berbew | c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe
Size

96KB
MD5

4333ab0c58a4dddae2abe838ffb78723
SHA1

d4811f7df530ea0227814bb6136d96922cbd30eb
SHA256

c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca
SHA512

7292cf4448d73c0045973224854924f0e43e6a5659fcdf61a98ea39e45f126dc2ce1213caf39224a2888b92c494f1e278ded9dc9be16224ecc1a89311acf616d
SSDEEP

1536:PrlTGnk4hAfpzP8J3ToI2Lp7RZObZUUWaegPYA:Bh4hAfpzPgjepClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Helfik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kikame32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hopnqdan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Immapg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hopnqdan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4640	Gmoeoidl.exe
2860	Gcimkc32.exe
1748	Hiefcj32.exe
2644	Hopnqdan.exe
3400	Helfik32.exe
3960	Hkfoeega.exe
724	Hbpgbo32.exe
4460	Hijooifk.exe
3576	Hodgkc32.exe
3328	Hfnphn32.exe
2024	Himldi32.exe
2788	Hbeqmoji.exe
3728	Hecmijim.exe
4568	Hoiafcic.exe
2300	Hfcicmqp.exe
4036	Immapg32.exe
752	Icgjmapi.exe
3364	Iehfdi32.exe
4484	Ikbnacmd.exe
844	Iblfnn32.exe
4500	Iejcji32.exe
2772	Ippggbck.exe
3116	Ifjodl32.exe
2248	Imdgqfbd.exe
1616	Ipbdmaah.exe
1096	Ieolehop.exe
4628	Ilidbbgl.exe
5016	Ibcmom32.exe
2760	Jimekgff.exe
1460	Jpgmha32.exe
1396	Jfaedkdp.exe
2212	Jmknaell.exe
2028	Jpijnqkp.exe
1180	Jfcbjk32.exe
4144	Jmmjgejj.exe
3900	Jplfcpin.exe
4772	Jbjcolha.exe
4352	Jidklf32.exe
2448	Jpnchp32.exe
4996	Jblpek32.exe
4412	Jifhaenk.exe
2480	Jlednamo.exe
4424	Kboljk32.exe
3676	Kiidgeki.exe
3396	Klgqcqkl.exe
4880	Kdnidn32.exe
2292	Kfmepi32.exe
4556	Kikame32.exe
1636	Klimip32.exe
4816	Kdqejn32.exe
3972	Kimnbd32.exe
856	Kmijbcpl.exe
2692	Kdcbom32.exe
3204	Kbfbkj32.exe
3176	Klngdpdd.exe
1424	Kdeoemeg.exe
1576	Kfckahdj.exe
1004	Kibgmdcn.exe
2904	Kplpjn32.exe
324	Leihbeib.exe
4468	Lpnlpnih.exe
4436	Lekehdgp.exe
4060	Llemdo32.exe
440	Ldleel32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Imhkcaln.dll	Hopnqdan.exe
File created	C:\Windows\SysWOW64\Jifhaenk.exe	Jblpek32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dndgjk32.dll	Ieolehop.exe
File opened for modification	C:\Windows\SysWOW64\Jplfcpin.exe	Jmmjgejj.exe
File opened for modification	C:\Windows\SysWOW64\Jblpek32.exe	Jpnchp32.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Kdqejn32.exe
File opened for modification	C:\Windows\SysWOW64\Kibgmdcn.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jbjcolha.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Jfcbjk32.exe	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Pmdfog32.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Inpocg32.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Immapg32.exe	Hfcicmqp.exe
File created	C:\Windows\SysWOW64\Kmijbcpl.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jlednamo.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Jpnchp32.exe	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Helfik32.exe	Hopnqdan.exe
File created	C:\Windows\SysWOW64\Elogmm32.dll	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Jbjcolha.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Hecmijim.exe	Hbeqmoji.exe
File opened for modification	C:\Windows\SysWOW64\Jifhaenk.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kjqkei32.dll	Ikbnacmd.exe
File opened for modification	C:\Windows\SysWOW64\Jimekgff.exe	Ibcmom32.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Icgjmapi.exe	Immapg32.exe
File created	C:\Windows\SysWOW64\Iblfnn32.exe	Ikbnacmd.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Hfgefhai.dll	Hkfoeega.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6512	6316	WerFault.exe	295

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikbnacmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hecmijim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfoeega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iblfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoiafcic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll"	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4640	4820	c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe	82
PID 4820 wrote to memory of 4640	4820	c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe	82
PID 4820 wrote to memory of 4640	4820	c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe	82
PID 4640 wrote to memory of 2860	4640	Gmoeoidl.exe	83
PID 4640 wrote to memory of 2860	4640	Gmoeoidl.exe	83
PID 4640 wrote to memory of 2860	4640	Gmoeoidl.exe	83
PID 2860 wrote to memory of 1748	2860	Gcimkc32.exe	84
PID 2860 wrote to memory of 1748	2860	Gcimkc32.exe	84
PID 2860 wrote to memory of 1748	2860	Gcimkc32.exe	84
PID 1748 wrote to memory of 2644	1748	Hiefcj32.exe	85
PID 1748 wrote to memory of 2644	1748	Hiefcj32.exe	85
PID 1748 wrote to memory of 2644	1748	Hiefcj32.exe	85
PID 2644 wrote to memory of 3400	2644	Hopnqdan.exe	86
PID 2644 wrote to memory of 3400	2644	Hopnqdan.exe	86
PID 2644 wrote to memory of 3400	2644	Hopnqdan.exe	86
PID 3400 wrote to memory of 3960	3400	Helfik32.exe	87
PID 3400 wrote to memory of 3960	3400	Helfik32.exe	87
PID 3400 wrote to memory of 3960	3400	Helfik32.exe	87
PID 3960 wrote to memory of 724	3960	Hkfoeega.exe	88
PID 3960 wrote to memory of 724	3960	Hkfoeega.exe	88
PID 3960 wrote to memory of 724	3960	Hkfoeega.exe	88
PID 724 wrote to memory of 4460	724	Hbpgbo32.exe	89
PID 724 wrote to memory of 4460	724	Hbpgbo32.exe	89
PID 724 wrote to memory of 4460	724	Hbpgbo32.exe	89
PID 4460 wrote to memory of 3576	4460	Hijooifk.exe	90
PID 4460 wrote to memory of 3576	4460	Hijooifk.exe	90
PID 4460 wrote to memory of 3576	4460	Hijooifk.exe	90
PID 3576 wrote to memory of 3328	3576	Hodgkc32.exe	91
PID 3576 wrote to memory of 3328	3576	Hodgkc32.exe	91
PID 3576 wrote to memory of 3328	3576	Hodgkc32.exe	91
PID 3328 wrote to memory of 2024	3328	Hfnphn32.exe	92
PID 3328 wrote to memory of 2024	3328	Hfnphn32.exe	92
PID 3328 wrote to memory of 2024	3328	Hfnphn32.exe	92
PID 2024 wrote to memory of 2788	2024	Himldi32.exe	93
PID 2024 wrote to memory of 2788	2024	Himldi32.exe	93
PID 2024 wrote to memory of 2788	2024	Himldi32.exe	93
PID 2788 wrote to memory of 3728	2788	Hbeqmoji.exe	94
PID 2788 wrote to memory of 3728	2788	Hbeqmoji.exe	94
PID 2788 wrote to memory of 3728	2788	Hbeqmoji.exe	94
PID 3728 wrote to memory of 4568	3728	Hecmijim.exe	95
PID 3728 wrote to memory of 4568	3728	Hecmijim.exe	95
PID 3728 wrote to memory of 4568	3728	Hecmijim.exe	95
PID 4568 wrote to memory of 2300	4568	Hoiafcic.exe	96
PID 4568 wrote to memory of 2300	4568	Hoiafcic.exe	96
PID 4568 wrote to memory of 2300	4568	Hoiafcic.exe	96
PID 2300 wrote to memory of 4036	2300	Hfcicmqp.exe	97
PID 2300 wrote to memory of 4036	2300	Hfcicmqp.exe	97
PID 2300 wrote to memory of 4036	2300	Hfcicmqp.exe	97
PID 4036 wrote to memory of 752	4036	Immapg32.exe	98
PID 4036 wrote to memory of 752	4036	Immapg32.exe	98
PID 4036 wrote to memory of 752	4036	Immapg32.exe	98
PID 752 wrote to memory of 3364	752	Icgjmapi.exe	99
PID 752 wrote to memory of 3364	752	Icgjmapi.exe	99
PID 752 wrote to memory of 3364	752	Icgjmapi.exe	99
PID 3364 wrote to memory of 4484	3364	Iehfdi32.exe	100
PID 3364 wrote to memory of 4484	3364	Iehfdi32.exe	100
PID 3364 wrote to memory of 4484	3364	Iehfdi32.exe	100
PID 4484 wrote to memory of 844	4484	Ikbnacmd.exe	101
PID 4484 wrote to memory of 844	4484	Ikbnacmd.exe	101
PID 4484 wrote to memory of 844	4484	Ikbnacmd.exe	101
PID 844 wrote to memory of 4500	844	Iblfnn32.exe	102
PID 844 wrote to memory of 4500	844	Iblfnn32.exe	102
PID 844 wrote to memory of 4500	844	Iblfnn32.exe	102
PID 4500 wrote to memory of 2772	4500	Iejcji32.exe	103

C:\Users\Admin\AppData\Local\Temp\c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe
"C:\Users\Admin\AppData\Local\Temp\c2b959453cdac32c0287f0654b2ed22456718d53bea302660b5f2142cbfebeca.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\Gmoeoidl.exe
  C:\Windows\system32\Gmoeoidl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\Gcimkc32.exe
    C:\Windows\system32\Gcimkc32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\Hiefcj32.exe
      C:\Windows\system32\Hiefcj32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        23⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        42⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        44⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        56⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        60⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        65⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        66⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        67⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:228
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1720
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        73⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        74⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        75⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        76⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        79⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        80⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        82⤵
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        83⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        84⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        85⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        87⤵
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        90⤵
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4536
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        92⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        95⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:224
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        97⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        98⤵
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        99⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        102⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        103⤵
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        104⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        105⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        107⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2264
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        110⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        113⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        117⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        118⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        120⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        121⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        122⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        123⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        125⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        129⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        130⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        132⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        138⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        139⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        141⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        142⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        143⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        145⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        146⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        150⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        152⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        153⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        155⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        156⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        159⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        160⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        161⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        163⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        165⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        167⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        168⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        170⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        171⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        172⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        173⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        174⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        175⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        176⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        179⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6480
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        184⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        185⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6652
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        190⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        191⤵
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        192⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        193⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        195⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        197⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        198⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        199⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        200⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        201⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        202⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6648
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        207⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        208⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        209⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        210⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        211⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        212⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7128
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        214⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        215⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6316 -s 396
        216⤵
        Program crash
        
        PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6316 -ip 6316
1⤵
PID:6432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
64KB

MD5
97b6d89eafbbf15a4b9484e10d3afd1d

SHA1
42dbbc8bbc70334cc11bc8a9810489c48aabd3a5

SHA256
b6217ced42a3b3ba3681247ae3ee13b8a6fafc81fc807b60de575eafbd7d24d7

SHA512
a81c51b9c3e185559057b4d9c4e9d24295e5dc31de8454233c7c0c7385b3e80d2bbc40ac69ce427ff9636843b4e64a2b9c0e62fff2cfa8b14b6c70a552ead1ed

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
64KB

MD5
c42e8a8a8724c993423788d734f11659

SHA1
8219ddd9ae77c980f4597e2cc86059fe44784967

SHA256
03ae3ccba1efd1239931388c12bebff793e30a6595c695d9cdb23d06793e0ef2

SHA512
e3ca9f4bce8ac023d51174bb0e0058469681c8682f038ce333e43da60a84a8f261b169483283ad197754e45db6bf0804fbaec0124041e3b2c86f0e63ae51cb9d

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
898807a9c8ba9f0192c6237244b48331

SHA1
3547b57dfb42d4e462d406039bf1044fb2334c2e

SHA256
2be71243c1b3c6b430563ac074c0fcec7cd240136f638bfd4a016b2e6db7b3e5

SHA512
777dc9e296e03dc5ca3b85a8dbb65a6aabe8b09f599785da227a531a710bbb6f3e66146f02484db7dc52a1a67f971ad6a925a95d4293a35389dc4b2c9ee58dfc

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
116e511e045962ef41176bd3c700cea9

SHA1
40b2480b2cdfec123740da74723d173b6848a2a6

SHA256
beeb341c4fe169b1bbe44deb84a4b7808001a8ffdc4e4d1a319ae4b1ad49b217

SHA512
e5189c48ceef8cf20ee631ccd0c2d9513c7d4e04afabf7877b71ba240d6142a9ced382c01f1b4f27a90278f3fa48f3dd57b33727d343c5730c2bb815df9fc3d7

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
7ca0ac67ee8635caae19a646cfa317e5

SHA1
6245677514a4e0a20d8c318eb26e10c2f20480c5

SHA256
692eaeda92758555903aeb446291682ae3eda28effe16d051dd2f9e3a2176656

SHA512
5c0d631f31ae5d2de77dcac5e72b93bc4dea1372956e9ae722dd6f66f1f27f189b4843a567210adac7980fc16f91566fd8b7bbf6d901247da6972f9c68deacaf

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
f2ed7ec09d767184078163a6298c5185

SHA1
d7cebe8b06a6ab7cf4f8bae8ce12a27f49f4d3b0

SHA256
eabe34672a4aa158f9a88918c7dce77ebdfd9a2aed56b54eea656807f3f454c6

SHA512
73a23477e2f963a15d8f471ee3f561acf364a051e9c1720bb180f90c5205fd5363b0f1bf1e6a2eb12441f2b7b251ce8c53091ffae78e9795c5d18c13c8a866de

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
f387658314a3353b3b4129cb1670bf1b

SHA1
7b434e0d8a9ce1613dd47d26e9946290490e22bb

SHA256
787198fb694ced72b267281f780ce2fe9dfb5faaee16c4f26dff6ee6e852d8d8

SHA512
dbec91600d901e5596ae486412e1e45fb4df825a5ca580dbfab567889e6974c5b6586fe1396b8f92e03b756884d4b5c558365f4b8a85528c935991e0f47ccd3c

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
36c689cfec142dba08f8dc659fbd8a90

SHA1
7136274eb09170e5a6fda054e342fbc8a482d39e

SHA256
cbadc3350964c73020b2678057c9e36e5970a38393e9ac37af51552095602f68

SHA512
dc857209e755d89a7339045b20838f75db89be167817599b97431bc8f93148b04c6455d6f47940df4afa71327bce429407ca062eb052a97d5315f468116961ce

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
ea7530b6ae106f98fa55d8c4658a00ee

SHA1
d13d09a7068af2b23a697a234e8762f1ea602530

SHA256
f3a5989c278aff8bb8e3340dab6774a78cd8648e2b99dbe006d62c6e9d1d24c9

SHA512
77494180cbadb53f0b9ac71a14ec834f4ebe1c1bd1ba223e62c6934c4510edca29e42c92a148c2647e6a7936158525bb4199c7ade6403d7904b8281c99d27506

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
39f97501f47afb0bae48f4ddf2b9370b

SHA1
035a7532951226c42bd07f78ce98ac8d2f580377

SHA256
2a13f4b64c72314af98961e08c9ee4ef53324b9fb35fa4ba654cc8b1d7c32fa5

SHA512
f0ad81dc5b2cbf07e3c42da1c2cf7d20b608d45353da0a114172a63219a3951e85582efb959999204c653cc27ceffc2e2c130e08c3ef7f88a3294864f2974c8b

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
96KB

MD5
af7fc54aa5495a0589cf11ff12c3d6bb

SHA1
7a003d074ebd690b1e600ad344b0ba95254c746c

SHA256
40a74f3f3dda06098177afa287994efaeda6a4fac0e3997a041d081ddac8fb6a

SHA512
078d8e962a2486924625f1254aa402c06810bac1c744923c94afe3be51a74816fa61d003977b4ed2143ada6e080b8eaa74191fc55109191aa5afedcefab413b3

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
19fbfaa5866e67ab7c96e8b92ffae6b5

SHA1
3e7fa2cff595c3292ebb7b7413e69d7305039675

SHA256
328219287cebf73668ae1886e51d41e96c562a15c458d79c471d7c4b382cb910

SHA512
d6c314c476e599ce1b9a4927993b1cb56529739e537a48fbcd75a650710c73804c69e4e8ffc11228240a71e5725bccd44e39c4c1e83bfc04352543bcfcd3b859

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
27f6abb143745966a88b909008def5cc

SHA1
f95c86704e711ec3d64a68ba8b86550e55b9e924

SHA256
d3f32d93e36fbb6a29ab75c38530fa2e02c7fcbbe1d01ceb07feb0821289ed55

SHA512
eda8bc3de6bb5ece3c20dbe52a9b232b8d62bf7e990f38619c63ed37ede23394cf75b1ef85d4c4706cf00de8196590bbfe8501f670e4c3cec7263503b6cec361

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
3ad55be55fe0288c795cdb09f2e352b9

SHA1
e6fc4f3b66c66dd92f0d26e83168fb513fdc6967

SHA256
0a2522b30eb8f7b4cd0e5e9886b3a859b50a93d9b67a30fe7054f4c550420bb6

SHA512
02d8a4f17f23388e45a4d3b6f97aa9b0efd7e8b20d5f2eb5d5b3dc181624dca42c5ed515ecaa4474323b75f425b240532c423e41a6733500b7173ba2ce38d60f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
cfe630bbe690f9f2be9d3fdc3fbfb241

SHA1
852eb27004dbd76e2dddd197806a0de9696bd7e5

SHA256
aa25f96babbac18d76713d94eafe5f3e1d2173efaf2edf8e1798789d71cb13ba

SHA512
41258a93656318be319e4ae49b3958aeb7cb801f3c1115ad7f83f498eef749b49af6e88978e52d6fc849dabf08786206adb32bcbcc27106fa5575b27b17fd8bd

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
f2e5ac4f60d1009eae8cf2019cbbcdaf

SHA1
e7017309070fd6cb1a71e355eb59b5b7d22e7e4e

SHA256
14d369af1668fe6a9cb25fd0b67644f0176c3fb84d122e392c4fd1e7cb625b95

SHA512
fd85a8c52c06b6fabc4b917f2bf8a15e9b47aa61e621b9d8134bb7bb1facf0c40e3c268f5bf3b6258e77139203b78fb77f931e1da14c0bbd175b0d7d640aae0d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
6b9552ad206d293c09b241ec1e239aff

SHA1
cb1eb9b1533fa891123d558e84c0de086a3d2bc0

SHA256
cb52cffaf7e60c20f6cb24942b43641b7b2e3520bb45f5a0b37ea769f813f65c

SHA512
306376f555b88aa8c79dd3a25f11b3ff55ee51f962a3249ab6e2cf704667f0b35e41aa7640130b66242da163b26cb63134f11504c3b297cf2e700e4fd0ca6a12

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
96KB

MD5
d3fb886e76f381089250bdff9ed5c3bd

SHA1
312f959aa3ef1a437956f50509013e89eb9e6a50

SHA256
524da834840b0dda90f30c9387b06cb09e4cb7403bab3c465cf581073fecb265

SHA512
f9afef170b40857192f847c6246fd8fc2d6ae797ac15ec299cb26bcc457854abf7a70b2e79c937bf8d410008a3274aa4c87a5c0a99801403106d92626d948a12

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
f8c16b90cc77f85460a2930e45c677e5

SHA1
cb106456aec8359f371489eb0d959af54831c068

SHA256
46dee22c1e27f76dc8f8dbbdf0b141369f3d027448441c1ce926f3a074534df1

SHA512
3943bff9c65ad44d102d5bf5a18836487a0029d7366d33322fcf829f4d244f9349e87f35771ab1d41fa04a6dae302edef716e16e9e0f6ac5c2da90dedb5de7f9

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
96KB

MD5
cea11997dab3519a89bc3c27301de999

SHA1
195dbf37f4af8ca2584efdbefb3aa84e0642cf58

SHA256
daad2e9d2ddf7261eca301f208f3d7b5651ab81f9b6b752f5083182c0f25cbeb

SHA512
287faa58d29a5cd5d55b235c5477e850c4ffa537fc6ba54ec5b84dee9e9c4c1308bcc5aebc451bf289f6bf160087ce1e51a4d19560bfd91d75fd0c077fd8251f

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
96KB

MD5
6ca6dabacef5e90130c2fad7b2d0d23b

SHA1
0f18cc38807ec3de5c8ef6c2ff17df4bc3e823f7

SHA256
e3e06fd4b3d4e38940207ed53c211b881fab4ad80e77af97ac41608542c001e5

SHA512
376a269b16b860c0718771239e98edc2b3c971060e70591d3ade30006ba6276e264749889895f4029acb974710590fd601b557308722f43212201a251ddfd2d7

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
96KB

MD5
51eb13b7579ab169e61be5ce1b861374

SHA1
fde612f0f1e2d4772e2adde952cb43810253a1f4

SHA256
38ec7681cc806e7f1f5e9a08a1dae32f6629dceeb1bc97982def17ff7b2b0c0f

SHA512
22534e54d73eac537f22241fd589e838aaf2758f13d3ec447a3d59273102e3f593c3e484994e4520571cf76089d967a495898168d3776258e1d42261d65267e3

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
96KB

MD5
4145304fcf220d3e5e918b6b0f982dd8

SHA1
ec85d45f67921468766c3aa6059042fdc41383b8

SHA256
f1adb41b01a62beb10346de8c229fef1327dead42ae6b551321f3547207c0c0c

SHA512
74cd60678e2a259e0ab34fd326137a276c94551254f8e1fa273f50ae468cb60bee517d3a62b9985d5e78e74f3facc1fb1f2648fea4c1108ebbd73a9b7c6b9a41

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
96KB

MD5
20b4ffdc6dacaaf530c3c85044aee4f2

SHA1
4a4e3a51db55a61989760067f6aa32b4936bf6e5

SHA256
e654dbaeca93c460b46311c54d47195720c2b2c3f87d62b836795c9bc5b54508

SHA512
ad8e9b4ae64693da5176f9af20fb246a63812907a54c77051fc281514cf94e4fff6cbad27a2f6530cd5503361f72d749599d48de4e00747addda47591c49695b

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
96KB

MD5
ba6491225e73b554d6dfdb96bc1dc2fb

SHA1
aefdb4eeb05d4e6b21d8a0eb6a438d6eafbed47f

SHA256
8262e38a9f61f6f9c1f83092a73e1c81c40cf60f6d852f3060f11193ca0b1f6e

SHA512
168e6b0ba9f1bcf1b9c46adecc43c33c2a0ca63dbe68f62f9dcfc7c84fc195e3711adefddc9caf14f5296b4fba546859c2655ad25fb3ea9c019f546486aa5570

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
96KB

MD5
6d4c83e97c535830ad341c0cfeb2bc6d

SHA1
482e729937a8603966b7dfeee91479a888099833

SHA256
0c5eeb443dc3ac2bf9d11115c40160b8a29aa12532075905b4d482a6b44811c1

SHA512
6201c57bd4c1a311a03c6a4bfe2e22df0162d3fcf563511202391d5017e5edb5e829ef6776935e6f7b9c1e665a3ddaab944fb157ee5cd146e3ca0e1681e1379e

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
96KB

MD5
1028ae42377cd5365a5d5e6ea05aa488

SHA1
dd9565617b4fa936a76357d608d3d65bdcf6a69a

SHA256
40aef1aef05ec089385dd3a8a1e823c5e8b0f38e58444887aaeca6be26317a31

SHA512
79a886e788c36ac4c538a5bf1b2f19742237db42d2eef935828b273063dcaaf1b0e1a6ded0eff790701cb8d31bd7fe6c1818f03e546cb9e0a0fa7cca99c7d0b9

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
96KB

MD5
11a22b61c338da89f6ee81f06cf1844d

SHA1
09b77e2f9116efdc00ee014457c0d86ca0594087

SHA256
ca420589e0e144dec63c53fcbfc98754cdbea2fc3eb72d4d777cbcdd422d0f05

SHA512
df897a39ccae2b092d7ade608463dbb74d4535c48778210f2ba1df95a79ad515f4466f7af1f7551f487c40e05d778d576c134039f8d59776c7707f192691fcb8

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
96KB

MD5
fb9f05f41954eebb88b83b5f3096f417

SHA1
70d54ad064dfe7f02945468cf56afdf0c308d439

SHA256
7db0475461b6b7c8c49630f31f5edb28c90a575f929e3f89f9a4a3ea9daee03e

SHA512
3dfe067363b201349fcccbec702bf40546b097331736d76c7b31778cf88e07903451090e0e6b5d74f9211bad92d579e330f15d03ec2f6c76fdb81f6d2e591666

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
96KB

MD5
b01e31175ad7a436a27a2ade1d8b0d88

SHA1
a781b9a7eef08df7ad63d99e7168f302931bf7fa

SHA256
997c602a088b28f19d93d0b98995431f2dc5ac0f490408d4f24bb9c4e92bd939

SHA512
e09bf217ed8840c97c611a8b7c6278ebf9c9e11378c0d5409137258383edc7a850047d1170e76785fd73dfb761a5936a515dbba766b9cb482a49bdfcea423ed8

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
96KB

MD5
315ff256620c1bace4c00f681a4624de

SHA1
f69ae7129a81116f1374492572bbd2a54f5fea17

SHA256
06a41173e3c1d776f75d81c7bfc809798228e61df0a6b894ddcb330f6e30a821

SHA512
bf4c0fec13d549b1bad19bddd4dff8b220e12ff8032606060dce9c8af86d32827250f4e4859e0fd4b20a7e9bf294340fad7e90c6ae1b934c49c0dea831810bcf

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
96KB

MD5
fde961a01bc111992428f55d01244d45

SHA1
27571473574f053c93621857c777c520f5c18976

SHA256
a6de868b55eb9c9347186cd95874e4b1423c27d7f58f81ced5b0cefee4ef55b2

SHA512
1fe36f79dfcec0a4a6536434fb75d7ed7809a9aa40ef210e059e5af22b0ca91e647e0d406055b26986d5729d4bac82311a3db0b941f6da34f00ec743d775bf88

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
96KB

MD5
bdfa6823fa96c893ba0da37aa5a00d95

SHA1
1443ef796c735b2df699dd09be1087adc120a8e8

SHA256
62b95ff461063ac088c4baa1472dbc4be329348195ff90f6124de2a3e9d978c9

SHA512
5e82fe0e6eaa14c85e0c6863c8af047a80a9b90d4bc4a2cd482270b895b259f91bd4ba950099a3f18ef02a575018736b45a81d5bfbd896f7836b260ad7f32a05

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
96KB

MD5
83bef2e9eec2ee24a26255abbdb781b1

SHA1
28f18f19e100e61fe88460b795ada69066ffe04c

SHA256
53a1ce5b06255592ae8153242836fc9c87ce5b2be012341a9ecf00db0c590db3

SHA512
eeb29bb760576cce7c9210039810bcb09fb04bd0c352d2e10bcb6bb74b7964e566d0bb02a2385d5d0f9110e327e0bf824fc80fdd57df651bebcb7109253a30da

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
96KB

MD5
ef7b7c793738d1e666daa5cd05a33d18

SHA1
7d4ec018aa9a92a352a0e57df0dc3571105af447

SHA256
80eeded318bb65abc8b97d00a296f16dde50dbd21a43fe97df335b3f47a6c0b8

SHA512
564303ff9da1a6f41e98016470cf0e34a3bfe48eb30b1d070c857a88ff7f39651712a9c55d96f80c053fd220939ac69d3e4226dd306aa48fd383d19155b7509e

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
96KB

MD5
f474fcd84c002c535d80398571268cfe

SHA1
bcba9121675e695c712e8d547d2f1a880c39a475

SHA256
9a86e0f9abfe77249c3c0ca35e183ccbc7c8e1ced4ee8337f2bb60e02f264a79

SHA512
78695220bac7ab42256e01f7dcb2477146cff63de689247557f14e42aaa4a485582c7e07e164a984c8d1af13b87745ddb20663ce93308b94925939838abd2ea7

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
96KB

MD5
1d899749d280190ec127dabaac3b7b96

SHA1
eb1a3e772a7c4180f87a0d98d3a3b24e620b04a4

SHA256
c4622dc4d53becfe7290045ae9006de0f13b7642096554f5593240d448a75e7a

SHA512
7623fc7f1deaa66f4d740903a31b980f3461b6c4ad8da545ac718103300d513de77b93fc9b603934bdcd619095b4e5f7c4d4d93fca56af813da8f2992d5c92ee

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
96KB

MD5
f593424a8f0a7aa80179a52bdb2229fb

SHA1
0834d91afead1470ba861e91bc3fa4cfe4af8d16

SHA256
99d2b2c37909a1386bec8364574b5006f309c71c4f6c73ee32ce022b5e124447

SHA512
ed343908deb6a055009eeb34e51801c2fbfd45397c8ae5bd55dccf264b8b73352a240ef62f58da5b55a5575b952aa3aa2398f2fb06cb11a2b5c66bad7b9cdf62

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
96KB

MD5
02886a5ec1616259a01007afa113aa8a

SHA1
77a0f6571b71706aeda19cd1b43962401f5447a4

SHA256
0d6e55f4a741d881a45a79875685ea7bd5c8f3ba1cb871e31ed165030c917c0b

SHA512
8505b437b55c10df39df156ebd3a5934014fa23b3e466c343a729e67e4a8b25a0956d4ee16ea0ca77a4575b893df5a142ded1da05e1db963fecc77527840a584

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
96KB

MD5
3005cac5b5cf2038e5eb899507f5b24d

SHA1
e5c2fec78666efaedad5a019b32632d7c8eeae31

SHA256
25745ca30e7d1832cb99db3795004972143c11798b88388e45b1a0ccc172f9a1

SHA512
0d86f2b5eba13aa4cdee30aa41118869b35133a50e39c139e071560346a9784d93c2346140b6e70fe66f67964ed05196df180495358446e86f896b7ca3e62839

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
96KB

MD5
bb2221dc69f94ec0ae007979a9b207de

SHA1
25f235161acf6a232cd126ddebad11ec0561a7cc

SHA256
c78270f2bbaf8301dc96d4dc9c2b5da0059581e81b2a764187dc694976628a84

SHA512
cc72145beab976c6d6a47632eeea9b973fa171f70bc7942b045d3d136065e30c90f8b0e513efff0422e1382dd61783a41249925215bbddfb6e8442b31aa0187f

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
96KB

MD5
a09891e2c409d6d4fb20c078fd458f4b

SHA1
04cad491815ed68ef01eff052a560a836f2036ef

SHA256
bd427070261ff349a2da2acc619a5aca202f4e440430bc69be7a230a0879e2b5

SHA512
96ee18f52f36e6bf1d947d8aa22af86953845cbb9deed9ce5d8cc2e9392faac40b879fa1d341f9a02e6f7c98511baf4b7d4c48d2698330079842c7c30ac1968f

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
96KB

MD5
812d4df4cb054a1de696ffdde7f5e808

SHA1
786eeb1bf71fd779ebde096669249c04c480d4b3

SHA256
363923fbdb2ea2184baa63bd553067e5614cc44578e1316da01d747677717670

SHA512
449b71f42692a3735b7c2d6a91010250476299f75ffa784ef6fd9c11325bdd5a401ebe0df7298efb139beecc699df469ee4432e12697c1eaa8b2661a5eeeba08

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
96KB

MD5
2717045d93b0c85c333b94cbb5623dc1

SHA1
4b2014e4b1eb02c726fa723a3522bf250f35db63

SHA256
9635a628fb5f8d5566ca14517ea3e5d9c9e817feeccfa9dd6dad116d0eb386a3

SHA512
94d13c66384b98417800a8d5978cb197dd547e8cffab472b217157a4b58c8e099781f01228a70fe45edebffd92106d408106d9d0cb57a306414d534f0414f55d

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
96KB

MD5
8b678896ca7f753af34b134663f6330e

SHA1
b18354c2a098470941259aaebcfe91c06297e1e5

SHA256
5356b1b99115d04691113cf54a3e7a9a45866d85191536a815c608957b411d9c

SHA512
0c20f04b30ed2cc5acbbea56736b4bc6ee5ca4323fd271c38802628e0893016bb1966fa295df80baa9a5986056d981c7682cdb72a957154b933e19b39038a3a7

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
96KB

MD5
3dc33521efc519a310385f9292a3286c

SHA1
e61c2254e6391e3effac040b63a2f8a446df32fb

SHA256
06ed658256507da8d6fa5451402b7778ef51bf65af512f96b3e7218f6d4735e3

SHA512
8f28f9acf354a7a9b395c2610ae7ef43585ad186abd9d8391465ae5a8eea96ec80bb14e9690d1bbdcd63452b64ad57f904acab1d7015cc67c13f10fdae433aef

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
96KB

MD5
a4fa038c958d06ef75c59cce68301568

SHA1
ce30ad0a9f733b115eecaf6e6445f4792a3b1a8c

SHA256
0875caa3a89952c3f76febaa02af869a1a335c4d6b488e5d60aa29e6c720f35b

SHA512
04f9f8dbc9d7f9a7fb88b0bbcc56ac356c66282ab2ea67e5a3667cec7d9bb388b8e6394d01cf728b76bf110383611141b7a8fe08e09dcce9d6c7c1d009fb86cf

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
96KB

MD5
4fbd33d835ef1837406c1dbdbe5bd849

SHA1
3de595a085131e30a90e31ded79c540137a5ffb2

SHA256
b41e1095fa2a31d5c4f95827eee59695517f7d53e336b3a28792272510c357f9

SHA512
9eac4b0e225ef62715f71723bd0df7acc5067f4aed247d17daf46ee0c6c910678ac39eb0f24e2c83a55d0df859af63996fcf8b3084165a26756905932141ca72

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
96KB

MD5
b040544ad770883318543fe1748f9924

SHA1
d7315b274bf792175af385a7afe05478164b6719

SHA256
387028b06c4d933c165e994954a41189709f327ad1ca9d710450a7e290229984

SHA512
f9f7665796a061573eb0fdbc37aca6cccd957b26a680add74f17a3dd9d69191c823afefee0d0a172e076021ca0e66b65a9b05f558239f41844acdc769eab96b7

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
96KB

MD5
ef96dfd2cf85b17985f8a885b6aca0be

SHA1
ebe4ffe3bb74307f3dd8a659602c267e2fffd127

SHA256
29513fbf7e143546932d98f0959bbb0aac5835daa5d4590a34af811f2473a374

SHA512
13208dad54e857581c7621f095e2fda98eea67fc041049835ee4ce526983345519ba04a18fced87ee611bc3c972776a79af269a8523cda5880762ec9354596ea

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
96KB

MD5
bca7783d1ddb47295f7b8a52f58e7b03

SHA1
145b46b498fbbc651e82deab59096c95b82c633d

SHA256
7735404c420305b6c08c6a665f8b3ff1a86d4f3c75e60160a52454603b1d258a

SHA512
045c636ea64e5501d71afc314d3032ae8ac16ebca3d80bd807f7a06f7ab43ba05b41068ba8e007a891f7dbe33eac23cb85c3a4a62719e146aa98a3cd192e78aa

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
96KB

MD5
6586b581df4e6e43c13f3bcddb7ba8dc

SHA1
13bfd2ac7f48135e0da566221cbea1b9ec9f4750

SHA256
7635c619615a0ca0b067ef939d6093810870b564497eac8b9bda0eb709632b80

SHA512
27df7e949cea881d585d7d3f9cc418c8f0a164c2c2eb70d08aefc7928be3ab17c604acf5614d05ff32252438f06e7fcbfd81c6b0b76ca0d006d5d28d277c3408

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
c892ee3f4cbad9f14fd18d0d98041759

SHA1
a08a3b350aa24e4b882d340fa7cbaed7c14187e8

SHA256
49b538a41f2e11051316410bdf8cc8d0fdc235e2e4089c23af377edc70cd7f2a

SHA512
96f25cff7125886bb5f23baa452ec6d1fdadc3065c70ac363050b74eef5da1610fd7b65044c7d2b366f01b997fbf4c7cc86bbfcb5719c95cb4a34b708ceff246

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
96KB

MD5
f1657547370951adf0b9ebbd01fc70ab

SHA1
ea97763849357a931ede54ff8dc29d42e9fa9e3f

SHA256
24ec7dd9b1210fa448d0615ac9a62c0a717b9043e11c20d13c7c208239879cfb

SHA512
59667ef50c3df8a2f22a06984e87a60041916e525d334413c320dbe4f10cab2cb6deeca9fc8b8f3e6f5d3d39691ad7e1cd6fc218ca53d77a2354b4272ccf562c

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
8b762ac391daf9690554d536b6a77c0e

SHA1
9825cfe5f242e270d2ed07b7f88dacf86446a2fd

SHA256
f42a2f27850d320f94ce218710ecc549d0af0887c8fbc6c60201d87b815a08c3

SHA512
8927b3fc7a71dff33d1fd847c88ac85f75070d8f3923c7c887d80291d3dd7c0a9238a1caad658a04d6734eba98f0a546a51735478ffee318b6139425000229af

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
96KB

MD5
61de424bc5b4082ae6e28b9b9f2e3c43

SHA1
1973df01a22b887e736bcfc24647144de75389c0

SHA256
6e4b7667f32f8f12294440e82d4490466fad7c5546081ae95e26a46784821a3b

SHA512
1d0d3b1a8bd577e45975b95dbe027df38a0d5a2cdde0b62a8d4b566a3887084b90df1de0b3b672df03c4c0ab7c8612e274fa3781ac1f6023e9aa15e0e8c6dac6

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
21b0f5440a193a04bee4372ced1f8cf2

SHA1
f3eaa8fa2cb5ac255916e7f6aa1d8d381d7beb90

SHA256
d5127e78d86e6f22ccb3afc11605ed1da33adf3b06f3f2ce41ad10d48b2f1ece

SHA512
5158372b04a20d51731aa17315f5198c49d8a280c10331da9d6da0a0203628942da1fc8c3a9e67f2992674cdb632ce3f94de381b1bf231d3834c2e26726bcb0c

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
e25907b872c4c4a06b328e503e50650c

SHA1
c0f5b550cc44d520d0d12207335f4dd61d2a10cd

SHA256
b2c631822757ef261c935eddaa650e7199dd9a17266dbbcadc3b755bc96dbed7

SHA512
d9e9bb7c348545e39adfb3ecad436c25119c60a08e34a3b57435c9d6e9785e849baec1062f76df04916d97c5fea7d3eac6d37cf3af2607f3844c8435142d0244

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
73e1f550df76c787acb0f0025e89d9c9

SHA1
09bb24d9dab15f48f3035f7e071d3a73af579f4b

SHA256
bd1c3f93f0fad67a4cd0640f1109139cf4e77fc17e06b2476bf0ef8cc0f50501

SHA512
398e61cbe1527510e2b34974837a453ed9bc7026ddf14de034faad84be3b9f023ccbebef70ed027fce632a9ac8d48c24a4db5f91ffc01549e08dc3988c2b5620

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
88a16b6aa0467098606ce3f167cbbb1b

SHA1
3503c486d3a4dc70e2ba690085594f38e2f45fc4

SHA256
9d4f82850317ebaa8ed97bc87d6e371073565d9d76e8eb077545edff9056406b

SHA512
766c66cb723a43fa265097cd692f099ec73cf66c79056597f4ec4a1223e2a6dbcfb577a84005555aee741ed954686829e25011935ae9f24679c2077e628a509a

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
96KB

MD5
3bf15864e5ee4729ab2208257521f2b0

SHA1
4a8ede596ce80a28093d29fbc5ee1a67dde22ba3

SHA256
3e8d1f8946625e4a5cff5fb72e36f6f4ea43a7f01b0e8fb85edb4ad463529031

SHA512
a84c0815ad98abccb702104a6f76aed1e8ff836ee212e2d9a4e6ab08b6ed219c27ab166534e911a501d6eddb9e4609306f5598fd640e00f0ea534604aa25abc6

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
c8c2c2206017d9e42272b3a37f3b660f

SHA1
016a9cd8e69b64c751ae99f3a21c361f8c838494

SHA256
2bbb8e1b336ea4a67b35a5bd03a3ad03ba5aa597f309a853a210f6e4b8657022

SHA512
4e73fee3560367feb42117666e52aefa741a76fba6974849e6bb9f7de81daf6f5bf66f54002989e9680f99fce4cf801c4d1c0e0b3decf0df55fdc6e8c303d821

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
96KB

MD5
f15f677f064c6858b36e5ecdc6642d8d

SHA1
9d18f8ab32f9cd5443dd9d7265a2ece5e233c59d

SHA256
6fac6ea7cae9df2ec63e0d22adc997e3c0dc0ccbae783fb7463b21caf5c76559

SHA512
41b233ae137d88e5d254563af1a25afec5b99d09cd89bbf45de34025970bb02ac6104ab51ed7ae5b8d86a764d5df614e22d03bab995a15ccde9a37fe8764ab13

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
4323f591adf8dd497e79f9cc153ea21f

SHA1
ee098323108acffadffbca63b26430d68249e553

SHA256
f6154e7a4f08590ac68d0c8dccfb9db6604988ffe24b1c0c88f5ac875308171d

SHA512
87f2e7415f0d071f907da2159fb97ba82d89f3a5db8d72f9b8a3bb8d69effbed235dde9c245bd0dbe1bcbb01209504d3f1283660886e2d5c1bc1ba27a7ab59cc

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
186f6662872cbe3bd998e90159a84989

SHA1
72e629e022e9d5c410749a0321630de111af4483

SHA256
c777f91d432756572c1119913ac28e09f6250c536e513e36e93758c39d93f818

SHA512
18c93127372d908be615b3f755b97496243c6a0bdfbca1ff5d76a9a59a98c3d683762b1d5da4c0dc421d422929bc8916627afa65b4a05cec96cd58c9b400dda1

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
ec4c130db8ba7af78d8a3f29d5e712ba

SHA1
f222149d3762671bf1a6de5858955fad03458519

SHA256
2f732a8217735e7f9befcf6a998e5f3e7dde255fdaeb6b859cd69af95a147b99

SHA512
709d7121dd3e1c19baf1be360dd386e143120b4a1c404ced2ebac7dd3bd39e227401877ed8cb6bd36d7878c3de9845d0262a3c820cb2618d99b65a48cfcd46e3

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
79d35a423db6bfef184a984b517bf132

SHA1
0c2154cb2db8d16c85357147260d5e6e9dbed0aa

SHA256
c85421178ac7dcaf7f7aa63d29a19087b1c88b6c2bb5428f9cdee7d7d4e5baea

SHA512
b0c4ea3b1fa2be2a2659646a6957dd97b2d4bbf099e56e41d85c81925b67cf1a37da0c459302f3eadbcbbb74ec3c9d1692f707fff0dfa9057f3408693573b50f

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
96KB

MD5
005ca84fa3b7d83b0ee3d18020f8de53

SHA1
815f052c93fe69f0dcb14cc462fee4fe81d1bdb8

SHA256
8a6ca0383bbde1a97e04f2081dae88d4509c79fb558ed6cd0388b1cf3b8ea4aa

SHA512
cfb3c9ad595cce13b80b33345560ea68f9235c6840d6d032ded4b83884ba9806e1bc205d25b3b4a0fda30baf6313f0dff1cc7c5fe29522503f3224c3e44efd58

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
96KB

MD5
2bb63f0191171546ae52689d59987e86

SHA1
e5e9c35c2390a28d22c2caaaa3efe999a7e0018c

SHA256
35b2a12e13323f65974e5f2e7fec4e811e3d8ce681efec5ef8b9e75295c7c6af

SHA512
ed39f6c9e3603e4472faefa763ff39795c1d431af7440edaac2eaa52a8fae0827852003b7d8ff24624f950396baf389bdef23e1b41478beea8a7905d88db8f74

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
96KB

MD5
48fbd6ed3bbc28863fb5f286bcc3235e

SHA1
457cbcf6262b35f82d85b892bcad661960c9f6cb

SHA256
9eb68fc36d298456f7ab83298135935b0ac85e2b445cd12e6bef3eb5fcc878e0

SHA512
bc172c27329fd92d77a52783b22d7c5f1cb263b987b87d693d47f40848c62452887d10e68ce010fd83171dab5ffc28ab4a37b93e5ecca35e1957f7da2d02b624

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
96KB

MD5
de6fd2682f418cddf9a2727192d25bd5

SHA1
c11331ba284e7b05ac05255ca90bcbf9b46d2a06

SHA256
10b80c18d91c08729cb0e363eda411c40e1dd38f6772b12d093eb99fba6fa0f2

SHA512
85b50504f05757e1b92981730229011b477680d5f975b778a0f95f26508de2b363c2dbd3990b8aecff884983cb520f083a3ab68365bdae60d0035b46d6cfa58a

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
e5191d3c041232f32457d1d8cc21f5bb

SHA1
478056cefd2780e33e227eaaa26c6845afcc9419

SHA256
ba5dfe16a39502708c81cb9a73a2019833e51eb70a9c24f19e62816a7aa619b3

SHA512
4ed9c3f9910e580c20a1d60f199a459a871cf021caec6aed06f2b6a666cf63d4eae537c6900a04a35761af92ae8b749375437eebd0e72c2cd86ea2e3faae53f4

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
932a692bb228eeb28b6cec214c13c5c7

SHA1
0fa43290530661c5516aa60ded240a5bade4561a

SHA256
e4ab2281d7a77bbd423a7c34181dd4579948eeec9ecaf049bd40bcb13033deec

SHA512
c58f4527b9da139c047627a83b180ff1eda0d0dbb740f11f6fd029dabddbefd18fa888c026254a4a229e1158088be8d781ec60fe098fa5d4cddbf1bc2114f79f

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
b2e4a3fe5cbff07429549420c855f541

SHA1
1e78f0d6c098bc01a74d923042033975c7ce8fc2

SHA256
19a52314ba95f4429f34641f3dda18bb9f357e8744599adb6e05b182eeff8e3b

SHA512
407d86e42fa0b6ecc6da46b6f4fe983d5c22cfc606d861478b90fb6a6da87cf490393c73c3be8df8c67ff36c11eda44d6e94930b01ae24a907799989af92118f

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
a1a5e2aba66170ee8adbbf37ae3cb8f4

SHA1
049b7dccb2e98dfd5422e048b9b10393688a8eeb

SHA256
b4f423107987570261d018e441bdea35cbe47f1d2ce609e86a26900bd7df6d67

SHA512
50231477cbe489bceda9e3fad29823c54a0fc5020a157a6a94b3646246b8be03668e8c9a133b1ca2e2d310391146e08414c294e098408eb64251d35c1ed299ff

Download Submit
memory/228-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4820-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5564-1562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6256-1550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6696-1531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7092-1513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads