berbew | 2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73

Analysis

max time kernel
93s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73N.exe
Size

63KB
MD5

b9ac0c460142cc104a41b241b2dd7b80
SHA1

6d6262198879ab60ddd1fa47857deaad689bde99
SHA256

2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73
SHA512

ee009fb8ea9c1db3e354e2334ad37cb7d79df303d72a2a25bc8ae6214ca05c4ca163a7eb77052fbc221adb53a719c526de021c26ec8b4f40d338d1ce19067380
SSDEEP

1536:lg1yCsq/ajBnvEErbzSNriA29cxmDu0nhzH1juIZo:G1dCj1NDIriASfDu0hzH1juIZo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilghlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcioiood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1560	Hbbdholl.exe
656	Himldi32.exe
2464	Hofdacke.exe
4840	Icgjmapi.exe
4420	Ifefimom.exe
4472	Imoneg32.exe
1816	Ipnjab32.exe
3472	Iblfnn32.exe
2040	Ifgbnlmj.exe
632	Imakkfdg.exe
1208	Ickchq32.exe
3196	Ifjodl32.exe
2012	Iihkpg32.exe
4588	Ilghlc32.exe
452	Ibqpimpl.exe
1916	Ieolehop.exe
5072	Imfdff32.exe
1396	Jeaikh32.exe
4868	Jpgmha32.exe
4956	Jedeph32.exe
4592	Jpijnqkp.exe
4568	Jfcbjk32.exe
2904	Jlpkba32.exe
2884	Jidklf32.exe
4532	Jcioiood.exe
4988	Jifhaenk.exe
2336	Jlednamo.exe
4400	Kemhff32.exe
3336	Kpbmco32.exe
2484	Kfmepi32.exe
3512	Kpeiioac.exe
640	Kfoafi32.exe
1780	Kmijbcpl.exe
3052	Kdcbom32.exe
4548	Kfankifm.exe
3224	Kdeoemeg.exe
3792	Kefkme32.exe
2680	Kmncnb32.exe
4028	Kdgljmcd.exe
4140	Leihbeib.exe
2280	Lmppcbjd.exe
4940	Ldjhpl32.exe
2008	Lfhdlh32.exe
1448	Ligqhc32.exe
4244	Lpqiemge.exe
4952	Lboeaifi.exe
3152	Lmdina32.exe
1460	Lpcfkm32.exe
2920	Lgmngglp.exe
4504	Lljfpnjg.exe
2396	Ldanqkki.exe
2896	Lebkhc32.exe
392	Lllcen32.exe
4064	Mdckfk32.exe
3532	Medgncoe.exe
4268	Mipcob32.exe
916	Mpjlklok.exe
428	Mchhggno.exe
1920	Mibpda32.exe
1824	Mplhql32.exe
1956	Mckemg32.exe
1044	Mmpijp32.exe
2480	Mpoefk32.exe
4292	Mdjagjco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hnmacdaj.dll	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Jlpkba32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Imoneg32.exe	Ifefimom.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Lpcfkm32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kpbmco32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Bgpmhl32.dll	Imoneg32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Ligqhc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7120	7028	WerFault.exe	270

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iihkpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifefimom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgjmapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ickchq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glccbn32.dll"	Ifefimom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmacdaj.dll"	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himldi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1560	4960	2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73N.exe	82
PID 4960 wrote to memory of 1560	4960	2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73N.exe	82
PID 4960 wrote to memory of 1560	4960	2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73N.exe	82
PID 1560 wrote to memory of 656	1560	Hbbdholl.exe	83
PID 1560 wrote to memory of 656	1560	Hbbdholl.exe	83
PID 1560 wrote to memory of 656	1560	Hbbdholl.exe	83
PID 656 wrote to memory of 2464	656	Himldi32.exe	84
PID 656 wrote to memory of 2464	656	Himldi32.exe	84
PID 656 wrote to memory of 2464	656	Himldi32.exe	84
PID 2464 wrote to memory of 4840	2464	Hofdacke.exe	85
PID 2464 wrote to memory of 4840	2464	Hofdacke.exe	85
PID 2464 wrote to memory of 4840	2464	Hofdacke.exe	85
PID 4840 wrote to memory of 4420	4840	Icgjmapi.exe	86
PID 4840 wrote to memory of 4420	4840	Icgjmapi.exe	86
PID 4840 wrote to memory of 4420	4840	Icgjmapi.exe	86
PID 4420 wrote to memory of 4472	4420	Ifefimom.exe	87
PID 4420 wrote to memory of 4472	4420	Ifefimom.exe	87
PID 4420 wrote to memory of 4472	4420	Ifefimom.exe	87
PID 4472 wrote to memory of 1816	4472	Imoneg32.exe	88
PID 4472 wrote to memory of 1816	4472	Imoneg32.exe	88
PID 4472 wrote to memory of 1816	4472	Imoneg32.exe	88
PID 1816 wrote to memory of 3472	1816	Ipnjab32.exe	89
PID 1816 wrote to memory of 3472	1816	Ipnjab32.exe	89
PID 1816 wrote to memory of 3472	1816	Ipnjab32.exe	89
PID 3472 wrote to memory of 2040	3472	Iblfnn32.exe	90
PID 3472 wrote to memory of 2040	3472	Iblfnn32.exe	90
PID 3472 wrote to memory of 2040	3472	Iblfnn32.exe	90
PID 2040 wrote to memory of 632	2040	Ifgbnlmj.exe	91
PID 2040 wrote to memory of 632	2040	Ifgbnlmj.exe	91
PID 2040 wrote to memory of 632	2040	Ifgbnlmj.exe	91
PID 632 wrote to memory of 1208	632	Imakkfdg.exe	92
PID 632 wrote to memory of 1208	632	Imakkfdg.exe	92
PID 632 wrote to memory of 1208	632	Imakkfdg.exe	92
PID 1208 wrote to memory of 3196	1208	Ickchq32.exe	93
PID 1208 wrote to memory of 3196	1208	Ickchq32.exe	93
PID 1208 wrote to memory of 3196	1208	Ickchq32.exe	93
PID 3196 wrote to memory of 2012	3196	Ifjodl32.exe	94
PID 3196 wrote to memory of 2012	3196	Ifjodl32.exe	94
PID 3196 wrote to memory of 2012	3196	Ifjodl32.exe	94
PID 2012 wrote to memory of 4588	2012	Iihkpg32.exe	95
PID 2012 wrote to memory of 4588	2012	Iihkpg32.exe	95
PID 2012 wrote to memory of 4588	2012	Iihkpg32.exe	95
PID 4588 wrote to memory of 452	4588	Ilghlc32.exe	96
PID 4588 wrote to memory of 452	4588	Ilghlc32.exe	96
PID 4588 wrote to memory of 452	4588	Ilghlc32.exe	96
PID 452 wrote to memory of 1916	452	Ibqpimpl.exe	97
PID 452 wrote to memory of 1916	452	Ibqpimpl.exe	97
PID 452 wrote to memory of 1916	452	Ibqpimpl.exe	97
PID 1916 wrote to memory of 5072	1916	Ieolehop.exe	98
PID 1916 wrote to memory of 5072	1916	Ieolehop.exe	98
PID 1916 wrote to memory of 5072	1916	Ieolehop.exe	98
PID 5072 wrote to memory of 1396	5072	Imfdff32.exe	99
PID 5072 wrote to memory of 1396	5072	Imfdff32.exe	99
PID 5072 wrote to memory of 1396	5072	Imfdff32.exe	99
PID 1396 wrote to memory of 4868	1396	Jeaikh32.exe	100
PID 1396 wrote to memory of 4868	1396	Jeaikh32.exe	100
PID 1396 wrote to memory of 4868	1396	Jeaikh32.exe	100
PID 4868 wrote to memory of 4956	4868	Jpgmha32.exe	101
PID 4868 wrote to memory of 4956	4868	Jpgmha32.exe	101
PID 4868 wrote to memory of 4956	4868	Jpgmha32.exe	101
PID 4956 wrote to memory of 4592	4956	Jedeph32.exe	102
PID 4956 wrote to memory of 4592	4956	Jedeph32.exe	102
PID 4956 wrote to memory of 4592	4956	Jedeph32.exe	102
PID 4592 wrote to memory of 4568	4592	Jpijnqkp.exe	103

C:\Users\Admin\AppData\Local\Temp\2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73N.exe
"C:\Users\Admin\AppData\Local\Temp\2a7263ae9cac46fa67f887cfaa9d96eaa54d3099bf19eb5d82f4edd1fdf48b73N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\Hbbdholl.exe
  C:\Windows\system32\Hbbdholl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\Himldi32.exe
    C:\Windows\system32\Himldi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\SysWOW64\Hofdacke.exe
      C:\Windows\system32\Hofdacke.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        27⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        32⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        37⤵
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        41⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        42⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        43⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        44⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        48⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        54⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        55⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        63⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        67⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        70⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:628
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        73⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        77⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        79⤵
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        80⤵
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        81⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        82⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        85⤵
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        89⤵
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        91⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        92⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        94⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        95⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        96⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        97⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        99⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        105⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        108⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        113⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        114⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        116⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        117⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        119⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        124⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        127⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        128⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        129⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        130⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        131⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        132⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        135⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        139⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        142⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        145⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        146⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        147⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        148⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        151⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        154⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        156⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        157⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        158⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        162⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        163⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        165⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        169⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        171⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        174⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        175⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        180⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        183⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        184⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        185⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        186⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        187⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        188⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:6988
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        190⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 440
        191⤵
        Program crash
        
        PID:7120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7028 -ip 7028
1⤵
PID:7096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
63KB

MD5
16b59a799936cc99c11f0e12f25b269e

SHA1
48cabd6b262950dd166b4141e9870cfe5c92bca2

SHA256
e19f291f36d8e5360a0c713344e6286b3a41a6a25b394d9ab8b7e424523c243e

SHA512
152b0c623bae21d5b2519fd02c8771842007bb519d0b718fb0be95a560211215cb141f32d7c97cce13b5eef3300fd0755469bae6854070513058e0b3b5ceffd6

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
63KB

MD5
bc9813a1b16e9479b30e0d9322fe6ce0

SHA1
93243bf2718678e1f4714338643f1c4b7a8714d6

SHA256
9ca71f8384a1afd6e38734dc586a1dc41cae149b22f88e1ef65c51452ebe7ef2

SHA512
4e77686f1e82e2d03d6eca0fd97aa8515869582f6c6c1dfdf2e8ec1f8e40c812d827a3720a8dde24c891e1b38b9e743ef0331e613182cd58c3a03b15b4f1a6ea

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
63KB

MD5
c4cd7a8733fc6d5fd4ce2aa918d2c5ed

SHA1
aba189a0734588c1823fc0ca2a395b59e56f6719

SHA256
1f87ee60cd319fd03170c06263c707b72ae5aa8a60d12b6e59b56f2ae95cead2

SHA512
9ca9ee33ee45aa3dab835b5f2eab6941a2a66064bf6cd0b65537376ec1e19eae8b8edb66eabf4d9d2c1781ce273d3825ffc77c9148cd6aad0b5a5ff7dbb6451a

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
63KB

MD5
19cccffaf7aef8180987b2c690f20f0b

SHA1
1f6cffee09e43eb81d7522ddc7dd0077621a7012

SHA256
445edc8aaaf6d5dde5db1137684171305dc6cf791f4cb26fd05c822ddd75f153

SHA512
4e6081db8669b4d6260e2d797bf4d7cb6100d4ee581fb8333ae7bea0ea9037c4d46264216abd3fbbebd615dfe7d351a165dc31e363ebd69f82a4ba6df5d494bf

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
63KB

MD5
4e311183d330dc6163350e5fb22f08f9

SHA1
9822d187ca52a8fb500baabbcbf7dc68140234a6

SHA256
f01982786610985e1e46798fe5600615544ed6e3bc008f8f74dc0e2c9d3acf79

SHA512
6f1a347bc3bbd4db0fcaa55d24cc2376b7aa999a77a1138bc48c08c393b767f3d7ef7b50f354a26401481b9fd3c85fe386ad932ecfcf9427c91214aca5e38f7d

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
63KB

MD5
1a794ad2cf3e8b1bb38a6e60cd23a4c1

SHA1
477528ae79ead374cfc7e8a5d0c0648540afa64d

SHA256
b13d99c9163f6c05c5e36fc57ea902ce5a6bc2a6f4684e78073df4d38e540697

SHA512
828a32f8717c5be97e854cc6609cba5ce8762bc260dc60cfad5a8c4e2268a48f516292de305428f7cfe49cbd3a93ba3418d0e0c819a9d79084208d101bc4a2c7

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
63KB

MD5
b4fdf710b5d5ece811dfe4c4bfc9cd15

SHA1
2b2e2a6b8852277d36e447afaf5fd0461d9f9757

SHA256
57d1564b9cd24c32fdf0960b09084c3a624859f9f5e6e3a89a35747fcf85320a

SHA512
a308a935879cfd0deeee5b133c8999f3693c574618e3c2cd1010f12e2db8ad14fbd75d9c5ca8e5b234489240a3e3c246dc56d3e91ece74b716db31daa569d073

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
63KB

MD5
7751e85dd099083dd53eda184dff76f4

SHA1
ed4e3f63a24e855fe9e448e154fad1c9c21e54c0

SHA256
ca1d6d69c7159bb97f616f9c33f5e52296045f2e02fc445eefa96864bab35fcb

SHA512
00bf94085cb014330401fe6565cfc123a828953df3be4f023e7d6790c1a2d79d0d61a2e24d338fe3aa8daa737f22f774a9836d8d33edfd57de9611c9da168114

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
63KB

MD5
e4814ab212f89fa48de15f6e0ea9532a

SHA1
3ccf98a1ebfa35120a43a0215f9b77714c479503

SHA256
05e0003a338a1f142c2040b23c8c8042231be3f285cf93b274a697b5db444c2d

SHA512
e994cd556bf3b200e71154c938d6caaa09ee39dbd1dd056e6e85270e4a650ea15a3c141243954303ff129fe55c838eaf082da57f65bd2a68a021f613dd52ce51

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
63KB

MD5
efebeb000ac23d924e9ca90e3405eaa4

SHA1
5749495703d2150d063929437e6ec449ff6d05ce

SHA256
32e40c767606b0eedf96879487df9e6e705acbfe98ff8c576d5a5e5a39822d31

SHA512
0066005d35b45e308a7dba870859a9de8938f780e05cdda4c4a330a1d246c15c6ccbffb3994aa647fa252d63f4e72aae9d57f03d392c63cb0eccc898cb768259

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
63KB

MD5
cf92f103b0cafa91ff52c1a9137c53d7

SHA1
b9b53daeda5368192e5b33cb94a15576726987db

SHA256
8465096f4e2c4d2c2549252498cea87d0f2204d916879635518ad00934a09b03

SHA512
934106005716ca46fd997b562e9a2d86d9336dc2ae45f3c07605dc82cb292d763867c5797a0dcf65ab92bbafaab2e3435428cb39799edea645d9696bbd2e5c43

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
63KB

MD5
70fd7903d7a89c16b0749b91006f47e3

SHA1
2fe2f09c43d89914c5282413f99dfeb6ba2db0f8

SHA256
a40e19f4b41a8a33a5e14ea7e7b4b7b1c580d89e673d1ecfc79531048127606d

SHA512
cb17ad37c693cb3ebe59f8022090b25d4e07216f78659a2f796fcd18e3c26475b9f5d57ad728b29e4a04b88471f318a1bb5ca786a9b156e4097993d314a63c33

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
63KB

MD5
d3e7e36d84d854f11f2ec77235ca3a87

SHA1
03589d722b8f7cc42cedbc12b2792859dab0f14b

SHA256
16dff03202aa4d4ad3c70194f54867c1fc07ef21d08d99d554db0c835ec00f47

SHA512
9f0a4fe42cd9d82be9baceff2e3b0298b78cc2339adda31a75894b233edf40b974f523b9b3ae5a4b28b7ff4f5af0d1197dad637eec5d8310ff949335db026f5e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
63KB

MD5
17d530521e83b9181300e62d85e475a7

SHA1
fa4df602d8877b88bac1f52f5c8e21da937c56fc

SHA256
f004a85bf61982cb243860c3024ff674d94473daded8f74c8e4ee883ad18d689

SHA512
4fd6600e7ecd57e5987c1c9a56c21c6eb36e4649765020b8a7334f7ed23bf786b7e2d86e573c7a78bf71a21704f2a92cf7c34595048d6852bdfc01f05909fac0

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
63KB

MD5
68ecbbdeb84000a94477c0344c2e59d8

SHA1
82c7dc7d308fc3a5f6715a910d0e2c10754fc79b

SHA256
41574d68d1bdfcea5fd041752b5fc089eb3fe32055db7e2d341a24151bb05926

SHA512
dae02f86681b4c8fd7344471550548749399d65e59a9a172af03592617a0a0fa1f3eaa1b23d8c7b8eb25e8d8c7874ca0fe93f5c62f158c71f2569c1934c9b6e7

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
63KB

MD5
51d08de6c87fd3566713985d26ae8fcd

SHA1
fd90030c83ae0b0ee27e05617f1aa36154ede13b

SHA256
9256575dd812805536bc0cec24e402349c768aee693003ce47ebb76090bd9dbf

SHA512
56e0495b2c7399fc13f23a2ce00b9b8e00ae210b7c5521c3d770fda1fe139753fc7041506478d490daae4a99846895ab76bf40950afcf9f26c0b7f2ae82bc0cb

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
63KB

MD5
7b66a5d4c167fe814535c61eb8db0f19

SHA1
e3fd8dba498aea60afbbed66247aeb0053c6d34b

SHA256
962683082480cc2a1b8b5f02a35ff8c633ad921daf55863d0c2310835339ca17

SHA512
7d4249f85691c94e5d73f0bfa1f51ae9534c9860f4c3f58c5bf9ce57fe9bf6251c56163c3b853da785605a8559ee67e2d720eaf7b780e441cc5f87644f3e6ad0

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
63KB

MD5
c7bbd455a6701b3e3eaf7157bad4e0ab

SHA1
536b43e8f3ecf070699e54a40462be867b437631

SHA256
5983f1f6c039ac3fe16ce8eb2ae1478cb976eb2e1399e16b072f62526c0d4301

SHA512
f0ec0cb90f64c6a94909b8d73a6e8318c168be0906750165aefa772e1c5793928bf328c29c16173ac2525c7df7adef253650d2907b78c508e752e3fd76391d5e

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
63KB

MD5
dbbea5d85872d73e113b75c99c14d03a

SHA1
c1e0f25ad27d6a655108f99efa3735bd7b984b9f

SHA256
ebe522dc61ca56807c14e4950898cb9a42e94a022963c748e9d2c1be23d77e95

SHA512
dd53d6046299c0cdd6a66333356f2fc0c6cfa24d42e1b922a18d7d91b6e4e824677eeb9e3475c43a1a43dc42e4067d1181a26b3fa520b34031013abf50973ed5

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
63KB

MD5
d938a913171ab3d7d125620b29d0efd3

SHA1
f808f9745da25c821db54711bb7e17e76aeb117d

SHA256
11dc7aab71055342f9dd3280949bd1c788d300171ba363a0903313d1ff9fedc3

SHA512
0461022ac8124c46bc7738b87aa51f159654b618deec6666f1d59c33a4b28dce3914590980251f40b387143f71e04a64ec40e35500f6cc8c45208767270f6d52

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
63KB

MD5
24d91a6e230ab43597425f87d5784c37

SHA1
b506d76ac9fb86a041497de3ef39eb747877d0db

SHA256
ac1365df6410b408f5c880c36f5676d0880eec514c35991e6f168b4d87fa144d

SHA512
31717c723c8d6e95c7ccdb7111cce5de35c2d70202c46ffdab442f2da4d22b17e0178dd405769e44314f37975d60ddefd10f617fe2b58f3f09352c79de0be5a8

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
63KB

MD5
c9d81b641c9298ce7aef4a47068c3e3d

SHA1
4047b0fb3b10b9518c0f3d430954429484db40b9

SHA256
18efb3c81ce447d833e1cc7e0b1ce52a42bf7b24d1fdc96b8c465fa16818f08f

SHA512
b80669a943d224fd2f412db88670b6dc73258f92ff86746febad2e19e39b44100539b1e8b3e30fc0c302a93e47d132c563a5172b4b919cd5b204cd14fce9a31f

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
63KB

MD5
8da919a8d168322f564374302cddfda0

SHA1
9e5c395976ad5fffad82cd55c4a077b30ac8b548

SHA256
f752e9825067b4bcdd61d2752b11bc69691bfd4746733a861cb927f70449802d

SHA512
3bff506c7af310d7ccc6f57db1dd1183e3caf406fb87f0d7646b4fb4db7cf317a93f5a573abe18d42b99b3c7fcd1733f95aa0b49fa8d0570fbe458132caa3050

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
63KB

MD5
9ab02b2ef2926d545ef49dc0c366154b

SHA1
6b7657f1a9971cd74fb11aafc87e4c58efdae427

SHA256
bb978de387d2fbe5d2489c17342e2aa61b61a7ff741f283011ce07f29b9ec8df

SHA512
0c98a898389f0c2173286f17aba0dbdf9dd4bee31bda49d6686f08c566a6039be95b8592c2f6115a373a0b8cb5766f67f1a9271f0dffc45a8d0c2fa81944c717

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
63KB

MD5
2ad99ab147d254c2b53a57d53cf866c4

SHA1
81c373ee323cdde1bd8288eb5cff8bfe5ca55ee3

SHA256
a235a5f389fa793b614e5b6c3d0d16a0efc00fee4ea1ccf9d543aaa353d56ad6

SHA512
61eb248a7618fe737ca866b362c38ab32fc6dc06ba58ccaf0bb78f1831329daefd97960dade689302456b074c32061740d9dcd095a477edfc52fc2920fe7231f

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
63KB

MD5
134b78fbf3db77f92bc6644f9ce1e0ac

SHA1
325e10d8d517f8d0e29d24f33491aa30521aca57

SHA256
73302ba6cb5e9d8c4458e7794fd5a3cf5fb442a6184d70ca3bbb3b4fdf291e8a

SHA512
8a7f3bb0fd315af6d901578a6e67202184c3936ab58bcd54b16aaae15131ba2a6e929cae2e7b54236801fac6f8c47c610dafe4694362602b58811bf5f78f9de5

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
63KB

MD5
eae1e810ae286267d68d9f896259d424

SHA1
62ac99d967c2376dc9e0175c8ad90379a2a2455d

SHA256
b781082a59daba9d2df4a51c3991c93d7dbca64474ca19297ff67236ada0b493

SHA512
7b5372500c34cb543337e8398bf46835e4bcf501074582e900e3fb31b36f39ff0c32b70a7922ddee2841cf22f364832ffccf2dd60eea9750bbd291a954008296

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
63KB

MD5
ab00ae688b8e85ed20ca0b00ebaa16b1

SHA1
df9696c9c1077bd2d2199314dff90cefdd6e5bae

SHA256
4a0fe63a808eec480368a7e5a6d0f593b6c44092db4fe08c98236ea3cbefe9d3

SHA512
ed67af5267fa71b80d3a14f96f225ce7b45db2f0d27898632464e3439543529b8ed0e8098e1ce9e1b8b0f150e5528f242716e63f1447bcd207f7b17bb6bae37c

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
63KB

MD5
b70d02f71763092427da67c53323fe26

SHA1
0cb684b97628c8021f7aa53d2421f0ae5c39711b

SHA256
e1b6903f017d9c6fa58a774d49d74953519d682de80917c93c13ca41ebad73fb

SHA512
fa96b6639ab1779b4c48640a094e5e9d05890399811e4ed15249d6616360c6e866ca52b6a9af56db2157dc498b862b95ef677656b8646b3fbf7a5ca9d7907342

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
63KB

MD5
e42dc256b6a02fcc46b2435b3f4016c3

SHA1
5b1271494ecef4977e6e8366f26ca8ee2530c33c

SHA256
1015452711b2ee0e7c74cbe60dfe0d5fcd08ef2605502dc725f48b6062a7963f

SHA512
2262ca936fe2bb5b827bf64e3c2491080308907ba2fc41c4157e2e8872d10820ddedb61c52219885d667e9f8d3664aad53e0a7357c3c2b899fbafc1558d7f968

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
63KB

MD5
7539dab9712490f019f658be68c89d1c

SHA1
0ded299c3ddb7ab42b4598bfae4df31501609adb

SHA256
779c9c5aa9e61374267947de64dcedd3547e4e78069d2d2af9af55bed2dc0b8f

SHA512
014b18f3530978ee668d6277c57a43fd80da2391558b0289fcb91a3b89695d5cb667ddf877ee6ae409c4324306b8c046131c881607fbe9ec899964029c320603

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
63KB

MD5
3ea26b4724114f50ad599d7d4ab2a047

SHA1
468ea9f42856ebf22d1048dc653eef1973af20ec

SHA256
77f5d297d425292c88b2887e1857c33790ba3d71967722d9ea03f302d5e199b3

SHA512
efe85fdccef40b858f7d4a681a71daac8274a95aa8ee0564f8e76afc18ae48c550a6826122fd68d2511eef79e9f903e1ccc44c5f96e30233061ac9c336a6b052

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
63KB

MD5
1097ad058e77c7421adb2bfdbb39991a

SHA1
ccb0401ba93e73ebd2e875c2a644adbb06a58c1c

SHA256
f9d8245464849269e06597e37d03e5ac1bc9f7e1f50d7a48aee55afbe671ce4c

SHA512
71c7d631acd46ba8e9cdd9a0603d5641f71fa8308e5c463c4606d5847afdd0c3d0dfd231780cc1d4a44edca6786ef04e5837b91e346f8de869786370c4e8abaa

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
63KB

MD5
e33f90616450586149fd75842ca4430a

SHA1
e5881e0e9d946912cd5671bc2dbf8ae6e4cbe1fb

SHA256
c3eb07a12a2f3b9ac4899ada2504429377e511505ec7191cdc0e87bda262ffab

SHA512
4335ca4149b02e7a069cc9798c26fe48a40fcbf7d84ad4e507e97f656ed826df7aa088a0562e27a7226a88d3db7a65edbdef35a268906bce16c58f6027cfd27a

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
63KB

MD5
4fd6f97939a622b81d2406a0210e8c72

SHA1
dd704bdd797a16835d5b10b679e6101ad948dd8c

SHA256
71ee73c6fc135edfc7384d33992286009265bbbd865e238173ec8b360bbcbe61

SHA512
aa05b10eecaa157b918cbd4f979b3037a21c940df1c9d6bb5fdc66f320480e2e561b8dda38de4c89a5e666076471ca8adbf19d21f6bd8dd93dac09b107c1fd13

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
63KB

MD5
8a8e642fc279a93412c126f1fbdf3b55

SHA1
1c8962a1d831ff52b8be89e210ba63b454e988aa

SHA256
e12d728bbb0dad8292ecb18dee0f11788d785c800401e326ae34e710d0dd9809

SHA512
093ac09ef2bc3d989f6a4df9b31c2cfbe61578cfac12e9d42eb3047948aa354803ca19b61358e127b699cb63a65196ab8ee01bf9914aabb3428e892530791b58

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
63KB

MD5
3917c6df95872cdad869373385512ae1

SHA1
9850074615f81f4eb22be7b358d9a0ee0561f3cb

SHA256
c1d3894f8054149e537ca0bb91a5348da95079db683bb7b4f39d8290205c4101

SHA512
2b95d8bef787bc5bb68167f3305d65ee3f7040f7d3219d00ae6809347173881f04a2743543a0264a59e058fb05cb3e1463055fb9fc0ba76b8441b59ee7137bcc

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
63KB

MD5
877b2b2d5cd3f5a6a45f0ba1f73010d8

SHA1
2b5d86ba200d5e2ee9a7396039eec42211d9ff2f

SHA256
d0c22bb81f6411fadf409ab07aa031cc84496f7e88282e9c1afbb48e442e4b26

SHA512
3221b7865aaefc4c55c326ec68701be74791f8155595217a60b42785078947c37f273688749ffe8252122f1ca3f580f0b12b1c3ebeb14f0ed2f0fca0f9eaaa98

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
63KB

MD5
a2cc3ba1158740d35abdff67b94b882d

SHA1
f02e7ee1c36b43a0fa572320d51d6ad5332bde53

SHA256
6eb46dc090f9739640160a5519971fa48de149b4dc8a4075c591fb7b48a1c854

SHA512
29134a87b14479e10c4a7d8f29411b6912d0a3696929b969333dc35926af7323193891450ec4678bee60b4c5bb6f7ec22279899b378f08e7f658cdc873291f51

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
63KB

MD5
52ea697eca8f18c6a17e9a7b121339d2

SHA1
45f4d98816fc2c72301be5d85105735b2d4b1fd5

SHA256
f388269b2461fd3dae2e074ecc280cd373978a2db19690434670fbc351be924f

SHA512
89ff22b836be0cc610cea0cae7aa84bd25c7d984da9712b9b1c402698285cd0857fc597e1492a562556cd4a5a92dee86257346a0c6f1fbba59562ad0a6f0e675

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
63KB

MD5
4b48cb271c5c2e72dded656b85fcd57d

SHA1
0a848bc763819cdab5130dd602cd17678cc6eb90

SHA256
401711f74ab1101407f498a8273681201b7c9c26e463a1f687229194c502b6e8

SHA512
97f1991adccc96a86e50d4e615aa0187feb302edacef38d02815c52894698681c4a290e1b059df3dea5789e00227f3074b2efe56a2bd438bd000d76dfd5e6c76

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
63KB

MD5
704e0438a178504b2f472f3849805554

SHA1
dc5e6a54bea0ae4ef834fe02ab05637978c18d2f

SHA256
36e80a72166dfd859dc9002f940024111cf014d616d86120515e5a2894cd4fe7

SHA512
d18c4a89fc2438b3fa384c43b21b5fd4357339782473cd5544f095ea91ddd5070bbd4a6881312b772b2023a43048e23de5e493c90b1a6055e60d8b7ea0a5c310

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
63KB

MD5
1fcda9d45c73903d8b9380bc8103bf65

SHA1
fa272a101ec35ab1ef68019168a5a321756b8826

SHA256
9ba1c27418746c150206f0502287f8be486a624eaf61731529bfec52662df06e

SHA512
3cf2e0cf4ad330af5c1d6a0bcca2790b5467d9702fa500ce096132ef80512524ffa990c06723283e630fb9406d38ce0d4d3d5a6a23c7cc8bd5b814e053b2f05d

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
63KB

MD5
63ed34ba89fd6840cf55142219c26510

SHA1
89a8ef3483e87c46e7ba3326541a529c06919533

SHA256
77d51aec92d67db9e4a514ef688c4b3ee946408eeb5d29b3b2477bb60edc3644

SHA512
595634c2c373deb33cfdb8aed687c3fc3bf461508ce429c6bd9b3ce865d8cb64cf4e41686b2f00dbb76e36615e4b92882fe903c04e2279e17a24599824aa2c59

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
63KB

MD5
cff23e902d395d8a5d005e4044687520

SHA1
6b8bf3fa040e7fa9cc7738f2bfa45fad5a39e94d

SHA256
67ebfc5024c488e1e485a9d6bc0d4e8d7b45d1cbd1ff7ad111ce54442117a44e

SHA512
fa5652e64fc2cf79fb3c51d2550330e91a26640311e9996387fdbd8e63560b64cf5c730e0d99bebb2af257f57afd962cfbb259502ce1d4139866420f72d3e682

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
63KB

MD5
855aacc637f121a7bfce2b27c525f2a2

SHA1
2e9326fb05eca09070e912b49a0ad7da8e1ed0c3

SHA256
a45078be976140214e9947a12ac3a60ad81716d3575acf64e313a80c3fcaf14b

SHA512
e8c7195a9ee74d59672c150d1f0d8245c29c41ca1198ddbd4eba1a13f3ce015ee31d6f7bf905ed2a9a18ef452f6a50201486c9846631d8c625185f08a1b38095

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
63KB

MD5
22e2d92be915312be28f749538037387

SHA1
a380f1bc7a248e3b3a8a8fcf4163039e378643fc

SHA256
009a30fc641549f04a758098487540a1dff15bd0a7d533c3a6f65a801656fb76

SHA512
48f7274f9592821d7cf49592d98e62efdb40f941c86ae64b83d812f9433441360c77d18618e27c4bd2cc37b61544bf7e114aa814829cf40829cfef897134acc3

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
63KB

MD5
0ca9b76c2fc162bd946e188cd1277709

SHA1
4d4e6c3f5fb2a951ad7ca3cc5fd1573028c433ae

SHA256
b61c2fcf0e2441869711d97d8ca85ba7e8a77f1dd29bb96af89c5d45de416861

SHA512
8a6c6c5b253f74fe789dd66e710526fc73f5b69ae39755d64682edfad2aa3f99d09c8ad3c1dc62e8241a964cf4df01f51b74621cf9afcd7f74bc9fae66f65cab

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
63KB

MD5
c9c0b40c3acde54e8f75f85209295408

SHA1
f502bca16a69239ef835c4e1578cb1e47b9f87d0

SHA256
3f65ef975dd3b10a0bd367abec3b9da4a275dae8813ca02f8bbac399d81b199a

SHA512
940eb7418a28fa70fbb544d40760ffa2aa027ca5c85595076a3a249a610a90ab3bf70f447abd81a94e11f7a7b52b49d1dfe1c3922f7ae7359300f2a9a1e8248c

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
63KB

MD5
779d181552dd895626d94b6f7ba02b1f

SHA1
739a8ba1f5f838374d2b16203debbc87424f3b2c

SHA256
b63a1fd217b186d8a1ecdb4dd6266e3c064988db979622f1b78544a5854b1d0f

SHA512
4b59fe67ae918d811c106f629d227287c65972ad157b11ae9a94b4ed33b8b25b026b1cf0370985aaa0e60f80c47989e490b9ca73450d6756978bc89ae64ecbfe

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
63KB

MD5
320ccaa1c27a72932246debc82f0a83d

SHA1
8b9ee64a8b537e9527a364cd43c5aa635a52a17f

SHA256
0d5a05a13b4f429d858262ce959ab9eddfec881badf123a8824dc6d50e1bf27f

SHA512
1a5b5c74ccb64e7b4494fee354c20883a543b8e024b67994530bd3a055fec158321b3a5b4eb75264834e9f9971b5f6319fe50fce5ef822c29d17b316cbb2be01

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
63KB

MD5
dfe11dca6aec26b78ec621619467f8b4

SHA1
6906ade154f0c5ce2772469c2f80276bc4a8735f

SHA256
665bcf45cf0ef11bbf884b56d10716b8bd6b4d58ce10537dafcc3cc4575aec4d

SHA512
3717d3de0a076d6642fb6e90545ffa4c3dbf792fa59b8a3d03cfa60331715f1bf554b12f043756f8d70c8beb8d9a59bcc74a8ee8314577b87b1800fe56c643f0

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
63KB

MD5
385a3477f4b8250b59d6d1db556c195d

SHA1
c843e6fa15416221a53d6124a6ce1245a6a72fb5

SHA256
efea88be483ba27c4df06f89e7bcd1b09e56fe842a4b74545fd37c4227304495

SHA512
0d9747862f6df0e4c83e30a62c7eb2d1b2984c542acdec5c232b3f237e8547a0ef36e246a30a520f1dae1bc0e3690ab4fd5f53928e2db0cbf940ec59b36c850d

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
63KB

MD5
027818940d2bc7920aa25c8034ee30c9

SHA1
4e275ba629e300577c6401088ea30c8143fa4cd7

SHA256
e80cee3cba8ff0aaed753d2f424f23120e8d5a1a52c3fa9cec2216044119d231

SHA512
9e62fd3217278ac7cfa5cd70b00ce6736dc4d50f35f84900dcd69ac86b7e6903852054394e65904fa17ac25e3130200cde500e144d81d141bae7fa16c4386e02

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
63KB

MD5
c6d67ae5b8e79ae5b250bb59a6fe1096

SHA1
cc20c7f34d10c65271b755b61dd4ab5a1c8d72f8

SHA256
719831c77dc71e2999a8f22c006c2dc35e392be59e98f3497b9dc8cf5ad3d3a3

SHA512
0ebc810775de47f3efc07ce969095b994e5b50c455f3bc85135444aa43e72e27094fca346083fee9f996e9cf9b42245dc5caeaf7170aca47d7d63de703fb5ac4

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
63KB

MD5
6f42ce21e08c901a961f0d546dc753eb

SHA1
55fbc3f31c30501a22158f868bda8d996580991f

SHA256
5b8b75526ac6e5286a96b52f7cd9cd2aee22c35cc404c53981120dbc43a12c90

SHA512
4fed10809fd5e1bca3960ca41f4a9e9c6549f99478d5c307ea099e44f88004d2e567fd59a872f010a856efb5ae1375d39747b57568935870b0127ec643f8d4a6

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
63KB

MD5
299fb310f7a830e0afd6def0b620448f

SHA1
2da4c4208ee1fb9141fe0f6704e95b9f86d5d7fd

SHA256
2ac1d5b27f763d3c15dd8ca680d9d62460201498bda3b2908a0e09478bec1096

SHA512
ae7fd3a272631c50ad2ff71078239a184e845703d05004057fc105d32265dc0570235ee2489d1858407734815813d5612fb33548717cc03c2f03b730e842bcd5

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
63KB

MD5
52711c4716127d5119aaf8323020ae17

SHA1
7986a4f22675c15b4c38dfaa4408817516cc5753

SHA256
53368420396ffb0e7f30dacec90722be0d258f87763f0383fd3bb3b019468fda

SHA512
50de4d0684c7be03f047bd15b109b40bc08722b4af4491093d3e8b8c9bee12fb8b913bd1c88e2a049dcefdbee1355307a5d19a6138a345ce02f804cc9b1d485d

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
63KB

MD5
58a04d09771100a6da556bdde05a59e5

SHA1
4778e65273d24faed70ac7e8de1169b24caec19d

SHA256
87f4038cef012f75ce928b2e8d8582819dde17dfd361e26e990f24ef09210715

SHA512
57771a5f820e846b668ab88d439942a254cc8947896afc83d169daa55d2a78bb887955f042cdc140482cc9e850147e94e64e59bf5ab1554bbbff26cc6994d9bb

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
63KB

MD5
ecb422cf52cb779f9167b5a6d752d843

SHA1
f8a7d36588e5d862df84d705dd0edbc6dee9d272

SHA256
3bfa495c7ed030a00deebc4bfb82cbebc20679707bf578706f7eebb1dd92c4ac

SHA512
bfc74f830a746040ccc1f7537ceea725c87f48b4f45a2e553e17ee20da631cb92e6a31518f0dc709e2b07dd725f143f4f16ff00929216a1c9b46577460a07e14

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
63KB

MD5
0bfdb253256403096d9bd6e51c0644d1

SHA1
26490da67539db709a65c2b8601f1937596059be

SHA256
e303e9c6587965e7a1927da69a78e856f8e73b1090cfe7c29b859591ec66eb6e

SHA512
83894879fea4f73788d579b7d4548fcbf2f05b1e938c0565b47bb72df41cc8aaada8f3bed9a31c305b4854ea4cf8468505e64c1c3fa49546b2d7b9d1a8a32902

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
63KB

MD5
55a4e165f011bd9cf7a33cc665a38df8

SHA1
f5f85181e1d4c53996f2914319a943403aebdb3f

SHA256
fe508cf762dbda0a2e758a2efdbf0466e0f2cb691da94e9da0a5e3ef7969c502

SHA512
55bc62c7b876b427a6ad07848969f2cf714f635715a5d81a4f11611ab99e0f89224848d8a270d8bfad11fd5065b2679cd29ba9886909d1b6e914635a7cc4ee7f

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
63KB

MD5
a9d31532a0062d91b2f42b592b90ac2f

SHA1
4fd16144e42f833cade08678e7201115dd7f87b8

SHA256
db694d2e69e3f15d6fc1a631f1d3669fef3423e85d6137e43f750e50a7972bff

SHA512
3ba091531092200affe82273cf1afbadffa2c22aada78aa6473d6780b943639204d2d71f14f3c54eb9bfe42929f0c8003ea2d9ba6cd61a8a54f94d7fd544ceae

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
63KB

MD5
04db5803c1c3a0fc760288b02001185a

SHA1
78f1224a4ad5126fd9869872a54bff0849e01296

SHA256
8ef61fb8b61a54f904889b1ef78f2be3370a0758d9a9ba6eb11fc0850da3e570

SHA512
60d2c94973c336a3833a6293d4d5675ca53baacb12eb10339cc6791515c640013112ae9c04130acd4ccdc5c07f67af16ab39f94b6992bf22d28856d127e33d68

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
63KB

MD5
9a861f54aa79db558f4dcfffae4388d0

SHA1
67b18adfbf3e8efa70f24d6a5a376c754a929885

SHA256
c6c51a32d1526a66355808720a87ebafbc747186b63d57be1ecd353cd8013757

SHA512
48236d8b9ce012744dfaa3c77540d4b37ed0aaf9819fd079bc58720a3ec02f3f24171f8ecf90ed292c49bfee307d4c07c6e0ad57ae07d9e58ac1418d86b660bf

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
63KB

MD5
6a01092f835b365655bede94750160e0

SHA1
29110e47a0a12cf9529f3b6d390685c7ae4790a1

SHA256
1c45ae7a18861b5c9da252e5618b2b53f830534e2d6f4f15bc52fd78bac0d364

SHA512
04aabedbfa28c43c8b79c7acccbb3c0a1a4153609c4ad02b4e5fd40dfeb89f3c007078e1b2b06ff63e458d562df6767ed08c5366245e98aad9adda7e215e0ef7

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
63KB

MD5
eeb64fe1cefe4ccdc072217351612f91

SHA1
e4877eb18e42565014da1b9045bd28a9ebdbedc5

SHA256
310b567c13bd12a1b93af67d141cd47eb07e070876e235a2aa8151a302f9c974

SHA512
19f374e01e7b499c8d8cccf799b669a9ce328a10613918f24849ccbe0e3ab81897dfce0291b7434dc70ad0ddf13ff8dc32a09bbb7bb4284fa2aaf44f544f5979

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
63KB

MD5
1a3b0f830f2a36511b2a3ee2692fda62

SHA1
7fb86187e99e4daf2b8d0d186e70066b2f48f009

SHA256
fb0fddf5ba6b5725ea6d074dee77daf73b52fa7682c321fc4b8975b6fb7b0a38

SHA512
10f066efb12ec30f3f43be1b3c9a436e691673282e577f02c92d53bd1964839c822677fb1b5146613c33c50808c1ddfba72ed6ed232456dfb7003f713a27acc0

Download Submit
memory/208-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/640-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/964-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1044-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-576-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-562-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3196-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3532-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-541-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3792-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4268-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-498-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4532-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-528-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4988-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5116-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-1414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5524-1338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6240-1334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6856-1311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads