll	Hiodhn32.exe
File created	C:\Windows\SysWOW64\Bgpkafbe.dll	Nnbjeb32.exe
File created	C:\Windows\SysWOW64\Phcgei32.dll	Ckfejkom.exe
File created	C:\Windows\SysWOW64\Dodnqied.exe	Cdojcpen.exe
File created	C:\Windows\SysWOW64\Dogaqo32.exe	Dklfpqod.exe
File created	C:\Windows\SysWOW64\Fbbfofnq.exe	Fpcjckom.exe
File created	C:\Windows\SysWOW64\Hmojdl32.exe	Hegaco32.exe
File created	C:\Windows\SysWOW64\Jiajek32.exe	Igcnip32.exe
File created	C:\Windows\SysWOW64\Dknbepma.exe	Dhpfienm.exe
File created	C:\Windows\SysWOW64\Qpeaip32.dll	Eocaln32.exe
File created	C:\Windows\SysWOW64\Lehilecg.dll	Edocjn32.exe
File created	C:\Windows\SysWOW64\Hlhakn32.dll	Bomoim32.exe
File opened for modification	C:\Windows\SysWOW64\Bdnambdq.exe	Bmdipi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckoojl32.exe	Chacnq32.exe
File created	C:\Windows\SysWOW64\Gdhciaop.dll	Dfajminj.exe
File opened for modification	C:\Windows\SysWOW64\Kgecem32.exe	Knmolh32.exe
File created	C:\Windows\SysWOW64\Aghjbk32.dll	Kjflgh32.exe
File created	C:\Windows\SysWOW64\Ddnpledi.dll	Nmaafp32.exe
File created	C:\Windows\SysWOW64\Dibhhdgm.dll	Ojqakbnk.exe
File opened for modification	C:\Windows\SysWOW64\Cncllmdp.exe	Chfccfeh.exe
File created	C:\Windows\SysWOW64\Ebamhi32.exe	Eocaln32.exe
File created	C:\Windows\SysWOW64\Nikjmfli.dll	Agfgho32.exe
File created	C:\Windows\SysWOW64\Enggccnl.exe	Egnofi32.exe
File created	C:\Windows\SysWOW64\Kcmmkl32.dll	Bdcjhb32.exe
File created	C:\Windows\SysWOW64\Qdngkklj.dll	Cldlidlo.exe
File created	C:\Windows\SysWOW64\Gegilagl.exe	Gnmqpg32.exe
File created	C:\Windows\SysWOW64\Jgejnp32.exe	Jonbmb32.exe
File created	C:\Windows\SysWOW64\Ngpphf32.dll	Fenffbog.exe
File created	C:\Windows\SysWOW64\Hofcfe32.exe	Hlhgjj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjibcf32.exe	Mgkfgj32.exe
File created	C:\Windows\SysWOW64\Ofbpccdp.dll	Hbdlldmk.exe
File opened for modification	C:\Windows\SysWOW64\Nfnoje32.exe	Nnbjeb32.exe
File opened for modification	C:\Windows\SysWOW64\Gpojoi32.exe	Gmqmcn32.exe
File created	C:\Windows\SysWOW64\Hmqoji32.dll	Gelbgp32.exe
File created	C:\Windows\SysWOW64\Mgdlkifp.dll	Geiebqdj.exe
File created	C:\Windows\SysWOW64\Cdegmani.exe	Cagkafoe.exe
File created	C:\Windows\SysWOW64\Eeklmjmc.dll	Efacdg32.exe
File created	C:\Windows\SysWOW64\Cgeojn32.dll	Mjdihffk.exe
File created	C:\Windows\SysWOW64\Lmliln32.dll	Egpllidl.exe
File created	C:\Windows\SysWOW64\Ljiilhph.exe	Kcoapn32.exe
File opened for modification	C:\Windows\SysWOW64\Qjecmpkc.exe	Qdlkpe32.exe
File opened for modification	C:\Windows\SysWOW64\Cfjdmj32.exe	Cncllmdp.exe
File opened for modification	C:\Windows\SysWOW64\Gbkieeef.exe	Glaaik32.exe
File created	C:\Windows\SysWOW64\Gpafdi32.exe	Gmcjhn32.exe
File created	C:\Windows\SysWOW64\Iimqjlih.exe	Ioglmcib.exe
File opened for modification	C:\Windows\SysWOW64\Dgfifjmg.exe	Dqmqip32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7552	8180	WerFault.exe	350

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfajminj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flcegmji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejgpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgacal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbadakjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coeekpip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioiibcgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngalhimj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jglqoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apibfecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daegbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbcjbgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbnfke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbiegc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkmfghl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgejnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhpmmed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfejakhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glmgnlbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hofcfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlkdoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhpnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqcjppib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bomoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onqffqbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cblkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giqhgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geiebqdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmhccmod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgafa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohgalnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnaadiim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejninfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoenbmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgmbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohenmnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqmqip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbeogog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpldgnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cohoekpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpfienm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmgiinb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gegilagl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioglmcib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dklfpqod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmeaja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cneagf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chelipbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpojoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmojdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpjai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjecmpkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eocaln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eklogn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgecem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbbfofnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phkhef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paheikig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqomop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmplebaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loodknfe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjehg32.dll"	Aabhoiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgecem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lchcfmqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddicdeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpnkaepm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonjidoj.dll"	Hblblcgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daegbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dagdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enggccnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddfgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdlkifp.dll"	Geiebqdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ippbfgfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Babafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebdjnijq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdodkl32.dll"	Hbiegc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhjjinc.dll"	Ljmbgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibikekhk.dll"	Nmcnkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phkhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjaoenni.dll"	Bogija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiglpb32.dll"	Eiblfbmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionap32.dll"	Nfnoje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpldgnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffffcnam.dll"	Baeefmdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmblpel.dll"	Lnkknfbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmpmdnf.dll"	Ilipqhjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aohenmnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekgnahak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doofdejj.dll"	Ekgnahak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqpnf32.dll"	Gpojoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpifgio.dll"	Hechhomo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoenbmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojpbg32.dll"	Eklogn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbidoqpa.dll"	Iolfhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lqenob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njbeid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banhkhgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgmfohgk.dll"	Dagdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpipfp32.dll"	Hlhgjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebqfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diebpcao.dll"	Eopnlgkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbeogog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbbofdpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgebmd32.dll"	Lgacal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phkhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcanen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdiokffi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiomol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klkfmeji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmacckmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljeojkf.dll"	Bdnambdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckfejkom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jicgjkbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkdbf32.dll"	Klkfmeji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hechhomo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipbokgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojcnqblh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpldgnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klkfmeji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joiqbc32.dll"	Dknbepma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmlhkqmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dklfpqod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jonbmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmofnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmacckmi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4676	3536	5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b.exe	84
PID 3536 wrote to memory of 4676	3536	5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b.exe	84
PID 3536 wrote to memory of 4676	3536	5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b.exe	84
PID 4676 wrote to memory of 2208	4676	Bdadmi32.exe	85
PID 4676 wrote to memory of 2208	4676	Bdadmi32.exe	85
PID 4676 wrote to memory of 2208	4676	Bdadmi32.exe	85
PID 2208 wrote to memory of 2032	2208	Bogija32.exe	86
PID 2208 wrote to memory of 2032	2208	Bogija32.exe	86
PID 2208 wrote to memory of 2032	2208	Bogija32.exe	86
PID 2032 wrote to memory of 2988	2032	Baeefmdc.exe	88
PID 2032 wrote to memory of 2988	2032	Baeefmdc.exe	88
PID 2032 wrote to memory of 2988	2032	Baeefmdc.exe	88
PID 2988 wrote to memory of 4304	2988	Bhombg32.exe	89
PID 2988 wrote to memory of 4304	2988	Bhombg32.exe	89
PID 2988 wrote to memory of 4304	2988	Bhombg32.exe	89
PID 4304 wrote to memory of 4532	4304	Boieoacm.exe	90
PID 4304 wrote to memory of 4532	4304	Boieoacm.exe	90
PID 4304 wrote to memory of 4532	4304	Boieoacm.exe	90
PID 4532 wrote to memory of 2028	4532	Cfcnlk32.exe	91
PID 4532 wrote to memory of 2028	4532	Cfcnlk32.exe	91
PID 4532 wrote to memory of 2028	4532	Cfcnlk32.exe	91
PID 2028 wrote to memory of 4820	2028	Clmfiebf.exe	92
PID 2028 wrote to memory of 4820	2028	Clmfiebf.exe	92
PID 2028 wrote to memory of 4820	2028	Clmfiebf.exe	92
PID 4820 wrote to memory of 392	4820	Cnnbqn32.exe	93
PID 4820 wrote to memory of 392	4820	Cnnbqn32.exe	93
PID 4820 wrote to memory of 392	4820	Cnnbqn32.exe	93
PID 392 wrote to memory of 4444	392	Cfejakhg.exe	94
PID 392 wrote to memory of 4444	392	Cfejakhg.exe	94
PID 392 wrote to memory of 4444	392	Cfejakhg.exe	94
PID 4444 wrote to memory of 2992	4444	Ckbcjbgo.exe	96
PID 4444 wrote to memory of 2992	4444	Ckbcjbgo.exe	96
PID 4444 wrote to memory of 2992	4444	Ckbcjbgo.exe	96
PID 2992 wrote to memory of 632	2992	Cblkfl32.exe	97
PID 2992 wrote to memory of 632	2992	Cblkfl32.exe	97
PID 2992 wrote to memory of 632	2992	Cblkfl32.exe	97
PID 632 wrote to memory of 2268	632	Chfccfeh.exe	98
PID 632 wrote to memory of 2268	632	Chfccfeh.exe	98
PID 632 wrote to memory of 2268	632	Chfccfeh.exe	98
PID 2268 wrote to memory of 2212	2268	Cncllmdp.exe	99
PID 2268 wrote to memory of 2212	2268	Cncllmdp.exe	99
PID 2268 wrote to memory of 2212	2268	Cncllmdp.exe	99
PID 2212 wrote to memory of 3048	2212	Cfjdmj32.exe	101
PID 2212 wrote to memory of 3048	2212	Cfjdmj32.exe	101
PID 2212 wrote to memory of 3048	2212	Cfjdmj32.exe	101
PID 3048 wrote to memory of 916	3048	Cldlidlo.exe	102
PID 3048 wrote to memory of 916	3048	Cldlidlo.exe	102
PID 3048 wrote to memory of 916	3048	Cldlidlo.exe	102
PID 916 wrote to memory of 1060	916	Cbadakjf.exe	103
PID 916 wrote to memory of 1060	916	Cbadakjf.exe	103
PID 916 wrote to memory of 1060	916	Cbadakjf.exe	103
PID 1060 wrote to memory of 3852	1060	Clfiodjl.exe	104
PID 1060 wrote to memory of 3852	1060	Clfiodjl.exe	104
PID 1060 wrote to memory of 3852	1060	Clfiodjl.exe	104
PID 3852 wrote to memory of 3056	3852	Coeekpip.exe	105
PID 3852 wrote to memory of 3056	3852	Coeekpip.exe	105
PID 3852 wrote to memory of 3056	3852	Coeekpip.exe	105
PID 3056 wrote to memory of 4524	3056	Ddamcfgg.exe	106
PID 3056 wrote to memory of 4524	3056	Ddamcfgg.exe	106
PID 3056 wrote to memory of 4524	3056	Ddamcfgg.exe	106
PID 4524 wrote to memory of 1732	4524	Dhmidepp.exe	107
PID 4524 wrote to memory of 1732	4524	Dhmidepp.exe	107
PID 4524 wrote to memory of 1732	4524	Dhmidepp.exe	107
PID 1732 wrote to memory of 1280	1732	Dklfpqod.exe	108

C:\Users\Admin\AppData\Local\Temp\5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b.exe
"C:\Users\Admin\AppData\Local\Temp\5b14a002bdb670136fcd33076420fc6be1105f232e92dbd6efe8f4027838952b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\SysWOW64\Bdadmi32.exe
  C:\Windows\system32\Bdadmi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\Bogija32.exe
    C:\Windows\system32\Bogija32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\Baeefmdc.exe
      C:\Windows\system32\Baeefmdc.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\Bhombg32.exe
        
        C:\Windows\system32\Bhombg32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\Boieoacm.exe
        
        C:\Windows\system32\Boieoacm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Cfcnlk32.exe
        
        C:\Windows\system32\Cfcnlk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Clmfiebf.exe
        
        C:\Windows\system32\Clmfiebf.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Cnnbqn32.exe
        
        C:\Windows\system32\Cnnbqn32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Cfejakhg.exe
        
        C:\Windows\system32\Cfejakhg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Ckbcjbgo.exe
        
        C:\Windows\system32\Ckbcjbgo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Cblkfl32.exe
        
        C:\Windows\system32\Cblkfl32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Chfccfeh.exe
        
        C:\Windows\system32\Chfccfeh.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Cncllmdp.exe
        
        C:\Windows\system32\Cncllmdp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Cfjdmj32.exe
        
        C:\Windows\system32\Cfjdmj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Cldlidlo.exe
        
        C:\Windows\system32\Cldlidlo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Cbadakjf.exe
        
        C:\Windows\system32\Cbadakjf.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Clfiodjl.exe
        
        C:\Windows\system32\Clfiodjl.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Coeekpip.exe
        
        C:\Windows\system32\Coeekpip.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Ddamcfgg.exe
        
        C:\Windows\system32\Ddamcfgg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dhmidepp.exe
        
        C:\Windows\system32\Dhmidepp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Dklfpqod.exe
        
        C:\Windows\system32\Dklfpqod.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Dogaqo32.exe
        
        C:\Windows\system32\Dogaqo32.exe
        23⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Dnjbllng.exe
        
        C:\Windows\system32\Dnjbllng.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Dfajminj.exe
        
        C:\Windows\system32\Dfajminj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Dhpfienm.exe
        
        C:\Windows\system32\Dhpfienm.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Dknbepma.exe
        
        C:\Windows\system32\Dknbepma.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ddfgof32.exe
        
        C:\Windows\system32\Ddfgof32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Dmnopcdd.exe
        
        C:\Windows\system32\Dmnopcdd.exe
        29⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Dffchi32.exe
        
        C:\Windows\system32\Dffchi32.exe
        30⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Ddicdeao.exe
        
        C:\Windows\system32\Ddicdeao.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Dmplebaa.exe
        
        C:\Windows\system32\Dmplebaa.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Dfhpnh32.exe
        
        C:\Windows\system32\Dfhpnh32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Eboqci32.exe
        
        C:\Windows\system32\Eboqci32.exe
        34⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Emdepb32.exe
        
        C:\Windows\system32\Emdepb32.exe
        35⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Eocaln32.exe
        
        C:\Windows\system32\Eocaln32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Ebamhi32.exe
        
        C:\Windows\system32\Ebamhi32.exe
        37⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Emgafa32.exe
        
        C:\Windows\system32\Emgafa32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Eoenbmkm.exe
        
        C:\Windows\system32\Eoenbmkm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Ebdjnijq.exe
        
        C:\Windows\system32\Ebdjnijq.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Einbkb32.exe
        
        C:\Windows\system32\Einbkb32.exe
        41⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Eklogn32.exe
        
        C:\Windows\system32\Eklogn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Efacdg32.exe
        
        C:\Windows\system32\Efacdg32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Eknkmn32.exe
        
        C:\Windows\system32\Eknkmn32.exe
        44⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Enmgiinb.exe
        
        C:\Windows\system32\Enmgiinb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Eiblfbmh.exe
        
        C:\Windows\system32\Eiblfbmh.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Ekahbnll.exe
        
        C:\Windows\system32\Ekahbnll.exe
        47⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Fbkpog32.exe
        
        C:\Windows\system32\Fbkpog32.exe
        48⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Ffflofla.exe
        
        C:\Windows\system32\Ffflofla.exe
        49⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Flcegmji.exe
        
        C:\Windows\system32\Flcegmji.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Fnaadiim.exe
        
        C:\Windows\system32\Fnaadiim.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Figeaa32.exe
        
        C:\Windows\system32\Figeaa32.exe
        52⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Fleamm32.exe
        
        C:\Windows\system32\Fleamm32.exe
        53⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Fenffbog.exe
        
        C:\Windows\system32\Fenffbog.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Fpcjckom.exe
        
        C:\Windows\system32\Fpcjckom.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Fbbfofnq.exe
        
        C:\Windows\system32\Fbbfofnq.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\Filolqem.exe
        
        C:\Windows\system32\Filolqem.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Fnhgdgce.exe
        
        C:\Windows\system32\Fnhgdgce.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Feboaa32.exe
        
        C:\Windows\system32\Feboaa32.exe
        59⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Glmgnlbo.exe
        
        C:\Windows\system32\Glmgnlbo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Gfblkdbd.exe
        
        C:\Windows\system32\Gfblkdbd.exe
        61⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Giqhgp32.exe
        
        C:\Windows\system32\Giqhgp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Gnmqpg32.exe
        
        C:\Windows\system32\Gnmqpg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Gegilagl.exe
        
        C:\Windows\system32\Gegilagl.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Glaaik32.exe
        
        C:\Windows\system32\Glaaik32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Gbkieeef.exe
        
        C:\Windows\system32\Gbkieeef.exe
        66⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Geiebqdj.exe
        
        C:\Windows\system32\Geiebqdj.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Gmqmcn32.exe
        
        C:\Windows\system32\Gmqmcn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Gpojoi32.exe
        
        C:\Windows\system32\Gpojoi32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Gbnfke32.exe
        
        C:\Windows\system32\Gbnfke32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Gelbgp32.exe
        
        C:\Windows\system32\Gelbgp32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Gmcjhn32.exe
        
        C:\Windows\system32\Gmcjhn32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Gpafdi32.exe
        
        C:\Windows\system32\Gpafdi32.exe
        73⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Gbpbqd32.exe
        
        C:\Windows\system32\Gbpbqd32.exe
        74⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Genomp32.exe
        
        C:\Windows\system32\Genomp32.exe
        75⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Hmegnmaf.exe
        
        C:\Windows\system32\Hmegnmaf.exe
        76⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Hlhgjj32.exe
        
        C:\Windows\system32\Hlhgjj32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Hofcfe32.exe
        
        C:\Windows\system32\Hofcfe32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Hbbofdpn.exe
        
        C:\Windows\system32\Hbbofdpn.exe
        79⤵
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Heqlbpoa.exe
        
        C:\Windows\system32\Heqlbpoa.exe
        80⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Hmhccmod.exe
        
        C:\Windows\system32\Hmhccmod.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Hlkdoj32.exe
        
        C:\Windows\system32\Hlkdoj32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Hbdlldmk.exe
        
        C:\Windows\system32\Hbdlldmk.exe
        83⤵
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Hechhomo.exe
        
        C:\Windows\system32\Hechhomo.exe
        84⤵
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Hiodhn32.exe
        
        C:\Windows\system32\Hiodhn32.exe
        85⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Hlmqdi32.exe
        
        C:\Windows\system32\Hlmqdi32.exe
        86⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Hokmaecp.exe
        
        C:\Windows\system32\Hokmaecp.exe
        87⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Heeeno32.exe
        
        C:\Windows\system32\Heeeno32.exe
        88⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Hmlmol32.exe
        
        C:\Windows\system32\Hmlmol32.exe
        89⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Hbiegc32.exe
        
        C:\Windows\system32\Hbiegc32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Hegaco32.exe
        
        C:\Windows\system32\Hegaco32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Hmojdl32.exe
        
        C:\Windows\system32\Hmojdl32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Hpmfpg32.exe
        
        C:\Windows\system32\Hpmfpg32.exe
        93⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Hblblcgc.exe
        
        C:\Windows\system32\Hblblcgc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Hejninfg.exe
        
        C:\Windows\system32\Hejninfg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Imafjlgi.exe
        
        C:\Windows\system32\Imafjlgi.exe
        96⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ippbfgfm.exe
        
        C:\Windows\system32\Ippbfgfm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ielknndd.exe
        
        C:\Windows\system32\Ielknndd.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Imccokef.exe
        
        C:\Windows\system32\Imccokef.exe
        99⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ipbokgdj.exe
        
        C:\Windows\system32\Ipbokgdj.exe
        100⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Ibplgb32.exe
        
        C:\Windows\system32\Ibplgb32.exe
        101⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Ieohdn32.exe
        
        C:\Windows\system32\Ieohdn32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Ilipqhjo.exe
        
        C:\Windows\system32\Ilipqhjo.exe
        103⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Ioglmcib.exe
        
        C:\Windows\system32\Ioglmcib.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Iimqjlih.exe
        
        C:\Windows\system32\Iimqjlih.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Ilkmfghl.exe
        
        C:\Windows\system32\Ilkmfghl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Ioiibcgp.exe
        
        C:\Windows\system32\Ioiibcgp.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Igqacp32.exe
        
        C:\Windows\system32\Igqacp32.exe
        108⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Iiomol32.exe
        
        C:\Windows\system32\Iiomol32.exe
        109⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Ilmilg32.exe
        
        C:\Windows\system32\Ilmilg32.exe
        110⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Iolfhb32.exe
        
        C:\Windows\system32\Iolfhb32.exe
        111⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Igcnip32.exe
        
        C:\Windows\system32\Igcnip32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Jiajek32.exe
        
        C:\Windows\system32\Jiajek32.exe
        113⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Jlpfag32.exe
        
        C:\Windows\system32\Jlpfag32.exe
        114⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Jonbmb32.exe
        
        C:\Windows\system32\Jonbmb32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Jgejnp32.exe
        
        C:\Windows\system32\Jgejnp32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Jicgjkbp.exe
        
        C:\Windows\system32\Jicgjkbp.exe
        117⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Jlbcgfad.exe
        
        C:\Windows\system32\Jlbcgfad.exe
        118⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Jopocbag.exe
        
        C:\Windows\system32\Jopocbag.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Jejgpl32.exe
        
        C:\Windows\system32\Jejgpl32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Joblhaoe.exe
        
        C:\Windows\system32\Joblhaoe.exe
        121⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Jndlfigd.exe
        
        C:\Windows\system32\Jndlfigd.exe
        122⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Jglqoo32.exe
        
        C:\Windows\system32\Jglqoo32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Jliige32.exe
        
        C:\Windows\system32\Jliige32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Klkfmeji.exe
        
        C:\Windows\system32\Klkfmeji.exe
        125⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kgajjnio.exe
        
        C:\Windows\system32\Kgajjnio.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Klnbbegf.exe
        
        C:\Windows\system32\Klnbbegf.exe
        127⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Knmolh32.exe
        
        C:\Windows\system32\Knmolh32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Kgecem32.exe
        
        C:\Windows\system32\Kgecem32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Klblnd32.exe
        
        C:\Windows\system32\Klblnd32.exe
        130⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kjflgh32.exe
        
        C:\Windows\system32\Kjflgh32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Klehcd32.exe
        
        C:\Windows\system32\Klehcd32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Kcoapn32.exe
        
        C:\Windows\system32\Kcoapn32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Ljiilhph.exe
        
        C:\Windows\system32\Ljiilhph.exe
        134⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Lcanen32.exe
        
        C:\Windows\system32\Lcanen32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Lfpjai32.exe
        
        C:\Windows\system32\Lfpjai32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Lqenob32.exe
        
        C:\Windows\system32\Lqenob32.exe
        137⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lccjkmef.exe
        
        C:\Windows\system32\Lccjkmef.exe
        138⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ljmbgg32.exe
        
        C:\Windows\system32\Ljmbgg32.exe
        139⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Lqgkdacp.exe
        
        C:\Windows\system32\Lqgkdacp.exe
        140⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Lgacal32.exe
        
        C:\Windows\system32\Lgacal32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Lnkknfbi.exe
        
        C:\Windows\system32\Lnkknfbi.exe
        142⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Lchcfmqq.exe
        
        C:\Windows\system32\Lchcfmqq.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Lnnhce32.exe
        
        C:\Windows\system32\Lnnhce32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Loodknfe.exe
        
        C:\Windows\system32\Loodknfe.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Mjdihffk.exe
        
        C:\Windows\system32\Mjdihffk.exe
        146⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Mfkimg32.exe
        
        C:\Windows\system32\Mfkimg32.exe
        147⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Mmeaja32.exe
        
        C:\Windows\system32\Mmeaja32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6464
        
        C:\Windows\SysWOW64\Mgkfgj32.exe
        
        C:\Windows\system32\Mgkfgj32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Mjibcf32.exe
        
        C:\Windows\system32\Mjibcf32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6552
        
        C:\Windows\SysWOW64\Mqcjppib.exe
        
        C:\Windows\system32\Mqcjppib.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\Mgmbmj32.exe
        
        C:\Windows\system32\Mgmbmj32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        C:\Windows\SysWOW64\Mohgalnj.exe
        
        C:\Windows\system32\Mohgalnj.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6688
        
        C:\Windows\SysWOW64\Mcdcak32.exe
        
        C:\Windows\system32\Mcdcak32.exe
        154⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Mmlhkqmd.exe
        
        C:\Windows\system32\Mmlhkqmd.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Ngalhimj.exe
        
        C:\Windows\system32\Ngalhimj.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6828
        
        C:\Windows\SysWOW64\Nqjpqocj.exe
        
        C:\Windows\system32\Nqjpqocj.exe
        157⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Njbeid32.exe
        
        C:\Windows\system32\Njbeid32.exe
        158⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Nmaafp32.exe
        
        C:\Windows\system32\Nmaafp32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Nckibjqk.exe
        
        C:\Windows\system32\Nckibjqk.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Nmcnkp32.exe
        
        C:\Windows\system32\Nmcnkp32.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Ncmfhj32.exe
        
        C:\Windows\system32\Ncmfhj32.exe
        162⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Nnbjeb32.exe
        
        C:\Windows\system32\Nnbjeb32.exe
        163⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Nfnoje32.exe
        
        C:\Windows\system32\Nfnoje32.exe
        164⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ojlhpc32.exe
        
        C:\Windows\system32\Ojlhpc32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Oafplmim.exe
        
        C:\Windows\system32\Oafplmim.exe
        166⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Onjpfahf.exe
        
        C:\Windows\system32\Onjpfahf.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Opkmnj32.exe
        
        C:\Windows\system32\Opkmnj32.exe
        168⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ogbeogog.exe
        
        C:\Windows\system32\Ogbeogog.exe
        169⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Ojqakbnk.exe
        
        C:\Windows\system32\Ojqakbnk.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ojcnqblh.exe
        
        C:\Windows\system32\Ojcnqblh.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ohgnjf32.exe
        
        C:\Windows\system32\Ohgnjf32.exe
        172⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Onqffqbo.exe
        
        C:\Windows\system32\Onqffqbo.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6680
        
        C:\Windows\SysWOW64\Pcnoogpf.exe
        
        C:\Windows\system32\Pcnoogpf.exe
        174⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Pdpldgnc.exe
        
        C:\Windows\system32\Pdpldgnc.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Phkhef32.exe
        
        C:\Windows\system32\Phkhef32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Pmhpmmed.exe
        
        C:\Windows\system32\Pmhpmmed.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:7016
        
        C:\Windows\SysWOW64\Pnhmgp32.exe
        
        C:\Windows\system32\Pnhmgp32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Pjomlq32.exe
        
        C:\Windows\system32\Pjomlq32.exe
        179⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Paheikig.exe
        
        C:\Windows\system32\Paheikig.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6208
        
        C:\Windows\SysWOW64\Ppkfdg32.exe
        
        C:\Windows\system32\Ppkfdg32.exe
        181⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Pfenaago.exe
        
        C:\Windows\system32\Pfenaago.exe
        182⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Qmofnl32.exe
        
        C:\Windows\system32\Qmofnl32.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Qdiokffi.exe
        
        C:\Windows\system32\Qdiokffi.exe
        184⤵
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Qjcggp32.exe
        
        C:\Windows\system32\Qjcggp32.exe
        185⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Qmacckmi.exe
        
        C:\Windows\system32\Qmacckmi.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Qdlkpe32.exe
        
        C:\Windows\system32\Qdlkpe32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Qjecmpkc.exe
        
        C:\Windows\system32\Qjecmpkc.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Aaplij32.exe
        
        C:\Windows\system32\Aaplij32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Ahidfdjl.exe
        
        C:\Windows\system32\Ahidfdjl.exe
        190⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Akhpboip.exe
        
        C:\Windows\system32\Akhpboip.exe
        191⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Aabhoiam.exe
        
        C:\Windows\system32\Aabhoiam.exe
        192⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Afoagpod.exe
        
        C:\Windows\system32\Afoagpod.exe
        193⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Aofihnpf.exe
        
        C:\Windows\system32\Aofihnpf.exe
        194⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Aadedioj.exe
        
        C:\Windows\system32\Aadedioj.exe
        195⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Aganmpma.exe
        
        C:\Windows\system32\Aganmpma.exe
        196⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Aohenmnd.exe
        
        C:\Windows\system32\Aohenmnd.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Apibfecb.exe
        
        C:\Windows\system32\Apibfecb.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:7076
        
        C:\Windows\SysWOW64\Ahqjgbdd.exe
        
        C:\Windows\system32\Ahqjgbdd.exe
        199⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Aojbcm32.exe
        
        C:\Windows\system32\Aojbcm32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Windows\SysWOW64\Aplokeap.exe
        
        C:\Windows\system32\Aplokeap.exe
        201⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Agfgho32.exe
        
        C:\Windows\system32\Agfgho32.exe
        202⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Bomoim32.exe
        
        C:\Windows\system32\Bomoim32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Bpnkaepm.exe
        
        C:\Windows\system32\Bpnkaepm.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Bhecbb32.exe
        
        C:\Windows\system32\Bhecbb32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Bkcpnn32.exe
        
        C:\Windows\system32\Bkcpnn32.exe
        206⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Banhkhgp.exe
        
        C:\Windows\system32\Banhkhgp.exe
        207⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Bdldgcfc.exe
        
        C:\Windows\system32\Bdldgcfc.exe
        208⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Bmdipi32.exe
        
        C:\Windows\system32\Bmdipi32.exe
        209⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Bdnambdq.exe
        
        C:\Windows\system32\Bdnambdq.exe
        210⤵
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Bgmmin32.exe
        
        C:\Windows\system32\Bgmmin32.exe
        211⤵
        
        PID:524
        
        C:\Windows\SysWOW64\Bodejk32.exe
        
        C:\Windows\system32\Bodejk32.exe
        212⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Babafg32.exe
        
        C:\Windows\system32\Babafg32.exe
        213⤵
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Bhljbajg.exe
        
        C:\Windows\system32\Bhljbajg.exe
        214⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Bkkfomik.exe
        
        C:\Windows\system32\Bkkfomik.exe
        215⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Bnibkhho.exe
        
        C:\Windows\system32\Bnibkhho.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7276
        
        C:\Windows\SysWOW64\Badnkf32.exe
        
        C:\Windows\system32\Badnkf32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7352
        
        C:\Windows\SysWOW64\Bdcjhb32.exe
        
        C:\Windows\system32\Bdcjhb32.exe
        218⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7416
        
        C:\Windows\SysWOW64\Bhofhqhd.exe
        
        C:\Windows\system32\Bhofhqhd.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7476
        
        C:\Windows\SysWOW64\Cohoekpa.exe
        
        C:\Windows\system32\Cohoekpa.exe
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:7544
        
        C:\Windows\SysWOW64\Cagkafoe.exe
        
        C:\Windows\system32\Cagkafoe.exe
        221⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Cdegmani.exe
        
        C:\Windows\system32\Cdegmani.exe
        222⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Chacnq32.exe
        
        C:\Windows\system32\Chacnq32.exe
        223⤵
        Drops file in System32 directory
        
        PID:7684
        
        C:\Windows\SysWOW64\Ckoojl32.exe
        
        C:\Windows\system32\Ckoojl32.exe
        224⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Cnnkfg32.exe
        
        C:\Windows\system32\Cnnkfg32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7784
        
        C:\Windows\SysWOW64\Cdhdbalf.exe
        
        C:\Windows\system32\Cdhdbalf.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7832
        
        C:\Windows\SysWOW64\Caldle32.exe
        
        C:\Windows\system32\Caldle32.exe
        227⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Chelipbl.exe
        
        C:\Windows\system32\Chelipbl.exe
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:7916
        
        C:\Windows\SysWOW64\Canaae32.exe
        
        C:\Windows\system32\Canaae32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7956
        
        C:\Windows\SysWOW64\Ckfejkom.exe
        
        C:\Windows\system32\Ckfejkom.exe
        230⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Cneagf32.exe
        
        C:\Windows\system32\Cneagf32.exe
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:8048
        
        C:\Windows\SysWOW64\Cdojcpen.exe
        
        C:\Windows\system32\Cdojcpen.exe
        232⤵
        Drops file in System32 directory
        
        PID:8092
        
        C:\Windows\SysWOW64\Dodnqied.exe
        
        C:\Windows\system32\Dodnqied.exe
        233⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Dabjmddg.exe
        
        C:\Windows\system32\Dabjmddg.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8172
        
        C:\Windows\SysWOW64\Ddafipck.exe
        
        C:\Windows\system32\Ddafipck.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7184
        
        C:\Windows\SysWOW64\Dgpcekbo.exe
        
        C:\Windows\system32\Dgpcekbo.exe
        236⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Dofkfica.exe
        
        C:\Windows\system32\Dofkfica.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7396
        
        C:\Windows\SysWOW64\Daegbd32.exe
        
        C:\Windows\system32\Daegbd32.exe
        238⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Ddccop32.exe
        
        C:\Windows\system32\Ddccop32.exe
        239⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Dgbpkk32.exe
        
        C:\Windows\system32\Dgbpkk32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7632
        
        C:\Windows\SysWOW64\Dagdhd32.exe
        
        C:\Windows\system32\Dagdhd32.exe
        241⤵
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Dokdah32.exe
        
        C:\Windows\system32\Dokdah32.exe
        242⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Dqmqip32.exe
        
        C:\Windows\system32\Dqmqip32.exe
        243⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\Dgfifjmg.exe
        
        C:\Windows\system32\Dgfifjmg.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7840
        
        C:\Windows\SysWOW64\Donaghmi.exe
        
        C:\Windows\system32\Donaghmi.exe
        245⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Dqomop32.exe
        
        C:\Windows\system32\Dqomop32.exe
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:7988
        
        C:\Windows\SysWOW64\Ehfepm32.exe
        
        C:\Windows\system32\Ehfepm32.exe
        247⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Eopnlgkf.exe
        
        C:\Windows\system32\Eopnlgkf.exe
        248⤵
        Modifies registry class
        
        PID:8120
        
        C:\Windows\SysWOW64\Ebnjhcjj.exe
        
        C:\Windows\system32\Ebnjhcjj.exe
        249⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Ehhbemag.exe
        
        C:\Windows\system32\Ehhbemag.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7268
        
        C:\Windows\SysWOW64\Ekgnahak.exe
        
        C:\Windows\system32\Ekgnahak.exe
        251⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Ebqfnb32.exe
        
        C:\Windows\system32\Ebqfnb32.exe
        252⤵
        Modifies registry class
        
        PID:7584
        
        C:\Windows\SysWOW64\Edocjn32.exe
        
        C:\Windows\system32\Edocjn32.exe
        253⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Egnofi32.exe
        
        C:\Windows\system32\Egnofi32.exe
        254⤵
        Drops file in System32 directory
        
        PID:7740
        
        C:\Windows\SysWOW64\Enggccnl.exe
        
        C:\Windows\system32\Enggccnl.exe
        255⤵
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Edappn32.exe
        
        C:\Windows\system32\Edappn32.exe
        256⤵
        Drops file in System32 directory
        
        PID:7944
        
        C:\Windows\SysWOW64\Egpllidl.exe
        
        C:\Windows\system32\Egpllidl.exe
        257⤵
        Drops file in System32 directory
        
        PID:8064
        
        C:\Windows\SysWOW64\Ebepibdb.exe
        
        C:\Windows\system32\Ebepibdb.exe
        258⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8180 -s 232
        259⤵
        Program crash
        
        PID:7552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8180 -ip 8180
1⤵
PID:7428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaplij32.exe

Filesize
96KB

MD5
021b7335ec3bb0b64cf63483045b64e3

SHA1
ae8be8cfb0c3fbd80411fc2f5c0759ab415c4dd1

SHA256
bdaf82278b90809acba03e9939b49ca55826a33f16883ef9c96352c4c35a45b4

SHA512
3ee666ae3d530b90f6220230b8579f1dffd997c38828870df597d9692bfea144c87f8905a624c6b84fd645738b08d733510ded20e16a7c4e53ac610a92c535a8

Download Submit
C:\Windows\SysWOW64\Aplokeap.exe

Filesize
96KB

MD5
0897cae0dab14befd218f889763ed53f

SHA1
5cc7d623a2b5ee5ea44a8b25de321cfd60fb7f6d

SHA256
7d6271b03429f435e2ea1d9329391515b2bb029959c2fa86513b3a1c3171e65a

SHA512
40328d4edb81cdc6ccd7f5dbe11be5cbfc0d220e848f1071c1f6181a2b4debee750ab75bb38ec58966b6612f0aaf70a96e23d3f19d96bd872f12b787539eb1ee

Download Submit
C:\Windows\SysWOW64\Babafg32.exe

Filesize
96KB

MD5
adbe1360dce8c7a30c19363de68b5621

SHA1
9a751f1e87eccfae68871d2414f88ce58f286c86

SHA256
d098ee9a6824e95d9e7d5f12e154ee538e73c435762bf1534e14d7884fbbd1d7

SHA512
bcaa4c0317390a81d969cbfe96e3a6e725ac542a7afc1384d490d313a2feb7fa7b7689e2766b0ccb8d7e3432f87a4e9d531c63d91cd8fb5bc7baeb51e603edad

Download Submit
C:\Windows\SysWOW64\Baeefmdc.exe

Filesize
96KB

MD5
6d70b3cf632b5226391ca481367ab78d

SHA1
83058d4001d5739eb40af88a955e47c32c06ad3d

SHA256
017195d81a383318996ae48242441f349454d8f9fb20e31c78fec615ce074695

SHA512
6cf508123b01b0c1e624ea38c0f4a01faaba0fd3b8702817f3e59b60e6fa0c716333280d4b250211e1b9eb1ef6dc09e59028d090960d98ed1f38221c8d98e603

Download Submit
C:\Windows\SysWOW64\Bdadmi32.exe

Filesize
96KB

MD5
8f0654e6f8f194c38ae4e972e40d3832

SHA1
433bf970a34b41cccc487bc217d14c8dc39746da

SHA256
97b64100ab00ec9fdabad09520e2f493c84b5ac87d95d686f8bf7352de24f258

SHA512
4e575c899b48b21940f29283e263f635216d4650f05e40a0fdf3d040d0d460c432025382d56daf2f5141b7728274390cf78ccc3813a1d9e829a3eab51f053931

Download Submit
C:\Windows\SysWOW64\Bdnambdq.exe

Filesize
96KB

MD5
803a53e1987aaa3eb8d40b4a1b6bdbda

SHA1
7538ba6c5940f0135e23a9c00b2bc7a76d4a6e90

SHA256
7ed3c9d5d5d21583b7edae24eeb9d4d1ea6b25630153cf2d4e726ae202c55e43

SHA512
5109b84d5ae4f5eb78bc2e8662fefcafbe4b6c32f57bd53ccf3fd467d58009c38d78c028ba10eaeb3a2307b2b8f06d458aabfdb566aaf20a102d07e74f1f4be2

Download Submit
C:\Windows\SysWOW64\Bhombg32.exe

Filesize
96KB

MD5
8a00c49c1a2e49c4b52dc40ccbe29ab5

SHA1
c946172565ad00f9070557c965622fcdf624d2fa

SHA256
826fad2afb2cb84ade3713df2aef7ce77678dfc5dcab8bc4addef17f8ce48bff

SHA512
896aac7808aa4c57f4d2e490883fffe21604288dd6355b5196f0168942a56350d7c129d39e90a59631b60db36bb4c5c690912ad72a77100310daa8e4c0adba3d

Download Submit
C:\Windows\SysWOW64\Bkkfomik.exe

Filesize
96KB

MD5
74da3cb4cef4839e25e243c6d50d23bd

SHA1
42323d38b6e64d8854e27077d45a2ec53eeea9a1

SHA256
f3c17cb3094460a5954f4cbd34a366df6f9e5a2180f254febe5649a29b471040

SHA512
5f5850728a103efadb166079ee3954131679f5005a9c46db4863e3142c7bc4719c07b104ccbe59117df62105abb3d8b09176b7c0d9d607cbfa284a747e6839f4

Download Submit
C:\Windows\SysWOW64\Bogija32.exe

Filesize
96KB

MD5
71e63db9e71df2513e355fecf5db9950

SHA1
1552cd56cc8893a6d99c96d398513871944aabd7

SHA256
6adc3c8ad3cc432c07722c47620a630d91b6fe6c1ad49f61624f270b98bd6a9c

SHA512
1d7eaf4563bdcf5c6b571dc1d49ed1a394a7c2a017b7d2984d0c74b0ff5183f81a7120a850bbad842d12c1eb1dd57eb627fd8b961fab0ca22f315df8c3a14e8c

Download Submit
C:\Windows\SysWOW64\Boieoacm.exe

Filesize
96KB

MD5
bd0492cf6665590ca8edfa18de7129f9

SHA1
37a1d5caa61cbbd8f32e74eacbf427a99fdffa90

SHA256
3afa6dc38a30d1e34777031b20092ef8b0768d4a683ae913b944096a2ce53bc7

SHA512
4c174a3b85d739826b961874d4536dfc3663b19b817c564baee8eca429350667d8fed91ebb5bc4c5b1ec46f9ea37c9bcafc4a76d289e1a3963e433e08dbed28b

Download Submit
C:\Windows\SysWOW64\Cbadakjf.exe

Filesize
96KB

MD5
900ae6843494482ceb7ff28aba1b69a8

SHA1
9efbf85e9db41c674a5f63a12d7baf1abb14eae7

SHA256
665fd087b2d17535f26c41b7083741fdf52da967dc0257d14495e4bd830a5884

SHA512
d9f1757d2f83ef892e25f99faaa7fabe4728b3343fc9bef31693f8179e9561740771313bbe8eee6750e29f890178c1c49f6340c741ffd13e7ce8468570d2c830

Download Submit
C:\Windows\SysWOW64\Cblkfl32.exe

Filesize
96KB

MD5
be4250b96c8a4f27f23e357ee618ffc6

SHA1
644487ca2468fcce61e2032edaf2bc6eee45662a

SHA256
9df4e3e6a2db50d1784472dbf6e488e982812dd848d261f85eb1b28b9dc5df1d

SHA512
cfd7c0eecc750b753c7f5fa3c1e8851461b3f8a006fc087279017b6525c392a81eef1cd33d9e507524f6bd1e3205a64af14ef14d373ec1a28fae88a06de2304a

Download Submit
C:\Windows\SysWOW64\Cfcnlk32.exe

Filesize
96KB

MD5
274a55dec842ac4a8133dbdefefdff4d

SHA1
6d838dc09a4a99ecf220c1fd3fe5b099cd74fadf

SHA256
3bfba2b599fd52a754f7f4e32a735f43530418250349e732b5640801bbe84d74

SHA512
46230f5f3232d0eb43bb884f2a4dd6c4fb3aad263d2fc26bb90c8690377bb54387f2b6ed021eab6429b454a42db8974a21ebc0e7ad3c26388bbc34610415d706

Download Submit
C:\Windows\SysWOW64\Cfejakhg.exe

Filesize
96KB

MD5
a9145d1e5a108d14c5d59e76996f0b6a

SHA1
0a79b4dae6bf55b94dfe3f5ab74be5f38dcb608b

SHA256
7404f2539f810840196ba963c407f75805f52b8a2b76d3053049febbde608061

SHA512
79357e69499a7edf27a89ba6ed907743f7c75709e15bda5637b7ed1a015652ff56c212ba101435c9e7d2db3ab2bd4d9a1fa365dcbc162b4069e8eee582e2702a

Download Submit
C:\Windows\SysWOW64\Cfjdmj32.exe

Filesize
96KB

MD5
96aaa420a94d720f71227ad8b88fd567

SHA1
239b90982e16f59cde39bc887be2865f7e41dd45

SHA256
ae62b1ac3ebb541019ecd1b0c6021b713f62bb866143a3fd7fae58e99789dd0e

SHA512
429e00896c17ec468c94870d660ca32d306afd473a077272ac7bff0991227e6bd095a70ee8be88946a2521261ea0a18b7ad306b655cbdad28695a03773954823

Download Submit
C:\Windows\SysWOW64\Chfccfeh.exe

Filesize
96KB

MD5
dd2e444356f72cce67aa15906bb7b587

SHA1
009fb3b952ab8b6d842b11427f1bbccda81274c9

SHA256
f496fbab1d0f46ba2eabc7956b53e657f4525aadcdb18890568d4267ee7839c7

SHA512
57613903918ebf4539aef242c2761e76d4ebb4403d1fd2c9576dd747267e15d43b140795965ceb07153e179299dafa52e1dfd1150cae1ae94f67bda3582fce5a

Download Submit
C:\Windows\SysWOW64\Ckbcjbgo.exe

Filesize
96KB

MD5
3c74f31296c2fe525815f7540cddd746

SHA1
faecde3a8e2ebd0385be0bda07354a18df9255d7

SHA256
fb804b44e798d526ace20907283ee88fc1d0481ff23e1a133cfa4c858e4cf5fc

SHA512
1dad83196b396dbecd9f24def3bd17d614b97f83b178c3123cde037b7d0a462c0c80465c6dda88fbc8e3d9a3f0fdd2d7a4997e625847c04fb03ff35650667929

Download Submit
C:\Windows\SysWOW64\Cldlidlo.exe

Filesize
96KB

MD5
e68615c2d9ff4abe9e631f549ca15b49

SHA1
bd0919a604e8688e0b1d5a2152b04feb91a035e4

SHA256
31a9e238ebbbfd6545aa2478b196aadeaff97d81be5b726d741f753f2ea2c9dc

SHA512
25d062be324636e83761f34c38ce597dd61cb5b65ec2eafbc9c394ffac4cf849c5b9fb04648af41fccdea9ffa8bd465eeb7cf3df59f6943e1500b9208c8b7a1c

Download Submit
C:\Windows\SysWOW64\Cldlidlo.exe

Filesize
96KB

MD5
0a9cfdbf344740771a71a413a6be16b8

SHA1
0b57268b4c7247cad7e24814798947bed80fc2ff

SHA256
602d1e28d369e5e11d77fb563972b1b2670c8ad389aab8333220aece75443079

SHA512
01e48ef1b7ab5661a82cc70e2d256e25d4fcde62f84e9ae54a2d6416af543d6671a8b98ebac0bdea03d382a0f46df541a6cbd02bc3eabb2221b295cf189e523e

Download Submit
C:\Windows\SysWOW64\Clfiodjl.exe

Filesize
96KB

MD5
ba0e8a513a844dbabd9b8dca80fbf781

SHA1
f3ce96cc7139bfa8544898451967d612af3ec9ec

SHA256
876942a61b0da5f047ccd87be7ff42ec9a661ec18933ad226e3abc71bd356927

SHA512
e131a9c08e33a39fbeef06df96311cca2a7f85f3df7c6b5a7f2255952b95998fb87245430193038e4298f69b5b805efb1ecd8bd559bd4f4c9ba688c8b41a12b4

Download Submit
C:\Windows\SysWOW64\Clmfiebf.exe

Filesize
96KB

MD5
28a63d96a4080b6eb0dd408722b9b491

SHA1
238d614a9f2f98f8c359bf903161a320b6bd97a3

SHA256
290dfd8d2bade6c43ce9aa9463c3887ea939c01a7f304b1fcd4701cc392661ae

SHA512
9e5074a385a35307b461b13940e1bbdf34a8c435dccfef7a46d1113dfe68fea38996cc9fca0c7631086fb5e6433ea3f6b6d5f353d7be7e90da259d434732136c

Download Submit
C:\Windows\SysWOW64\Cncllmdp.exe

Filesize
96KB

MD5
700d6a62033ab839baa20468e6feb360

SHA1
e1e8bc702e7c7954dad58d62047a915b11f67640

SHA256
d3688c3a0b753177a7661615d7872f31a069e86fb802dc3ce7207e7991c4b3fe

SHA512
1bfcdc808b6f7d1ffcf6d257d576edf44baa482d39cfce25bd28c314c2d23a4b07d9726d432b0007d830f392adb98c3ad9a84b1ec4dd6532c0965026216de5cf

Download Submit
C:\Windows\SysWOW64\Cneagf32.exe

Filesize
96KB

MD5
c08f5f0d2e6d999795cfb9f0d36de60c

SHA1
5bafff8a828c21ee6cfeff37efd1bb8405547973

SHA256
4aa625a96206fa761b65b98c52204bfac3c03ed53246ddcca3e6e51665401b57

SHA512
dd4d08c0e7afbd6d2016382c5472f91142994e6714cc70ae664377cb7cb27bb9c981ba0792204e584a8502a22358212adc139721a4e0d76605f9209fef914acc

Download Submit
C:\Windows\SysWOW64\Cnnbqn32.exe

Filesize
96KB

MD5
7bf01d49d2b6ebb1c16c3c9f57db0c55

SHA1
581bd68094e9aecff4170d8c1c3edc8f79e5b46a

SHA256
537a8838adf3a00d538ed405d959a71202667771f4bc7799d5a190ff7e81d86c

SHA512
002b1ea58c89d3089040879539d48a933ceab36337202e77536d85a9c0e13b8e1f4d0f918fd6d2953fa8461eb92bb5378b38221c153383952b7493f27ee4f098

Download Submit
C:\Windows\SysWOW64\Coeekpip.exe

Filesize
96KB

MD5
863bcf1395ccc5d8866ac4c9b012d695

SHA1
670abd1ced04d3a41559183f75857e5613ce3058

SHA256
b4580722b1a1d5bbbeedced83e7b8852b6fe1359ae0820846264e702e941aece

SHA512
5e7776531f183328836c7931d3ec7002f937d46e51a8b897f2d1efb4f08230c88626da5b1cc3652a54bb4915e027b97b40534c7ef5fbf730786df3f482008bf3

Download Submit
C:\Windows\SysWOW64\Ddamcfgg.exe

Filesize
96KB

MD5
3c66bb9da72edee829edac6be715d303

SHA1
d5d8131f93721f3fa0b2276f6abf5198f327ca95

SHA256
2cb479ea558d001ecb451a0fe7a466ce39bb493469fb08e8a9fb5e6edfcad8bd

SHA512
ccc34fecbbfcf523fbac6a2d08c0bb0d94c1b1fe3aa904d9f2c793586da13a631089a016e4d3cc931636cff415ff0034430018e8acc3c2795e0bff361b641864

Download Submit
C:\Windows\SysWOW64\Ddfgof32.exe

Filesize
96KB

MD5
827757e18fb0ed646145ccbca3f7edd6

SHA1
9bf740e06b63bbd4a8237b8afc01a468c515f5a6

SHA256
a4d153e0221fd30d5954d2d5f45601d83b6df7081cf69c4c42dc56ad2e644c9d

SHA512
9022b046598b4176f8a539671bf710a6a0212cd54088d9cbbb2f60f7c1c45627e2ea3c1dfcbc62a925121ec0dc92a01a35e82649c9e8b4939aeef99c098dbd67

Download Submit
C:\Windows\SysWOW64\Ddicdeao.exe

Filesize
96KB

MD5
7e2cb01242bf02f2f79e333aa87d4065

SHA1
387af82586ae1aae1faf7ba17c23d1ef1751a3b7

SHA256
83e2c3dacb609415164dce2efdf0af24c133be30efbcc51b226d58859d24cd71

SHA512
d30a2b50ce927697a3f584461a5dd215991653ea70ded34bbb176106d70a39548e8b1f699f70698e6d755ab4000af81b09e0b0a1e958191c0170ef6f177d06e1

Download Submit
C:\Windows\SysWOW64\Dfajminj.exe

Filesize
96KB

MD5
af0ada6dad9f0f7c19eeb0e89d73c28f

SHA1
9821235ce8c318c3fc9a04b13210b8eb1e92f44b

SHA256
47851ae7f3fcdf450ba117a8554b87b7d7d4192a77f6d9736574eed5a2d97387

SHA512
ff9cc23dbe847003dfc78cf105051df38c682466a9fdc9e55b305842f163449b2b4bfba683883d39622d351ce332745a6dcfa5c93d80370990a4b5d71fed531b

Download Submit
C:\Windows\SysWOW64\Dffchi32.exe

Filesize
96KB

MD5
8f092a6fa751d104612b0cd8e4080fe5

SHA1
8e16210156de6b59fa7dae26c387cbb8f80b2507

SHA256
1eecace144e8ef8a4838d68c24a9fff25b68490630a4d5132526d3d9f36da299

SHA512
bfbbd88219e2e9b0a07f0a69b7283b59a98b764de662063a7bbc668352124f345ae95218a6904d25c865af10ba75e8bbee44b5266ff67dc9f24fadf3fb4b548c

Download Submit
C:\Windows\SysWOW64\Dfhpnh32.exe

Filesize
96KB

MD5
d873b6fcf55492438a030d63bf1e9bb1

SHA1
b2766db320d2eaca1bbbefb5a5e3ec712d025843

SHA256
61165c733f4f68874df7f9d77d7e03b9663ccc1806764e67984f3855de65632e

SHA512
ffa8f3f6805617a06b9ff84bd8842f76df88a19f24e1b48e7e9918ff4a2160a1c81fd485e532d18c1f3e4e6eb966ea7fbcdb473994dbbd22d81f8af714b0f882

Download Submit
C:\Windows\SysWOW64\Dhmidepp.exe

Filesize
96KB

MD5
871394759002e23522c542a4003df6e7

SHA1
569c405523c24a7602e91e783dadfbaf9e66d845

SHA256
bafd0883da8ae5d5672b6f4589bcb22afc68450b553b94bef94fcac3968a3434

SHA512
9ea7f9df9de34627d38e5e0e8a8013fafd02b1040d1c5e4a55eef0ef141a9ee7edf52dbc060950a074e023d525290c875a7ed166664937607e2a3dd4a2b0e88b

Download Submit
C:\Windows\SysWOW64\Dhpfienm.exe

Filesize
96KB

MD5
80a11c813c56756237f1be66a63f5702

SHA1
9462f3ce4fedcfd2eeb644cae1cf43f8c6100a4d

SHA256
65e558f89d07b67723ae74362780d854b182ba9f26b7fad9f2f4044a9ea5d343

SHA512
0d6510ba5c427e530c7ac1b7753af08389d8722d0e1dbd60e0f40c50135d08789a5ec1c7f16852b0232b130ed2c4f2eaf918542f37e278e47de056389ae53e94

Download Submit
C:\Windows\SysWOW64\Dklfpqod.exe

Filesize
96KB

MD5
e2efe484c29e4c3ee8404949813d1f4c

SHA1
c44d018190b5bf6acf8569e163e0e500d47f12e8

SHA256
eb0ae62a2bcca2e42af1eb66576bbc1d62fbbe5e215a9e25c1330438aded7c70

SHA512
b40eaad17b4e4001dc8ba0b662b24026eda0439e44836c3f3e0376a5d7ed718b10c875fbc5db2dd482d699f89de2e66aaaa465df8b271d80b7551241c2221507

Download Submit
C:\Windows\SysWOW64\Dknbepma.exe

Filesize
96KB

MD5
5b5a5bdcefd6dfae3357105276254ec5

SHA1
376ba99031510c008d36efb846437725c12a9379

SHA256
0c1c9116cd3b88ada578d066f545409f508ea708af9647d6ef3d10dd802c4089

SHA512
f8bf37a841f9b46f4474d0e26a18890f73a211b598d5e82c7badd4ec502bd9bc87b2df9cd5b6518f564dd5c7ab3b34e4c467bec766d6d0c3e54c7f91d6d898d2

Download Submit
C:\Windows\SysWOW64\Dmnopcdd.exe

Filesize
96KB

MD5
d7b944d82276007cc0d671f0916c2798

SHA1
91373fecab422868f79a8a4fcde0c5f62283fb67

SHA256
b3854751634f753d4c4fe42cb1b9010f313299a236403266907bf4893254ebd0

SHA512
585a24e1e8925ff6042bdd451f41475e13b241e817a6c522a5d86088448fdfaf2935dfa84e670830a6987f45f042ff064cad578e6463dff7723bd75a1e2a2908

Download Submit
C:\Windows\SysWOW64\Dmplebaa.exe

Filesize
96KB

MD5
e4ef74b73d6ceec22422edffeb68a654

SHA1
67043fc73f2a89215b0e72198d1288977a5b9e14

SHA256
d70c546be6e17e9504252d5f49ceb33af06366a4cf4b87384bf2c7dc547e9f76

SHA512
e70bc108be9be5beee47353bc5c2201417b8b582334ac69c8e659fd9ec40e48067b75e5a0ef8b63d809948c6ba212188596a88b75e7be73f7c2f52ca636319e6

Download Submit
C:\Windows\SysWOW64\Dnjbllng.exe

Filesize
96KB

MD5
fbd31c593a1eb201ae59ff48584a2605

SHA1
147c1f748eca829b359cbdb8367d416938213fbc

SHA256
1a0406a6e5da8bb2763a49f7d45f94b153a990d416f1e9be056e40bbbd828cd8

SHA512
2f7595946a1c6e13de7652a613dcef0a7e3cd52c1069db051c9e9dd3493017db8b886275bf46b63f373021de4f7fbd56b7176907c3d3a616ba73bcd5fcedb227

Download Submit
C:\Windows\SysWOW64\Dogaqo32.exe

Filesize
96KB

MD5
16baca2e20686a15d0f3c4336435d034

SHA1
875265fc8479081119dc20961e3f24851ae88f71

SHA256
fd21c56b8c3ca7adfa15aa513b11ce5e0806bcc4ebf2ba75d14d08d730222ec9

SHA512
ec47a5e98286c71803fb94cc8cf83b3d1df454059c8f1f143d0658420fdf1f146f36a424dca25b73b13a8996bf463bd8931dca4eef2c6ff7a0ebe1f602f5163e

Download Submit
C:\Windows\SysWOW64\Dokdah32.exe

Filesize
96KB

MD5
334b54a1b49911b7d21a2ae1ab2b4623

SHA1
206419170ac9fda562362e40322b154521fcc73a

SHA256
11a25132d19fdd6e6fbf44143e6b7df6e8e1b46468cc0d452cb068dfd22d36c0

SHA512
8234ae44a05f16591a4c59ba16f11399b13f954974d14e16f898d58a731deec007f2c7af896cd77e7349895586096ca03f5da066a3bb15235c583ac84af73ea5

Download Submit
C:\Windows\SysWOW64\Ebepibdb.exe

Filesize
96KB

MD5
44bb1b5f9c3a0b98c2218500d1291089

SHA1
d3fe9fa2c02988a481bb2d616b8371224559ca49

SHA256
6e46f5a9e582b02625f91b8c289f79a377635de8d70b1f4cacb5c79301a080ea

SHA512
ea3b4f86106e825aad32ee942c2471b68a32bb622d71636fa0ee9af108347e0fdff6a0011057772f4e3ff9f819a8f6ec17cd339a26d48669272b09876eee93e7

Download Submit
C:\Windows\SysWOW64\Fbbfofnq.exe

Filesize
96KB

MD5
7f8cf6c8f3e03c0e005c2fdaff433b8a

SHA1
2e76c58c1e6934d3a24128b491cc1eb619a18679

SHA256
67ed9060b822087ae79e2ccb02c03d0a423ffd387d97f6d908a909211f20dd37

SHA512
345b200b08af03d17f976d49a7dd391c646af1ff1a69d7b6e80aece1bac108e0e467fc3461ca2bfced3077aa0244df2278f19fbae7a68ec2b728538e16efd5f3

Download Submit
C:\Windows\SysWOW64\Fnaadiim.exe

Filesize
96KB

MD5
c359a8846314cc8446e2d970d3354d08

SHA1
d8d5dbac01d590e75d0306831a7ac97ac9607455

SHA256
6ecca47fdeae3deb17f80102280396098acbdc917d8b67460cacd31917bd0c1a

SHA512
37f97dfc0cc49a353470d27d5449ddf177655037dde3bad920209f6a9742fa6fa34aa75d7befed638b1519da7b7f30fad98f748bd38196b5acea922b0257c53c

Download Submit
C:\Windows\SysWOW64\Genomp32.exe

Filesize
96KB

MD5
ddd9be82cd497a0c3593710cdc6312fd

SHA1
8dce1bbf29e2b4d0d6128b57938239ea1cab5adb

SHA256
2f0ce183010f83376efffaf7455452473649e6ba7127b395828e89eda9483e7d

SHA512
f144cbf988c4da8656796b2cd62916c13d924bb5f0945e88d8dcef252ef3f97cf8a0cc29ddbe4cea62b5b93919a070409845c5c47637bd4f9153c78f5300ca6f

Download Submit
C:\Windows\SysWOW64\Gpojoi32.exe

Filesize
96KB

MD5
f50cbbca67b7725307c4ae36c759f32d

SHA1
740e022d76b3ca002808750ddbe66571db27756a

SHA256
b91c71d37816bd534a6ba759c23cb8a3b5d2d079288bd196d20995faceb8dff9

SHA512
ae2d2c72174f8bbd77ab234d35ab736aefcd564bbffda70b8c7d4b55f56e9d6585f01b67b3d7c5d0c6786aa597f5870975ce9af12480bf0cdf1e77066a66a955

Download Submit
C:\Windows\SysWOW64\Hbiegc32.exe

Filesize
96KB

MD5
69a6132709b1b7171a338b5768103012

SHA1
c5b4817384641d5860546676187d0e039173c9a7

SHA256
52d2dc4783c81f1345cdce9de58b85e983f8246d5378d5bda481d8b11bff00a5

SHA512
21e9321102bbbb20af384ee79dba75429949757f1c4d54860aea1dd0a0a135538d7c42e08236838fe500828e8200172b2dc5eb51d82e57994cc9a09a6aedab48

Download Submit
C:\Windows\SysWOW64\Jejgpl32.exe

Filesize
96KB

MD5
8ff47e075a46db122c0841150f26bd4b

SHA1
e864428be49f92e8b0d4be804cd979d8db286308

SHA256
181b68c01d6d65bd8c014d4b840e38409e39528e0747bb3038e300c80d5c7564

SHA512
39659ae2fe04cc36ca3bfad4163941fb87066644cbe505eb243b8e6c62ae809258368e02a62e23067e0dd934c1a8cc22fb2452bedb69cc58109f2ce16926db95

Download Submit
C:\Windows\SysWOW64\Jlbcgfad.exe

Filesize
96KB

MD5
082e753ab6c51059e517e4b4964e9d4d

SHA1
3195b90c9114c5d1156c943dec9e54476351bbfe

SHA256
729b0c957b6633b8a1921adf0cb8f9fc52d74636470b641c4fb02b116f155951

SHA512
934ce86abfc9bcd0cecff17450f77e7d04a5a437e8a66e294e5cb691ccdfce195e2c1a65f612882732e2445fc5f2b395fd5a2a6be4dd138473b27c4bf2968298

Download Submit
C:\Windows\SysWOW64\Jndlfigd.exe

Filesize
96KB

MD5
79af9b947ffd03517105844e1ad23584

SHA1
1663313315025ecc2bee1c180b42578992e9269f

SHA256
465aa596a8030512ec14c92027f4aa6f14837d446f4ccc115a70e19bcfa3602b

SHA512
ab3f7ffeea8d565dc942f322c3cfff25050811d459e019a9de17a9c00f3a144e812fc7a0e6faec1defc4e50bdb56cfe4f8ec70f59b3533bd89f1ad2bbf8db2bc

Download Submit
C:\Windows\SysWOW64\Kinkinfg.dll

Filesize
7KB

MD5
6082f6b50aebe5c362fed6fbd9730813

SHA1
59642f5e3ca4bb9ef6566741ed3c69585e55f520

SHA256
9b72d8693ec17d73d2c42b31c591e85457afa28f7761f227338bf2418976db8f

SHA512
ded44298ae07c6a280f8b42318d52a9c0f6b1b8975ae8a0a520ccdbd42dcb77696d535fe921b501c7cb7cbcff44c403900ae3630da09c4cc13fbfa99ea9494df

Download Submit
C:\Windows\SysWOW64\Klnbbegf.exe

Filesize
96KB

MD5
116e440ac72646ee97ddb3ea8e508076

SHA1
976938faa94b6515500f1a049d1fc97dc7970b48

SHA256
3c9d4f2c4b7264a796b09c54db03e4fc4b5b6448448aaaa823ddd5abc335521a

SHA512
33625c7739b327851330a46d231cae3787db4c352f7b9877c7773d8c9dcb8a2d9d69eb4d2496d35f680ab7aa907bfd083804ed350575a72fef56ddb1ab8fce1b

Download Submit
C:\Windows\SysWOW64\Ljmbgg32.exe

Filesize
96KB

MD5
f0ec03e9829ac9b7dd2e1125b6356725

SHA1
eae369763160b781668a5246f9296efeab323ac9

SHA256
8c0aba1c86f37a73812ffc018d1b8ef0c2c7a876bd77355e68f69fd72cf7e073

SHA512
d988cf597634cdb34895be95fe3d419a25027602fb1634c7a4e558934a9e76b864609f2f7796067474844d8f70ac22d011b63b4c9d9901bdc47210044fe22a9b

Download Submit
C:\Windows\SysWOW64\Lqenob32.exe

Filesize
96KB

MD5
997c30afd0281aa37e89b21f7c411092

SHA1
b1d30a0cfd3476bed43b17d8fdebf85aa81bb3ad

SHA256
2db44e4942422244267a32d5e40bae9afadf4d6eabd7f815380507389ddefa73

SHA512
233366543186a75957196ed44bf0d60a61c74159a177d3191cb308b813ec4633a761c152781021a6e2f88c1f30fc779f13c4b90f930db6387794ade93848d02c

Download Submit
C:\Windows\SysWOW64\Mfkimg32.exe

Filesize
96KB

MD5
b1c78732b35ad4d18448043d23632fc7

SHA1
f1bd253d694318c05d8c42ad963f72e9ad844566

SHA256
948250ea0494ab1bd2c75f578b6e2eedf7bba6e65c0d1ce9a7275c200474376f

SHA512
d4e01c8f0a3685e0913fa80ff06ada7905fd43b80e13790c6e38ad518a483b5897ed5eba8c84bc1ef0ebd116b59d928902698830da9fe99c777fec0c2684136b

Download Submit
C:\Windows\SysWOW64\Mgmbmj32.exe

Filesize
96KB

MD5
4248022652709c3583b4f4ef9ecfa9fb

SHA1
e62f9cc09025b2955d1bcc266a8dbbd97664b2de

SHA256
6748b077bbd033bd773cf8edeef169a91cfc9cfacbceb3d5527994c978a56244

SHA512
7cc5c8025d5babefe844bd9e0fb2956d2ae0838d7ca1b3141f17c005703b1e08a5b8b27b342edf04941d18d16bc8ebcd032da82a16691a2855b701a069fb90d2

Download Submit
C:\Windows\SysWOW64\Nfnoje32.exe

Filesize
96KB

MD5
ca8044c36f8b8e0c490176df3961b361

SHA1
a7295e0067648c710ecf2e95248bf3b0b0c02a6d

SHA256
351cd3123dc4bb682d5bbd76476bcdd1eb71a504ee9306c0070fbe3da28a1c22

SHA512
7b228fe3e84a61d18a68cf02adf07b1f461239552bbc5b595c5552703ff71c76b2ffa19ced2a95c7ccb5affc029acdd0bf540cdf74ba5bd61539689a8da406e6

Download Submit
C:\Windows\SysWOW64\Ngalhimj.exe

Filesize
96KB

MD5
ef7cfe5e206d17067cfbf8a1eb7cb47c

SHA1
6b431d3c88daa451e08a8b6fc35fc3b0f65c345d

SHA256
c913311bfb276efb90b7992527fb50909f57281e128900b379d6178de440a38f

SHA512
2370bd36f8b2255026f861701b9e22d6dd5e4cc8287e6b4001febde8f092c98774f0c12ee9b6c3b74a0974fd6b2cac467bcc9d39681ec4396720aa547990cdaa

Download Submit
C:\Windows\SysWOW64\Nmaafp32.exe

Filesize
96KB

MD5
76176aacfd125392a779104bbfbc8d1b

SHA1
b2fae27297614e0c0c509b92848e75b839fbfd7b

SHA256
31b799149fa7367344a33fbffa7c2bc89a448eb14fea1c094c82914088b9b09f

SHA512
04ab306ff42dc5f038f5c1d2b0c3c33949ea517da1b3bb17547922ca11823961f337465425feb2de16d19a5c2be76c39ecf8155047bccaa30a50f382d94d55d3

Download Submit
C:\Windows\SysWOW64\Nmcnkp32.exe

Filesize
96KB

MD5
3c05b80c937f6ab93ba39920eb4a70d4

SHA1
adc9634c6ed34bf7f867a22a65f765afb7edb70a

SHA256
dcd2c8b59ab0f2fa6dfa47c5723ac706888037fe26bef563c8dd7367eb5475b3

SHA512
6c9b8d6c46833f30fb2ddc3ec7fc928314e617a95f98ab3af1b4fc42d6d60954dadc5c5b76b677dbd75f8a26303c17fd9ed19beb4b5cdd6be36375def5a08b70

Download Submit
C:\Windows\SysWOW64\Ojqakbnk.exe

Filesize
96KB

MD5
77ca79750aed7bf21e6ed216e0f90551

SHA1
3a7417906a5f79a69e0173d2a3c0b8a7d14d6ef1

SHA256
2dfddad1fc55579d9fb33b540b96ee684ef72621779a0c224901654ef9c354d0

SHA512
86006aac5efe42d3d2f369fbb6c90df6280a47f42986b9ad54f282b3c4199c4f8ac24f5f4fb965b81af5f4ee3deecb1ee473ab0fcb39a2b0e149eb4345e4536b

Download Submit
C:\Windows\SysWOW64\Onjpfahf.exe

Filesize
96KB

MD5
a8657689acf45c6f98b3f9f85036bbe1

SHA1
14f6d888171f463c643fc894c59e83983a18d062

SHA256
d15c353fb6c1034c499ac8d6eb1a0184d8d6c8f4797cb686c196a8464e1fabaa

SHA512
718b8435ef7bba751887765fdd873e93b128198486f294ca6ef1618757ceddbb1fbef730c4119a159f42eda0f389632fef548d1801034a734ca2f5f4a8f5ba44

Download Submit
C:\Windows\SysWOW64\Pmhpmmed.exe

Filesize
96KB

MD5
6b394ba90fb124584dda2eaf039ec5c6

SHA1
f29d76bcb6923a14a7a0aea19e7aeaeae2b6c8c0

SHA256
d228345e3cf9536b7eb53816fab2e587376ba021ff96b979046fbf07d3ee4e24

SHA512
0e80f75dd6cabf24c0b99002a8a350c71f631d774c71f17eb0e392891f6235e5ad1ef25518cc6e6daa1cfa6f3648da9b8876506c1f420af0186d857c654fda30

Download Submit
C:\Windows\SysWOW64\Qmacckmi.exe

Filesize
96KB

MD5
27c3c8b88c31aa5fcbfe1c316016f57f

SHA1
04aa8b66337a190cf59dfa7f00bfdd7e2cd6d376

SHA256
45c9df97c41e25006c9a4bdaec9c8620122de360510481db5bf3950c7739f8b4

SHA512
17e0259789c2c5ed6966037f73f1e8f5fa82605ca8205a269ae50136650955be07c33939065c040b0d171e46711dcc25de8a0fc3c92a43c9bff1dab0eadfc11c

Download Submit
C:\Windows\SysWOW64\Qmofnl32.exe

Filesize
96KB

MD5
760a710e01850cd1b8bd6862a2e4f398

SHA1
91e280ce415ac71132d32dc0e19a81a83e947dc7

SHA256
e48f11ba37d412e070a97eee1db44bef5e83051e4259f29a8a76ce4b715516ad

SHA512
1ff236a7ba96f844f318a4deb3627ca42a29a7c7c40962c565be0979f8123c2f1b6ac40aebbeb1a292742c375a0ede624d1057bc7cfebb94933b7c511ec24e3a

Download Submit
memory/392-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/392-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-427-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/684-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/684-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/724-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/868-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/868-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1060-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1280-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1368-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1412-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1732-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2164-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-261-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2332-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2488-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2892-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3080-271-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3080-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3420-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3536-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3536-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3548-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3548-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3600-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3600-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3852-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3852-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3896-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3896-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3936-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3936-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4144-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4364-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4444-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4524-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-137-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4544-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads