c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe
Size

1.1MB
MD5

b2f0a15b99214d550445014b3dc2d5e6
SHA1

0640172ed82cb06ca7d76035f65b2a72e4b709d1
SHA256

c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0
SHA512

d7e8800a77a2ad8c5fc6ace20aeabc993e2989814acc3e297edfa5d5878ee0e865f42962a2eb59d048cb118333bf1ac82066635b5496e5acecd4c7cb0a1936f6
SSDEEP

12288:tOvZrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:+ZrQg5ZmvFimm0HkEyDucEQX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcfhof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomhdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edpnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfembo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehimanbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekemhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmhale32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe

Executes dropped EXE 64 IoCs

pid	Process
4072	Ekemhj32.exe
4140	Eekaebcm.exe
4220	Ehimanbq.exe
4332	Ekhjmiad.exe
232	Eocenh32.exe
4568	Eabbjc32.exe
4056	Edpnfo32.exe
4420	Ehljfnpn.exe
2036	Ekjfcipa.exe
5084	Ecandfpd.exe
3124	Eepjpb32.exe
920	Edbklofb.exe
4920	Fljcmlfd.exe
2040	Fohoigfh.exe
4484	Fcckif32.exe
4748	Febgea32.exe
5096	Fdegandp.exe
1792	Fllpbldb.exe
5064	Fkopnh32.exe
656	Fcfhof32.exe
1688	Faihkbci.exe
1592	Fdgdgnbm.exe
996	Fhcpgmjf.exe
4656	Fkalchij.exe
3312	Fomhdg32.exe
380	Fakdpb32.exe
2068	Fdialn32.exe
4440	Fhemmlhc.exe
4320	Fkciihgg.exe
2260	Fckajehi.exe
4796	Ffimfqgm.exe
3288	Fhgjblfq.exe
4652	Fkffog32.exe
3396	Fcmnpe32.exe
4396	Ffkjlp32.exe
4208	Fdnjgmle.exe
2360	Glebhjlg.exe
1404	Gododflk.exe
464	Gbbkaako.exe
3216	Gdqgmmjb.exe
1152	Gofkje32.exe
4060	Gbdgfa32.exe
1680	Gdcdbl32.exe
4936	Gmjlcj32.exe
3820	Gohhpe32.exe
396	Gbgdlq32.exe
1284	Ghaliknf.exe
3272	Gkoiefmj.exe
4976	Gcfqfc32.exe
4388	Gfembo32.exe
4852	Gicinj32.exe
4912	Gomakdcp.exe
3292	Gblngpbd.exe
2420	Gdjjckag.exe
3564	Hmabdibj.exe
2432	Hopnqdan.exe
3336	Hfifmnij.exe
4932	Hihbijhn.exe
1912	Hobkfd32.exe
3920	Hbpgbo32.exe
5160	Heocnk32.exe
5200	Hmfkoh32.exe
5240	Hodgkc32.exe
5280	Hbbdholl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbkdpj32.dll	Gohhpe32.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Adecfl32.dll	Icifbang.exe
File created	C:\Windows\SysWOW64\Fakdpb32.exe	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Gcfqfc32.exe	Gkoiefmj.exe
File created	C:\Windows\SysWOW64\Abckpb32.dll	Jmhale32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Gdqgmmjb.exe	Gbbkaako.exe
File opened for modification	C:\Windows\SysWOW64\Ildkgc32.exe	Iifokh32.exe
File created	C:\Windows\SysWOW64\Kpeiioac.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jfcbjk32.exe
File opened for modification	C:\Windows\SysWOW64\Jcgbco32.exe	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Imfdff32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Immapg32.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Eekaebcm.exe	Ekemhj32.exe
File created	C:\Windows\SysWOW64\Aogmoeik.dll	Fdgdgnbm.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Ehimanbq.exe	Eekaebcm.exe
File created	C:\Windows\SysWOW64\Nghjpm32.dll	Gododflk.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Hmabdibj.exe	Gdjjckag.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Imfdff32.exe	Ieolehop.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8428	8312	WerFault.exe	364

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hobkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifjodl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehimanbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hopnqdan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gicinj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbgdlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkalchij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdegandp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekhjmiad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faihkbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcfhof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifokh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdcdbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifbang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glebhjlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edbklofb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhcpgmjf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghaliknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iccbgbmg.dll"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkffog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkebndc.dll"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbcdnbb.dll"	Gfembo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabqkgan.dll"	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icifbang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jianff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbbkaako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcinbcgc.dll"	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fomhdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhcpgmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll"	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblabf.dll"	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icifbang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmabdibj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 4072	840	c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe	86
PID 840 wrote to memory of 4072	840	c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe	86
PID 840 wrote to memory of 4072	840	c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe	86
PID 4072 wrote to memory of 4140	4072	Ekemhj32.exe	87
PID 4072 wrote to memory of 4140	4072	Ekemhj32.exe	87
PID 4072 wrote to memory of 4140	4072	Ekemhj32.exe	87
PID 4140 wrote to memory of 4220	4140	Eekaebcm.exe	88
PID 4140 wrote to memory of 4220	4140	Eekaebcm.exe	88
PID 4140 wrote to memory of 4220	4140	Eekaebcm.exe	88
PID 4220 wrote to memory of 4332	4220	Ehimanbq.exe	89
PID 4220 wrote to memory of 4332	4220	Ehimanbq.exe	89
PID 4220 wrote to memory of 4332	4220	Ehimanbq.exe	89
PID 4332 wrote to memory of 232	4332	Ekhjmiad.exe	90
PID 4332 wrote to memory of 232	4332	Ekhjmiad.exe	90
PID 4332 wrote to memory of 232	4332	Ekhjmiad.exe	90
PID 232 wrote to memory of 4568	232	Eocenh32.exe	91
PID 232 wrote to memory of 4568	232	Eocenh32.exe	91
PID 232 wrote to memory of 4568	232	Eocenh32.exe	91
PID 4568 wrote to memory of 4056	4568	Eabbjc32.exe	92
PID 4568 wrote to memory of 4056	4568	Eabbjc32.exe	92
PID 4568 wrote to memory of 4056	4568	Eabbjc32.exe	92
PID 4056 wrote to memory of 4420	4056	Edpnfo32.exe	93
PID 4056 wrote to memory of 4420	4056	Edpnfo32.exe	93
PID 4056 wrote to memory of 4420	4056	Edpnfo32.exe	93
PID 4420 wrote to memory of 2036	4420	Ehljfnpn.exe	94
PID 4420 wrote to memory of 2036	4420	Ehljfnpn.exe	94
PID 4420 wrote to memory of 2036	4420	Ehljfnpn.exe	94
PID 2036 wrote to memory of 5084	2036	Ekjfcipa.exe	95
PID 2036 wrote to memory of 5084	2036	Ekjfcipa.exe	95
PID 2036 wrote to memory of 5084	2036	Ekjfcipa.exe	95
PID 5084 wrote to memory of 3124	5084	Ecandfpd.exe	96
PID 5084 wrote to memory of 3124	5084	Ecandfpd.exe	96
PID 5084 wrote to memory of 3124	5084	Ecandfpd.exe	96
PID 3124 wrote to memory of 920	3124	Eepjpb32.exe	97
PID 3124 wrote to memory of 920	3124	Eepjpb32.exe	97
PID 3124 wrote to memory of 920	3124	Eepjpb32.exe	97
PID 920 wrote to memory of 4920	920	Edbklofb.exe	98
PID 920 wrote to memory of 4920	920	Edbklofb.exe	98
PID 920 wrote to memory of 4920	920	Edbklofb.exe	98
PID 4920 wrote to memory of 2040	4920	Fljcmlfd.exe	99
PID 4920 wrote to memory of 2040	4920	Fljcmlfd.exe	99
PID 4920 wrote to memory of 2040	4920	Fljcmlfd.exe	99
PID 2040 wrote to memory of 4484	2040	Fohoigfh.exe	100
PID 2040 wrote to memory of 4484	2040	Fohoigfh.exe	100
PID 2040 wrote to memory of 4484	2040	Fohoigfh.exe	100
PID 4484 wrote to memory of 4748	4484	Fcckif32.exe	101
PID 4484 wrote to memory of 4748	4484	Fcckif32.exe	101
PID 4484 wrote to memory of 4748	4484	Fcckif32.exe	101
PID 4748 wrote to memory of 5096	4748	Febgea32.exe	102
PID 4748 wrote to memory of 5096	4748	Febgea32.exe	102
PID 4748 wrote to memory of 5096	4748	Febgea32.exe	102
PID 5096 wrote to memory of 1792	5096	Fdegandp.exe	103
PID 5096 wrote to memory of 1792	5096	Fdegandp.exe	103
PID 5096 wrote to memory of 1792	5096	Fdegandp.exe	103
PID 1792 wrote to memory of 5064	1792	Fllpbldb.exe	104
PID 1792 wrote to memory of 5064	1792	Fllpbldb.exe	104
PID 1792 wrote to memory of 5064	1792	Fllpbldb.exe	104
PID 5064 wrote to memory of 656	5064	Fkopnh32.exe	105
PID 5064 wrote to memory of 656	5064	Fkopnh32.exe	105
PID 5064 wrote to memory of 656	5064	Fkopnh32.exe	105
PID 656 wrote to memory of 1688	656	Fcfhof32.exe	106
PID 656 wrote to memory of 1688	656	Fcfhof32.exe	106
PID 656 wrote to memory of 1688	656	Fcfhof32.exe	106
PID 1688 wrote to memory of 1592	1688	Faihkbci.exe	107

C:\Users\Admin\AppData\Local\Temp\c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe
"C:\Users\Admin\AppData\Local\Temp\c6ff9504812c75eb899e9e48ab2bb5efc81047aa5ee9ddd265773e8ec61ba7e0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\Ekemhj32.exe
  C:\Windows\system32\Ekemhj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\Eekaebcm.exe
    C:\Windows\system32\Eekaebcm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\Ehimanbq.exe
      C:\Windows\system32\Ehimanbq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        28⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        29⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        30⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        31⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        32⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        33⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        36⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        37⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        41⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        42⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        45⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        50⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        53⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        54⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        58⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        59⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        61⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        62⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        64⤵
        Executes dropped EXE
        
        PID:5240
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        66⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        68⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        70⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        71⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        73⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        76⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        77⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        78⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        79⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        81⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        83⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        86⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3152
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3620
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        92⤵
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        95⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        96⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        97⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        98⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        99⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        100⤵
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        101⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        105⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        106⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        107⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        110⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        111⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6156
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        113⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        114⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        115⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        116⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        117⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        119⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        120⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        121⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        122⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        123⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        125⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        126⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        134⤵
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        135⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        136⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7156
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        143⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        145⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        149⤵
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        150⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        152⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6304
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        154⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        155⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6492
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        159⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        160⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        161⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        162⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        163⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        164⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        165⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        166⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        167⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        170⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        174⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        176⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        177⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        178⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        179⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        180⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        181⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        182⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        183⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        184⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        187⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        188⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        189⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        190⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        191⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        192⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        194⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        196⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        197⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        199⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        200⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        201⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        202⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:6660
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        206⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        207⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4604
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        209⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        210⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3672
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        214⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        215⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        217⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        218⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        220⤵
        Drops file in System32 directory
        
        PID:7176
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7220
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7264
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        223⤵
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        224⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        225⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7400
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7444
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        227⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        228⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        229⤵
        Modifies registry class
        
        PID:7584
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        230⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7668
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        232⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        233⤵
        Drops file in System32 directory
        
        PID:7764
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        235⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7932
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7996
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        238⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        239⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8084
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        240⤵
        Drops file in System32 directory
        
        PID:8128
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        241⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8176
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        242⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        243⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        244⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7348
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        245⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        246⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        247⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        248⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        249⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        250⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7864
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        252⤵
        Drops file in System32 directory
        
        PID:7968
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8048
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8124
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8184
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        256⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7248
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        257⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        258⤵
        Modifies registry class
        
        PID:7476
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        259⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        260⤵
        Drops file in System32 directory
        
        PID:7724
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        261⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        262⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7976
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        263⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8096
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        264⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        265⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        266⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        267⤵
        Drops file in System32 directory
        
        PID:7984
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8164
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        269⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        270⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        271⤵
        Drops file in System32 directory
        
        PID:8120
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        272⤵
        Drops file in System32 directory
        
        PID:8256
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        273⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8312 -s 416
        274⤵
        Program crash
        
        PID:8428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8312 -ip 8312
1⤵
PID:8380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aainof32.dll

Filesize
7KB

MD5
45438cb36b22acad94fe97a4ddeeb43a

SHA1
8b8637aeb5f1e7cdf62693b19516a35991226c1a

SHA256
b3f745a6286ee2db2f980645e286090fc8d18faa0885f296fdaf00d8513b7ce8

SHA512
2a30821f2d1ba7e2afda926b9ece97cedc9894c196397c28e548c01aa2b7e1e96f7be2d9b8d5874b5b532408174aa0d2f3b9541f6fe4edec323472c355e1faf1

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
1.1MB

MD5
67c6c48ad0e74bebc414f1c616c59c85

SHA1
52e544a91950b7accd330b6b4504ab281f79217f

SHA256
d129e8ba4cc33018ad72a1ecf5b8ec80cbc64c825818551b86cc888521eab2e5

SHA512
a8ffb9957f8de93618e191785b256c5df4573f948a6555c1d9cbb366cc1da0422693bfb62ca3c246ec6c98d2d5c26494326c134762be2976ccd95534f73af308

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
1.1MB

MD5
93d2c96dec632e0f8e0eea5d2cd6655a

SHA1
07241f321eee85d02d5f375a43870dc0afb8fac4

SHA256
bd3769a6f6c925b3982da18a047e6414fee0cd6d41b366d16ce52d23b4ad7530

SHA512
93fa96ee9a148a969a495e1a40bf3c8e7496a84c41f2bc810598c0b27513a35a7969b037c9b8bf8829f8325aab85b4d6781bea7fac8ea762fcb9ec1d33161052

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
1.1MB

MD5
a6a23f6757c0d465df4531e9b1b569d2

SHA1
9e371b010a6fcf2c95ddd0590e15485b4384039e

SHA256
147fc1fb346344fc8481f0d019d40dc315daeaea6b928bb7b945bfdc78d4119a

SHA512
ca3cbecef9ef8dd3f7ddd0851085a41d207ce019e171fcaab46f0f6afdea5b738313bea3360cee4d12582b646428e8d2eb1d34479ced6d9c1fcd55c5cd53ad95

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
1.1MB

MD5
7050c92c38e74ba014b5c20b6d0ac284

SHA1
482011cad81ae59805057106056ce78090d1c19a

SHA256
220d9033f881f197ac466eb14fbb870ef77b9cd0666e593a76423fb866dcd7ca

SHA512
afd283fecd94634f613d20f8b3055ff9325d25e9d844d9138aff33c3eaddc04628ca233c9b16e9d5bd0d121ef00c617cb12b91d7be46882edc4e59e8f6ea09f2

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
1.1MB

MD5
58ce8c0ed920151e6341512cb229d4bb

SHA1
1b81b138d0126c7a31810ec7642a7d2343746791

SHA256
358d8db5103cb9e328cbc8e090ca87d0c438e36995863e3fbed69fba43cc4887

SHA512
b7b23a1cb91118ba31763fad9c8ad4f690fa5e5542f961fbd2933d7339d875f51a57d5f77b7f9e878fbef3cd404dc463a0373f1e9dcff6ac41db2b1e7825044e

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
1.1MB

MD5
3e3b7d2d2ca934d144db6f7cb67d2cb2

SHA1
8f8cb9740a3456a04c54407ee954082bf65644b6

SHA256
a5eaa8644fc4987a63c6b85172cc9f9e6d5afed18ba3eaa30a9ae91bffc60e7a

SHA512
1c3708bc18e24531cbe767b3b2077de4069a4619105baf2ada824bfe9bd3c66b206e7b06e2d3facfbc85fcab55c276cb094fbc711bcffaac439ac303ede54e2e

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
1.1MB

MD5
fd8bf0b1d3f59e74b920ff601ee7622d

SHA1
f95a3453ef7166a980b3803f7d5dfc6090c8a707

SHA256
7343e13e10a0d8d305fb79b14c509d81c93e96136145bd0ad173d9a1104b3f7c

SHA512
9b39045b463c905c35ab050e1ee7f5c55cb7496d505f3d527fd8b4503d74ada6afe9d8e28694d7d7b211b109daec4a54c2b01d9aa59a59d26454316f4ac15092

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
1.1MB

MD5
e4bd46889c3e0308c4a250116714f1b6

SHA1
bbe6b3f0489ed6b28118381e3fb4b3abfb96fcb1

SHA256
f15abc012694c03aacb571c2498fc6f146b94a017e8c2fae0883f52dd8770898

SHA512
4ce1c30d078cd4b42fc9e78f6fb32fb277bcebf9bc0c48f25b127a423e660e01e28e8f19a9cf3c73c50586aec42bfaa8154b5ba687c8d4b2fda0c42d809a063c

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
1.1MB

MD5
1ce75b864d06a7756d1d1ce0dd671f47

SHA1
fc35833d316d1a75c4ea16c52faec5d8caf44233

SHA256
04d9afc9fe791e1bde0e62a58165191c8c2148836ed09b337b5ebe0e05d13b07

SHA512
11aa5e3a884979bfa71f64b4cb95a2d17f81491792fd13dc114abc50aabb5bd3796f081ed927b95b0ad5d4b88ff1f5e7a33226a41260aa3ab783955e6a246d0b

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
1.1MB

MD5
1a8152f132305ae05613e4dc13783986

SHA1
c09311520831320e236dcf58a2cdcc3ee3597e38

SHA256
38e545194b311f318d4555482b6af8238aaadd6b2f6d6046ef744c58418fd3c0

SHA512
07168fc40334a35ce45bafe561c497912c639b6071ab58236acc1fe7211b09a7d8e6e7dd0a47ebd585f5902e390d145ce6e7b6c49025d5a80f790cda0b0a963a

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
1.1MB

MD5
c7cfb15475835b52102215be406852dd

SHA1
a468fe28d9eec8c907600dc8465a0d6805f65aa5

SHA256
1a995f4f36dba154aa89bbb2865b27cfb8467794a16d7f7012f1e6d81b46394c

SHA512
74d0a3cda07b93ca45381903bf0f570415c7313ce455f67df07730e278a98197ba5f8d6fcdb057856fcda99da88273102c8370eca720e627186b565f3356617c

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
1.1MB

MD5
f7a4ea1a5e4e7896644ea9d3cbb9cc2a

SHA1
b88b871eb133629e8a3a34d45ec19f4f5d4e741d

SHA256
f4dd19f6abb2c87311796034be6c2eb04c13a5c082e4c7577745281125b57002

SHA512
98c8ac1ccb0231a7fe277efe11b9c783029f0af5b75c4176a3f18648a8d7d80d98d86a15d5922390c50fe69d66d6c2a3dd0deb1ba99317b6b463aa829743509b

Download Submit
C:\Windows\SysWOW64\Eekaebcm.exe

Filesize
1.1MB

MD5
0804258a61ad3eafa105c37a6cf63ff2

SHA1
5269d25947d984c15807bb06db7d71f7f43eb2b7

SHA256
ddfae0f6d626a541753b736ee44b3ae6ca4dc6a4b5c9774784611abfc4c1c6d4

SHA512
9800407d6f4001b636d36f684368f4e97124763d889bd8f1e6e31daef5370ac6f9c2057a77bc7d2867c5c6357c86e62f3a47b4df8a770cd2b0c8bd8d9b43362a

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
1.1MB

MD5
6e6929420bf00d4e56b3d95589092465

SHA1
53ef417951d2113af102a8db16a529671709c7d9

SHA256
8b4caaa1350e7d8aa871386b5564913c68410c7d6e18e12af10a3ebe9c218b8d

SHA512
cf59b01947b364a80370d4acce9d1fbf83cf69378c04bdb8d2e48b6778853755a90db5b262abb9450a7d32de2680fe07e96f3037b9346144bc45d94069598115

Download Submit
C:\Windows\SysWOW64\Ehimanbq.exe

Filesize
1.1MB

MD5
89a2b6b8b59d298b48fa325df3870a28

SHA1
52fdfa2a55a9c868f40b40ae08dfa3bb150050b7

SHA256
6e1cce65760a6bd56ded6844b5970a5825475b83f49a442d1a25724b3f1a1797

SHA512
117bf17f03db8d47a6cb4e37158efeb33ad666d4a3f1e05a3d462e84adc89c6aff6a9740b128877562085014128007589f89ddb6cd2a3e0ddd7a17b5f5f7551d

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
1.1MB

MD5
793459bef806a289d0d508592e0dfda8

SHA1
20a2e162ba5653da0d752971c67a397757922d56

SHA256
bdbe67843bef5809ef2c431baa07318a96e87d2e1c3c41626c30f31526fca5f6

SHA512
909ca625549d784c5894adf51c5b5e02269030789100543f2b52a444511c7dabf4e43d9fe1db3029345972b797e8e7280f70bff5df37c0ecee2e4e14cd7b00aa

Download Submit
C:\Windows\SysWOW64\Ekemhj32.exe

Filesize
1.1MB

MD5
7f54e7006e28cca79e234ef1a4510919

SHA1
5e5e2ebefbd100fd141c74978b309e645e1d245b

SHA256
af5227468ebdfa4a6a9f1730da185447964c31532c2c1222986a5bfce3a434b0

SHA512
291f94860d3de890b2baa62fdb174420ede41849654922e4555e7d719303b9d98a8d8586638ff1bfc8c906648e4e0ea59cba16836c65fbda25a0cf8221b3e586

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
1.1MB

MD5
5322842abbe84e2005b07cb3f8d5a4da

SHA1
c27791257b690e0ff866fc98c7bef3884ebbb8a8

SHA256
a36fe8c9e398d9b045952879716ff689b2d58831a0862380a55c448275999663

SHA512
7a6be23109c5f6d18aafbe0fc98d7b235fabffa60dfec08c7fe8dfddfb92b315df6c8c44d74c6c41aa8b27a64f6d0d77134aa99c3d2cea2e8b57fb049dfdcd93

Download Submit
C:\Windows\SysWOW64\Ekjfcipa.exe

Filesize
1.1MB

MD5
8b61f1111f3d8336172aff49b7b6df78

SHA1
59dc254c940b59caa142b9a6384ea14e33bb9f23

SHA256
235e55bc51a9957872e940b916764cef43d88537f817a50bb19e4baed984e89d

SHA512
0dc337198c7ab968b4e2df0365fb8915a6511d71be3c76e9a6ea4e2f1a3af79d0c00694d8b1020c9a38d3b67592c8aab6a87bd4230cdbc0bebe90e51eef0afdd

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
1.1MB

MD5
f4de551313c27d859ff320621ed74170

SHA1
7b0f9886d05e431afc31e90dea20df8f0656b655

SHA256
4e09ccd737a8ca595f2427e82f05eca69686d4d2e39ef5136a350065072b0ed2

SHA512
1ce22ab8c75bfdf0294cf4e4c06d8aab2dce2889c8487f5cbb33af4b451a2ce0e138d82c95ce055fedb29301c9b05cda7ee69e4be011101695a529f7d58fd5bb

Download Submit
C:\Windows\SysWOW64\Faihkbci.exe

Filesize
1.1MB

MD5
5201770ec7501d494e144a4837eece1a

SHA1
98a6316c936eaa8219ae23384723ef90e96f8ed4

SHA256
40f2095eb42cc4b12b347d6996566a5b6485cdf32133fe27437413d559bf87c2

SHA512
db75c670ef236a2c50f5184e65a86c677f7fe0b8574c8a41c4ab36ac583210ef3d239d11154cfd823cd479c52522047984e941522add8630296807841f490432

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
1.1MB

MD5
883314f4cbee75867582aedc4cf7f235

SHA1
5bb4416efbd79548efdcd25bcad5771badad3454

SHA256
52e86d663d99b249c57ec1a7001eb54458082d1fd4daa30237c586c80a156369

SHA512
47bac049ef9d5e78308ba6c49f7f649c5497e5cc9dba1cd22dd18d68531bd0c0583bca9ed0066224f5c9d1c60bb4ddc3e006bfc62af65ee730e91cbfd00e959d

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
1.1MB

MD5
b2f48fc2f996a7fd67ecba6473432cb6

SHA1
7e6efd197d3db703fe063ae5694064b4e7e05bcf

SHA256
572aa3497c3818aad14b19e1d55ba142fc9ed0183b1a52d3227eeaee4275473d

SHA512
16ccdebdbbb2284259f647e5cf87dc31f8aa5825cd87166cac0ecaf004903683081f10638d6906c3b2214f6cfeddfdb4db361d7f41ef16cefef82edd50cb5f19

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
1.1MB

MD5
dabdfcbe89d772ed587ad1e644bf5942

SHA1
151790505e5e1edd7060796ee41426bde594a5f7

SHA256
381f6cb9df8a531a82a77103aaab71f671fa56eb1ba38edd166e8d80a85f2e87

SHA512
27d219d751ffabe1625b537d704e5d24253da01c471121f1fce09c1dc86c55722c9b21ea4cd071a17372c91f40242021225a55a79e7d6195e4f681b26d9e09d4

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
1.1MB

MD5
8de5b87550800af63b20f324e12a535e

SHA1
b9a0c83264b90c608aaba0aa66b82f488c5d3def

SHA256
f4f143c3b5fd6fb260bc11c1405e520782750528cd5331f19c13fe0b1dd0adc0

SHA512
8366c733b344da3b320f707f2ce06a57b7a29213820267ec5b007dfbde7129ba9fc5f83efdb1f533f89a4d3caf5eecf7d666ace96b482a64308dbf9f5f87629d

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
1.1MB

MD5
bb36372f5997ec10a80850b3494cd081

SHA1
ee00240bce93bf47cfa2abd1d93322ed83381d2e

SHA256
ff8a3f1c4b616b28850282680465560b82dc73b3578499be05e29e727a818248

SHA512
c75b9bb62566682fac22732e57ba1a967076bf5bda16adfdf019bc0773e01958b91201f9d436ef24b710aad6b0e61671f29387e46e072002e53de5c7231f057d

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
1.1MB

MD5
5bb9c26b6615a89a714bb533c5a87c89

SHA1
6717161928328a3ecc988e25e321ac3e910456fc

SHA256
2861129cbb9ea054279beb50652b35c7ea462f42d52402c925365350073fa01d

SHA512
0732536400d8e920901e86667c9cf1e26a6b094363d62a77d6dc88dd9487ffaae3edba6690c6a0a01102cced3ac2261d65c3264a74c67fee1a0b4b936ba79edf

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
1.1MB

MD5
1004a484224351ccb4c9737ce8c80e53

SHA1
9f8cfe430cf3311f7472062c3529bc84bf477f14

SHA256
f3020e1c2d325cbdecb25d0ce01d4ae40d519f7de9e7729c2249dfdc0ab7668b

SHA512
d4559b99a178c200e713d8cb854d7b0c4f928b946ebe62226ec1b93d44d4ff0e62df51675ed085ef5830e8b2434c83730a97c7c5373c511145349b10d0e46193

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
1.1MB

MD5
17d18b222877bbab49e939f572dfcfeb

SHA1
8d3174b29667a51dcc21006c3fb469e27825bdb8

SHA256
8ac88a2dd1f7201beb3c831995883c82ce4b0d506ec3f6b4747cefb80508f919

SHA512
bd9908f392b681c18c6ce391a5f874636a9ef2571a7accc7924ad37904fd2bea9f21846de3978f6d20283af81f49fcbae4d0b898c0b51846e021a0d352ef4495

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
1.1MB

MD5
9fe67e3ec0cbbbe30cb3c99a7a9746da

SHA1
a6405cf7fef7128d43cf2124c1c54efe4339ae23

SHA256
29dde9f5c4a156af8b479ac4e3883c0cc3f545f6b829bde2042ba88427d1bddd

SHA512
b4d6f539490bc013a51b55f2318374d31f05dab6338c922af0280ab9167c9f6d222cf72431e0362cd8035bff9a2831327b550eb6435b8ef39a374479d3d833df

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
1.1MB

MD5
ff5f908dc485eb27fa7a76c441daf5b7

SHA1
29e207a6a9b30ae4f014eb10424b57407bdf2638

SHA256
ee3959f6bada3169a733b062306da7df30fa42bdbddbfb3c6d44742f0535a682

SHA512
b084fb972a10c65f6b7dee0a0fc51728ede84d210e23d760a9469c26df10891dfc3be8eaacf4fa90c717e6facab7429bc0a8676a3746daa03d1b9def04b48e83

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
1.1MB

MD5
ee2a17d3671a1d6ec16fccc3ba2bf811

SHA1
366fcb4e6e248b2915356db862d81f63d5789717

SHA256
c2063dd32e0a104f804189030305054e17a1f7143034108a8f897e9a95050866

SHA512
d58c0d604cfdfb589c60aab1b4d321a7b93e72a86e0513f6e491cdb1c379a9f2f899a7ae2ab4f7eac4556cc49995862a357275831742999009c0caa5c527fb9e

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
1.1MB

MD5
fb9363e6fb907cf289d9eff96694c559

SHA1
8681a3523a3b92a7cfde27fdf9ecc013273114ac

SHA256
5199686762ee7f9b073eba2b02eecc21eb9196192629376b7931c1dfbbc20612

SHA512
2016b71689c5eb909ac6c087a3972b0dd9970d0a802743a0c1d5f4ad8a2d74ca88ea94a2becff612e6c63f33f01aa472c26474020184060f481dc5fe6060ec15

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
1.1MB

MD5
c8133cb3dee020ae0484e478f8c2df18

SHA1
3d2bd2d7311dd702938a2eb2cc61b139743210c0

SHA256
22c5bc6dd084f3092cf0fbd668c85e8fdf727ad5a6debb39c9e3dcf78466d72e

SHA512
3af27f72894fb6b9d30547e8c6dcc7b1a52ff4062b71687cd5ea41f1939e76ce5d35c2987a4a3901e4187cd12dd04fdc48949c13b70ffa40940b28e87a22279b

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
1.1MB

MD5
1b8bfe91f95a56580dc278cffde1a57d

SHA1
79c6494234fd4ce4311a3a6393fd9c57926e9fd0

SHA256
316083011d46546140484f9b76ae232f536259bf1f71012e521486190742352b

SHA512
0371fa90ee3f8d167ef158c5bf5bb637044e65e0450fc1b16e26a829a96d4a303055fb0cda0b6250b208c995b69309eeb352e391a35e93e341b12954572b219d

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
1.1MB

MD5
e809685f81fce6bd7e603fa2b8f0e764

SHA1
8d1eaf82d300f74354ac10590944f35d3056ed66

SHA256
85120b6b38b7263d7f2fd0c7d8785a69a7878607f5580e5651ac5ac3ac8751d1

SHA512
67b2359c9860281316b80f6794eeed08364ad696c28afca529471d9cde0abe70c312e4c686a3798da7e878e5cc4caef88718d6754074a3faa7ddf11faa430ba6

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
1.1MB

MD5
35831152b9a09b3c10047862231b4424

SHA1
e958a427aa12ed75ca49356e4e037a58f5f752d7

SHA256
e4b7bd762dfad5ef6d69f52116faa2576780005e752c78b6ed662f9cca5bc512

SHA512
085e0425172611d52d60d1bcdc00bde6e71c7a2b4238931468e5dae0dfe838144b91f5e13833b3a7d474ba34a4dcbb65651fb60e368eddde97e50d10c963be94

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
1.1MB

MD5
a8f6834b2efeb644ffd79ceba9f606c1

SHA1
a56f808079cea2cc98d8fa7958d65479e0ec59a2

SHA256
c748349766ab9b92fa796e20b00c385cdacb323511530de6d0201eb5fa86d022

SHA512
1815ff769d8e9f73ea8fc278f54c7cc3c997c8c2c46184e001c84a72d6d2f42fdeaed6460f91da2c6be35061e6f8bdd17f9794f74abc86e4e65f9e3818678e66

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
1.1MB

MD5
02337f3eebb9377e31dc6462e09196d6

SHA1
d0cd4aff7a0364c3a86355198354cb2405cb538c

SHA256
c7e651cd4b285f4296f402da0cdbf8e72502665b7baa6ee6d92c402feb773784

SHA512
f879db5c8ae0bc10243dcfabae5c01f22a76a3494dc6145180b93b4790994f3a860cc1b235982cdfef1c1b3d8f826d83f6139c831bd88a0a417bb974c96ea0c4

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
1.1MB

MD5
bdb110a9664f599b33a8576143ad91ce

SHA1
59075e3319c8117af27787387dcd51df6277d7c3

SHA256
3a5c528c5ff013e283418846d97f336295547b97fa72c5c9ef0ee9cb4bf7ea32

SHA512
8cb959bf6b7c0b748187f59dec522806b1a2da332f8ed41bde69384afdc0fa0780077bda8e01f9d6ba6c0ee497b59cf82512c7891259366250b0cf419e18b288

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
1.1MB

MD5
c0bb073435c40c25875c80cc3db11564

SHA1
e797e465f0e8a6ecf48708c93d653c1cb6aaca61

SHA256
6753aeb76f8a8f4c12e4a8f1bb57f57fe91164413dc9dcff8264fe7c5ba97902

SHA512
3f1a57796c8d8357c208c04b5efbcb6bb2e5070e7dc1e4410e3a031d74671e11a2dbbee961a8913bac72d23a965a5a9fe62f1698ddcd525cb4316aa5046d05e4

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
1.1MB

MD5
41e937ab55c27368ee2e1683f2907666

SHA1
b13d1a9c672fdd11a9c2b30c04977ac64ae8b64f

SHA256
0ad722aba9be107f4d956635c052b04a943cf066253892ea8a5e18298969a726

SHA512
0aba2c8061d6466175c3c6ae5a5ee961447acdc8873e280393d1c5ebaca1e6799d14acdb251427409e1a67eed0bfb2abfc8c4e1eafb0fd088067b32a86f99780

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
1.1MB

MD5
045927fe6cff10592098b26360065b8d

SHA1
9e084a5a145c4037053b6e74201651937ee29189

SHA256
0699a0f333d1941dc886eb407882109ce0dbffd2289240631bb9f0a9b5c34fee

SHA512
e775564cfecd2d9203f3e1c4dbb8a25daad5cf1fcd3add825dbb0bb927e4e231cb132812715c58a84409502f2d44586f0a1c3ad8b2f8bf2f52ef47b65e9cbf87

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
1.1MB

MD5
298e9683e72a0f357fdca2772102b6f9

SHA1
6dec147852cbe70b7db77c07fbab48196366b799

SHA256
dc90e6f39a73d0d233aa5758d30bcd16f2fc1eeca3499292f07eab84f75ffc35

SHA512
90e2db7396582d99ac9835cdcab20fafd2acfdc6c0548394b0b10fe0e1a2597a55ba9b2d7ba14577544a50dc1b3ed24306a82afa28818426115f6d0af2383bbd

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
1.1MB

MD5
4fdd07fb3598e2556e73b8a8aa09059e

SHA1
1879e2a25901dd367ab399498b5195cc3be84e5d

SHA256
47d8eda858177e6da95f2ae2ab90ba398bb7d5cb20841079a30028f4c8ec69e5

SHA512
07e9528ba7178335c284d2914e890b6a5287e47782770a4d8eb127d73518a73cbb7bd354914b9c7ead5c74b797acba22e19f773696a0b4db082249a84f121c0b

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
1.1MB

MD5
f7cd15cc868ba383e78b3084cc18a29e

SHA1
d2c6b52bcd643740b264e1594e0402dcc01657d3

SHA256
794a04295b426675fcff68d699fb67f760cf0f07ddd6a1f8d9c8aeb27f969998

SHA512
ff353630530150bafe4d1db7fb0186b03694c480bddff10571780fb65672944228d3c9476f7d9e2fe1c8327a940362c627b796ba316552aa3def6de96321d913

Download Submit
memory/232-44-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/380-215-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/396-347-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/464-305-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/640-605-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/656-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/840-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/840-84-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/920-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/996-191-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1152-317-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1284-353-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1404-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1592-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1680-329-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1688-175-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1792-151-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1912-425-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2036-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2040-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2068-223-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2260-247-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2360-293-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2420-395-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2432-407-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3124-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3152-593-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3216-311-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3272-359-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3288-263-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3292-389-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3312-207-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3336-413-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3396-275-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3564-401-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3620-611-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3820-341-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3920-431-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4056-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4060-323-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4072-93-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4072-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4140-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4140-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4208-287-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4220-28-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4272-617-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4320-239-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4332-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4388-371-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4396-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4420-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4424-600-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4440-231-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4484-127-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4568-52-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4652-269-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4656-199-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4748-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4796-255-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4852-377-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4912-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4920-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4932-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4936-335-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4976-365-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5012-587-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5028-623-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5064-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5084-85-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5096-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5160-437-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5200-443-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5240-449-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5280-455-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5320-461-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5360-467-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5400-473-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5440-479-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5480-485-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5520-491-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5568-497-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5600-503-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5640-509-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5680-515-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5720-521-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5760-527-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5800-533-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5840-539-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5880-545-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5920-551-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5960-557-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6000-563-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6040-569-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6080-575-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6120-581-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads