45f275b5273698f7c32c8ab20d62ddcae1046ba7f5d58f423e0f59fa5cba6b8c

Analysis

max time kernel
125s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus.Hijack.ATA_virussign.com_bb6efcea0ce29497ba49fe042e092649.exe
Size

108KB
MD5

bb6efcea0ce29497ba49fe042e092649
SHA1

2343e721820bf9a2cb94b2b843cae327a9af9195
SHA256

45f275b5273698f7c32c8ab20d62ddcae1046ba7f5d58f423e0f59fa5cba6b8c
SHA512

245558b18b65028bc8442808a78b2b5394bbb817704029641483cd72cbe82caaec659d0513257fd5da47187f8d08ef6774b490549f1600f249f247eafe679704
SSDEEP

3072:dG6xU6Sfcd4dTdvsF9CwoZFcFmKcUsvKwF:dE6t2vsF9mhUs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bblcfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medglemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggjjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hqdkkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqpapacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdgolq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepineo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdedepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpgjpb32.exe

Executes dropped EXE 64 IoCs

pid	Process
912	Bmggingc.exe
4872	Bfolacnc.exe
2016	Binhnomg.exe
4524	Baepolni.exe
2440	Bmladm32.exe
4620	Bbhildae.exe
4412	Cibain32.exe
644	Cdhffg32.exe
1264	Cienon32.exe
2668	Cdjblf32.exe
724	Cancekeo.exe
4156	Cgklmacf.exe
4568	Cdolgfbp.exe
4928	Cpfmlghd.exe
1552	Dinael32.exe
1776	Dcffnbee.exe
4816	Dpjfgf32.exe
1144	Dnngpj32.exe
5116	Ddhomdje.exe
1644	Dkbgjo32.exe
2300	Ddklbd32.exe
4224	Dgihop32.exe
4488	Daollh32.exe
1816	Dcphdqmj.exe
4628	Egkddo32.exe
3508	Eaaiahei.exe
2748	Edoencdm.exe
1480	Enhifi32.exe
1948	Egpnooan.exe
2180	Ephbhd32.exe
3372	Ekngemhd.exe
1468	Edfknb32.exe
3832	Ekqckmfb.exe
3652	Edihdb32.exe
456	Fjeplijj.exe
4396	Fdkdibjp.exe
4528	Fjhmbihg.exe
764	Fqbeoc32.exe
4304	Fjjjgh32.exe
2328	Fqdbdbna.exe
4860	Fgnjqm32.exe
2732	Fnhbmgmk.exe
2488	Fcekfnkb.exe
1340	Fklcgk32.exe
1924	Fqikob32.exe
2400	Gcghkm32.exe
900	Gjaphgpl.exe
4796	Gqkhda32.exe
2568	Gkalbj32.exe
1936	Gqnejaff.exe
1060	Gkcigjel.exe
4556	Gqpapacd.exe
752	Ggjjlk32.exe
4000	Gndbie32.exe
2092	Gjkbnfha.exe
4468	Hqdkkp32.exe
4152	Hccggl32.exe
4844	Hnhkdd32.exe
512	Hcedmkmp.exe
2504	Hbfdjc32.exe
4692	Hgcmbj32.exe
852	Hnmeodjc.exe
2612	Halaloif.exe
2200	Hgeihiac.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjjfeo32.dll	Daollh32.exe
File created	C:\Windows\SysWOW64\Kamonn32.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Jjdokb32.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Pmhegoin.dll	Medglemj.exe
File created	C:\Windows\SysWOW64\Ofgmib32.exe	Obkahddl.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dipgpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Ddhhbngi.exe
File opened for modification	C:\Windows\SysWOW64\Binhnomg.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Jdinng32.dll	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Mnpkiqbe.dll	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jnedgq32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbpf32.exe	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Mokjbgbf.dll	Nooikj32.exe
File created	C:\Windows\SysWOW64\Napameoi.exe	Nlcidopb.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Ddhhbngi.exe	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Daollh32.exe	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	Iloajfml.exe
File opened for modification	C:\Windows\SysWOW64\Lhgdmb32.exe	Lkcccn32.exe
File opened for modification	C:\Windows\SysWOW64\Bedbhi32.exe	Bbefln32.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cmdmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Pbljoafi.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjig32.exe	Bedbhi32.exe
File created	C:\Windows\SysWOW64\Cmpcdfll.exe	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Ddklbd32.exe	Dkbgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Gcqpalio.dll	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Nooikj32.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Amkejmgc.dll	Cekhihig.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jogqlpde.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lbebilli.exe
File created	C:\Windows\SysWOW64\Alinebli.dll	Lbhool32.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Nepmal32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Gqpapacd.exe	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Dpjkgoka.dll	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Omaeem32.exe	Oheienli.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdgolq32.exe	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Clhgbgki.dll	Gqpapacd.exe
File created	C:\Windows\SysWOW64\Khkdad32.exe	Kaaldjil.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Dikifc32.dll	Egkddo32.exe
File created	C:\Windows\SysWOW64\Hgeihiac.exe	Halaloif.exe
File opened for modification	C:\Windows\SysWOW64\Ilmedf32.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkocol32.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Jdaaqg32.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Bejobk32.exe	Bblcfo32.exe
File created	C:\Windows\SysWOW64\Bldgoeog.exe	Bejobk32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cmdmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Jnakbdid.dll	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Eaaiahei.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Ekqckmfb.exe
File created	C:\Windows\SysWOW64\Epaaihpg.dll	Iagqgn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8444	8368	WerFault.exe	342

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpqlfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddklbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjhmbihg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpifeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcdfll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edihdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkjddke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlqpaafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdokb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknanh32.dll"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkjom32.dll"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll"	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbebgj32.dll"	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojghflb.dll"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efiopa32.dll"	Bbefln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpefaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdgolq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll"	Bmggingc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgeihiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jopaaj32.dll"	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggociklh.dll"	Acppddig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpchp32.dll"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofndo32.dll"	Bpgjpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkclkjqn.dll"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moefdljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbcignbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll"	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bemlhj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 912	768	Virus.Hijack.ATA_virussign.com_bb6efcea0ce29497ba49fe042e092649.exe	92
PID 768 wrote to memory of 912	768	Virus.Hijack.ATA_virussign.com_bb6efcea0ce29497ba49fe042e092649.exe	92
PID 768 wrote to memory of 912	768	Virus.Hijack.ATA_virussign.com_bb6efcea0ce29497ba49fe042e092649.exe	92
PID 912 wrote to memory of 4872	912	Bmggingc.exe	93
PID 912 wrote to memory of 4872	912	Bmggingc.exe	93
PID 912 wrote to memory of 4872	912	Bmggingc.exe	93
PID 4872 wrote to memory of 2016	4872	Bfolacnc.exe	94
PID 4872 wrote to memory of 2016	4872	Bfolacnc.exe	94
PID 4872 wrote to memory of 2016	4872	Bfolacnc.exe	94
PID 2016 wrote to memory of 4524	2016	Binhnomg.exe	95
PID 2016 wrote to memory of 4524	2016	Binhnomg.exe	95
PID 2016 wrote to memory of 4524	2016	Binhnomg.exe	95
PID 4524 wrote to memory of 2440	4524	Baepolni.exe	96
PID 4524 wrote to memory of 2440	4524	Baepolni.exe	96
PID 4524 wrote to memory of 2440	4524	Baepolni.exe	96
PID 2440 wrote to memory of 4620	2440	Bmladm32.exe	98
PID 2440 wrote to memory of 4620	2440	Bmladm32.exe	98
PID 2440 wrote to memory of 4620	2440	Bmladm32.exe	98
PID 4620 wrote to memory of 4412	4620	Bbhildae.exe	99
PID 4620 wrote to memory of 4412	4620	Bbhildae.exe	99
PID 4620 wrote to memory of 4412	4620	Bbhildae.exe	99
PID 4412 wrote to memory of 644	4412	Cibain32.exe	100
PID 4412 wrote to memory of 644	4412	Cibain32.exe	100
PID 4412 wrote to memory of 644	4412	Cibain32.exe	100
PID 644 wrote to memory of 1264	644	Cdhffg32.exe	101
PID 644 wrote to memory of 1264	644	Cdhffg32.exe	101
PID 644 wrote to memory of 1264	644	Cdhffg32.exe	101
PID 1264 wrote to memory of 2668	1264	Cienon32.exe	102
PID 1264 wrote to memory of 2668	1264	Cienon32.exe	102
PID 1264 wrote to memory of 2668	1264	Cienon32.exe	102
PID 2668 wrote to memory of 724	2668	Cdjblf32.exe	103
PID 2668 wrote to memory of 724	2668	Cdjblf32.exe	103
PID 2668 wrote to memory of 724	2668	Cdjblf32.exe	103
PID 724 wrote to memory of 4156	724	Cancekeo.exe	104
PID 724 wrote to memory of 4156	724	Cancekeo.exe	104
PID 724 wrote to memory of 4156	724	Cancekeo.exe	104
PID 4156 wrote to memory of 4568	4156	Cgklmacf.exe	105
PID 4156 wrote to memory of 4568	4156	Cgklmacf.exe	105
PID 4156 wrote to memory of 4568	4156	Cgklmacf.exe	105
PID 4568 wrote to memory of 4928	4568	Cdolgfbp.exe	106
PID 4568 wrote to memory of 4928	4568	Cdolgfbp.exe	106
PID 4568 wrote to memory of 4928	4568	Cdolgfbp.exe	106
PID 4928 wrote to memory of 1552	4928	Cpfmlghd.exe	107
PID 4928 wrote to memory of 1552	4928	Cpfmlghd.exe	107
PID 4928 wrote to memory of 1552	4928	Cpfmlghd.exe	107
PID 1552 wrote to memory of 1776	1552	Dinael32.exe	108
PID 1552 wrote to memory of 1776	1552	Dinael32.exe	108
PID 1552 wrote to memory of 1776	1552	Dinael32.exe	108
PID 1776 wrote to memory of 4816	1776	Dcffnbee.exe	109
PID 1776 wrote to memory of 4816	1776	Dcffnbee.exe	109
PID 1776 wrote to memory of 4816	1776	Dcffnbee.exe	109
PID 4816 wrote to memory of 1144	4816	Dpjfgf32.exe	110
PID 4816 wrote to memory of 1144	4816	Dpjfgf32.exe	110
PID 4816 wrote to memory of 1144	4816	Dpjfgf32.exe	110
PID 1144 wrote to memory of 5116	1144	Dnngpj32.exe	111
PID 1144 wrote to memory of 5116	1144	Dnngpj32.exe	111
PID 1144 wrote to memory of 5116	1144	Dnngpj32.exe	111
PID 5116 wrote to memory of 1644	5116	Ddhomdje.exe	112
PID 5116 wrote to memory of 1644	5116	Ddhomdje.exe	112
PID 5116 wrote to memory of 1644	5116	Ddhomdje.exe	112
PID 1644 wrote to memory of 2300	1644	Dkbgjo32.exe	113
PID 1644 wrote to memory of 2300	1644	Dkbgjo32.exe	113
PID 1644 wrote to memory of 2300	1644	Dkbgjo32.exe	113
PID 2300 wrote to memory of 4224	2300	Ddklbd32.exe	114

C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_bb6efcea0ce29497ba49fe042e092649.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_bb6efcea0ce29497ba49fe042e092649.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\Bmggingc.exe
  C:\Windows\system32\Bmggingc.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\Bfolacnc.exe
    C:\Windows\system32\Bfolacnc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\Binhnomg.exe
      C:\Windows\system32\Binhnomg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        28⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        29⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        30⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        32⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        33⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        37⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        40⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        42⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        46⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        49⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        50⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        51⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ggjjlk32.exe
        
        C:\Windows\system32\Ggjjlk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        55⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        56⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        58⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        59⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        62⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        63⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3952
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        67⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        69⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        70⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        71⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        72⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        73⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        76⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        79⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        80⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        81⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        82⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        85⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        87⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        88⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        89⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        90⤵
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        92⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        93⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        98⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        100⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        101⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        102⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        104⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        106⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        108⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        111⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        113⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        114⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        115⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        116⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        117⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        119⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6252
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        125⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        126⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6652
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        134⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        136⤵
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        137⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        143⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        144⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        146⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        148⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        149⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        150⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        151⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        155⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        160⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        161⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        163⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        166⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        167⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        168⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        169⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6968
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:7160
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        173⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        176⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        178⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3720
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4476
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7192
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        185⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:7312
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        188⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        189⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7476
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7516
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:7556
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        194⤵
        Modifies registry class
        
        PID:7596
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        196⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        198⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        199⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        200⤵
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        201⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        202⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        203⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8012
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        205⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8056
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        206⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8140
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:8184
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:7216
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        210⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        211⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7508
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        214⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7568
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:7656
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        216⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        217⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        218⤵
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        219⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:7980
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        221⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        222⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        223⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        225⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7460
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        227⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        228⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        229⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8020
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        231⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7304
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        233⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        234⤵
        Drops file in System32 directory
        
        PID:7964
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7208
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        237⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        238⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:7756
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8240
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        241⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8284
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        242⤵
        Drops file in System32 directory
        
        PID:8324
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:8368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8368 -s 444
        244⤵
        Program crash
        
        PID:8444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 8368 -ip 8368
1⤵
PID:8424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afqifo32.exe

Filesize
108KB

MD5
01036047124a257d9a5d74e76922d950

SHA1
f808fcd7497907da732760e0b569291a1f763009

SHA256
95cd5c5a1fb1c4d1601ce311a33dfceea50c52797fc078719d67dbf5102d2722

SHA512
6850a859349a18a7a4e336e53d22cf003b941c9d0d2868d11b73a66aee0bea255575e17b719f4224321bee004ed9b761c733f0af821cdfa07a229fcc56d1aab4

Download Submit
C:\Windows\SysWOW64\Amoppdld.dll

Filesize
7KB

MD5
56726b49cbdbcac3b8203d07545eb071

SHA1
d7abe140bfe562734664e39d6c888eb443f585e6

SHA256
bc0238ad219994d2d37efa25a396099104af427205fc6d3e93fbc74bf59e997d

SHA512
cabb9e1715714fb6c355a6e454f2a90d8ed68bbc071e9139603c71d64064e27fdf9c61455f91d1589c785aa1e7cd19ad8b688ae6fb7ce4062d68c868bfe42733

Download Submit
C:\Windows\SysWOW64\Baepolni.exe

Filesize
108KB

MD5
3600a858c646699e5f8f88d1a8deee9f

SHA1
dd6eeceeb3a19c26b8221390d2ddfeea647993a3

SHA256
2e9b1cb6d728992a5113a648da4f6785c2f32cf42db19c10a621ce9d8dea0d0a

SHA512
7117fa81d9d0abcafe46ac2182810ddc8dba2a941b12b78f80a0e9b26fc57ec51535780e6804d60f3d9feaa87a7285deda996941db8be07b87614b733071676b

Download Submit
C:\Windows\SysWOW64\Bbefln32.exe

Filesize
108KB

MD5
ad1854cabc4bf410e364469a74384e1b

SHA1
e75e51f2ba8b00d368cb01149f8c14294f573bd6

SHA256
ed3a8c5e81c91b1217082102a1bec747c071dfd0d397b63b74a6ed10cb01c5e8

SHA512
d0819fe8bb189b927d7f69b53961c9e82eeb1f2aed7007092ad33ebe13549a42fb99af1e588c1da1e8564142aabc3bfa7c1cba21b5561bddb8f020b577adc63a

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
108KB

MD5
3153daeb1777745f04d56a8fa75bb08c

SHA1
0b94e15297094a14a37258f6c01b2c89a3eb3cbc

SHA256
77bf8ccd1f7441d59ec9970cc36fd3a835bfd683a44ce48a140e18317c048ef7

SHA512
4d572f0ddca862a059424a46d6481cbe681da99f92844029ee97d935c65ddc35935ac6d1e49ae108e974ac036f974f78d48aa1a9f5c8e7203b8ebff5fa1dbda2

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
108KB

MD5
a807d9825cd9d13298f81903a78bf3b7

SHA1
4023dfa62faaea1b3b7157f312283f42b364abac

SHA256
0321e885afb6fd33ce43041c5a9a94da4655fe550b66dd9e8eed5d1463687b35

SHA512
87e2cc52b71641b5fc5f4e784ab882695bc8d62be98b238bb978fafb625a8b4cd3050d9dfd4a9a3fcb06b2bdbfd47dfeb2dbd2efb750a3c51fa37f1f5ba5ff4f

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
108KB

MD5
8d6bdd0697d81ba23200415febe42a31

SHA1
bc4ec849f7ad4a6bfc25aae851cf1dc7f5a1350c

SHA256
822369850140f0d020b134fcd8033b5ba8ffc6008992bb0ea3a213ad773abdb4

SHA512
f5514694bc9d804dcb3b335e897ccfb12c350d50b7a494fe6a32699ac16433f4c28201fa9974859525e56e3e41c89bb2557833968b9ea0a2e63207cfdd64b47c

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe

Filesize
108KB

MD5
b60ed72f755780df91aa3baf561d56c5

SHA1
9aaba77ae3d3a16d44fd5086b1cc1d4982a06dca

SHA256
7d65c12635859e20acf62b4b1d22ebc23aa8aaa5db15b096e8726bb315d230f7

SHA512
26813050d2c8067b9232b4cd98ba2b778b9ce3ec51faff664e481b8ce2629d05aa8c33e5808cc7ef032f0ff0149f0b76587ac7a9d39b91e902cad46773b14343

Download Submit
C:\Windows\SysWOW64\Blknpdho.exe

Filesize
108KB

MD5
e15399899636b16214bc1110014bc592

SHA1
39445b996f66eec0415222904016d3e2d60d9ece

SHA256
4c4024ac5e87935e1dfaed269df4c7aafb9ba94056b8658c58895461838215ba

SHA512
b8c4ca30c2673ea5cc77b2a1ce8826f2527152bf17ac071f0b3cbc291f1e26a4d21af2430f496b92ca1ac643934c58881b99743a6a48f8c9dd0f2cb43cba3286

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
108KB

MD5
8e9ddd058fff180a5138220f92b14b2d

SHA1
186d541f9a727fc0e33620bad25a5688ab53d4fe

SHA256
6f752e14320177e3e1123c979983ddaed500f28e1c1b198b4b3624445c6c2cd4

SHA512
2d0f6fe0c6d56911edc259bed36ae99344f18b02a7bdb6de31a6ad4b66bbfc909f364762c2b1564e6af249835916ceceb1528048caf7e999eb29cc525cb5a8fe

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
108KB

MD5
f3b59ddac287b0dc7304d9c324f27cdc

SHA1
86ff0f303384d32b9f52bdb39852698a59e8f711

SHA256
f2fd82416b56bb3000240a6f7e4a73668bd626325638824081da7caef74615cf

SHA512
ff27654dd303d53f99b8a3dc2b6367d48a10ce6f298f208691a8504e688639e19d62dd15a503ff0840a3603ee6d66f9d1d5b2aaaa388f8f5abaa6f2dde6c92e5

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
108KB

MD5
a5ec8dd1bd4d0c245d90ef8a5e32bd77

SHA1
2a761f2107f6eb7c70e417528bbc30778519fef2

SHA256
7d8f15c59eef239c62ec1d079e4d3388e9f3ac7bbe8517d4bc61e1c3cbc99993

SHA512
046c7e2056319683fc9df21e82f08ba3658461e3ceaeab5c80240a7a4fc73980351939b7ec421f252db81dfd858890790a499e0eb534a1b40f4eb580c303102f

Download Submit
C:\Windows\SysWOW64\Cbhbbn32.exe

Filesize
108KB

MD5
c24bbd39553fb77babf56b20e11e6130

SHA1
e1952561f56ef5d3348b3fa2504c513aff2908ae

SHA256
15eb06f47180b55c0d2f40e68b2b953cb107a86d3eac0031e2a207c00de12105

SHA512
f7a281e62deb3ee79c84c5de4897be925114663f073d67cc56f7845a39d82e62964c0202ad600a631f47939076251b8714d40cc70fe83d185785de163e31adaf

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
108KB

MD5
a18523feaa0cfe49d0ae344bfd85aae9

SHA1
acb3dc5178c059f44d33234c6552c784641a95cf

SHA256
a9a2c35ffdb4b06eadc8201bcb97316326273b8f27668483cf6dac9d021b4b89

SHA512
98df899bc71991b98c071478b87fc15116e0a3665dfda51ffb0fc3959d3e06f46e88c1ae30ca5121b14a90292596dd319cf981569e06986059e2a730edcfd074

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
108KB

MD5
982da24c7a9b4f391edb59e7642cfcd9

SHA1
fd9c682692a7012f0de9cf75d2d052461734cf20

SHA256
fa91f124e83a550f2fc10caa7b80d06130d3094d2397b9c4078a2abc2d2558c1

SHA512
ae4b720b9410a0d755442d4e1a993c25c3519192c37d1120c49f9d08939f0b5659539b2088dcb55e4563cbdbc2df27f29e26ec94317fdb94ef0b11e21c5ae1c3

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
108KB

MD5
6914fb7f19840635b5af3e07e73d9ea8

SHA1
53121653a120239cc800148b356f56cc6ee15d3b

SHA256
9dc93b56996db4e63afcc88be6ae83e65e0ca95eb39790891b677c31b82e0e11

SHA512
c9a8b90db234e8294ddc6bda012a0aa0026a46ac1ee9876afeab10d0ca7a91dde26afd7e587e790c82257f74453cb369f0edbee418ee8bf61a0641269f83d727

Download Submit
C:\Windows\SysWOW64\Cehlcikj.exe

Filesize
108KB

MD5
cf9d4e61a59e251c688a1440978f28e7

SHA1
ce1e4022f0650e9bcea6a5d9a6d9d77356af5982

SHA256
e59deb203e80e4b356f5487eb4b07b27b3ccd01cf60d9acf02169836a0a335f5

SHA512
2426fa1741d53a5406238a07caebe5adf4fa4430513a8d3b890a13cb6b8910fe2e20412592f14a37eb6af8fb61861e8c818ac4f59f52108c14208ad8a7b29014

Download Submit
C:\Windows\SysWOW64\Cekhihig.exe

Filesize
108KB

MD5
e595eca9bb6f9937faaaa5be90ce8007

SHA1
ecb1b484775cef3eace3b83b7c3fd12d18aef585

SHA256
cd5da5945be1094241fc8cc77939ddd18aa15a9eb7213dd8ce4a379708579bce

SHA512
ae9f9476bd8f304bd332d4d1781972304bc6d2279ae6ba29993f785d1b7bb31c161b74dc9bbab21612304c49f857038b96bdeff4c2df2b2da5ad84680d45a0d4

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
108KB

MD5
793ad931a7b0331f9cf040ca2fa7997d

SHA1
5cc313f90923ae8006ea73d17138fec37e2f64a3

SHA256
81f7447bbd13608c151bf86f4c56a2c5c08d2a3b45a0d865d5d31f6f0b920a77

SHA512
14ee10ca3228f0f1deb0656aae02dd285f91f0fc76f801e6ed9c7b66ec7043ef1e3628bba89222eb9c579e1d2d8d1c8f494957164b4b7f71e9ba6dc918da2558

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
108KB

MD5
922ec6f62a7efbcc54a64b1a253bd5f9

SHA1
1fc46800c87716664575bd836f20c83fec68294c

SHA256
dd084765fa3e0fa21fd88367b08a3395bd50e0bf0c111761e4f87c98694f8669

SHA512
7d7f6d01f2fdd5663402c503a2448c4b4d9bd528fa0652394704fe9a2921d10c616e05fe48598861ddeb89fca739d4b6a1c94c92dcda1259ae60181c64f6f901

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
108KB

MD5
e9ba981dd6984012fd845c4573964e9a

SHA1
ae8b411dad41919efe7a863d65d41d1ab140286a

SHA256
d6bc46cca0ea562d3203be2f7665ae0ce98563f30bb28310b4fb43dd146bc929

SHA512
291e25c06d76cc111fd3152df5ad0a98808708e50664e4fcc5bb2c5b02b416696620f79a091d4cd5c70795b87d8b063fec2fed8ed521ebd25bb79a8fdac68892

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
108KB

MD5
df2b6c242986455965d7db4221eded9b

SHA1
3b9f1dc61708bfb7d4837a89097406c18f9c0760

SHA256
1480835bc6c06562a82c1db7aa8c87338473da77411530940b0bd9dfd96f4498

SHA512
ec0692dfd513af846c734e62b24b46f3ff524d6810c3ea76f648b62ea59abc90787c18622312c55e6e734bcf912cb5546fdccd4777bbbfd2633e59783473fe34

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
108KB

MD5
61d4126ae95fca28a653fedfcd320a23

SHA1
d49022426698184927389700139bd133f324dd66

SHA256
900c9eebd6f6e7e0364df4c183c7e5b1cf0785ba5940a6cb18d5aef4ecd5f321

SHA512
59b0148f14d65f40b3012cb90243748f86214b9c62d96f83055b477ea3a9fffde082f0a98c9a784871115bc7962bec9597a18b4011ca9aa41344e4f0589d2245

Download Submit
C:\Windows\SysWOW64\Daollh32.exe

Filesize
108KB

MD5
71d0a73b955edbdb17540b8bc16de184

SHA1
3e0dd41dfc9049c1f7c49a8ec8bfddf3560171c2

SHA256
e617707c1facbd6ed0b6ab814d1759ed85e1307791d564f96cfbb7e7f87a4750

SHA512
24e4439ec0005e854864fd53b7692c34e390d562cc342b23aa30711428e299ae1b0b6a0cf2c795fbd5e4ebae7f6b40a077e1c538a67ce36f8ae179a6e34c72da

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
108KB

MD5
b907d9b750fa70646c56ea013b10f7be

SHA1
82e43cb6db927f3b622b23176244555dbc464d5f

SHA256
fba03257e0a5dd7d260dbd3128f822e046b0d661d9e79af9ae0e46f6545f9f2e

SHA512
cbfc3d087dd69a0bda5f6164b442d5eaeefa8c03e1ce5e893416b68f5b3e39754bea21a6e93e6b947e70fde0ca69b9a3884704c5f3a59f938f59896cf77efec6

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
108KB

MD5
08711aa9d6008d443a9d38afa2e35c92

SHA1
eeaa0a5b66219e75e516c930f4572682e1347eed

SHA256
c9e8b9b6af97a2ea8884f9188abb5411fc4ac661bbccf9c60152a6a3befc806b

SHA512
d0bbd174ac72074ab60af700e8eb35bfa81f4d80c3c27474e3c2419caa8840a0f25fd8f56cab9beb2c7f62e85e0ecf4703851600a96b42a483e0847e46397ce6

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
108KB

MD5
4e6843c63a1820788e8c645a1bfd67f8

SHA1
19ae6be8520171d41877b3823e56ad54fc1b524d

SHA256
3838d4f3012a74643387b00f5b4e13e2c55a641ae519cdcd19d31d64a588e374

SHA512
31e9fff283e9770376771ecb49b55817595b3a55dddb9b15c70ed9492e17529f8eab21eb89194df9f07961d7ab13332db021bd7afeadd0f0be3618447f0757bd

Download Submit
C:\Windows\SysWOW64\Ddklbd32.exe

Filesize
108KB

MD5
b24ecec27b168d143155e1b34cd0d499

SHA1
8c1cd065b7f6055a8f59a44fe7bee61a2db1e602

SHA256
fc89b2c60482a8eb3ac53b250b8392c3f994474cda0298cb258003c186f766e7

SHA512
25bd3f436e92c463a9d16adb3993f2255f0f37dc2890570427df25d56322ca7632d6532fd46245e255fbd57390c373cacaa1b29bbf6bcb1d8e53c1496804a4a0

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
108KB

MD5
547a1f495b18abf10211ddf43e94b7a7

SHA1
e0b3bb5d5905377ccac25c7ae0ffde94dc4ea510

SHA256
031f354ef3e0e5ef6dded29119afa84535e443a34fd21dccdd281c9ccd31056f

SHA512
d89d58abc3e4999df2188508796ea1debac2bd771e7768a689cd0997766f3d603f6165f853b594a7de881626532e20674c165b0d25b284d50f581a67b39cb254

Download Submit
C:\Windows\SysWOW64\Dinael32.exe

Filesize
108KB

MD5
709b8c30009ff3191a2cca42491860f0

SHA1
bc6bb561c61ceb62de3c78ccd0f62dafc5b99fe1

SHA256
d45b0f1714b78d431a5ebb837eb0393c0189253bbb153878000f6724d36bef06

SHA512
69aa8cfbcdc8066091209898208cf8c5dcedc4502cc6b4297ddf309b7c1e99694233d494a1c8def446e3ea80260a82ed5927442cc443f519679ec5f745185ee4

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
108KB

MD5
41e7f9d51d9e3d72a2eff9112d003af5

SHA1
a1a32af81c1fd45f0ffefac67bbf21b92eaf82e9

SHA256
6e99167441c3c81cf6f339703b3d5ae479335f988d5d25d3c514ff2a204a91a8

SHA512
0f75142bf9cb3c335b6ee48e179e3e80a6e30767c5061962bd9dc4f6548392806cd0ff6a76df879d73f3a7eb8bd3f806aef5968ffd9af8fd01d94382a351d527

Download Submit
C:\Windows\SysWOW64\Dlqpaafg.exe

Filesize
108KB

MD5
8477d5ad08594863feab3ea581187c94

SHA1
9b713c3f045540117d078b35ad8fb82b64e49a9b

SHA256
2e7489d5a65a50c5b92acd8df087eeab1b364d9dbf74873904c96d75c3c7a491

SHA512
6b0cbe878c76cb33f354dc05db1c8cfdc6b55a6619fbf606a0b33f8a3505f631fa4c8212d865fb5669c35b7b6399e30959b4a5f87e6bb4308644261756fd743a

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
108KB

MD5
1d7ea8eb57434c26e8a691347d585c6e

SHA1
919c96d35092936243ba182f1ae4c18a4ebe301d

SHA256
3cdd7b8cc7e11b2c10671b2df57d5a3814ff362600a956a0746fabd077a447d6

SHA512
9a9bd8dce024b0fc2d6791dbe6fc685bcdc195520a37b8ab1c653351e6a514e84993e28c11809ff03be5b9aef7728e80a254427bf8077dcd9128e593a6d20fbe

Download Submit
C:\Windows\SysWOW64\Dpjfgf32.exe

Filesize
108KB

MD5
47f90516a5b2b2a46df0b3ef49baa243

SHA1
1d5b88b71486e9d5f45757a253f458a0b6789f85

SHA256
d38405341874c0382b3b46d69b288c4fb4560203a9be7f16a9d60e6c8b309c2d

SHA512
b032be36a5193a5db85df6d34fa6b092e993c202a84c0cb5397d529700b7bbc11d1c4e737086d90e27983ca2ffd47984cdf5bba6a32a15800b2bad80dfe92abe

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe

Filesize
108KB

MD5
29f51c3bc82aab7dd45d1190355378bd

SHA1
7c3f0ead47950ba909d52622af9564860fc22a71

SHA256
3b59ef0062bc0d4e2e5121768a5fa0b1f053af96dccc0bd9d31faa10dff4bd72

SHA512
007afdd73fb143f20b7060b4a4a09ec4d7079b81d7357dd0650be619b892ddf0814e11cc2226553914d90ece7c886778ab57a77add5eb71f8b900edbbc563c0a

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
108KB

MD5
b368bef02c9e23ecbc91be7f5f72b0d2

SHA1
fb65cb8d3526e14fd931ae0876340359d231e811

SHA256
5800bce4fec3aaaf42824d4ef0d5b32f6fcb0c725f42133730b3d612f30d9aae

SHA512
9da0f3000701412d3e2d59d345255e29dea93d099dbbec754220c744394c4ae6d75cf263a8474e8d6aef983f1443d03badff2ea35f538e3852623ce58f0a8269

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
108KB

MD5
cd9116caea50a3cea13a52afbe473cc5

SHA1
fa00779695ad646c3863e876576d84f1f2a1b24f

SHA256
28d7a6c616a5da3fa49bb70cbc98b48fb016a6ab94f84ec2a48d0485aceee5eb

SHA512
6d2e39c9df75103f649e14418635617b925ae7d8e05fdb36b38276c91a3e50f46242b6b463fd5968a52f29070dc82fdd84028a87346556d17c20055db02faec4

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
108KB

MD5
1a009dd60a019632b6c531e1a3e3f857

SHA1
bb806c9dfd3593876c96289acc85080b865715f6

SHA256
4a737e1052d19cdb78707bc697192adbba689f0d59c2ec3a4623f2999c2766ef

SHA512
2ae493635045f861513a4c04d972e99f53670ad13fce92406e4f110ac95d55dc5de704d6d3ac316ed8f6992e529725065f1196a5739fd107cfc3d785d144c2ef

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
108KB

MD5
8674550b54231dbe120fbb3d8d248079

SHA1
d4b098f27dbf4338fc999c79a7658e4d2b723eb0

SHA256
de81523fb7032c720dd247d59b0b79784d0d12f80442ea08150037fa46c233fc

SHA512
aba5583741bfa343bce16b4be2706a0316e941b4b9668dd9cf747b0ccfaaea5e9f263978e126dc0b7cda58c8cd9e1d67352afb42a6eb32271c70709ecc1bd40b

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
108KB

MD5
52aac50e06745bd1a0b19e3c9db6bc47

SHA1
0a15f741e9add9ba63f0b1927360dbadad20b26b

SHA256
dd1fe72fd0b037c88a2c44c61913b3950b62c82dbeb6d1505b8685559c44caef

SHA512
1944d814ed07ed8eec551ac8d528e29136c3e89538dd294aab23124abc2da16a8daa3a7dacef8116675994179e5940106a53d0c1d5d7a4c296562896e36b426d

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
108KB

MD5
7e0578802120a3b716c72d26fa5ac63f

SHA1
54f34e496a4e56affdf43eecf8c27e3d632f43aa

SHA256
62ec077a4495b5d497ef7c256e19e4a39d57044860f6db29146a42e0861044e2

SHA512
fd7fc63cd7e9541f26b6cc3101a3f33bf466ff9fefc155c9369f385687e1bce60f8c685e42afc537612d7a642bb8875cd1dbbb0e04728a4832e9ff8fb6ac1b8c

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
108KB

MD5
ab846318acace7c657246ef99477d4bf

SHA1
d91b8bba9a4c727a6d37c3911ac5bc13ba89e4f2

SHA256
fea9755f63db030b11a7a6f17e05eddafd4a586c461b84b2bba3f202005e4fbb

SHA512
560f1b4503c9821e7afa8d6e3518cce8b103c014bcfe2bfa3401d927626c0d903219648232c84fc09921dc6c604c02573116e4f1d85ee6cb202a430436b78b2c

Download Submit
C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
108KB

MD5
61edaa6acf25d149e0b97b2646693aed

SHA1
d0b94572475477c259781a7455febd719182aaa8

SHA256
fb888af35eeb6aaf584597e8635d254c30361ff2f9f766c9f63bca58dacd2470

SHA512
9aafc7aa99454e6f473cc37dc67baa827c239d1df504a9266a1ec6e5cdd542d9257181ecbb8e3542ffc66c4b8816c2f6ea789eec712ecab6e7dfaaca1b77716d

Download Submit
C:\Windows\SysWOW64\Gcghkm32.exe

Filesize
108KB

MD5
539ac1bb7a80052bbf10448edd22cc55

SHA1
ec56019d3de552651a09efe05b5dc539cf924d84

SHA256
093bd35624ce999ac850bfdeb69da2d0dbbf217e444ac5ee047ed5cc8f78c8fa

SHA512
8a3bd09dc601ea9a52d51aeef952683105d92b13c364239f9e523228b1c3afdd5ddd26be03a59f000bd1386402c673fb528a98f6560d44e56ea7b79f0bcd5d90

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
108KB

MD5
8b8b1d97e3d00a903b735ab5c5778bd5

SHA1
b52abe0f37a043590ab2d492538bee0bff3551b7

SHA256
5a669a08b3017b2cd87c331e4e15b89109f3b67fa49b03ebfd23e5623349bb58

SHA512
67754874d3009fc00ce4057de0e2f52696444e11d0615bc7ad7f9b61e5f83f37dc5c34924cea027bc8668600574bee7e53df079cbf01ee47b21f098c6b884128

Download Submit
C:\Windows\SysWOW64\Hcedmkmp.exe

Filesize
108KB

MD5
e1dfdd884ecb7e29efaa85b9322f60c7

SHA1
d301eaf5d83526c5084042de3ce88095ea026c91

SHA256
e1ff225480dd445c42442c8fc97259ae61997a647a32677e729412bf47a91228

SHA512
1142d3be4b21b62fa3e4edb578e42244d7690387c3f8f399df975587c92cd135d63cc886187ea07e3c2b11e91570f7cc23ce4ed89c8b16edbe9ef4d538dffded

Download Submit
C:\Windows\SysWOW64\Hnhkdd32.exe

Filesize
108KB

MD5
aca15149d70a5a531803576c0b06bb1e

SHA1
7952e683d13ef07c29f95944b78b8c3174b462fe

SHA256
e750dbf38cc8a5a738c847ad1913a56518377c9e871e9d9f56ed0e39be900640

SHA512
f342e20e387d12b14e1dfa812572f306a110e94bc3722c97e64359f446fcc133ae12cbd937ac2c987e5df6e459d1102aed9fcd3c9e6dee623265b42be9c63b48

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
108KB

MD5
2b0577eead40491f0a4eb77689ce2f89

SHA1
ddce12b4811eb59debe0658e3e74e2ffbcfcb363

SHA256
0b87562d8e0f28c0091b2adaefa92aa431a00113944d421338ad74c6d4a6d400

SHA512
4ab02bc36ee3dd5f8e4a6a52aedf53c39c6ebcad694a75d103c744da95117a02f67b81100aa4636ff030e2fb1ca90c998ce09a7205afbb540c957f3441fbc4a9

Download Submit
C:\Windows\SysWOW64\Lkcccn32.exe

Filesize
108KB

MD5
e581227cbdb53a8351cbe3a6a70e4a1a

SHA1
540a6e61643d7fcd435b9cf5d5a872f824ea6130

SHA256
20b59387ded62950153ae6258cc2e4d5b7efd1727b6ac87bc4d7a7d9e51dcc60

SHA512
e5ae5e09784b2a69ccc7503b9303c8abe11eea7d6f2a7a6f5cc4d3128ee121c116e9d9bffcdfdd0ab9a04803c8f76059b71ece5dd40ed18709d9c5e584ba3bcb

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
108KB

MD5
a530c99a2dfdafa1515410e997df95ff

SHA1
f6946c91fc172073e21aafdf9b818dcd6a38ddf7

SHA256
eb35a485b96cf7a63899a0ede58be8a201190c481796c3ff63707791b4b5e85d

SHA512
46f0bd35e162ebc2bce17117474fcabffacea2a01c3525024abee3d5f720768278748a5e2201e0e252e06c62d2e01684c9407b59cff665ea2af9b2eb9f1641c5

Download Submit
C:\Windows\SysWOW64\Mkepineo.exe

Filesize
108KB

MD5
0ed780a6d49740a1571afb53f0f72256

SHA1
9a4d1e710eaf0c431957e0548ca57a27350372a7

SHA256
4d4e0cb9bb75bee6b72ac9e801c5db2bf4f71b9a585c12ca9e171007c3576f1b

SHA512
1cd495f470121e4ad084ad890521d791ef253804508f6e1727472a7aa13399165afa2d8659913fc19f431f690c81efcee032c53dc18aeaf98e1331bd5584b5ba

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
108KB

MD5
71953f3bf9476296dbe56f7f08cfdffe

SHA1
5a18dcef992b764f081bd623e188e4f163282db7

SHA256
b889df6e74ab114127b4341cb6f82825ac82b2e2f11335d35449f8f3ee2a3d57

SHA512
7c204bc7a1df4471d0841e02279f4dd8d3dfef277b6d2eab8efe432c64608bc1a23e3c8c83c3a1a58505e56465349995c91f5ad53e4c39a365043e638b43df64

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
108KB

MD5
a41ce102df9e6745ed3b63dbe67bf060

SHA1
4db0e4c94aab3fd7f7d7cb685d0a65be5f92e0b9

SHA256
56948daa168f8cfca3dd427b8b43f19e3b2febef4acda60f7f26449b17e3c103

SHA512
ecab86cbabd9346a563b3c63bc0b0a1774400f5b55fa2b76b12ea0f9ba94c8b5f23dd525cd8f77be7083fc262b9fd1767846465f64254df37f8b527457d4ed8c

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
108KB

MD5
38b09ddee4d6693ed75c487a1d7b0e61

SHA1
2bd392868d8cc296a504e01d723b244ec5166b3a

SHA256
ab2db30c1f555c488872ea72920c89b033ee36b8f4daffd5f888be00ebac1e40

SHA512
b4f97ff143ef06655bdc787f9a7cd64022d3b7e064d92ee54a49a71d22f6274e16887d58be8d58bb65037a86b250f6f5b769f9e94cac1c5e5ae1b033700bf56f

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
108KB

MD5
c8de777b5864cad91a46bfe90a5c95f8

SHA1
c16101628d14a59aa191497484fd877a4b29ce85

SHA256
5a5c4f371545f624d3ef612a718b406674a894df7b538ab055eb44ed98c00698

SHA512
8e5f7025cffb8e9f4d54b619d449d16b7e7c60528f628303982355f7e8a6d2a7bba2635341f99606b5a7febc321c224b2f455c96c8c97b8c4daa49eebc5945f0

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
108KB

MD5
89dee30654ee8d1eefdc4f635eba4066

SHA1
ec93aa03f868b836f3ebfc4787e1eba7e61a15c8

SHA256
d27fcf98afcf82141619fc423d1ccc7d22f210f568b17c750131354b9cefe850

SHA512
46e105508ffb0393768181f0453101b725a29da61e7c834e448927fe2ddc52542d314830e059fc79a93b22a4c6d7a53b91e75c6d720837d0cea6ed9d9b3b45d6

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
108KB

MD5
22df4387b409f75ef1982e4b5e25b61f

SHA1
500a2ef567d6c6673e3101565a55a3fdac91f759

SHA256
7043b8edc4e566ab018689bf74f3baf78ed4804fa92e4c7c7210213fda43507f

SHA512
dff543f80ab873ada43260c1c227e3e05c892503ed90f01c0cd5a4dae799b8a0d83794dbead2e8c6d47d2d2fa42cbbd47cc994cca4f4bbf7b924953c35b93817

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
108KB

MD5
604ec4af3cf452a0fe1a00be464061c4

SHA1
7162ede011b48cef59ec6c9d9f327c344bd0edde

SHA256
df34a82543949caaeef643092bc3d900ba2842b6ef3f9416d757a6d188d76880

SHA512
81d289946a1f778be4b6e1dcf54d49280bc8a700665504d5f39c4f80785b9a7b8b3caa01edb95bf4e355d6fa4b08bc271dbf445c773c7b16586a455882cb7969

Download Submit
memory/456-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-2024-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/512-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/724-612-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/724-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/764-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-542-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/900-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-549-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1060-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1264-604-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1264-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-561-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2092-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-610-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2732-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3508-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3652-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3832-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-457-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4000-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-619-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4304-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4396-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4412-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4412-588-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4468-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-568-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4628-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4872-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4872-555-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5116-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5132-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5172-470-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5212-476-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5252-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5292-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5324-613-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5336-494-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5384-500-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5424-506-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5432-1867-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5464-512-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5504-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5544-524-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5584-530-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5584-1938-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5640-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5680-543-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5712-1905-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5816-562-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5872-569-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5932-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5976-1866-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6012-1897-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6296-1855-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6504-1733-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6916-1826-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8180-1638-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8184-1668-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads