d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18

Analysis

max time kernel
101s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Size

128KB
MD5

78090ef4bfc6cf47c2abb36639bf2690
SHA1

4d4d3278bda005cb28407c65d7bda682f0ff95b5
SHA256

d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18
SHA512

fab6adbc1d4bdfb89847a8c48ec59d7d6d7784762afb35c16dd4c1ec7165919b2cb6be101ff7fc97c75047a871133fdb3d8b56f0fd431c49a846486f86ccaad6
SSDEEP

3072:8UjEH1kbFKYmRSy/OG1r95JDoeAk7DxSvITW/cbFGS9n:8UuxY/y/v1rjJPAohCw9n

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fniihmpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoepebho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkhpfbce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doagjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhfpbpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehbnigjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haaaaeim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkofga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbejloe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlgoek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccpcja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkcndeen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glhimp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnkfmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggfglb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe

Executes dropped EXE 64 IoCs

pid	Process
3944	Pjpfjl32.exe
1984	Paiogf32.exe
4768	Pdhkcb32.exe
3520	Pffgom32.exe
5028	Pjbcplpe.exe
3484	Phfcipoo.exe
912	Pnplfj32.exe
3320	Ppahmb32.exe
4312	Qjfmkk32.exe
2880	Qaqegecm.exe
4320	Qdoacabq.exe
1224	Qjiipk32.exe
4964	Qmgelf32.exe
2540	Qdaniq32.exe
2016	Afpjel32.exe
3216	Amjbbfgo.exe
4124	Adcjop32.exe
2684	Aknbkjfh.exe
640	Amlogfel.exe
3984	Ahaceo32.exe
4084	Akpoaj32.exe
4652	Aajhndkb.exe
1904	Amqhbe32.exe
3228	Aaldccip.exe
2752	Apodoq32.exe
60	Akdilipp.exe
4176	Aaoaic32.exe
5044	Bdmmeo32.exe
1140	Bkgeainn.exe
2424	Baannc32.exe
2004	Bhkfkmmg.exe
1776	Bkibgh32.exe
3604	Bpfkpp32.exe
452	Bhmbqm32.exe
1520	Bklomh32.exe
4924	Bmjkic32.exe
3364	Bphgeo32.exe
1500	Bhpofl32.exe
2396	Bknlbhhe.exe
2576	Boihcf32.exe
2916	Bahdob32.exe
3400	Bdfpkm32.exe
4760	Bhblllfo.exe
4108	Boldhf32.exe
1736	Bnoddcef.exe
1284	Cpmapodj.exe
4604	Ckbemgcp.exe
1640	Conanfli.exe
1368	Cdkifmjq.exe
2132	Cgifbhid.exe
992	Cncnob32.exe
2960	Cdmfllhn.exe
392	Ckgohf32.exe
4660	Caageq32.exe
4484	Cdpcal32.exe
2224	Ckjknfnh.exe
2764	Cacckp32.exe
2212	Cgqlcg32.exe
3276	Cogddd32.exe
4168	Dpiplm32.exe
4440	Dddllkbf.exe
468	Dgcihgaj.exe
1064	Dnmaea32.exe
2648	Dpkmal32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pdhkcb32.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Bfcklp32.dll	Fniihmpf.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Doagjc32.exe	Dgjoif32.exe
File created	C:\Windows\SysWOW64\Nqgnfcmm.dll	Egcaod32.exe
File opened for modification	C:\Windows\SysWOW64\Galoohke.exe	Gbiockdj.exe
File opened for modification	C:\Windows\SysWOW64\Ganldgib.exe	Gnpphljo.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Gicgpelg.exe	Galoohke.exe
File created	C:\Windows\SysWOW64\Gacepg32.exe	Gpaihooo.exe
File created	C:\Windows\SysWOW64\Hmjbog32.dll	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Dlofiddl.dll	Hhimhobl.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Qjfmkk32.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Lpmkebjc.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Nfihbk32.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Ommceclc.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cncnob32.exe
File created	C:\Windows\SysWOW64\Nnckgmik.dll	Fqgedh32.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Hppeim32.exe	Hhimhobl.exe
File created	C:\Windows\SysWOW64\Jojdlfeo.exe	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Fjoiip32.dll	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Hbldphde.exe	Hhfpbpdo.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Kabcopmg.exe	Kocgbend.exe
File created	C:\Windows\SysWOW64\Bmjkic32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Geoapenf.exe	Gacepg32.exe
File created	C:\Windows\SysWOW64\Egopbhnc.dll	Lomjicei.exe
File opened for modification	C:\Windows\SysWOW64\Mpapnfhg.exe	Mledmg32.exe
File opened for modification	C:\Windows\SysWOW64\Hpkknmgd.exe	Hlppno32.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Nmfmde32.exe	Njgqhicg.exe
File opened for modification	C:\Windows\SysWOW64\Oikjkc32.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Fkaokcqj.dll	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Pjmnkgfc.dll	Ibcjqgnm.exe
File opened for modification	C:\Windows\SysWOW64\Klbnajqc.exe	Khgbqkhj.exe
File opened for modification	C:\Windows\SysWOW64\Lomjicei.exe	Lpjjmg32.exe
File created	C:\Windows\SysWOW64\Mcoljagj.exe	Mpapnfhg.exe
File opened for modification	C:\Windows\SysWOW64\Bkibgh32.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Ghfedh32.dll	Fgoakc32.exe
File created	C:\Windows\SysWOW64\Gpaihooo.exe	Ggkqgaol.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Geoapenf.exe	Gacepg32.exe
File created	C:\Windows\SysWOW64\Gngeik32.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdkifmjq.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Hokomfqg.dll	Ihmfco32.exe
File created	C:\Windows\SysWOW64\Kekbjo32.exe	Kapfiqoj.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Cnokmj32.dll	Momcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Akpoaj32.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Jafdcbge.exe	Johggfha.exe
File created	C:\Windows\SysWOW64\Mfkkqmiq.exe	Mapppn32.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Aaoaic32.exe	Akdilipp.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Gicgpelg.exe	Galoohke.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8544	8064	WerFault.exe	395

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgoakc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jojdlfeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakmna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieojgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoppf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqgedh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feenjgfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibqnkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbgeqmjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofefp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbcncibp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gicgpelg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbjfjci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbgncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hejqldci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibegfglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaajhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcaipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojemig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpaihooo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihkjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opbean32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foapaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhifomdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keifdpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfepdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggbcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkofga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapppn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgdcipq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggkqgaol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilnlom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kolabf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllagh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglkoeio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gihpkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemooo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Filapfbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbihjifh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjjmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fijdjfdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodlgn32.dll"	Gbiockdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmdfp32.dll"	Doagjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kplmliko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gnblnlhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Filapfbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemfc32.dll"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll"	Finnef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dqnjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbiockdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mapppn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll"	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjiffif.dll"	Iamamcop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqlfhjig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkiongah.dll"	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Johggfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keifdpif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Nodiqp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 3944	3952	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe	84
PID 3952 wrote to memory of 3944	3952	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe	84
PID 3952 wrote to memory of 3944	3952	d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe	84
PID 3944 wrote to memory of 1984	3944	Pjpfjl32.exe	85
PID 3944 wrote to memory of 1984	3944	Pjpfjl32.exe	85
PID 3944 wrote to memory of 1984	3944	Pjpfjl32.exe	85
PID 1984 wrote to memory of 4768	1984	Paiogf32.exe	86
PID 1984 wrote to memory of 4768	1984	Paiogf32.exe	86
PID 1984 wrote to memory of 4768	1984	Paiogf32.exe	86
PID 4768 wrote to memory of 3520	4768	Pdhkcb32.exe	87
PID 4768 wrote to memory of 3520	4768	Pdhkcb32.exe	87
PID 4768 wrote to memory of 3520	4768	Pdhkcb32.exe	87
PID 3520 wrote to memory of 5028	3520	Pffgom32.exe	88
PID 3520 wrote to memory of 5028	3520	Pffgom32.exe	88
PID 3520 wrote to memory of 5028	3520	Pffgom32.exe	88
PID 5028 wrote to memory of 3484	5028	Pjbcplpe.exe	90
PID 5028 wrote to memory of 3484	5028	Pjbcplpe.exe	90
PID 5028 wrote to memory of 3484	5028	Pjbcplpe.exe	90
PID 3484 wrote to memory of 912	3484	Phfcipoo.exe	91
PID 3484 wrote to memory of 912	3484	Phfcipoo.exe	91
PID 3484 wrote to memory of 912	3484	Phfcipoo.exe	91
PID 912 wrote to memory of 3320	912	Pnplfj32.exe	92
PID 912 wrote to memory of 3320	912	Pnplfj32.exe	92
PID 912 wrote to memory of 3320	912	Pnplfj32.exe	92
PID 3320 wrote to memory of 4312	3320	Ppahmb32.exe	93
PID 3320 wrote to memory of 4312	3320	Ppahmb32.exe	93
PID 3320 wrote to memory of 4312	3320	Ppahmb32.exe	93
PID 4312 wrote to memory of 2880	4312	Qjfmkk32.exe	94
PID 4312 wrote to memory of 2880	4312	Qjfmkk32.exe	94
PID 4312 wrote to memory of 2880	4312	Qjfmkk32.exe	94
PID 2880 wrote to memory of 4320	2880	Qaqegecm.exe	95
PID 2880 wrote to memory of 4320	2880	Qaqegecm.exe	95
PID 2880 wrote to memory of 4320	2880	Qaqegecm.exe	95
PID 4320 wrote to memory of 1224	4320	Qdoacabq.exe	96
PID 4320 wrote to memory of 1224	4320	Qdoacabq.exe	96
PID 4320 wrote to memory of 1224	4320	Qdoacabq.exe	96
PID 1224 wrote to memory of 4964	1224	Qjiipk32.exe	97
PID 1224 wrote to memory of 4964	1224	Qjiipk32.exe	97
PID 1224 wrote to memory of 4964	1224	Qjiipk32.exe	97
PID 4964 wrote to memory of 2540	4964	Qmgelf32.exe	99
PID 4964 wrote to memory of 2540	4964	Qmgelf32.exe	99
PID 4964 wrote to memory of 2540	4964	Qmgelf32.exe	99
PID 2540 wrote to memory of 2016	2540	Qdaniq32.exe	100
PID 2540 wrote to memory of 2016	2540	Qdaniq32.exe	100
PID 2540 wrote to memory of 2016	2540	Qdaniq32.exe	100
PID 2016 wrote to memory of 3216	2016	Afpjel32.exe	101
PID 2016 wrote to memory of 3216	2016	Afpjel32.exe	101
PID 2016 wrote to memory of 3216	2016	Afpjel32.exe	101
PID 3216 wrote to memory of 4124	3216	Amjbbfgo.exe	102
PID 3216 wrote to memory of 4124	3216	Amjbbfgo.exe	102
PID 3216 wrote to memory of 4124	3216	Amjbbfgo.exe	102
PID 4124 wrote to memory of 2684	4124	Adcjop32.exe	103
PID 4124 wrote to memory of 2684	4124	Adcjop32.exe	103
PID 4124 wrote to memory of 2684	4124	Adcjop32.exe	103
PID 2684 wrote to memory of 640	2684	Aknbkjfh.exe	104
PID 2684 wrote to memory of 640	2684	Aknbkjfh.exe	104
PID 2684 wrote to memory of 640	2684	Aknbkjfh.exe	104
PID 640 wrote to memory of 3984	640	Amlogfel.exe	105
PID 640 wrote to memory of 3984	640	Amlogfel.exe	105
PID 640 wrote to memory of 3984	640	Amlogfel.exe	105
PID 3984 wrote to memory of 4084	3984	Ahaceo32.exe	106
PID 3984 wrote to memory of 4084	3984	Ahaceo32.exe	106
PID 3984 wrote to memory of 4084	3984	Ahaceo32.exe	106
PID 4084 wrote to memory of 4652	4084	Akpoaj32.exe	107

C:\Users\Admin\AppData\Local\Temp\d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe
"C:\Users\Admin\AppData\Local\Temp\d2aa6223364324e69784314ba7d961faf2018cdda11e385f0481933b3d59ec18N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\Pjpfjl32.exe
  C:\Windows\system32\Pjpfjl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\Paiogf32.exe
    C:\Windows\system32\Paiogf32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\Pdhkcb32.exe
      C:\Windows\system32\Pdhkcb32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        23⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        24⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        30⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        31⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        33⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        35⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        37⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        40⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        41⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        44⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        47⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        53⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        57⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        59⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        63⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        65⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4900
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        67⤵
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        68⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3632
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        71⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        74⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3212
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        78⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4416
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3908
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:64
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        82⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        83⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        84⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        86⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4816
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        89⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        90⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        91⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        93⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        94⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        95⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        97⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        98⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        99⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        101⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        102⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        105⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        108⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        109⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        111⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        113⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        115⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        117⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        120⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        121⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        122⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        123⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        128⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        129⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        131⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        133⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        134⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        136⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        138⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        140⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6568
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        142⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        143⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        145⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6784
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        147⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        151⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        152⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        153⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:7148
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        156⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        157⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        158⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        159⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6760
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        164⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:7036
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        169⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        171⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        174⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        178⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        179⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        180⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3168
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        184⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        185⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        186⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        187⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        189⤵
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        190⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        191⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        192⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        193⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        195⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        196⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        197⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        199⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        200⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        201⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        202⤵
        Modifies registry class
        
        PID:7260
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7304
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        204⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        205⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        206⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        207⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        208⤵
        Modifies registry class
        
        PID:7532
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7596
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        210⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        211⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7704
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        212⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        213⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7792
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        215⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        216⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        217⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        218⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        219⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:8100
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        221⤵
        Modifies registry class
        
        PID:8136
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        222⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        223⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        224⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7328
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        226⤵
        Drops file in System32 directory
        
        PID:7404
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        227⤵
        Drops file in System32 directory
        
        PID:7480
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        228⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        229⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7684
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        230⤵
        Drops file in System32 directory
        
        PID:7764
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        231⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:7908
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8000
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        234⤵
        Modifies registry class
        
        PID:8072
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        235⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        237⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        238⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        239⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7288
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        240⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7524
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        242⤵
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        243⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        244⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        246⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        248⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        249⤵
        Modifies registry class
        
        PID:7380
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        250⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        251⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7916
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:8088
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        253⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7332
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        255⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        256⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8108
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        258⤵
        Modifies registry class
        
        PID:7256
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        259⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        260⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        261⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:7472
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        263⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        264⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        265⤵
        Modifies registry class
        
        PID:8308
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8356
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        267⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:8444
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8488
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8532
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        271⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        272⤵
        Modifies registry class
        
        PID:8620
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        273⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:8712
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        275⤵
        Modifies registry class
        
        PID:8756
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:8800
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        277⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8888
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        279⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8932
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        280⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9016
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        282⤵
        Drops file in System32 directory
        
        PID:9064
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        283⤵
        Drops file in System32 directory
        
        PID:9108
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        284⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:9200
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:8208
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        287⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        288⤵
        Drops file in System32 directory
        
        PID:8340
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        289⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        290⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        291⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        292⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:8628
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        294⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        295⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        296⤵
        Drops file in System32 directory
        
        PID:8836
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:8908
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8980
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        299⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9120
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        301⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        302⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 412
        303⤵
        Program crash
        
        PID:8544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8064 -ip 8064
1⤵
PID:8044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
128KB

MD5
020fe77a0aa6bcd63209836bb5adceb1

SHA1
3a55dfc2ce8058b71a768956affcc015a280fe4e

SHA256
1e5ec65892b36f1b471b000372027895cb909e23ccf558fb2e08e3d202a7e9b4

SHA512
91c7d066bd9f6e7e2ad14071d16862f4067fab547babf03fcc66258c5f3b536cc3515e19dbea7c02d6ae89f490ed709721bd3ee0f021b7b92516eb1135510471

Download Submit
C:\Windows\SysWOW64\Aaldccip.exe

Filesize
128KB

MD5
9a920f7a79e8c41233ba64883795b7ce

SHA1
66981d6a66eee39fa10f9cf4617745cac5b89752

SHA256
0de75ca6bd3397e0b2ff0663f277c80bc6eaf9b8c668e4309db06ea320d0acce

SHA512
02f18172b0bdbe7f0e5b0d3b6dabd6629bcb426b7ae7b3f2f82ca0f42c88f10c9d6332e70ab68d2f42dfdc36d39010668db0d8c8e7da9cbe7867bdc503f51f69

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
128KB

MD5
95bf01fde8b5342a4cb65f180bc51c62

SHA1
d0b2224fffa827e86d34168113d8f4938356452a

SHA256
9af98b9694a849b697b1ccbe83b184b1e35b63a2eaaf38518467eda4080ff85c

SHA512
436fe889bfc562a73711e565ee21682c15df8b1b7fcc15fec1f4b170695ca15afadf9436b2756006e76e1fae3f37195137983e6d006837c017a9840f50803abd

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
128KB

MD5
a6aff7ab7b55dc1a1e37f29af2eda242

SHA1
b92bab3498a89da1d981f297ceb4800401e16c7c

SHA256
3b2861b25dada48f53f48a8640fc213c66b93ebefc9b18c6d09c88e04aeb4f85

SHA512
7ddd5e9c23d857c51727944b71df15ae4facbb843c281f6e3b68ab68c1d7f26ef5810f27263e0aa7f04ff6144d07fa8d3ae96cfad1271b2a3d81a775faf0921b

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
128KB

MD5
6a61f6f4b2d17e3a48f887b061ba79d5

SHA1
ff5d56e8b68d73a8830da2f1ddc20047ebcfb0b0

SHA256
28836e1874e1647ee79b23e7fbc205b29743d1862c3d9e48f53db8e3ab1379dd

SHA512
3ad9be3a5b7f598e61d92d3c9ef7409f6d2ac8ac2bd43e81e19a0a914114ca8e48df43120b000b8a389827edc00666e8c55315fc1102b9de75f034bd916800ce

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
128KB

MD5
837b875500158c1389e13e82be40b6fd

SHA1
d1ec369ef52ad2f7ca6e06dc7cd78148e907b5da

SHA256
8942eedd58494586defa8cae611baa7befc77a1c4f3df3568e67c92027153745

SHA512
44aee4a17ee16174e17f92c6be033050a2a77ccff42c2bc8de8a1d2cb3132c9a2b0fa111aeffae63f243c08afa91beecfc8a654713008193cbe8e02b04f03e4a

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
128KB

MD5
53bd2a0bab24b2c9bb5c86ea1b2c527f

SHA1
09a6807452d7090e3c35dc6c6694c821c81a1fa5

SHA256
645af06540161576024de0707a3ae8386be548f539cced878cb9b9baa94ab7a1

SHA512
3457e582f1790d4ea7b5820c7f75114c39225170df5f53bc2229ddb43d8e42d13cc32a54723fae04ded8141e255d563a6a517a42982a646888393934e80e9cee

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
128KB

MD5
5d1585da2eafee40d5d8bd84c353ff42

SHA1
a5b4b1581512072bab587b00d51e4ff82edd3edc

SHA256
43a6dd9710356ab068504f2954fa5373a48166cb133abe16be94504cad343d5d

SHA512
6cb5367f6189c7ab13e2849efbc7b6b190496bc128829d6bdbbe62272c73ca5e8c22ba89817ddfd0104df8a220ff5e961eadbcb9e7e63308f8462ec4c73162dd

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
128KB

MD5
eb97f01283688e40eef033610fa0b46b

SHA1
ec125256442e08526fec9bc10384f0a32e324263

SHA256
378326bcc67308d06d47c0b66575fdc7207cd18d6e3aae92eaacbebd14798cdb

SHA512
a4f40307a7a98b149b750cace164f8ad56720a03e4121963fb3f66b01ab2e4c37182f97b558d9493ba73631fb599e216c92ac825d20c5058936021850cb0e4a8

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
128KB

MD5
f7fe948280f749559cf0cbbdf6787601

SHA1
4167b46229269cbc31eb07cbacb410807f58cf77

SHA256
b5114421cda2adb569f2ba51e1a956a2ecf923130fb1b2a57850c8491f01c44d

SHA512
d29382df90af5863287cfa46daaecd33b6f2d816bd69859722253b3773f725cd995a76a415f17192eab75a94c1ce7a5e9ff1c30327ba30e36106077df8ea6ded

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
128KB

MD5
eef405870a312aff4c7038ee39a89ec4

SHA1
be835d7943fdf362f37348004839abb8d402c8b6

SHA256
1c770d8598fd8be9feee5dc593346b65a6faee3f9cffae875592b4f9de70b85b

SHA512
ecc9f7bc448f645e52a6f844c885d8a9b671d8777b914c59e623b27130c14263d5a6d7eb7eaf068db0f11ee178d0911bf0dce1f28d2b005b9643d215218a07f7

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
128KB

MD5
f91f62359316ace2f7aaf9e612e32fd4

SHA1
3a3ade53544ab47c2ac4d75762e5abb116948122

SHA256
4b238b5e9835ff86bd2dafe3607ce190a185187dd42f646e2c3dda7ba6369dfd

SHA512
299878b6087d197370acf0b0370e8701d15d58dddf07008da7e737946d64a53eaa476ef90fb04e82bca9eaafb49cb967421f8e319ac1b9c7c26a812ee4349f0f

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
128KB

MD5
b4069ace653825f1dee3b0be1c79e284

SHA1
29ca6a57fd26ece958509a96d80a8dfea6be592a

SHA256
84b7d1685d356ab2a6c4ea2bac4de90c23ccd0d4ecb363efe61ccb1495e3629d

SHA512
6ab78330786c5bc883b390ae1da9b016697b78ee4e5233b5a050a25d8f0960e7cb3e942612d6866980ec688dd8c24fa7439c525e870c85d97e1ad2ef5af4a057

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
128KB

MD5
453d4b7313b93cfeae8f65507fcecc24

SHA1
0d81c6173ec4930c840156753756c76ca0e47f30

SHA256
22df046f58a454fd4ba171a1be77d8e5a57e7e697b1fe9f2d6aa4a52af4c7c19

SHA512
38d24f0b89619f171cde063bb8017254e6a8fa91bd85e25ffa2d84248d68de46fd14c5b94e3595e0bd84cc5ca8c83857e8f2fe7e9dcfc657e533bb1407c9248f

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
128KB

MD5
22492b4afe95271db15c254cfaf0b18b

SHA1
e5656dd7a6a4658f4181814e3a1d39b6e8d59d38

SHA256
20d36f489609eebecfc92ad6b1c6af247edf817070ac621afaa2da5551c00157

SHA512
6b1b82fa28f534bdb618c2d00a1c80d71f1f57c422a798be5f472967ac85949a8e95479187708787764a283967131fd8fe500b0e3e4586e951cbc7a424d12607

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
128KB

MD5
94520bd55f76f16ed698ac89b68a9b1c

SHA1
00abf2b207f0c1d9079bf6805c27c4408c16ae59

SHA256
7569a11a542e425cd0f0c73b6bf80c494f379305177f702ae6c6ff999a94b67b

SHA512
0f460a22f97ca4553cc48ef6773810fea6c4e01b65ffa1a86155f2423629874e84fbebdcddfca362ac09d12c51d69fa36b6fbd01165fc0b5e3f9bd7504b8d25b

Download Submit
C:\Windows\SysWOW64\Bkgeainn.exe

Filesize
128KB

MD5
aa491f255f6bf6e4e0d68458353794f6

SHA1
b92b34ec359362696648fa145aa9ae46c867b607

SHA256
2f748fd34d6ac7c562137b55297a74259f469ceb9bf9c42f524a37885204013b

SHA512
e26b5b9731af0ea5969c0f78c0871553a0b8325b0d8fd82608850189cbdbea54291029cdbf8ebb85178e45226a80f7281c1bfe1a54893a1922582a28719442cd

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
128KB

MD5
4b455369291aef7dbda16c770ba803d4

SHA1
672917dd790d2a7889a073a126480fdf3dd4aa2c

SHA256
90956b0ec588f7c00c806f4c5d1ed554d9ebb36c5cf4de14303089738ec7e654

SHA512
f7b063b8c0dd0bf2464cb61e53b9c17a3ea671aadec2d00fbca9cd3c920f668d420e94f4a77c089be281e85f26871b5634c614659e928992a6544eef11e33ecb

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
128KB

MD5
c45c447db1dd82a74a9b60c8556165a8

SHA1
f8955ad7c3f8af435f03ea85e2e83d065ebad749

SHA256
81fbdfcc7ece2815372d1bce77267a53d8e6e681a54e6605416a2c175e0d3c0b

SHA512
059f74514b5078b8618c46abdd6c230e1e5476a2c291365bd5df03a3b40fac1fb0a7a0ec0c71ef36c0b05f4db6619810b9e7477600adbd7dd7f796683c6a5a65

Download Submit
C:\Windows\SysWOW64\Damfao32.exe

Filesize
128KB

MD5
f5fd12f2452981dd4fd598686f5bc39c

SHA1
278666dcae91209caf43278d917580af3c6cedb7

SHA256
f5e6d9793dc0b9c635ba8ff7fc954a6e8c463801a45f50cd9254dbd2129bc63b

SHA512
1d7d0ec7e1dadb723b5b84d8729459cab6bd9a570c6eae545609dfb15657de943aa550e89dc3d2f4c5a26c3fd0b55cee135f7c38b622a8bd71ae8085042847e0

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
128KB

MD5
4bcc2541a390a5c1ffa775314e797994

SHA1
6464bd87806907fd90edac3541150bf891cc3305

SHA256
6a281c9e7ad263593193faf5d8224814de882a9226cb1070d9fd8aac85f779cf

SHA512
1d78897047f0eb9093de98cd5af4e0111901482ceabf0cd8ab19842d54109fa6eeaabb5d3bebcb83921e99d486580ca4942eaeb992fd490c1dc6cf254826d6be

Download Submit
C:\Windows\SysWOW64\Doccpcja.exe

Filesize
128KB

MD5
59d863990707672de38d1b36565890aa

SHA1
7b226abafb713598b915fdb1908f896f2c9518eb

SHA256
e7657f6f84635656324182775a11b7e445161a3140ed67eb58d9215c74d54d63

SHA512
c694e2ce1a77769bf33c2b4464c1054a7f9c15320ee49d1a33015131f9ce9f7628537accb571b159c88ed2314f6b860e22305fc63e889266eeedef32b38cefae

Download Submit
C:\Windows\SysWOW64\Edionhpn.exe

Filesize
128KB

MD5
6f1e98246f309e766f7d47f4c02da197

SHA1
f6a2f4932e0e468e6dbe8cad77777ecc1fe3a128

SHA256
b5a89b6f530ff5d37ec84710fd2313516e7604b8d6062c0ce12b19d617aba4aa

SHA512
652a8bcef259610a6788653a7a4f7766672903de9ee8649e22645ea9fdc105b3f59d80ce6b8689eb2ecfa79f9ca49319210e070fe6cab898a6ef11ca27d5126d

Download Submit
C:\Windows\SysWOW64\Fdnhih32.exe

Filesize
128KB

MD5
17aaca9f177a01319886aa506619a0df

SHA1
45f0a5fc854c4404881558403c48236526b241c6

SHA256
e18193bc38c3030dac306eeb2baa4a0ab8f331817bd49a7ae2756efb5c8a8f9a

SHA512
5a093d354592ed6605d28c4dc425275306d85a7947ba8ea7d8c1fa1b1b847d9b2c7c3ac11ac2724e26d970af4a0620b65ffc60dd17349dfcb2f6d279a35beb4d

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
128KB

MD5
94d39c6208ccdf7e41b1c22ce65269c6

SHA1
2516ea255a8ec34b525c3bfbc98a93d561b651e1

SHA256
4166e5aa39d3670a9ea2956d329afbf83a95ab805b2561638b58db524b3847df

SHA512
e74ec84213e404d5388a96bdb6d3b099394c4ec7b816ca39e16ab9a6884030abc84705eb823daa8471e8aeb3e407b36b004e3d3a7bd443c1256e440ab2e12e7f

Download Submit
C:\Windows\SysWOW64\Hhfpbpdo.exe

Filesize
128KB

MD5
d4b9fdd74767b2d832fffea563bf0a74

SHA1
4fb1e1ea73879d246360439833c2486ed3470ecd

SHA256
66d955c07b70c4701282934fd11f3d46fbb80fc3556c464c483044b00ea15cda

SHA512
6ff75bb2f31d4013daa045f6cb887c0fc3894d430facacc2f181873f011d154e367c9a0c7a0f88bf4d53440a21ba74c16140ac8bdd4f6daf173b22f6dc45eeb8

Download Submit
C:\Windows\SysWOW64\Iefphb32.exe

Filesize
128KB

MD5
ec558cae0e9e5927462646cd74e76c95

SHA1
a31764eaa92e3a5962796fa900ea3bde23805f28

SHA256
e21e232d6751a6963ce5726b881c7fb8b526a785b4d8325173b9237744d475d2

SHA512
cc45aaf0ada5b45a8d9db73ad0bb6486a4bd716515f8779d2cd0c4cb7d1de9cab1674d60a2fc45b719c0891c9f58e24df1598469b70134bde1850a5b7028fcf7

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
128KB

MD5
f1974adb6a3b3f48b16c0ceb1c544539

SHA1
7a8ac474d95544434a5f76abeae1f4476a340f72

SHA256
6d51a3248a8224dfc7fd27b8d2cfad59250c5585cc0e9878fba1de80ca4cccc4

SHA512
6b3ff4ec344bdda2285af48a4d373ff3a2df62a86b6fe9c8e97eaa9cf05f13184078f33848483c2a29423765c9789f663a0452cb76c179893ae8212feb6403c9

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
128KB

MD5
2279a38f56d787e873ec0ea338ff85da

SHA1
d60c4dee70a50e8a329baa7c45658f44801cde2d

SHA256
8995190a91b06b431e8a249eac5289b4721103b0cf9e604d01765d267b5959da

SHA512
cb738f55576e238d2904723693325bcf21008b161f3467325d371c6928934dee8ebfa411a3455838bdd2ee7073f095e85d68c063bd58f6b6c9a9b2186932595f

Download Submit
C:\Windows\SysWOW64\Njedbjej.exe

Filesize
128KB

MD5
46654d9b505e34b7239d4d3063267530

SHA1
9d685281e56a2cf36a502996f62d4e2edd379687

SHA256
1b0c4bd706290a68752b8f3198b61392556a3a84e3c83e031b16e97154e2c8a5

SHA512
47ee3c45d46ebcf484367a8e380dc39b989aeb4cdbbe91d4549295bd6f04a65b88604f520af10a697d407942c6acb1fb3598bb9b1c4bbdc7f6e910bbdeb6a305

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
128KB

MD5
fdcf17379030a364c1754441dfcdf9f3

SHA1
73f065c5acabc97bf600bd7f32dc28eabb223a78

SHA256
f889419e73fca89350411c83f5d187417c703aad7c47fd1e27d4538b16c0ee18

SHA512
53d0192920dd51ca29832185ebf074d579ce6fc1f743913bc3ff8a200512f32b0d557994971b46e562e2e97aeed6956e13dc1c01177cf60a593393794a558b76

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
128KB

MD5
1a2897ebf7af6d22c7e4752e4d1616ae

SHA1
1222b47779912b5d25237dbdedf06808a97ca027

SHA256
dcd41c0885afc673d494d3ef7ce0bebab33ea89ad9cdd904f4645a8c5c04a8de

SHA512
8c0b203311f33c6f24381e5e90e295e08c34f428b5e8777a454a1306119e8cfbe03b0dd9fcdffd77f521e6c35daca1784d3ffd1a7841bd3cc1f350e48e144266

Download Submit
C:\Windows\SysWOW64\Oonlfo32.exe

Filesize
128KB

MD5
d58859f7ff24c9919cfdf4cf7518bb26

SHA1
12fce9f89b5a3ee21307259310572f51babfbb10

SHA256
aaab5ff0300bcb7cf52e53cffc55977344440a9fe9da7f1d294ce2ab43d1a068

SHA512
0c820c490bb9aa48835864c57379a6a364a4bf9a222ee43983c521d573a518bfc010aa72f68e30fe277b4a81f67e3021bda2160e168e012c924e3482acb6cfd2

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
128KB

MD5
1eadb133e0c4ec9f3193b15258099a3a

SHA1
d263e1e19613ccc74dd3292253e690919c50de18

SHA256
3297b0f08cb3afe1c37068bdde901bb94e5aea2c49221853d7219a3ea4011255

SHA512
e0703d7deddb7add84ec4fdfb7b19440d32a3176f7623c3e2460ab7a512d63682c7327ca565794a1105cf874edf26efd480db41d451453359f367a864d07084a

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
128KB

MD5
ce54bb909d19e7e096acf632bab2203d

SHA1
322fe71e92021ecbe577ab5f26cf3cc788c3c53c

SHA256
371487c58c14ac2343c285dccb1e829e4f6786bd375c5024eedf182d5c97a0a6

SHA512
e7f70118e35db116711e4708c8e67d1e25b861e37ac914a3b239c60a94c69210a2384f9bac5605488bb86a5307f3c08984048e32d2014df38e32febec8ffd2fe

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
128KB

MD5
01f80dd33c693416e2ba567ce5231677

SHA1
221a0c0e6f4de70f3d72800b1538d505622229d9

SHA256
336e3af13f9cc1c2a47f822e59e732a794314ee4d8853cf3855a6bcc79545758

SHA512
860ed6273a2de4f9278e68af5d3d5efb465894a81dda64393d46b4468e33f022e1cb747e1b3c6fdc74b57e2496e8b4433b2fa7485699c22f29f1c3eb910e7788

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
128KB

MD5
ca84f9684c41c5697d72dde6d89ddcec

SHA1
940d686e654c8d20b46550bdbbe423a3bfc0f30b

SHA256
0929352ee5bd783ab9d8921a4032fd2e4e209e2bb71d07779fbfb8574f652eb1

SHA512
0a32d5bd9d6b9e0683af44cb6e8d9d45bf74f59636244d1f4ae6781a1742d8baa3863a74b9080b6be5fb364b409717d4ffbcef620f6e2de3a855bb08022af930

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
128KB

MD5
52d7ecbd2a5eeb9ef9377056ea8d5311

SHA1
abf8a1b58d362e7b5df275c50a884fedfbdbb726

SHA256
eee0e63e483bc5b9055ce4309ccb7ae93c2ae47fc17654dc5f3584a583d7bfd5

SHA512
ba052b57701899fb4ae385b57b07c2e7548603f315901fc029945648e0d1141899fc33bb7a345b23e20709f08ff26cd9d64f3401642b66d18bb796b417567b00

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
128KB

MD5
a03f1f97400034d7c6fb9d6e59f7273a

SHA1
b894124f8de7fc6cf14b9aa5e75cadb07843c07b

SHA256
a0a29b93e00f374e12389a46578ff6a3f55ec824554587fbf8a86265b46eae5c

SHA512
820d22053592f77ea10a03afefe6d5706ccac61d9851dcad4fce51e5653a2503bb263747072a2185c620fee65e3224f1a698c210f30e9fdad438978d337ca7bc

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
128KB

MD5
801df004239f814f3ecf9007f97fb3ca

SHA1
42d763313f5e766a3c3e381f515340694064a463

SHA256
26cf32d0b288bb869948c27705e9458f8cae6daa7f3e5b9d13c81155e1eb96de

SHA512
d934f302f18b59eaf201006b351a71e9eb4af2239c3d36f5bcf966a38323f4a6f356839e8641a939851e3c00464081168b74cad82f780a720b278a62013c270d

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
128KB

MD5
d9eea927d288eb8b9e00f102c034f295

SHA1
56bb07ffb9148fe48c3625f14aca33c9f9254ac5

SHA256
714832a29180c5d06e7e080954a923badc97a66a16dcbfa8c3f021d20b9a0e01

SHA512
a12627791ddfbf8dba33843edb1f59addb65e02533c6f110818225f8c55a93b9ce64de134eac6d45de2f5f2d62a444e2c3d5e41cfa346fd8107337d76f65aa6d

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
128KB

MD5
e40414b4dd8af3bbb873ed294f7e449e

SHA1
5ef6a78a1bd56b10d1bd74740c4e5d5a1da1129f

SHA256
13cec718f53b5f345627c7120bfccf159489de426bb5b3b2a3617f50e7fb134f

SHA512
787b192a03c869788d2bfc0ffdc653c834be25e5b59885813a2051c163f4c91847372f37798bf22d1540932490d6ba96d60cd200e6689c70c52995a188a6bb8b

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
128KB

MD5
696f10f9e4ded59571a96d820ef1b413

SHA1
b49d2c87ba1b9bd2d0216e1511989e793ec58d54

SHA256
351116068d4a34ea64e89df5b2cc3b739a3f96beda7074f73fc7e95ce521b752

SHA512
4d02eeb39147c0138f3a8c6df948cce1c337a953b13a5c478def0c45dd6afc78d9557a8fd96c021535764635df19a8225e8cc7fac33b375fd60e59e2eb960ee2

Download Submit
C:\Windows\SysWOW64\Ppcbba32.dll

Filesize
7KB

MD5
f9bda2da634b4c218d922eba4fdfaafe

SHA1
3ffad4da612df41af08a90c2f32c728db0ba4c6a

SHA256
51bbf99df891aeb255683d7b8c1416851d9688bfaa59268cea624afffb2ac106

SHA512
7a4a58379f46251e65c29e00ade203ba6b4668b1adb4747a5267e34ac04ac812955264a5709f9f994dd61dcb4732d7ee5615e1eb0f5bc0004820e796d0af490d

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
128KB

MD5
90e9db404948c369b88ab4b617f064b2

SHA1
3a734f5c1c00e58b382368e451b6659c3407ef34

SHA256
7a3c86cef6b9ef233bfb273e3664b2bd7740d617b50eb1ac10e959ab4a580d27

SHA512
df883cb970a4a1201af4e1bc9991d1975de43839d1915959305c63a97b53d794312626f4ad549ddfc6fdc565aad46e99156f5a4352c776dc2b01289030fc4144

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
128KB

MD5
3903ffb179b4a3596cb7145d3e680f83

SHA1
fe0c8a1a55b9f31955dd343abe01dbbd786198b9

SHA256
eb2af40e6f212d5056d7af1908198cb12ce6618e5de0bdcc61c6a4f5cba7b6d2

SHA512
cc8bed874d4cf69de5c759d59ac8bd36f7183e37931e96e849cd923b72ed821057b426e9c1c12beba9d326e812691ffc986997a1862342765e0fc0b1b82f96e4

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
128KB

MD5
c17b89e6ac13c6275a82d0723b8a342d

SHA1
a3d68811c9059513360d649b7e55948b8b94ec6b

SHA256
aadb4a21a6de239801b30d2a8a4a736385cce24019ff4376bd7ddc9b8e2e7bcf

SHA512
c410bfe8c66b0846306558baeb1f198c8ff29fe65b4673e192c8eacd51cb7258b6fa486e90ec55e7a0cfda045ccc77a1d08ab5af07ba62ee00e6fd53b3f66978

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
128KB

MD5
f793b43fed8bd5f1930c64320c9a3c35

SHA1
c5ac8de41dd86aaf0392262f6773d41a25408dab

SHA256
e1b8e234bca6944b0ff07b1b7dacb954b6e67aff7e93d47052601d09ba4676ba

SHA512
ef6c5178ced1b68679fe9051181d3c779fbfead057e2438b5a2741e0a9507dfd321655544d85b67aef0180c1bc188be22c561dedee5c2865f099df960b61a09f

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
128KB

MD5
e20769a44481eef340a4a697f2e2453a

SHA1
6d0629682f4865f9cfe7084f3c1198f6269bd32d

SHA256
6f2b0709b9825e14ede21c0a5cb3f0867c4aa07f16590d4dc04cde195c2ac363

SHA512
295b6508f241555d6e5dc790d5116f2162b664a6540f71836f996a17fae45004c9b04c2525639c931af6bf3f5a9106d8443affa2c0a7dbfe350d937b161c0b21

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
128KB

MD5
9be31771a42348b24ee1aa6c94d41489

SHA1
b340276cdfe92ecfb6eefae6c269518192ddd021

SHA256
1a99614af87eb872c3a7967e42af9315de8aa495254042d7815f2a4c7454e8d9

SHA512
faf0797d313188a65a0844ce229d5ed50d7da90c563a180e15f71ebb91293aa978c1e8df90776045b5fc946e25b2d33287f67fc142a23bd7a8fb1b9049570cb4

Download Submit
memory/60-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/64-545-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/392-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-592-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/920-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/992-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1140-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1208-502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1224-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1328-559-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-490-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-552-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1736-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1888-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-558-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2212-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-514-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-496-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-584-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2576-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2588-508-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2648-452-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-565-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2868-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2880-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2960-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-520-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3276-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3320-599-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3400-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-585-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-571-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3604-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-478-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3752-526-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3908-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-551-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-544-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3984-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4084-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4124-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4176-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-586-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4416-532-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4484-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4652-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4768-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-593-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4964-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-582-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5028-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-572-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads