berbew | 7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe
Size

337KB
MD5

ed0eba22c4f2f13ea667653c28242160
SHA1

293883c049553bdedd4cc2b49b9245c6bfe77118
SHA256

7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4
SHA512

05f534c3b62c93640d94351545ae50d7b46bf1f9710fbd68031fdaf746a59230b0ca2ae8cc886d8e98d7c9fe623dea04efb44c4cd70d84fb679dd89fcadd9604
SSDEEP

3072:309MW5r8zGKahLbWdB+gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:FWPwdB+1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbkaako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glhonj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1592	Ekhjmiad.exe
2308	Eabbjc32.exe
4512	Ekjfcipa.exe
3224	Eepjpb32.exe
3172	Fkmchi32.exe
3940	Fdegandp.exe
1844	Fhemmlhc.exe
2440	Fbnafb32.exe
2256	Fhgjblfq.exe
2336	Fcmnpe32.exe
1472	Fdnjgmle.exe
1056	Glebhjlg.exe
336	Gbbkaako.exe
1708	Glhonj32.exe
1704	Gkmlofol.exe
1232	Gfbploob.exe
1516	Gbiaapdf.exe
3812	Gcimkc32.exe
2968	Hkdbpe32.exe
4340	Hfifmnij.exe
3192	Hobkfd32.exe
4308	Hijooifk.exe
4268	Hodgkc32.exe
4992	Heapdjlp.exe
3660	Hbeqmoji.exe
3928	Hkmefd32.exe
1964	Iefioj32.exe
4912	Ipknlb32.exe
2648	Iehfdi32.exe
2208	Iblfnn32.exe
4664	Imakkfdg.exe
4344	Ibnccmbo.exe
4984	Ilghlc32.exe
2684	Icnpmp32.exe
808	Ieolehop.exe
2612	Imfdff32.exe
2272	Icplcpgo.exe
3600	Jeaikh32.exe
1772	Jmhale32.exe
928	Jcbihpel.exe
4896	Jfaedkdp.exe
468	Jlnnmb32.exe
3932	Jcefno32.exe
3332	Jefbfgig.exe
2680	Jlpkba32.exe
3160	Jcgbco32.exe
5092	Jidklf32.exe
3444	Jcioiood.exe
1300	Jfhlejnh.exe
1672	Jmbdbd32.exe
4572	Kboljk32.exe
4044	Kiidgeki.exe
4060	Kpbmco32.exe
4316	Kfmepi32.exe
2280	Klimip32.exe
4424	Kfoafi32.exe
2240	Klljnp32.exe
2860	Kdcbom32.exe
2480	Kipkhdeq.exe
4356	Kdeoemeg.exe
3520	Kefkme32.exe
2628	Klqcioba.exe
2092	Lbjlfi32.exe
5036	Liddbc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jcioiood.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Gbbkaako.exe	Glebhjlg.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Gkmlofol.exe	Glhonj32.exe
File created	C:\Windows\SysWOW64\Bkomqm32.dll	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Jefbfgig.exe	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Njohbh32.dll	Ipknlb32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Oijgnaaa.dll	Fbnafb32.exe
File created	C:\Windows\SysWOW64\Nabqkgan.dll	Ieolehop.exe
File created	C:\Windows\SysWOW64\Bagplp32.dll	Jcioiood.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ihjahg32.dll	Glhonj32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Fhemmlhc.exe	Fdegandp.exe
File opened for modification	C:\Windows\SysWOW64\Jcgbco32.exe	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Fhgjblfq.exe	Fbnafb32.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gfbploob.exe	Gkmlofol.exe
File opened for modification	C:\Windows\SysWOW64\Hfifmnij.exe	Hkdbpe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6984	6780	WerFault.exe	284

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfbploob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilghlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdbpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heapdjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcimkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehfdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbnafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcefno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glhonj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heapdjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docjlc32.dll"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodgkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcefno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieolehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabqkgan.dll"	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophfae32.dll"	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1592	2160	7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe	84
PID 2160 wrote to memory of 1592	2160	7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe	84
PID 2160 wrote to memory of 1592	2160	7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe	84
PID 1592 wrote to memory of 2308	1592	Ekhjmiad.exe	85
PID 1592 wrote to memory of 2308	1592	Ekhjmiad.exe	85
PID 1592 wrote to memory of 2308	1592	Ekhjmiad.exe	85
PID 2308 wrote to memory of 4512	2308	Eabbjc32.exe	86
PID 2308 wrote to memory of 4512	2308	Eabbjc32.exe	86
PID 2308 wrote to memory of 4512	2308	Eabbjc32.exe	86
PID 4512 wrote to memory of 3224	4512	Ekjfcipa.exe	87
PID 4512 wrote to memory of 3224	4512	Ekjfcipa.exe	87
PID 4512 wrote to memory of 3224	4512	Ekjfcipa.exe	87
PID 3224 wrote to memory of 3172	3224	Eepjpb32.exe	88
PID 3224 wrote to memory of 3172	3224	Eepjpb32.exe	88
PID 3224 wrote to memory of 3172	3224	Eepjpb32.exe	88
PID 3172 wrote to memory of 3940	3172	Fkmchi32.exe	89
PID 3172 wrote to memory of 3940	3172	Fkmchi32.exe	89
PID 3172 wrote to memory of 3940	3172	Fkmchi32.exe	89
PID 3940 wrote to memory of 1844	3940	Fdegandp.exe	90
PID 3940 wrote to memory of 1844	3940	Fdegandp.exe	90
PID 3940 wrote to memory of 1844	3940	Fdegandp.exe	90
PID 1844 wrote to memory of 2440	1844	Fhemmlhc.exe	91
PID 1844 wrote to memory of 2440	1844	Fhemmlhc.exe	91
PID 1844 wrote to memory of 2440	1844	Fhemmlhc.exe	91
PID 2440 wrote to memory of 2256	2440	Fbnafb32.exe	92
PID 2440 wrote to memory of 2256	2440	Fbnafb32.exe	92
PID 2440 wrote to memory of 2256	2440	Fbnafb32.exe	92
PID 2256 wrote to memory of 2336	2256	Fhgjblfq.exe	93
PID 2256 wrote to memory of 2336	2256	Fhgjblfq.exe	93
PID 2256 wrote to memory of 2336	2256	Fhgjblfq.exe	93
PID 2336 wrote to memory of 1472	2336	Fcmnpe32.exe	94
PID 2336 wrote to memory of 1472	2336	Fcmnpe32.exe	94
PID 2336 wrote to memory of 1472	2336	Fcmnpe32.exe	94
PID 1472 wrote to memory of 1056	1472	Fdnjgmle.exe	95
PID 1472 wrote to memory of 1056	1472	Fdnjgmle.exe	95
PID 1472 wrote to memory of 1056	1472	Fdnjgmle.exe	95
PID 1056 wrote to memory of 336	1056	Glebhjlg.exe	96
PID 1056 wrote to memory of 336	1056	Glebhjlg.exe	96
PID 1056 wrote to memory of 336	1056	Glebhjlg.exe	96
PID 336 wrote to memory of 1708	336	Gbbkaako.exe	97
PID 336 wrote to memory of 1708	336	Gbbkaako.exe	97
PID 336 wrote to memory of 1708	336	Gbbkaako.exe	97
PID 1708 wrote to memory of 1704	1708	Glhonj32.exe	98
PID 1708 wrote to memory of 1704	1708	Glhonj32.exe	98
PID 1708 wrote to memory of 1704	1708	Glhonj32.exe	98
PID 1704 wrote to memory of 1232	1704	Gkmlofol.exe	99
PID 1704 wrote to memory of 1232	1704	Gkmlofol.exe	99
PID 1704 wrote to memory of 1232	1704	Gkmlofol.exe	99
PID 1232 wrote to memory of 1516	1232	Gfbploob.exe	100
PID 1232 wrote to memory of 1516	1232	Gfbploob.exe	100
PID 1232 wrote to memory of 1516	1232	Gfbploob.exe	100
PID 1516 wrote to memory of 3812	1516	Gbiaapdf.exe	101
PID 1516 wrote to memory of 3812	1516	Gbiaapdf.exe	101
PID 1516 wrote to memory of 3812	1516	Gbiaapdf.exe	101
PID 3812 wrote to memory of 2968	3812	Gcimkc32.exe	102
PID 3812 wrote to memory of 2968	3812	Gcimkc32.exe	102
PID 3812 wrote to memory of 2968	3812	Gcimkc32.exe	102
PID 2968 wrote to memory of 4340	2968	Hkdbpe32.exe	103
PID 2968 wrote to memory of 4340	2968	Hkdbpe32.exe	103
PID 2968 wrote to memory of 4340	2968	Hkdbpe32.exe	103
PID 4340 wrote to memory of 3192	4340	Hfifmnij.exe	104
PID 4340 wrote to memory of 3192	4340	Hfifmnij.exe	104
PID 4340 wrote to memory of 3192	4340	Hfifmnij.exe	104
PID 3192 wrote to memory of 4308	3192	Hobkfd32.exe	105

C:\Users\Admin\AppData\Local\Temp\7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe
"C:\Users\Admin\AppData\Local\Temp\7c5054944d2de23dfbda9b3e72f6e3c8110ebb9a0ee3be4589518cbff5c97ac4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Ekhjmiad.exe
  C:\Windows\system32\Ekhjmiad.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\Eabbjc32.exe
    C:\Windows\system32\Eabbjc32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\Ekjfcipa.exe
      C:\Windows\system32\Ekjfcipa.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        31⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        40⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        42⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        43⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        45⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        54⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        56⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        57⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        58⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        60⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        66⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        69⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1520
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4680
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        74⤵
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        78⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        80⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4564
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        88⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        97⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        98⤵
        
        PID:984
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        99⤵
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        102⤵
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        103⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        107⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        109⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        115⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        116⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        119⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        120⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        121⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        123⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        124⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        128⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        129⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        130⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        131⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        140⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        145⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        147⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        148⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        149⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        151⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        152⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        154⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        158⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        160⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        165⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        166⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6772
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        169⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        170⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        171⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        173⤵
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        174⤵
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        176⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        179⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        181⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        184⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        191⤵
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        192⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        193⤵
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        194⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        197⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 220
        199⤵
        Program crash
        
        PID:6984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6780 -ip 6780
1⤵
PID:6936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
337KB

MD5
0368579f7c340a750c1b522c4747f4c9

SHA1
58210288b4c5fe7d09f7f52678f70110a4caefb9

SHA256
e9653eb3639229b0f8df44de9effc04962d7f172689d4558f29a45641f345927

SHA512
7b8508e5ed8aa31f88bcfb57752ecf3e293aa58bb50f687fe05de1a2bdf5e174340446422eb19dfab7b417793ba12702743c595e7fc7eb3822e161d0f48e9261

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
337KB

MD5
51a43e2b57814255c881c202872daafa

SHA1
49abf1dafc55d0a3282da5d95198eafd92db5be6

SHA256
9acc5dd657083772e061013311c95bcbf28e75224a7dce2a33ea1d2437a9a1ea

SHA512
deab91932cccb527ffff248f285e034381f70f8bea95f9f811cdbff7a60f1154a9e4ef784b9b418cff2471ccb54afb683a4cf69765e01eba31d88a7fd13af5b3

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
337KB

MD5
f84a97c875d5210d253058fabfb5024b

SHA1
22156010711a0d1dee607edac13d1c7849dbb23e

SHA256
0ada9e161e6c2f405790fe56f3e286ecf9301ce9525a13377752fa148b7409ea

SHA512
0a0547cb62160aef9714805511f9ea8117203f508a7c750a9a8da6552188d009dd3c765ee0c8c6bfdd0d12526f37ba07cb60ad350d49de1f101df07a90ee6e0c

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
337KB

MD5
fe1b856e2af4041066600f9e51838e92

SHA1
bdd249a4b4ef0b071f61bd61d80033d34f000aeb

SHA256
c7c8fb5d3d0d56d0e9c3be52adf8a1ed3aa5dbc05a91fadb19484bf65420a0a9

SHA512
2c67735d9bf5b5073c7d7cfdb55396ed77e70f6f7f1f0c8631a685bf966cb900628f28dc1c9ff862d675d6f5911c8879171cc80aff9894ea867b5a14e8c5d785

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
337KB

MD5
700c1c536d78b45cedb94a1e1df944c2

SHA1
2542e919fffded28539b965f6505a69f58287f22

SHA256
7c9ce926dac9a20c2493a69d8510cc8ecea1b08e31529f1764a16ce16c4caaf0

SHA512
bc32a47c4b7d1113d5140dd615cbed687b1ff668faf0df2abe6cf0d6ccd86e59aa629862ed8424d12193ff16d47f7d90a1491f1c43edc4b93886819aeda28f57

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
337KB

MD5
183cffe070bde97dfe79eb590ac986bd

SHA1
e8d081d27929001996b26963707208047cefd81c

SHA256
88ad114e25cfa47f3c5c7602f2c70b97648f40bceb04e0dd56b4fe22dfb04db5

SHA512
0845e087ee36b02b7d23f3b18434b953be426970b0a4a07ad7022dba7a94b13f89f30b40f4944e8599989d2fb4af3031a601f781a98717bd3f248c897cb4f2c9

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
337KB

MD5
88a5ac6ebdc7d2c6cc718305b4ad0352

SHA1
caf8f36c8216a8faab22b4b06d13a85911e58daf

SHA256
3c3635b6cccdaceb22372765897062b33c7de617fb38cb240d37492c343b0706

SHA512
9bd40a175a06ee05d8e367e681abcceaca0d83b1e43b9b5b240dbe877cb742edc0f2939fa2acace17eef164e30d6dfdc5d2fd0dca26a945ad135908b45e34ab1

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
337KB

MD5
a78114bc778b45919c065f0a2b2c9960

SHA1
cc6e40de2cec4bf95c71ee091744275511edc2bd

SHA256
b0300baf4631800ce744ea94c3724087fdb0b127825d90c844590ec7cdd8d773

SHA512
0aa6d274842a8fd1b4439b4a3b88fb21f1c041e63da6db2c5dbbcf0f366cef3857b5dd859a6eacd2398d949cebbecc42ea8f4fc8c4f3d56b9d2134697c4b0688

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
337KB

MD5
0fae20b1d73d622b4f33cc689e970e21

SHA1
661b0280d76380f095d8dae54166609140060746

SHA256
00c0dfdb38ba49ffda450e827750806def33788013141dfe15fa8353313b638c

SHA512
b0faec218dc52e17b891ee107d0c86a80ecca306d87220aa61ec3c3b618ef16356c25a1501ce8eeda1f85cae7479a99b5e0a839b12150042730c477b8b86443b

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
337KB

MD5
81b366ec18689826acdd074d9ea7bfdf

SHA1
5752f1158f6c5a45c446692ba2473e95080917ee

SHA256
63ba38b5b85d413bda36a66e0da19ef3f0808cabe7a9ab1b0d1f1b816e10d03c

SHA512
9ca2f08f51e35d211a3b4166aec5d6d75e413c71ff8e5a55f08f66630f91b1aaff38bfd46d7f56393df06f5d93f75f2cfd8f0d664f07c6457c302f30456ca84d

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
337KB

MD5
e19c8accf0b62450094eedd1c8f0fd1f

SHA1
73874f143e071b648edd46f6e8b062763147b773

SHA256
e14ace63d52f7c6544d41c2013b221d31307d286cc3308df743398934021b68e

SHA512
1bad6cbf65b69774c948d8aae0417db190785935afa9c87c10271a601717f724b3667ff4c2a118ba8d08338927daf9c58558f54813291bff04ef08d2e40e80ab

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
337KB

MD5
238a9c36ae83652f6d6e73b037e7c678

SHA1
05d1adc86734548dcd34a416ec8277b10c5dfc05

SHA256
8b8363503eb7c76bd3559fdf63e52fd9c347a9691ca62adaae5a4522789fb7d8

SHA512
0ad93a57d29c4059dd8df5fba160fcdc758db25552815dad5b4d51cc054a3f3529ad70ef6b3b29f7ba83d76e585ad63d35a8227c0dce45f08672e52da947a8a3

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
337KB

MD5
80dcbe03c3848a17b6c5a7547f8b33b7

SHA1
92a89e48543aa2fa387b4a7a62e2e6b79c254635

SHA256
0270db38db0cf73986d962267ade7db223f2a01e7f011e78f4889b75f45a40d8

SHA512
e9592ee826b0e228016b1637419a2e4974f5e682aab73da1d9b3a65ea41281699031724cfedffd9dd15c7cfac864a2b267a6005cb23cacae3e39b74c2f416b71

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
337KB

MD5
1f2238d511e9596ef759ea21a81ebd3d

SHA1
40cb86d012d076ed563e6d5f9246d79e6327cd76

SHA256
ff43fc1135a2e5553e5b69929a1a521693ca05cc80bb67bb0e57a7eec4edfcc1

SHA512
f302af3ad0192509a99784ada0aa3f8ccac72ca185070c9a5804e22501d2cdd554a98e49bc27822e8b2488d15f82cc8cf6782a8af1246fc589c37d52a9b3884a

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
337KB

MD5
d3dd44745bea66ce3866363a45191b76

SHA1
19818f4738b1e3ae5cb15c8a4df1ac81de3e2b89

SHA256
dd1917fddaff91b1405f94d0e4bc1281c0a599fba7fac008f6312a924b89dc68

SHA512
d690f8181d876c102d5b5ba31724c2a6ad4aec210b098aea4b5f06679d9f6ede6f7e3eb50aa953fcd1afa6e128a2df15d1065e94908108a8f952c8d6382ff5e7

Download Submit
C:\Windows\SysWOW64\Ekjfcipa.exe

Filesize
337KB

MD5
079c4e6c6144fd55658b423d009b8e8b

SHA1
d14f3df7f8eec43cd2d2b20a912d04b6187af1eb

SHA256
2fb81fc05b3092387ae0fecdd9744796b6a95f06b8dc2334402f091b2ce44a72

SHA512
dc15f15e44720e3c4cfb0101ed3afaacf68e79cd3da81d9d5e0508330316fe22bb67ba961e6307f6810c2c46de6763ec8d34c7935c7e1419662ee81bf6d30bff

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
337KB

MD5
d189694094e8dee58c2177bb1d2eda9a

SHA1
f070da247d90109e2d41299d5c352f74faffff11

SHA256
7dbc74634d656364ae29f25d2180e1454d3f3b483ef0c7d9f431c6a9499a9b5f

SHA512
b6cda9473a3c279ae1fc3556ae19c146b3c3ecef3af5493e4f71f6163bf2be6d9acfdee2bf306e7c7a9f10036db9e602b4cc95ed012cf8e94fb61cd59d6aa495

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
337KB

MD5
44b6bb9ce98bd35f49f710a855073729

SHA1
e2c0f68c51390cf936858fd81fdf166bb1ce9f6e

SHA256
514002cb6d624530df54ae491ecbfb2fc39a2853e80ef1dbbd1b259cb9bc8c2c

SHA512
d044ec9cb5a97d129573a037b3fbf171753b1cbff39e00a72fdc337abd8d666f5553fc7ac0585f55e6328168a650b13e476c5f5d9d8c7933b9f0a0e28859c64b

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
337KB

MD5
443d8fd404dfb37775ed11468c458940

SHA1
94ec801c4899d3289d32c4a83a42667938c79109

SHA256
b472ff3c86b597b09b330d903329494627c979ff12b43cb2ecae55ab74c746b5

SHA512
7eb96d10f0864d676e389933c51a7191dfb0f59c0da6ef54ba59b5efa221c5a0f1612515c212768688a7d77d3cd23f2c15a1647a93f96971defa0cd027dc65cc

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
337KB

MD5
3b0f232faf146da0b0aac404f7103a98

SHA1
54202cc019b566470da641411a0392105ae808b6

SHA256
57c80c1fbe06387800154a6702068ec3fd5c3cfc0d5542c8d90500310206af35

SHA512
0cca7ea6ca054ee930998cb2ea1c6b7c0dea9dfe98c3127bce5c8e7d9e66e51392ba6be85b7cf2844e76e850c576b3bf3d4e9f3c57881069b4311ca1f640b235

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
337KB

MD5
c4ab1f52a5f705c4af4980565397bca6

SHA1
062e11f022da53adaf9f51454e91a943ccaee384

SHA256
076e76ee6a8f02590f0307874cef1bd4cc408b9203ac4c5989712b9acf8b29ea

SHA512
4e4f1da1fc042fc31497db7a9ff47fed2e4581816142f8d24a9f863ac5b7f419f90d2ea0054ff2463a0c0a69ef91dededfad811f97b78215a3e2155e9ba3352a

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
337KB

MD5
d1ecad7006a7128025a180dc4f5e5dec

SHA1
a51c551988bd7a20ecae395ed9be674260c981fb

SHA256
462d3d01604b18bd5f401b11b1cff8a1ac60681fa886348cb0afa1c97dde7929

SHA512
8003cf2eded2a12e2aafbc3462f720ca74acbe305748b32b5c04bc2219bd6c3b443b40eb56471de2c2c644e782539c31f85c8fab6d8c80fb340bc80c2c7b54b9

Download Submit
C:\Windows\SysWOW64\Fkmchi32.exe

Filesize
337KB

MD5
2c8cc48c1248c455d2fc40bc6b4e19d9

SHA1
9dc966e1605af63d2cc5d657ea7647df24d6b672

SHA256
d19d331ab867cb691ec9366e337824c0a155498a80543b8bcfa3fa9873f18f91

SHA512
2320f0dd6a2068f3e8062d34fc8df5b4a622e014d75afe2176cb3b6b00d7d8c68b32cd65350031adb98c898778d8849374d164c76e4753c288a5072d7e28fb9b

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
337KB

MD5
282163024311a00d1c3526ab423a98db

SHA1
cdf30db1a6f520751c13de0892cc606586d0110a

SHA256
dd7d242ecc74f5055e3cdbb9ad28faef6c8e07cc34afa163ae8f4a02f703c9f0

SHA512
e29169f1953b4cbc6c32a331f77c632803343dc68521ba4b3c6e22391dd26f8f1972f13b5f22cf9aaae7ef50951d93f398d6b19199430087b72bf406b1e6f9aa

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
337KB

MD5
28d5a7c4722d150751e67e54ea9bc644

SHA1
d36440ae0cc92d336698913c2c120ba3d18f9fbf

SHA256
524e165670e2c380e7602b0653ce8b36d56cb64fe5cd336fa40d3ca748e2b674

SHA512
c422b86ac7351d5784f68b4eb09353fd8f87ae0c045d6991e0509516cac777c2243d8fbe443af8e99a0129a1993dbbd0e376af1144d73c6b23704e312a6b86f5

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
337KB

MD5
09e7223e530a0b640059cadc2118387a

SHA1
50aa67e964d473548c9d9193dc54dce0762990fe

SHA256
713bc16e086512b92859a67c98f212b9042605fcc30544f289f626157b6728b3

SHA512
cab561cea918a226ed6c7d7d96b5cc06cf76bc123db92116a590cf150ffe8f56a2a89ad9bbd22650fe661508fdeb17eb08221d69902f4b5565daf839be5b9f7e

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
337KB

MD5
6818a9e455d6672719280d6a73c4588f

SHA1
af1c989c7e24f4d7125cae6d77b1522a54bd8e31

SHA256
e1dec42e0c500e149bcf586891a1b557d9599cc5eec84b3e9110e3a48eb944ba

SHA512
5a941807b3ce399641dcdacb3aff814f5f3c914df90d68a9401d085e626773c99b45eea7db0297a26c2e1906eb6b9875ba301c2025b48e10cf614f1c312c1baf

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
337KB

MD5
caf70008572326136b985823630cd38c

SHA1
8c3c72c33eb71b53707c84cd497a2d716219ae43

SHA256
6139216cc7adb1dc7bd3592ef96f123e3f270e0cc1706e635e3a2b957165f77b

SHA512
9c2f063df61b6837aa22332899ae82db04b173e0ae57d0139bf4653f5f6aa85e2a34cf156d30fd9ceb911035faa1a9b1abad3a87742f345711c48ebf8f5d5ffc

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
337KB

MD5
8f742d2c97d7fe7cd4887b0e3a931199

SHA1
c109dc62b65258c0eb3f32269dd743a177d75624

SHA256
85044242f5367bf0feb40afc63bbb8f8ef234a8a35a38b50914892d132614a66

SHA512
f516e708b803aa93cfebfe57956c944b8d5d939bef26446c29d0e42156bdf1990d4b86897fc1aaca2d646f634bae446d13ec098252d72ff8f0f1bf87ff433261

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
337KB

MD5
d92318e3b3708a0e1a89ae28b7f7ffe5

SHA1
2135a0009755eda2205ffda0fe09cfefa1764a2f

SHA256
1a01d3325bd6fba21ba260227d5fb2ad6a029391fc041ca5cb3a4ae1ee93892d

SHA512
3b6f5fe30d424053199ce67337e01cb05ca31e3a57da5fb66d6daba083c38568d1c87a6f9c63b86a6535a1dd4bb750a07c37176d7b729a40f4824635926d3edb

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
337KB

MD5
72047c266e38a07e1314243b048428fd

SHA1
1144c7ef0cdbe30018547e7ee8728a4901e6656c

SHA256
b23945bb200d7cc46f971de4f945084d898ed1fc0983bf4e8197cfe013316065

SHA512
bc352742e001fdf9a300d3806783de61d1717a53be6121f9ccb93cd03198c4b2f45922a36c331c14f21498162085dfe15e11f533380467dba21fb3e428c9c5a5

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
337KB

MD5
2acda9b0aef74e3fae5f6e075a48e924

SHA1
fb7e6408912fcc96c9fc8137af0c53b69dcc2e8c

SHA256
2543dfcf6c1c3eb52e808683355afef204d0fb8af888e2788680e52df65da3e7

SHA512
bc86d200d0950546e55aa66da1e15d08da49aa221b3bfe9df1a3c1606d8b4f0d2caa98b912f34359cebb11f17d5fd69fcfc6135c2ab09530fadab7c3fa9e6803

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
337KB

MD5
67a634c29ca374799bbb7165d9f300c8

SHA1
c659631923aeef71e0c94df2b135effb12006c9b

SHA256
8036827c442c29642a0298043401a33cfb5ee8d07c49755fb129dae86d899022

SHA512
5013b7777dacaaf18f089f708ff0905447adbc0f2ed7b64d4bb89db8efc197d24c12b0bbcb3cd874851d44c963f58e36d5a2daae1283f3ab27dae79888a09264

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
337KB

MD5
17147b2b5b7f73db09bfafd34a373bf1

SHA1
17a3822d19514ac908690fa43a1144513e1d8122

SHA256
ced6317b1840976125e2627e24dc4dc5beaf9a342d038f8dfe80ea12c94790b6

SHA512
f15fff9a18fc36ccb3e168bda945d05681e492e83f9a7cddfb307c4cc5d224d47f201def19a5f6849436a1fe8588574fb89251d97b766d2d7fac8153dd49ec8e

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
337KB

MD5
207beba35df1c7606bcf50645e4f51a0

SHA1
8ea9162c9275da078af81bccba3b2327b10d96dc

SHA256
2307b0eea40076b967bff077a66fdae852bb3f611e9775cdd449d3cf0735c6ff

SHA512
17ba14d315a8f32bf9b0d75e3076089d521c2e47f1bc179b88c9e57d2e315d7120302d125697827f90ac1a230c45e794b6f90e60f04a04f950bb8733eeab4eb5

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
337KB

MD5
aae7387fa1a0c71c6054adf2e2e4e775

SHA1
a5702d0859d6ce1ca313981bed74671cc43a6490

SHA256
072600d9e162fb91429e361168ac34edc8486c7c88a53f5da87910a831616abf

SHA512
a2c8d412b433812dfe2d34741951c31ba5da8c67e3c7d2f09094f93af559cc487775ffd554d29bbff6e93693d820bd7611d3c9038d624929ac041c0994e40b83

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
337KB

MD5
22c708cac520400fcce18a597ed52954

SHA1
82b975da32eb5d95db3b9854b4c5bb44248a2497

SHA256
a3343d349e0113fbc0f16ff74f2082c85d87ce2d3676498d96a3461a86fc4110

SHA512
c6f7adde220b499b54408e019660994f668132354fc0cf014a43c4bc9a32f6103509696869fe9fe4cbed19ea21595e83e55630a69fb2a5f485158b49f0b7a8bd

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
337KB

MD5
5fa925f51753f0c6dd30a3f00a7719ad

SHA1
8049ffccdf6781ebdcf3c9385be4b91974a57221

SHA256
abbc248561f40982e8f6be33cac986eefde05277460c20bba4bf78ed03a42dc8

SHA512
07e188454811ff9d0d0524b8752ea6b5556fbd47fd6cf09eae66d0b4441ae255e45a7bdb6134884200fb43540bd6a507e2c453c4254782cb1004ddc33e6ccfb5

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
337KB

MD5
4b21f6fe53880cb8e36c9f8a09b85857

SHA1
1e750c9d3aad3fbcdf3d1bde8709475708e5767f

SHA256
3f51f961230aade65e10caec0d225f11b635b21437a46d6792b0ccbb0e3e76e0

SHA512
21a193e736f5c443ea6ad30c503ed80e76fce132146a34993d74bbc7e43a0dd60e372fcc98802444a006534b75f51dc88e0f74872d2eaa9735133214a03ed4cb

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
337KB

MD5
40ed6fe2664d0ef308e8b2e7ea377032

SHA1
4c76433684a4a034ec5e261c1482f0bbab279dd4

SHA256
b823c06bd708702bfba21b301fd1a6ae5534121b658622d48353eee7e3b9e1f6

SHA512
45bf218aa052151cbf7a91684a7207074ead622aad63ed2e7f3bdc38baf3da8a582c151ec1952c907fc27f676c890b31f9613fd62f7851fee6f233c792190dde

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
337KB

MD5
a0c393db0a611dde3f05e6fda4767c78

SHA1
510624097ef26db84b0652088d8c552ee9e77a15

SHA256
1c5ea84414e2547d582f11a9f1c8893c95ff8600d6c5242b50e3ef1d49b8553a

SHA512
642557c88c0e0b10a60488b8929653c441b2c4970651e92f60105eec78c94560558d08ce682a1cbbba86e58142279299297f6b41a2075d5c9c3702b75033efa4

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
337KB

MD5
93d1c074135b9893216976528135710a

SHA1
18001373fc484c931085edc86c31562dfa720faf

SHA256
e3cf8f458468d749f5a697960a2f0edc4388b40b559e5be33a90f72778572984

SHA512
ff16a5523e01ced654165183e7ca999dc683a3d5240a7be564fc3d0aeabe9571012afa34f64d9302680db4232a03b9516b05ee09851276e59fd5e1ce0b254299

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
337KB

MD5
87fd8a52b2a746b00900366084f8fd71

SHA1
34e65ab9e602eeea6e2e7f1b3e701da6ae64ffc6

SHA256
dd2e8e228514ed9db2d9c56382c0414966664942cf38a881bd63c4b5e8b5b165

SHA512
29839a40851310e88d7a24154e23ed3015c8d10dee46d291a8a0f8e8b62fe4f593fd72f50eb94c7036c7d9223b3baffca8ebdd20e87dcd63ce994e916a1e4b92

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
337KB

MD5
b35c36d31d13b3cf4e10d8f447336cb0

SHA1
eaf027ab9986e30f95d8fb6ba7c07d2b35738568

SHA256
0d66d027729a081aa6bc1c4fcb6723583ed1ee4c7db9b34735f876c825adcdd9

SHA512
c9fbbb08c0d7f316a1eb526d1232ba4f9700d748d787b9f55c14fb3096f3174b11d2d6398c619a2e0cfe95099fbfd1ddafa257d9569e5859062a48f4fc039536

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
337KB

MD5
cffc81c47f1ecacd1adc52d128acddbf

SHA1
8de2e5e2fdef132c85373b184fe936f1a2544f66

SHA256
0c8eab8bfef1e0cd45e7224729b190a2d9813d1f5b4034046216e6b33b02486b

SHA512
aa0e52d80a6065b934b0c64bd9874cb2db6078895070635533b68c0e22fd6bda1e5950906336714ca1c0fca6551a6ecaa301da455df65d1fe2ab560ed61a7a5d

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
337KB

MD5
13a277798dbd7e286ce0aca2f1314f7a

SHA1
42ed7c6447efae95fd31c5fbd005e2efc1350e27

SHA256
8a83777efca1b22e3ea2eb9bc092061dc3a7bb0af4e7917f34ed463f0745c66b

SHA512
82f0acf7854752c4848c3bacec3327f7d78ee569230cb609b699bf6773d60bb1ca27371441bd20aa29277d16b96b294a729a50ce1e1ed717c8216afdf0c63a3c

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
337KB

MD5
c654ee136b8ae28698cb04287469cef2

SHA1
93f2f2c0fef1550d68aeb833245bbec142967dea

SHA256
81a3795840fa6470b59aed49f3903649b76e6530ba2b8cae39378cfdceee09ab

SHA512
73a856081b7c08e827c401f3d23ad14e2720a0d8965a1bb37f6e51aa73103f69534f024f87b9c9766a41d21ee0379674823f98671772ff650ca3122618346430

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
337KB

MD5
0614d365e64ab844d3ed2806c7579557

SHA1
4d1963bd476693657a5e6e1772166c67b2e07a01

SHA256
8232148056ea2be184226882ba3555aee10f47de8a77f5d135914ffbac14032d

SHA512
2b7ebc64840db96e581cb8990be682d8013e1509eb714dbbc75f838591e9e7c4d64b01b8126388dd0829f7d67ce0bc84b7f3249cee463f503be9686146330395

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
320KB

MD5
805a598d6c87c950b9a400cd652f37b9

SHA1
e26b52ea19cb9e2f41017dd186b2c3c692d5d0ba

SHA256
0aecbc9162dba166dcfd353ff26e2753b1b6aca9d18ebdfa1909ab8465b36502

SHA512
9486096be2e7df88bf01de8a355736c0d9e897e4fbfc601f3b09dc44883608af5fe4a60c7d6e95c8021d7fc0578fa4f4f8e29288800d23aa1839c76361c213c8

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
337KB

MD5
9e057c373c2df67e9498506f7510d513

SHA1
b6a4dfa47c0ffb247c138cad3ddcb4fef2c45ef1

SHA256
f458b014cd3cabcfe8780d8d204f4010ed4646ea2e0cd1eceea15cf6377c5ae9

SHA512
cdeb3c5660c79ae5c3dba504ea5dc919650fddceb1454c3791f30728cdcf4cc09298f4dd8953002d55d6bea957d974a499cc3b01cbffffaed9428e593bc1ad42

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
337KB

MD5
b964dfef6bb9969b8a46deb569285e31

SHA1
7d64c7ba49c8193d92ee154b05f0d6ed4831e341

SHA256
2d945288d921b668f040e2ec6c0774927aba0de1a274f43aaca2bf9d578a6405

SHA512
2ccc9ada341c1b3a00689a05524fd8495be52041dc7d70350fe8ac8855d5304e1432a1350d11765b32c50998ce8becba3074da4cc2e8056d14811364d328dd3f

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
337KB

MD5
2a77112ec51daf81809dfc8162c6f376

SHA1
6461ce3249db77a9b11408f0388597c348a65889

SHA256
c8fd052547091095cb1cc54fe324de056581f07c2b69c9e8d1090ccb7b42c7ce

SHA512
38d489f06663ccd06ce29c04a348a04d1c01bb7c05ccbe3090ab5bd82563d5251c435745b8053cfe6a4e1bf17e83d2a2bcd077cb94b3c3b8da594cdc87bd01d6

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
337KB

MD5
efce3b1e8cc50660abd5c1f5535dd48d

SHA1
213a37d7a444c77e83ba1e898482dc0f315fcedd

SHA256
610f0d72b729b531d5a6eb5f155558de3ef1096f2aafb5c0a946b64f3aec9011

SHA512
121d94acbded0a9079df6851dee2d89021311d3b51a892e39d6656bd2d824d0c8580905383325dd1e024e4e1623eb36c145c369ffc8bcfc3aa49ed1b33740c35

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
337KB

MD5
eccc48d80cabd898689a984daf83f4d2

SHA1
ad8df9dd41ee879d5d4c249a5d13fe9e5984bbc8

SHA256
57c2098f4f398bbaad92b5ec887b0262152a6e9c8e76815bb04650d55b194f56

SHA512
c6fc39ad9b2c8288eb36191beaac49a83aaa5fe6c9b75ceff9574c57abd1843f797cb9ccd0cdb14533705a257adda62c545b8e7bb4eec2b81a21dc2879a4ee5d

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
337KB

MD5
8afb124157b8dda58c965b0e22481e3c

SHA1
28706c546915386ec76c0f1322439da295eccc03

SHA256
1304c2aa1198b0432d44f8d5d6410ec9a658725558e6af920590b3e7b916eba0

SHA512
dc7e718c36e78a9186f6f7a7c16075f7a1471c3329907f6d7c91a04ee59eadbfc784ca1472f747143b624481c2721042714e542b2a5e1f6579b6c9166318402d

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
337KB

MD5
129ed8b8d6c7fe79d11ecd0db431f7f5

SHA1
e4e014416897f210c5db425246fc293830925efc

SHA256
3a39fe50164a56da96f8fc481eaf6a7c6853ddf929b64bdd3580c4c1fb8bf331

SHA512
3653dacbb97db010aad295bba71125de4df12acb9db1b88d8356db77fa29a76b93a759b70b65cc58aa4c0d88e72c954ab07f903b7da186fd3544b2a4c2ee492e

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
337KB

MD5
463de7020c68758d805f800500fc7130

SHA1
81a87473b0d0a9288ea3a480176c2576e50b3a00

SHA256
ecb69af148cb77f89d72ff027defbf499c4e67531985dc543ab5764434f273b2

SHA512
01ef1b646a782597efb5d915a02ad81aa5d8261c3f366605cbeb9a4390777e7d3adf54fdba3b505c5a571eb3f1e2caadf1e29cb01f7b0ff808fbd4842ad0ad3e

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
337KB

MD5
a1eea79ed1e2d08138a3e8390b75d70a

SHA1
169b055dc8f478b753a16d9080b6ed801fa85164

SHA256
0df346b48c33d46608b3779a5705d3b2020eadb29db36eb3f672533cca952f23

SHA512
fae74fd24b99bdc22c268c907564ffefbe0ed57821a8c554ebef3a2ec0a46e644c5d2773462e3872c42ae4f133700b2e4298dd7ac3ae68cc8c0231ddbf3f1dfa

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
337KB

MD5
e3b744bef3f5b52779c0c50f2aa03125

SHA1
81a78bb355706cb4e74571ca404d100b5050fc6f

SHA256
61726400800a51805637829387488f842b1ec19f81f1c6040dfb081f686bd3d1

SHA512
679015a6d18922ddb80e1032de9f647e8643a809a92be5f6423829d4ab6381345a0c07d46984224d94da6df06d91d33029ac3f83cf76437d0a2b9535e946f675

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
337KB

MD5
3664f29bd586996bbb792664c48169f5

SHA1
4f8917d71791acde7da0d7f63dd300af85c6dd35

SHA256
9c5227c178e8cc06e036764a8bf56fc6707d58713014cad103868462db69a0cf

SHA512
ab406e12830329d28c092b830c4c5c4384339d40eeeb406cf7068c8dfe04d41dc11ef763e5a5dda87f8c84171c896b677825d11dea5220e7a6d9f618ef17b591

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
192KB

MD5
eaacf3084703e8c25722013f2394d0e6

SHA1
915a48dcf12e1d437caa58fe2bb8d65e7032b6b2

SHA256
809a1abf578834f31fce23de77c8ee52457f1f54d6acfba484539d99f5bfb773

SHA512
87a60d22ca71f552ead074700418eaa55504810385c92eb4ba6c4552b1f9a0eade8e08bcf7c6f50c88789c9a6fb4b14eac068dc1bd048f64023ae38901c56709

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
337KB

MD5
aa879cd1d35450a311bcfcf3e27bb2b0

SHA1
11af6160563d07972a7269c58b244d6c3674d2fa

SHA256
a911f6b438db560525aa02f0cf3d87cf760b8f45242a7c0696cd176173414856

SHA512
913cf76da833d750db58620e4235bf070817adb180c5b5261f4daa4fccfe06ebccacf2bb85f5a6c83cc1009e532a62569308b9439c58ffd21ed5ef61c8251eee

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
337KB

MD5
560a0381b13e2a0f5e52030823cdf616

SHA1
ca97893c177a800a55976ff00372fe4df7340a63

SHA256
f5604ace3c50f6ef2bcbc548ea3da31550688ab4de0e37de6328dfebf5c6da2e

SHA512
dfd4514231c1ffd92df60a61c366893490496397adaf8c380fc9dff19926b6d5650990f82cd6ece5a6f56c017e4e55083d96ad145f3fbaf4066e472b5b979158

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
337KB

MD5
9d5469eb3d63d81439dd4e964c9b6692

SHA1
0ecd8f109636c648b4464c28b7e140933ba2a8f0

SHA256
6fdcfeba0d98dc5cd044426a5ed5625f71a8bc9e175a6531b62a5986508fd059

SHA512
b29a7fe839c6d17d61d8568248efe47df11d92c77f15d268d1a77c43721293848b2b01f1511dc44c66d0552e3553e9722be0e4697031f23b9f870148b96bcbbb

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
337KB

MD5
5aa6d901821eb330d442032202550a14

SHA1
9be7f4912512c2ca6ae1ab72c53062f7f6d4089a

SHA256
03086e89f1b95ecaf36ea28bf57a6ba306332c1cde193ffdfece64a6e31fc925

SHA512
8366dae9cf8a99e2ebee850db5216cca77164093653e8e7b10978db0b859bbaffa986d464fff088d15a43741819c996e9cf2602e707d8eb9d5cf94693fac55bd

Download Submit
memory/336-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2208-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6020-1470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7044-1389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7080-1417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads