berbew | 41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4f

Analysis

max time kernel
96s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe
Size

94KB
MD5

dc0f4338f8b9c11cbeaeac5133be5db0
SHA1

d05c5ae4f9be93042c5c1fd5ce6ba5103e164ba0
SHA256

41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4f
SHA512

91280b40e3dabc0dcdb0d677e553a04532a6c471f47d46fcceaa88c49c26e714be28f01f14a1aff1716c95ee49a1d73039984434ffb7cc8b36e7026d971c5c14
SSDEEP

1536:K5LMQaAHB2Oaylj9N+0XsNFfTMI74Rt6s0s86CE2gL7BR9L4DT2EnINs:kE0oOaYq0XYFrf0RtabgL6+ob

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nglhld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnbbqpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbphg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcidmkpq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chlflabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Illfdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfaohbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlqqcnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnbbqpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flfkkhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmkigh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcnpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkahilkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imnocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
836	Cdlqqcnl.exe
4468	Ckeimm32.exe
3712	Cfkmkf32.exe
624	Ckhecmcf.exe
540	Cnfaohbj.exe
4864	Chlflabp.exe
1560	Cbdjeg32.exe
2168	Chnbbqpn.exe
3360	Cbfgkffn.exe
3800	Dmlkhofd.exe
4776	Ddgplado.exe
5052	Dkahilkl.exe
4184	Ddjmba32.exe
2592	Dnbakghm.exe
4480	Dfiildio.exe
3664	Dkfadkgf.exe
1928	Dndnpf32.exe
2452	Ddnfmqng.exe
4116	Dkhnjk32.exe
4376	Dfnbgc32.exe
4888	Ekkkoj32.exe
1696	Enigke32.exe
208	Ekmhejao.exe
1072	Efblbbqd.exe
940	Eokqkh32.exe
2540	Ekaapi32.exe
2448	Eejeiocj.exe
4624	Felbnn32.exe
748	Flfkkhid.exe
4420	Feoodn32.exe
3420	Ffnknafg.exe
4608	Fpgpgfmh.exe
5000	Flmqlg32.exe
1400	Flpmagqi.exe
2348	Gfeaopqo.exe
1204	Gpnfge32.exe
5036	Gifkpknp.exe
1800	Gncchb32.exe
1604	Gemkelcd.exe
4300	Gpbpbecj.exe
3752	Gflhoo32.exe
3132	Gmfplibd.exe
1964	Gbchdp32.exe
396	Gimqajgh.exe
2044	Glkmmefl.exe
3668	Gbeejp32.exe
1792	Hmkigh32.exe
3212	Hfcnpn32.exe
736	Hmmfmhll.exe
1092	Hbjoeojc.exe
3436	Hmpcbhji.exe
2716	Hblkjo32.exe
4388	Hmbphg32.exe
516	Hfjdqmng.exe
2212	Hlglidlo.exe
3400	Hoeieolb.exe
5084	Iikmbh32.exe
4612	Iliinc32.exe
3480	Ifomll32.exe
1748	Illfdc32.exe
1340	Ibfnqmpf.exe
1332	Iipfmggc.exe
3548	Ipjoja32.exe
1524	Igdgglfl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gefklj32.dll	Hblkjo32.exe
File opened for modification	C:\Windows\SysWOW64\Lnoaaaad.exe	Lgdidgjg.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ekaapi32.exe	Eokqkh32.exe
File created	C:\Windows\SysWOW64\Ekkkoj32.exe	Dfnbgc32.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Nfcabp32.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Gceegdko.dll	41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe
File created	C:\Windows\SysWOW64\Oclknk32.dll	Flmqlg32.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Onahgf32.dll	Akblfj32.exe
File opened for modification	C:\Windows\SysWOW64\Bacjdbch.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfaohbj.exe	Ckhecmcf.exe
File created	C:\Windows\SysWOW64\Gimqajgh.exe	Gbchdp32.exe
File created	C:\Windows\SysWOW64\Eeccjdie.dll	Klhnfo32.exe
File opened for modification	C:\Windows\SysWOW64\Nfcabp32.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Iikikigb.dll	Cbdjeg32.exe
File opened for modification	C:\Windows\SysWOW64\Gpnfge32.exe	Gfeaopqo.exe
File created	C:\Windows\SysWOW64\Mglpdp32.dll	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Jbofpe32.dll	Nagiji32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfiplog.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Chlflabp.exe	Cnfaohbj.exe
File created	C:\Windows\SysWOW64\Gmfplibd.exe	Gflhoo32.exe
File opened for modification	C:\Windows\SysWOW64\Mnmmboed.exe	Mgbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Dbdjofbi.dll	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Bcbbjj32.dll	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Iknmmg32.dll	Moipoh32.exe
File created	C:\Windows\SysWOW64\Hilpobpd.dll	Monjjgkb.exe
File created	C:\Windows\SysWOW64\Dannpknl.dll	Nadleilm.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Egljbmnm.dll	Dnbakghm.exe
File opened for modification	C:\Windows\SysWOW64\Ibfnqmpf.exe	Illfdc32.exe
File opened for modification	C:\Windows\SysWOW64\Nflkbanj.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Pfoann32.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Hbjoeojc.exe	Hmmfmhll.exe
File opened for modification	C:\Windows\SysWOW64\Kncaec32.exe	Kgiiiidd.exe
File opened for modification	C:\Windows\SysWOW64\Ffnknafg.exe	Feoodn32.exe
File created	C:\Windows\SysWOW64\Ghndhd32.dll	Mfhbga32.exe
File opened for modification	C:\Windows\SysWOW64\Lobjni32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Lcimdh32.exe	Lqkqhm32.exe
File opened for modification	C:\Windows\SysWOW64\Lgdidgjg.exe	Lcimdh32.exe
File opened for modification	C:\Windows\SysWOW64\Lqkqhm32.exe	Lnldla32.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Bajqda32.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Chlflabp.exe	Cnfaohbj.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Glkmmefl.exe	Gimqajgh.exe
File created	C:\Windows\SysWOW64\Lnoaaaad.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Jlllhigk.dll	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Ppjbmc32.exe	Pmlfqh32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Knqepc32.exe	Kgflcifg.exe
File created	C:\Windows\SysWOW64\Gpnfge32.exe	Gfeaopqo.exe
File created	C:\Windows\SysWOW64\Hfcnpn32.exe	Hmkigh32.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Igdgglfl.exe
File opened for modification	C:\Windows\SysWOW64\Klhnfo32.exe	Kjjbjd32.exe
File opened for modification	C:\Windows\SysWOW64\Lfbped32.exe	Lcdciiec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6556	6356	WerFault.exe	293

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekmhejao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Felbnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gifkpknp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjlopc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flmqlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgiiiidd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbeejp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjblje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnoaaaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmmboed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqkqhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlqqcnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdjeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpnfge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johnamkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcpjnjii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpfgmnfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcdciiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfaohbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddnfmqng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmmfmhll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koodbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lobjni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npgmpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gflhoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfcnpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcgpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lopmii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkahilkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbakghm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eokqkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbjoeojc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgkmgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgflcifg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnldla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflkbanj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmgelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll"	Lpfgmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhecmcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfidbo32.dll"	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll"	Iidphgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfcabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll"	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcpjnjii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbbjj32.dll"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjlopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onmfimga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icinkkcp.dll"	Ddgplado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbeejp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqlhmf32.dll"	Hmbphg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbloglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcnla32.dll"	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbcih32.dll"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcccepbd.dll"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iipfmggc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akblfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclknk32.dll"	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogigdpmb.dll"	Hfcnpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmmfmhll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imnocf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 836	3084	41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe	82
PID 3084 wrote to memory of 836	3084	41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe	82
PID 3084 wrote to memory of 836	3084	41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe	82
PID 836 wrote to memory of 4468	836	Cdlqqcnl.exe	83
PID 836 wrote to memory of 4468	836	Cdlqqcnl.exe	83
PID 836 wrote to memory of 4468	836	Cdlqqcnl.exe	83
PID 4468 wrote to memory of 3712	4468	Ckeimm32.exe	84
PID 4468 wrote to memory of 3712	4468	Ckeimm32.exe	84
PID 4468 wrote to memory of 3712	4468	Ckeimm32.exe	84
PID 3712 wrote to memory of 624	3712	Cfkmkf32.exe	85
PID 3712 wrote to memory of 624	3712	Cfkmkf32.exe	85
PID 3712 wrote to memory of 624	3712	Cfkmkf32.exe	85
PID 624 wrote to memory of 540	624	Ckhecmcf.exe	86
PID 624 wrote to memory of 540	624	Ckhecmcf.exe	86
PID 624 wrote to memory of 540	624	Ckhecmcf.exe	86
PID 540 wrote to memory of 4864	540	Cnfaohbj.exe	87
PID 540 wrote to memory of 4864	540	Cnfaohbj.exe	87
PID 540 wrote to memory of 4864	540	Cnfaohbj.exe	87
PID 4864 wrote to memory of 1560	4864	Chlflabp.exe	88
PID 4864 wrote to memory of 1560	4864	Chlflabp.exe	88
PID 4864 wrote to memory of 1560	4864	Chlflabp.exe	88
PID 1560 wrote to memory of 2168	1560	Cbdjeg32.exe	89
PID 1560 wrote to memory of 2168	1560	Cbdjeg32.exe	89
PID 1560 wrote to memory of 2168	1560	Cbdjeg32.exe	89
PID 2168 wrote to memory of 3360	2168	Chnbbqpn.exe	90
PID 2168 wrote to memory of 3360	2168	Chnbbqpn.exe	90
PID 2168 wrote to memory of 3360	2168	Chnbbqpn.exe	90
PID 3360 wrote to memory of 3800	3360	Cbfgkffn.exe	91
PID 3360 wrote to memory of 3800	3360	Cbfgkffn.exe	91
PID 3360 wrote to memory of 3800	3360	Cbfgkffn.exe	91
PID 3800 wrote to memory of 4776	3800	Dmlkhofd.exe	92
PID 3800 wrote to memory of 4776	3800	Dmlkhofd.exe	92
PID 3800 wrote to memory of 4776	3800	Dmlkhofd.exe	92
PID 4776 wrote to memory of 5052	4776	Ddgplado.exe	93
PID 4776 wrote to memory of 5052	4776	Ddgplado.exe	93
PID 4776 wrote to memory of 5052	4776	Ddgplado.exe	93
PID 5052 wrote to memory of 4184	5052	Dkahilkl.exe	94
PID 5052 wrote to memory of 4184	5052	Dkahilkl.exe	94
PID 5052 wrote to memory of 4184	5052	Dkahilkl.exe	94
PID 4184 wrote to memory of 2592	4184	Ddjmba32.exe	95
PID 4184 wrote to memory of 2592	4184	Ddjmba32.exe	95
PID 4184 wrote to memory of 2592	4184	Ddjmba32.exe	95
PID 2592 wrote to memory of 4480	2592	Dnbakghm.exe	96
PID 2592 wrote to memory of 4480	2592	Dnbakghm.exe	96
PID 2592 wrote to memory of 4480	2592	Dnbakghm.exe	96
PID 4480 wrote to memory of 3664	4480	Dfiildio.exe	97
PID 4480 wrote to memory of 3664	4480	Dfiildio.exe	97
PID 4480 wrote to memory of 3664	4480	Dfiildio.exe	97
PID 3664 wrote to memory of 1928	3664	Dkfadkgf.exe	98
PID 3664 wrote to memory of 1928	3664	Dkfadkgf.exe	98
PID 3664 wrote to memory of 1928	3664	Dkfadkgf.exe	98
PID 1928 wrote to memory of 2452	1928	Dndnpf32.exe	99
PID 1928 wrote to memory of 2452	1928	Dndnpf32.exe	99
PID 1928 wrote to memory of 2452	1928	Dndnpf32.exe	99
PID 2452 wrote to memory of 4116	2452	Ddnfmqng.exe	100
PID 2452 wrote to memory of 4116	2452	Ddnfmqng.exe	100
PID 2452 wrote to memory of 4116	2452	Ddnfmqng.exe	100
PID 4116 wrote to memory of 4376	4116	Dkhnjk32.exe	101
PID 4116 wrote to memory of 4376	4116	Dkhnjk32.exe	101
PID 4116 wrote to memory of 4376	4116	Dkhnjk32.exe	101
PID 4376 wrote to memory of 4888	4376	Dfnbgc32.exe	102
PID 4376 wrote to memory of 4888	4376	Dfnbgc32.exe	102
PID 4376 wrote to memory of 4888	4376	Dfnbgc32.exe	102
PID 4888 wrote to memory of 1696	4888	Ekkkoj32.exe	103

C:\Users\Admin\AppData\Local\Temp\41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe
"C:\Users\Admin\AppData\Local\Temp\41a48232a96b682553027ca8a8fbcb584bf69769831aeb33003abdf344a17f4fN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\SysWOW64\Cdlqqcnl.exe
  C:\Windows\system32\Cdlqqcnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\Ckeimm32.exe
    C:\Windows\system32\Ckeimm32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\Cfkmkf32.exe
      C:\Windows\system32\Cfkmkf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        23⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        25⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        27⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        28⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        32⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        33⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        35⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        41⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        43⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        52⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        56⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        59⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        60⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        62⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        67⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        68⤵
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        69⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        70⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4632
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        73⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        75⤵
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        77⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        78⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        83⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3680
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        89⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3960
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        94⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        95⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:840
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        98⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        101⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        108⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        110⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        112⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        115⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        117⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        118⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        119⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        121⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        123⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        125⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        128⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        132⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        133⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        135⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        137⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        138⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        139⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        141⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        151⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        153⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        156⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        158⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        159⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        162⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        163⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        164⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        166⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        167⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        168⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        170⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        171⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        179⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        181⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        182⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        184⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        185⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        186⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        188⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        189⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        191⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        193⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        194⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        196⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6692
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        200⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        202⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        204⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7120
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        205⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        206⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:6356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 428
        208⤵
        Program crash
        
        PID:6556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6356 -ip 6356
1⤵
PID:6496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
94KB

MD5
e61125c6779c65b586e40b13e5b247f7

SHA1
1397574348ba87675af5415046563c404fe7b4b5

SHA256
97c9dd03f97bdd5d047cb860183d6f41971ccc71ac1267cc107db8a3ef9f49fd

SHA512
128f7c8b2415500ad190cc437448c073c803b8fc65a4e9d293bddadc5f6882b32c67beabd18a0fa8b5e15bfe75e9054b168e8c6c5ca82bdbd65bd869d4f3fa04

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
94KB

MD5
f9c41da997a2284ce5c21b030c37860b

SHA1
d08d5973215bd7debba8fa9cd82ebff4a229c7cf

SHA256
b84a562dd1ebfc682590c6a21a641011058dbffef771339e97137c8d041c1c29

SHA512
a33cfbe92c984c3beb850115a153379c3b33bde4fe6047531ebdbc76f65cab1335eca10e168cb53e0cce9897299a6d0629ad77ea1068459406a7c1626111dafa

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
94KB

MD5
4ab060feb3d476c5d48e826400a524b0

SHA1
e3af1e2b5c78575e469691b36d45a4e02b9e2a4c

SHA256
1e9af684b6a2c2a7dd69bfdddee16e0e23472f32119145e33bdd7f2b434451fa

SHA512
6859f347269d396a69c0a083041022468398c81c7e60d5efc7e6fec6a068d4a6e8520582d82166ab45de2bbc0267db6025016ee347cbcd8e8aab08c065a5321c

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
94KB

MD5
f13c352b86b21a68dd5d1aa477ab9d72

SHA1
3555cfa414a759969288297eb7b3c231361e8df7

SHA256
8d5772b33e1a6badbb065b173b0dcea6499ab3d0c73aed495c316fd79da437e3

SHA512
0b29c4242bdc0fb1493c7e15d4f5bd34c2d3065ae5480472b641251c0ffc8b8b0848d16b47a517e715beb3120a6fbe16c6bc2d678820587b9fd8f4c2e3229f19

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
94KB

MD5
504204c83b731822397c98d369aa2ce9

SHA1
8ebbb73ee200a1b3ea54422d489d383ad3398d2a

SHA256
3a291f69b0334c0e0a40d705d62f80567cd7f06df7fb772d2c47c79e6f78e1ce

SHA512
63116946a56346f40cd1b05ebc55e13a8ddfb064e13830dbb36b50d06cdf8e7e3b860e68e078f307098ec2f869b8e3f54102e4aec6681b7fc5f1435d598063ed

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
94KB

MD5
162d5d034428d28ee5cd22668a8443a4

SHA1
caf148bc9d82218a4bbbad9a7b6e22b067868a40

SHA256
c2bfa747725f5b086271d9b7627677ef907f7512615d9baf1d2ec31720e27af1

SHA512
780eb70f665ea501df8a166c53d945f0a29b50421adbbd866c60f98857ffe4948ba96d85a18f680f52d64c0ae989880274b55bca2c66aa1a434d1157d6f3f19f

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
94KB

MD5
11ed960d417f2dc92aa4ab8653b55e0b

SHA1
021f74fdb4b552f862a60656b626eb729e5aad43

SHA256
2f871b66a63382019488ac9f27c88cff70d52eca7b2977fdffe7b9d5fb896c4f

SHA512
1cabedfa01f86db1adf69956054a7f96935a853953b1f4e7dd58e25c676656e515243da1224098db29bc6cf4b190a21568223ea8015334804be2e206e652d403

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
94KB

MD5
aaf5532850b84c7b41c80fd0a44d48a5

SHA1
0d018786c58289f781e8733dca84b4b6c2a45c36

SHA256
10ff25faa5e474fff50ca7da8874f26be3a6878a575e84178de7fa7a8b905faa

SHA512
60387bb5d0a39bef36baa55cc37dc9ee121def462b5e2b93eecaaac2db5c23f03063a74b99f1311af86f0136cae3d6cc5c68e27f565b0b6c94ff5380c8bafb6d

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
94KB

MD5
5642f152714a61bf7a6bfa054c8220c0

SHA1
b2091e1340c7a84b2d05737a8370e0162ffbe2ef

SHA256
20d8d8c394fe792c3eb145a28150133ca6214b21ec4eba42f1f7430c4e28e37a

SHA512
9863f062340d1b1accd42beff445dc2e0bbd115ffde44b67ccc714406ea2a271ccb43a8f88aad597c93646c7cf2aa9a381f372c2e61dc503537d753c46059c99

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
94KB

MD5
df12388e6649a6bf6ae3596f946564a8

SHA1
3ac5b382af9b3acd8e6e11fbb8fbe28d7d65ec02

SHA256
d59218ea6ece7a6518ace2f4738577ccaa2dbfa17b95451e073ddd2ead51113e

SHA512
01fab608778ee1fe6c17387b48cc0458358ca16f51030dc8dbc0fab3f5857d31e04d54e55c4edc5e97c17a4b1f3aef2148157e17fe0771eacc7802d5cd1d7a98

Download Submit
C:\Windows\SysWOW64\Cdlqqcnl.exe

Filesize
94KB

MD5
9920a1af47cce06408387fe53ab4be77

SHA1
e93a0e1937fe709c5ed26ebd6491ea8fe55d1ad4

SHA256
90f32f1036caccc7383d8e083e30897935e310cf00bbce121cd7f7eab4100940

SHA512
ae3ed52095fe62f38e4ce697295176cdcd5222642578dc8b4eea7a0aa8bfef514af0f2d1d0267ed45f9dd65f90f763f18b0731e03045012562c1d08b14e50d2e

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
94KB

MD5
10df52f6766b792e4c79c4a0f5bd2943

SHA1
c0abc8c64dbc2392c3d3aa0dac03d2fc6ff3e177

SHA256
225e5c17ec09173e6d0de8918c8fd2ac1f3fcfc7facf19a61532eb170b817d20

SHA512
94bb8d44f1ca4eca6c56d1e4a15b44e08ec16a709098c8ca29a7179ef202150463250e6c40e5270f444f797696075b3e4558cf8c14e23ed6828d4275d0ac500f

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
94KB

MD5
6590e5356679f6b8863d838143210369

SHA1
0ab1b2a8b329cbca617ab5ce0065cc01f0d634e7

SHA256
d76fe6474397861e135212bbea58f8ae23a0f15d3cb3fcde4316d558fb859994

SHA512
825c67b7eb8abe5fb100acd9f0ce172da8b28358d2920e9feb631afc7b6e9400b19b881b93e96b0439f88cc9e248b19d538f79b0e84af3466d82e6aa50145ae7

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
94KB

MD5
0981d5c631a30092ff4d7b7ce1b6c9e7

SHA1
2b93d384d2a548da9800ddf6e72b38ed8a4195c5

SHA256
d416b36a1198a4d20cb686cb39ec96515ee3638a7ae79d0e0c805f0d4386dd86

SHA512
1991f8fcce34d3728638ea3b12cc822ac07fb8d73792f8e81f650231dc05827f8250b42fe67bf7b2e7b91892ecff5c0feef8b80e88ff4f0eef1887b78acf2d85

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
94KB

MD5
5b2e0ce85716dd446851992c37ea771f

SHA1
a434a894b92b9930324f1c6ba2699f2b443c6706

SHA256
c722c43336f3f7ed17dc8ba1fe2bde63710873d13fd06a9dcff50649423453fc

SHA512
7c663c9eb9b6bc3f9f3b61acf462fe22438256715f0fc2ff3e16b6048747b3900f741b137b389929c5a0a5b9ddeb71ae235336f4bac7716ee047197c03b2f4fe

Download Submit
C:\Windows\SysWOW64\Chnbbqpn.exe

Filesize
94KB

MD5
9473d9810ed28c7ae048d9f436dc0160

SHA1
d2186cf8e35e2759ae60b7d671bf1cf670443373

SHA256
294ec8cc8298bf76783938d20ca3a7d212e2eb09358932d23c05be06469bf3fd

SHA512
3059d71eb15add297d2aa84b25c26cf6401ab28956339932f816a6e94f5821d2fb629bbd9a49d310e4487a490b4e63677a91f82ce100c5a0f25ea88fb9d18527

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
94KB

MD5
dab2fe604081dcb3c81e536b07a2d1e0

SHA1
79abdae7bd1bbecc6598bcd946e2d2745bc7a723

SHA256
341ce9d501b5eee07f0b0a7e80bc498045ae883556d5069c13028ec492c702d4

SHA512
4c8f39efb3ba04a3b8b479647643d9d1dff872c7faacc33513a03d13941a298392ceec665ad109bf4a3e402f6465482039a1a4d978359ffe86a5a67d3ce89160

Download Submit
C:\Windows\SysWOW64\Ckhecmcf.exe

Filesize
94KB

MD5
3fbe91c0b33d2c3a972ff132f0edc91d

SHA1
282466c5d7bb2e8078e49eb87baa713ce38e5363

SHA256
bd29097fe81950f8da0d78b6235953727874e96300c649766efadb2ff9da9968

SHA512
7654b9b38136de6adfadae05b8823679350644edb7c3ef34ef44603c682c67d4ab004d4a087a88e9957de9df831e2adbc815f6fabe17d8bed1d50fa442f57c50

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
94KB

MD5
0536808bb25aa9491de686a18d300775

SHA1
59ef27e014cfc71fedd9a36dd13e59d6a16528fc

SHA256
8f99fe101f1bfb2554f5b257ce074885af19f8f69e8f715475235d8876850cf0

SHA512
6d2a700025d946b8d0caae91f747c64c792cd890d9a3b86d957ced2b47f5ff7a94877f84f20be8242f337d690359ea9d3291a6c5c986a365a739cd081efcd0d0

Download Submit
C:\Windows\SysWOW64\Cnfaohbj.exe

Filesize
94KB

MD5
add13b50c3c8b571bcfac164b98bacb5

SHA1
883025652d2dcc2b133f676432c22eff3e7fd5ee

SHA256
4ee82124728f5cdbd38515806842a49bde5f655b7e89dfa37e0a1ca68eef5d4a

SHA512
4bbeed31e36b2bc58fe34cbcebd532bcce47ea26566f9b6d4204e7bafc41685b05aabd8f5f58f565d38b963f28a7d51c1979d2bf0ddb8ed87ef7811df2e2910d

Download Submit
C:\Windows\SysWOW64\Ddgplado.exe

Filesize
94KB

MD5
1d1c2c9099929d1dd9ac6ac29a5a3e8a

SHA1
8dd7b4b2dea48794bf8aa8e93bfeb292f3183a1b

SHA256
226994515a59b562fa99d222b2fdbd28ea0e81f470261036ff8fd9c6ae66f7cd

SHA512
8bf8d4ccbfd25b396ecad6ffc3d3cc99e212dffea433d9db3af8bb72d209d7699d61481ad44c92dfdc520b9bc33ef195b303ca89b9c88c51c2bdf9325c530815

Download Submit
C:\Windows\SysWOW64\Ddjmba32.exe

Filesize
94KB

MD5
8520c7029671c5209a278f3aea0d9639

SHA1
f767e9acb0324dab23df855d148ba7904fc031df

SHA256
11db8615f0cc60d1bc7aaaa997b9ebabff8fde6fe642bebc7c34fa58ca7276ec

SHA512
8cee933cb5d83b9b32f45e6b5aa923a17d6dc991a975105efe48cef1e7a3845892e230bb9b26a84d6ee7da603132a67596f08316ce4c0522e4472723f439f0a7

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
94KB

MD5
623710e59eebb9360aa7eb15cf53da5f

SHA1
0e6e6716a6d40a77844b817458d6a97c054580ee

SHA256
fa53a0b8c8efdff39fcfc11332c54786439a6cf2ad6816d01b6eaa953ed7477d

SHA512
b50242d403a1bed557fac54dc7bcbedc25e9e8769efe98d4d41d2333f8c5735c83fad1887ab03c7ea81fa31b415de0cc95eb86f65acc3fa531f02f849cf9ef17

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
94KB

MD5
c129b90762d3eda7dcd0489e730616af

SHA1
0168027aef4de236ad25c186dd20ba21c7cbfbde

SHA256
14cae34f3c88292008515ec451f2906c9f269f8df3f2e2bd27079749e0b28e6b

SHA512
cacfeee4e970ce12f9de05e2bebe905a4d8f8c6c6db4e65ee6a22b746d240dac82c7c5e41249251c0073b35577f2351b217a3a287c86555152b94368d73af9cf

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
94KB

MD5
84a3468b747abbd9140b785c4042a609

SHA1
292e08c1b9c329e4d055f78483e0f0ae90200682

SHA256
0216d6f2176e51561c7ecc84ef0d1c6293598059822bb417f3e20dddde166289

SHA512
53fc0337ec1c4725def51726507adb0f787a9976c889478538651843dc0cbf1dfd8bd43399173ade15bed77512fce5d8b9247e18ab55c53f52532fbe98c7aa1c

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
94KB

MD5
69b4126150d48859bae8bbdfca51ff05

SHA1
076647c944794fc27bf7e4429641e74ecb222f77

SHA256
afc3f1fbe99cb3ac1802d0621d09f956ead689f3428d65388303ef2272f8eda7

SHA512
5e73cc51cb1501727de0c2a3ec11f424fe89493dd753d8b2f56348909a73b5477acbf131f4517e605fa9850e882b3258fb8691d96e0b32114d775f4864970211

Download Submit
C:\Windows\SysWOW64\Dkahilkl.exe

Filesize
94KB

MD5
9a780d1ff41b27e8cc8f6b249885798b

SHA1
1c7ac29440d18309e5d4f33c2bebc4c72c3dd285

SHA256
9f9b9c1de0dbb76844182cbb842483105c8ac85f01612561191cac5fa8615f99

SHA512
4c313871c0eb6aeb6c8e96165b0b5dc5a6a710cde958ff1530384699afa52b90a506d84ed5ad3fd97c64bfdd1076af8c33748ec3149f4318c164010d9dc625e1

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
94KB

MD5
7af965219963494e8c9bdf8e40afae23

SHA1
f2908e8e6cb75038ff83811153ff824c2980c73a

SHA256
f500761bb6ab5fe9b58dad7a32564d990a7fe52a2a4ad135763dea21a39482b3

SHA512
fab0b61c4599112099fd949d291e0a404379b5e9c17639555c853cad7160521f1a9164e72cf3b9069f5e39a232c0a494e0ca63a2e4ef5374eda663ecfc54a3da

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
94KB

MD5
0fc3c8089c176ce0ce213425d5ab361d

SHA1
a7924d60945796d8b60352f69c5d3be071a0562d

SHA256
c96c676016f3ee97a5e2dca6402bc2e461ff5d999ef03ad406f519743fe70e1f

SHA512
cd0df0b495161bb0d1651f359835dbacd6c662e08afe3675a9fb0fc7f7712ff1e2737c3913cebc36dbcd81ec6a78d7e195cedcda9e20bc6f24d8eff61a5002ab

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
94KB

MD5
f488193308409c35e0cac79ed9df2ec9

SHA1
32c860c4095312080b463aa08e86ffd15ade25c9

SHA256
175d858a626430c2e045af40a4c4210b9170955f38f8c2bfb5bad5fae1211e0b

SHA512
371c844be803076c63cefc74d5b282651e58095a2807e42c13a3fc51855706fc836961fdd6ecdb2188b6e230a80f751131c8976ad2d802603ae0cb91eaa5986e

Download Submit
C:\Windows\SysWOW64\Dmlkhofd.exe

Filesize
94KB

MD5
0862dc452ab2194bac77caf1432b79a7

SHA1
410a33be27ac51f55076ea9b3e29f131f73d4ec3

SHA256
631d5a9e9c28360a5af769e49bce7261a643f543de217a8ba5e4ed61c78db355

SHA512
5f4a6ddfb86e91ad8deaccdf4ab833eadc027d694c3c9f906e567a6e99c2e5b9f892faf055d8c4db9ac581957b9dd3dd86f07514dce3070de61a2c2d2662a2df

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
94KB

MD5
8910bf8f25c22e203410fba5a5e72987

SHA1
4394aa9dd17457032c3576bae062f5fd77dfd193

SHA256
14c11448d5372556d88bbae9e37d58da9a3cc5e61bdcd5263a3fde70a793cea1

SHA512
3a60e674f36fbd2617ad1dad77bc7832353b5eab52350d9cf8fbf4fea9ac8ddf75c5489dd287ff960f71c08b9a4cde8813c26edcc79e70f121ae93059975bc7d

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
94KB

MD5
b37054c08681e943d43457a03743d2d6

SHA1
773cd5035d5eb5f3653292eb149e3cd16bd4ddf0

SHA256
87245689fd568b27c4684a525f62b3c9572af6724cdd413fd7c27f6da65c6fa4

SHA512
af3c94daee53adddcf164fffa55836a4bb30ea4728c7bfae1841f24839b3890f8b0756bf93cf5b74ac17e410275a98daed1c0530c29eb0f064623c6b92c716a5

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
94KB

MD5
26a2b7f805d4f0b002602d02ad2da963

SHA1
121d1162f0a255610da8a7904c28ff8aaa70af31

SHA256
c9c5c0d104730f205df0d58808b58e196f9acc5339186f3753db3f7e830f643d

SHA512
39515be02476e2c5af0a0239b3a291c9a9546ef968194fc5acbc279c3ff039eaaea7339df7de9305486a602574345dcdfb697e50719fa5bc355680995ef651c0

Download Submit
C:\Windows\SysWOW64\Eadhip32.dll

Filesize
7KB

MD5
4f949f06951e57aa367d6fc9372503db

SHA1
2fed0c3d2de1e0383027207dc221f77254e1e332

SHA256
358feda93f243133fa7df20165ac1536c5830b2023c223cdcf077bb85106296d

SHA512
b2f608e888541aa359e5156d4146f84bafdc3c928ebe79a4c52ae04dbaa6243c19c047367c1745dddca09533e089b57aad36eb6641998ffa8ab141aa351e6d34

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
94KB

MD5
cc72caa837abc667820fee165b3a11d2

SHA1
07cde55e2f632c734504c4d57dc8ab56f401fa1b

SHA256
33fcbe04cadaabc73c6e6477eddfde861303e2efb7ffa113f0ff352d2ad2b62f

SHA512
e0da0121edbb6ecdfa97de628fe1155b9b986b37eec41f89717f1326906109db52d887ef648d45381ec2a2797e93ba621d9f37832dd52782b4e08da3f4259f96

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
94KB

MD5
7d483a07ce8974b72a60e12a80dac7a2

SHA1
cab88bf61c375cb5b72b1e2a7b33e6b202971b03

SHA256
20b3b66137dd4998a2f1acccf877c03a69204e8bac35d83b549e058d63b31735

SHA512
efa4944bfb6ad9bcfde5485a9720e202edb4494ced613de4a3f1b5be2e48cf7a0e7774f2dca460be7675a0dfd4705251061803e64183559be98801ee433442bb

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
94KB

MD5
41107ccfcde082e6f6ab12d08787c141

SHA1
5e391816b5b95ef6104500ad7f11141ee03e3cde

SHA256
c812a4334a342239f016495dbcd019ad9ea72fa99a205e52cc72e23b2c7e9295

SHA512
d8f0b94e0e938d98e6ccb4b858d15870aa541dcffd7dbdf27f6cc0b9f1d5f693d5a487e872fd1a6d08d1b305b18349f2f12ee728e08d0a91c3383f8d60563746

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
94KB

MD5
7e9f3d290c27d9091073797728f43014

SHA1
fb46f1d643c8e780fa1531f70af856298df649ed

SHA256
2d6f1184e2aa8c02f6a2175559cba5e5d9292c922e44dffbb31ab9306e3f11f6

SHA512
d642a8d240b7bc21b4188fb86ec860f349205d3ecfee1dbd738509a797f3e0b889e2bf3140613114c7ab84e986051e7342e98dd89dda4090be0caceb3cf0e956

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
94KB

MD5
b0de999e7f3e8a4e6e9c6648a41a830e

SHA1
5b947daa6ea508e935ec944da012d2680fb1479f

SHA256
560dad94e5233019c180638ab32efd7ba50370f3ac9e6ffe73190f638d5182ee

SHA512
3a7d76ffa11f0371332373f36da50c26e134edbdbc1cb8311cc6630d21dc46b9c9c92bc3e268b931463b477d96c754e2fadb39abd2bc55d7828079c5d7d6ada1

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
94KB

MD5
6248974d98d563856fbd00c6c95a03cd

SHA1
1b4964cc6dbf8890007dc3811cd58f39ae5207b3

SHA256
6f316459b199326f2b5f99c9e20fcc0d1ad9cf11839a7cfab784155c733814f9

SHA512
8b43a09362997712347e3ddde4e7bd7e6c18d8dce2a4dd1988fa714b19731adb00771533b61aaed84c727ff422571cb8663705a2d7be7923431849db97ec2aff

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
94KB

MD5
a4754914405b35aa2304ee60173abed0

SHA1
409073796a11c1211b45cf4c0525069c78557e52

SHA256
169eb6b8beb959efdda0d23655c85c259b6f21bcb028fc6a1111294ec7bea643

SHA512
2e7f4217d0f94d5d22cf5f78dcf89fcb7b0654e099516a857b3f7834907f6ae13d590734125f0b8d9f6d74f413a44a35e0545d42817364727b20acac9cc23f95

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
94KB

MD5
6a67c6218e784bed0e5ba7424bd52a6f

SHA1
aa6956f223ff2ffb1468352c06bd3e5a5339c57f

SHA256
30f698f7d26b2794ce13a1d3898039593780d4fecc46db7689954676491bdef7

SHA512
389c28b0cd835d5bcdcba5ff32bdd084edf8bd33c5cd0cbcd2ffdf44eb4c5ab721ebb5e291e395014c057ad1fc060a06139825061a19f8a8470e0f8292987442

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
94KB

MD5
7b20e20924e57d58543aefeca7e01a0b

SHA1
88485d6ac3e4a324a1748f0c5c15ad5ca2c1fd26

SHA256
158379774aabe28d7486e648f0b23e2007d96cabcb1cee2028e988f490c92779

SHA512
3f8d94b1929e010ef8d88051b191b5ab68291e564ae1b5510a630ba2a77fb3a08591ca0a64afc39c314b4dd3900ca0adff460b46b90e7905e1ec835d5c4485ab

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
94KB

MD5
7676fa647383171557362a0898fadeb1

SHA1
c05f5580a3096d48b54ec854d721a9aca8d419ce

SHA256
17f8d1b56111edabe787a52661e6842e862fd963f4d1467b19fb9cd0b9efc68e

SHA512
5d73c6e3cd345f88df592db2d1d07150b9a2587687c4820855c04de43e4a90b921cb2342fc9eec81ab1ebb039b6a85011bbfab1f302f63ea21012e87a195cd1b

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
94KB

MD5
fba0b8133700570339357e4818a16af3

SHA1
22dd91d09bcf1807fc4daaa8e3195919b24dc048

SHA256
8b8dc80cf3f939a1fe0a2d6d7ab77fcd8330a30ee303fb117ee30529a7973478

SHA512
742a8eae65d29d54cb145e1bf5b1c3ce956fa313d5fd7105582716aca3f4ba830f7d8ab5851b7548221466502d6fa32a6c6c105495c0b321458c2058fd4dde7e

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
94KB

MD5
f43615a166b4ef9a2badd8c319b8b0a8

SHA1
ad5c1024f871889b5ff4d159fb59148aa6a87a07

SHA256
f743797db5a9116d38739f5ead5f98d5430cd2b9c3f0e3a09b86bff0e8af1d27

SHA512
d9c7ee6a9e8832dd62a744e5f1822deb5d5f582371d3aab5042dbfa9319b9bb625e98c3d27262caff12b4341825d619c76e6cdfc020907c14b5fcfa4b9813f21

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
94KB

MD5
726ad225fe02b2e54acffb1fb0ac21fb

SHA1
3a2ad9649439422d167b63809a832c113e776c7e

SHA256
4bf3fb0286cb7092456f05c553e4a1f989b3f91a2bc5c9e789a25feaf7586d63

SHA512
229a8390cfc5d7f3ffa8eb0fa603bab5efaeaec719cec84a2f58ff1ed875a83328ff57d98b579ce8f65e2872b7c228936522602cbdacc669e93c8ffd893614ea

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
94KB

MD5
760bbb5245ece4da1525280e32c4fa32

SHA1
a575a55b3d19559a70ddeda2012a495acaf953c3

SHA256
71082b5a1063272f6c39036dbf7004d102f390256f051280f52cb072b2ee8410

SHA512
79e40c5a022231e164bc5189eef9d4326eb758137547752a2a5dbfe9044b5eba8e8d7b05a11ae1483237f6e91f4c61f62113b925e96df3abe37c29b3345d4e8c

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
94KB

MD5
f9118474ae178a3a9b0d969b6b958b7e

SHA1
9320bb14d9c6fc83f9d7927c856b120b104dabc7

SHA256
f9546f3d881701c9153237550e299eaeba21e9483b6838720f2f1052e049bd2d

SHA512
65f22504de04df9b259a0e38aca5eef47d21551362eb4d80b9c0b24953952c1928490e9f294fd5a8f682dd01d85af6c729caf369a21e6915f85d9af7a1b03bf8

Download Submit
C:\Windows\SysWOW64\Hfjdqmng.exe

Filesize
94KB

MD5
aa16a7e342920a17252c3f1de0e8dde9

SHA1
b7691af241eabd9cc6b78498ac954434de248ffa

SHA256
236025ff0a8fd4478284df066ee93b1d3178061992a4dd4de80be3d38bc791e8

SHA512
2d043349ce1d9079031222e8d41d88d62804926233f56e29cea243c94ef70602f90de4fa298e11e49b681765486cb0341cb20b7a778d6ef39508a11c0afd3082

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe

Filesize
94KB

MD5
3580b30fd77e5bbd7b9339b42d23f960

SHA1
dbc105aaf030eb2881e1a3a4a5c2c0f77f4be58c

SHA256
7894768d1c7eefefd37b212761614ec37964d8665884efced9f0aa159ef52daa

SHA512
d0d72a4db707bb975f98ce8dfaa4725a6892d27bf3fc24aae392db3907936fc3a1a4bea85a6b1dc2d0a116d764f623e80558f917727230805f5bc7ce9cb1a974

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
94KB

MD5
e24c9f102cb7d4c78b2930d3ace5d21a

SHA1
f436b083c2e33a88a61333faae29bcf803bfa6e7

SHA256
84b485f0761dbb1a0d6ed4cb36dda51379b042f850ef485d69a8aff43e5400ba

SHA512
3b6ace0c8b3784cd62be4f34dcd48cfa3421f79e10bf7f1fc08f75e8f3a2b32e0650fb0f8937728f566448ec4fcf42ff4f5582d7d2c11682affb5ba42b588354

Download Submit
C:\Windows\SysWOW64\Ifomll32.exe

Filesize
94KB

MD5
6fe2c05eca0af037a7f40deb88fa1e16

SHA1
92be0b21940c1f2ad7678affde8486396f2349df

SHA256
39051512b99f259167432b0c42b5e7b65fae68a3f70ebfc77c25e192a9d52499

SHA512
ac38ef93c8fad527d11036ece034ca865f973e77e3f2ea40476583bb6126e8bb305279114476558695425905d9bf0c2367f3269427bb147147bd5c6129184945

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
94KB

MD5
43ed0c3f59e0d8307bdc308c4e3510ad

SHA1
ddc4b9f5bbece685a9dd794a9014dcc4f6b03c38

SHA256
68caa18d02c4641c450774ea824b9a9a206c4c6118d26222010d55c73f67d7c7

SHA512
0f027f5748380850258e9ee4b43ca62c79feb0de4be91fd1b3c4451c575ec31abbdfa01fbd5c966540aec107bc5a54407151be181ea87427f54098691b98b262

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
94KB

MD5
4f5d1aaf650227a1480907ffb1e451a0

SHA1
b4bb26796dc9ddbfeba8a65b4173b5db6ba9ebae

SHA256
28cb2f5d4341493acfbf5d9c3edb265c59696ddef0e73190ecca64eb1b7bddfc

SHA512
c3b4b7a104029233f6ccd71b5ee95eb696a090851e3a844326921d5a1e23fab0c37428875d9f2886cf8ec024dceb12691dcf0b282d89c9c0ae180194710a88a4

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
94KB

MD5
522e47702652155f5f5b85dc0368a6fe

SHA1
9b148e35b6c0c23cc0ea7969e5e45448eac083a8

SHA256
af658d3ab5f1545395e0406d1c70f33633eb9596caf95f6e11c6dec40561187b

SHA512
c56ec8d88084d3a4160d8467142d5e567c95664843d973be243814249908f783de0f559d3ddedbace6a6ec8bbee7fc476f2ef18fc2f9477afbfa122e53111675

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
94KB

MD5
a0386b863143afa72d3ed85a225c56ad

SHA1
558fa82732829cf5e3bf1e1edaff9f3ee5a712c6

SHA256
a0dcc92d23ba62c5f3ac4ef814aeb2f4a68f17e9e422b7ac432f8d523c317211

SHA512
7eec3630a6a782c81af29e9689dc3653cb1e65154bd9199303c7818c77e476944350b71bdb2068e045a8499249dfd2cda946b25af2d87df0d8a238f945191068

Download Submit
C:\Windows\SysWOW64\Kjjbjd32.exe

Filesize
94KB

MD5
6b3a23f2453b7b249a2b87d659f5db89

SHA1
beb90953c79910d72296d5a0e163fa51b4dc5f22

SHA256
14b3a347e75d0a517ce2f8a958d724de85a37db0894b8b0bc8137d1d1ef3626c

SHA512
0a15b267502ca1351a11c2fb4dd1400e2e883b0953744e1ebe7903443882612dce680ab9264fef806c3afc3ec3d77b444b295b7118ab649979efd97b89ea8abf

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
94KB

MD5
01ebc5d15592ad1c9b5d209fb5d11fea

SHA1
2c6b8058ca840cca4763a0e1489177c8b64f01a0

SHA256
d3f462328662032640f6390fd5bbd36d2994a027f7b47665047fc5be83057e31

SHA512
91955bce7600dea6119b62edf0f88666e11f05c2a716b64edc81bb1376cb7ca189c30fac377e14f0b17df64308f59ce222809661a85b68347744729fb8857897

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
94KB

MD5
43a9bc1f47b7001a130b7c4cc893e349

SHA1
5253a30926046fd6bfb39dad442b6c8c0b645d09

SHA256
ab71c3cc4384ec284f6b0e28eb1004466e6418cc94cd8779bfebf7e4dd96d4ea

SHA512
26d6a9707b795f1f6fcb5f4f9be95da8a5fa117db5ed8ab2898c985ced54623b6137be98e6e9786021d8a5eb790809da1f9133707fc7d9ab02ba2ec915404ad7

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe

Filesize
94KB

MD5
900681d4f1881783782aa1fe3c212ad9

SHA1
99f601e03275a1a2dd8040a01884c13566780750

SHA256
36e77a3627a89e4ed5857e4c3282d0dade956b7050d563dd193563a689574e08

SHA512
5573a6c56d1f87967c6e74cef00feddfc58c01beb5a3016ad68105da249ec2f8735a7ee0d419a5267f97c3c8579aa88ed58e58854d56380f1cda2dffe82892b3

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe

Filesize
94KB

MD5
2c18657558c9b66b999f743deeaae015

SHA1
fc90e273759f68408eeff1e5a7d5338ee875c2cf

SHA256
585d9fc383aa2c8e87d47fe62fe5c48bae6962362b2e498e35eaae5efceaa15b

SHA512
669d6f73afebcab7c4340a8bc4be260b622f8d2761d2dd482dc4e923e4c00ba978ddc86eaaf3b7288b28053629fabe10707739cc823294297fa3f2c9c45f96aa

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
94KB

MD5
d9f4033c1173ce050d9b53cbd55d5c3b

SHA1
7eb2b5827dbdc82078a5bd1dce718c6097c830d7

SHA256
073e585665e3f5f629d7b91eff507d5351292b66321e96955d38f8859ea7617a

SHA512
08a2a843b9a56ca09b0c7979c6eb72fb661e1036141a32d41ef4f6126b4b2bb5c396729e6fafbbfee8d9c06d1b4ef947bfcec6b08bf019e14644dc698da4009f

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
94KB

MD5
fa6b762c167c79fe6ec668e01a31ceec

SHA1
00a8aaac395189df22fe37ad452e6869174b7a34

SHA256
ff7dd1e26dd0c3b003225783bb0b088df6228ee3a62f0939339f041d5ec87681

SHA512
f39a6d289e60e08e697d9aadf21df1c8df6866495d4e6643fc69207e36abd45462141fcb39a41a4f51a36accec0888f2f332f7f1f4422e595a13220b5154bc48

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
94KB

MD5
2eb9c6a9bb5753b1725e04f23a433db3

SHA1
0b9d1a2684856683287be8d5446cd761be747a5e

SHA256
fc874dee1ae8abc8ae16d9b0d9e2323c9e88a09c4032db82d07adfbabb999ba4

SHA512
45170b6ab9d1c253e5a247030cce9fc22a320709092004fa917d5b98567921e1583c25ddf69e3d4ad6538265076b3bb852acac0e44c1ae4df3328b544859cad1

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
94KB

MD5
456ce89a5cff55c95bfc775c100135a6

SHA1
37199d921e4aebfeaeb1fc66143269be0848ead3

SHA256
39ea17ab2cdb3286575e82cc22e8765a892bbf7c2433865b934c11359a2d21e1

SHA512
aa54548a763fbd228c7c4c55fd9548cb04c4528c070dcc08f8cfea841a25ed650fa235b82ef14e6cf9ed244321bc532929afd100fd02f5809292991b2a158e9c

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
94KB

MD5
014e2e024c160f8f4795b7568d8d03c0

SHA1
40e9c9de3d12c62e26a6017af84cfa08cd2adc7b

SHA256
b19fef062d13be5cff90b590037b897a67a1377ea2fa3741cc953d1f702f7b09

SHA512
5cc27eafee6908bee658ea436d599dbd3bb132489b1e055bd7cfe39c6a03a975094daa31691405c518670f9884b173398f2df5ee0bf6bf4f98097c1160c3dcdb

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
94KB

MD5
ade037bc1aa1cdd3ea2c61f6e6c7bccc

SHA1
e20de42c4553e141db2d3efc887bea5bac92ea6a

SHA256
448c3ea02aeb2d610d9fde9d553cba5cb1d4f6b09d048addfa0f12d84a0d695a

SHA512
85bc2d056b16cad63f10aa037e5565cfbc29117c73260cf7a6fab5ff75189da9e344d587127756210d2c5f223844e0c721127f3666cee61beddaca03adbaabe5

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
94KB

MD5
2f29287157b9725643e43e1d3b97c7f1

SHA1
14e8f6eed16e0e614f28ba2055a6f14c498f5272

SHA256
de55bf545deabe3c660976a99bcd02b508a75ca05f3a7c6e5d7b96ea5c2630b3

SHA512
0b678c6320bd9eb5f634a0fe30a5296d95873b5fb85fd9113e0bc3fcae8fb8aebbdd6d4492e6c295e446ff0d244c42054a97ad866e63c18d6bfe91a1ef673879

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
94KB

MD5
8e6a61b85195043ccec9c0706ffbe10d

SHA1
2365d34ff2ecefd1bd7d6a82589d741a15f8d1c1

SHA256
bd521ec4432c743bedced1db9a7904ddbc14ce08bea0af9620ca99ca3b210bc9

SHA512
dafe45cbf60b2eb14869ee62f9707aa917070d0c692aa22dfb9cac99dc8a6e1792e5cbba0044d7111350375e9fdecc547dfba2f6e9d9f1ab3be93d5fe65d564a

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
94KB

MD5
4eb3b808e0f059e0a9513aa52203c3f4

SHA1
11a23ff999177e7a28af52b45b6f62a6953219dc

SHA256
73503f367299167a87d5a2033aa160b6060ca55343734ff4f92d650e8637c9cd

SHA512
44ce7619a74342c8ae8d14deb2fa1231989bce12971f661e1ca3db5d190c635627d166b3efec86a62c6a6f7da2751870774084b3dba8083a48be28fd8fca000f

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
94KB

MD5
fe587cdae17d48aeedee096f66d0153d

SHA1
920dcd73da6dc35b553b7407ad62ff208cb5b6a6

SHA256
8354ac6549d60a8786448c4b88de2c4dc4ba57a6dc92ab5e25398719f010e089

SHA512
920d09b1321cda99f5d00b3d50521e843282bb73b0cfa99a67a19522bb31bd4bce6d34486b2ae6952a5768f02ef294c8e78f2e5dd5c383c214e7fbe1a817b291

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
94KB

MD5
e169ced95938608540a5746fd4930c12

SHA1
79a24c92b9b203f8ff8c38213257e420486ec230

SHA256
31d77ff3c9681ae61e2ef5cd4551511d38eaae0308df969b5e267901b52f4b89

SHA512
99d39638a434a341e7f53d75fea3d8903e15621e337336f10c9504d80e4b50dd24e6831350470fd72bac3353f7459ac1eb5de9cbcb76a2dc39c7bb3271324c2f

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
94KB

MD5
75d0c5f2785fb662ce3ccdd58c18f305

SHA1
c926913d5d273c3b22d80dc5dcddc69c6a4321af

SHA256
7f60b33c172f85febe4c7265a6530d4d29c3b4bb48d7d4fe64579495706ddb5c

SHA512
0c61a2d733e61ccf99ca0efcf9c75540a6a1b0b0aa40faf1f2d44916c57ccd4fa45f3039e5465a119fc0969cb2590cc291ff9ee42bb18beb0512ece833b462db

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
64KB

MD5
0f10b975a275ce90c5c28f3829b3050b

SHA1
c1fd74221312fefc79ae02f9ce409fdb1e7d8da8

SHA256
c82a79b9658b263598ffaf0eb7a6aed126dfc5157b3aad254d43fb58c18d8610

SHA512
952b58dd4fc52658712edc629be0ac3752b30f1338f8513dd6eb9544ca042efc71e25c616728c845d2df01a58bac78e40c804fc40bf44bb44ffa5284655d0fe3

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
94KB

MD5
415c24a63527d4ca09a381b2878c2bb7

SHA1
1d2173cc413b2367cc3cf4186b450fc09b1d030b

SHA256
2dbad756d23429367a52b000f1f6c06442b2a42b02b6e0f2c6e1566bccca5bd5

SHA512
f0251e8fa526dbf86e6d13dd833e86134ccabb5e9037f63bf2fc9d88cd610cb7db6c1b327276f42131c9d9df3679906e871e6a836202feff004ad2617a80e972

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
94KB

MD5
4493f5e21a92359df5df2f1917ea09fb

SHA1
900b4578824df95c042bd9bd6fb0b37accacfdc7

SHA256
b14b2adfedcf435877a975cba79af93aeb07f17585240872a08f9923e79a51e4

SHA512
4bcd28c7cbc8e01c181e3d9df626d9115416838e69b9c62f2948acd0f18f3eba909d5ed99767dc3d74dfa965d05545b15767b25a83f2458d794b20b293671f44

Download Submit
memory/208-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/768-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/836-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1332-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1400-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1476-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1748-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1792-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3084-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3084-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3360-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3400-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3548-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3664-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3668-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3680-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3752-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3800-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4184-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4300-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads