berbew | a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe
Size

305KB
MD5

cfb5c5f332b026736fa23a92b4ca9dee
SHA1

69775728393ee9818ca6c1e0a139d41d635f09c9
SHA256

a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080
SHA512

df2687c43783052b6eb979f547480cb1a2e0da54511da6d033c094afab96849f564404b48908451fbe3f9f0d582cb8c22bc22241b698e118ac443d6b53b73165
SSDEEP

6144:sqeHAHceuvUYn4enqlc85dZMGXF5ahdt3b0668:sqeHac7vN4ZLXFWtQ668

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edplhjhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amkhmoap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hehdfdek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkhpfbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbebj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4692	Ngjkfd32.exe
2508	Nqbpojnp.exe
4940	Nnfpinmi.exe
4072	Ngndaccj.exe
3556	Nagiji32.exe
3868	Omnjojpo.exe
3988	Ojajin32.exe
3220	Ogekbb32.exe
4484	Oanokhdb.exe
3992	Ojfcdnjc.exe
2844	Ofmdio32.exe
4844	Opeiadfg.exe
3956	Pmiikh32.exe
4276	Paeelgnj.exe
3912	Pjmjdm32.exe
4680	Phajna32.exe
3216	Pjpfjl32.exe
4936	Pdjgha32.exe
4460	Qobhkjdi.exe
3660	Qpeahb32.exe
4884	Aaenbd32.exe
1440	Amlogfel.exe
3320	Akpoaj32.exe
1536	Apodoq32.exe
4352	Aaoaic32.exe
1604	Bmeandma.exe
4828	Bacjdbch.exe
4712	Bddcenpi.exe
3292	Bahdob32.exe
1124	Bajqda32.exe
2404	Conanfli.exe
2420	Chfegk32.exe
2744	Chiblk32.exe
3752	Caageq32.exe
2680	Cdpcal32.exe
1504	Cacckp32.exe
1700	Cklhcfle.exe
3692	Dafppp32.exe
4960	Dkndie32.exe
3056	Dhbebj32.exe
704	Dolmodpi.exe
4748	Ddifgk32.exe
3944	Doojec32.exe
2756	Damfao32.exe
3584	Dkekjdck.exe
1208	Ddnobj32.exe
2100	Doccpcja.exe
4160	Edplhjhi.exe
2568	Enhpao32.exe
640	Edbiniff.exe
412	Enkmfolf.exe
2236	Enmjlojd.exe
396	Eqlfhjig.exe
2912	Eomffaag.exe
840	Ebkbbmqj.exe
2292	Fooclapd.exe
3136	Figgdg32.exe
2328	Fndpmndl.exe
1228	Fdnhih32.exe
3264	Fkhpfbce.exe
652	Fbbicl32.exe
2148	Feqeog32.exe
3152	Fniihmpf.exe
628	Fecadghc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dkekjdck.exe	Damfao32.exe
File created	C:\Windows\SysWOW64\Jldbpl32.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Gohlkq32.dll	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Gnblnlhl.exe	Giecfejd.exe
File created	C:\Windows\SysWOW64\Kpiqfima.exe	Jahqiaeb.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Pmbegqjk.exe	Pblajhje.exe
File created	C:\Windows\SysWOW64\Caaimlpo.dll	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Ebdoljdi.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Enalem32.dll	Ilnlom32.exe
File created	C:\Windows\SysWOW64\Jemfhacc.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Ablmdkdf.dll	Kibeoo32.exe
File opened for modification	C:\Windows\SysWOW64\Mcoljagj.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Oihmedma.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Ieccbbkn.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Lckggdbo.dll	Ieccbbkn.exe
File opened for modification	C:\Windows\SysWOW64\Jhgiim32.exe	Ibjqaf32.exe
File created	C:\Windows\SysWOW64\Djkpla32.dll	Pblajhje.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Edbiniff.exe	Enhpao32.exe
File opened for modification	C:\Windows\SysWOW64\Llnnmhfe.exe	Lhcali32.exe
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Mjhjimfo.dll	Ddifgk32.exe
File opened for modification	C:\Windows\SysWOW64\Fndpmndl.exe	Figgdg32.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Mnpofk32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Dkekjdck.exe	Damfao32.exe
File opened for modification	C:\Windows\SysWOW64\Eqlfhjig.exe	Enmjlojd.exe
File created	C:\Windows\SysWOW64\Hehdfdek.exe	Hlppno32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqaf32.exe	Ihdldn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mokfja32.exe
File created	C:\Windows\SysWOW64\Inpoggcb.dll	Qjhbfd32.exe
File created	C:\Windows\SysWOW64\Dicdcemd.dll	a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Fdnhih32.exe	Fndpmndl.exe
File created	C:\Windows\SysWOW64\Jcdihk32.dll	Fdnhih32.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lllagh32.exe
File opened for modification	C:\Windows\SysWOW64\Mfkkqmiq.exe	Loacdc32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Akeodedd.dll	Ebkbbmqj.exe
File created	C:\Windows\SysWOW64\Kpqfid32.dll	Gnblnlhl.exe
File opened for modification	C:\Windows\SysWOW64\Lfiokmkc.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Nqmojd32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Oihmedma.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Ppdbgncl.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Polcjq32.dll	Abfdpfaj.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Gnblnlhl.exe	Giecfejd.exe
File opened for modification	C:\Windows\SysWOW64\Kabcopmg.exe	Klekfinp.exe
File created	C:\Windows\SysWOW64\Mpclce32.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Loacdc32.exe	Lfiokmkc.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Eomffaag.exe	Eqlfhjig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7268	8172	WerFault.exe	310

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojqcnhkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfogbjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feqeog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jemfhacc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpclce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddnobj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjqaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlppno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnenlka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abfdpfaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmcpoedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdnhih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnakk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbagbebm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doojec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjidgkog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piapkbeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblajhje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loacdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmojd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edbiniff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipbaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kamjda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkbdmbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fndpmndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimogakj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajohfcpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfpinmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fecadghc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjpjgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbnhoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekbjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakfeodm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafkgphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhanngbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haaaaeim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qppaclio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnjgdn.dll"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebkbbmqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fniihmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koonge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpphjbnh.dll"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjaaljm.dll"	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcpfdbd.dll"	Eomffaag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onogcg32.dll"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll"	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekoe32.dll"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfkp32.dll"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll"	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll"	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feqeog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4692	2444	a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe	89
PID 2444 wrote to memory of 4692	2444	a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe	89
PID 2444 wrote to memory of 4692	2444	a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe	89
PID 4692 wrote to memory of 2508	4692	Ngjkfd32.exe	90
PID 4692 wrote to memory of 2508	4692	Ngjkfd32.exe	90
PID 4692 wrote to memory of 2508	4692	Ngjkfd32.exe	90
PID 2508 wrote to memory of 4940	2508	Nqbpojnp.exe	91
PID 2508 wrote to memory of 4940	2508	Nqbpojnp.exe	91
PID 2508 wrote to memory of 4940	2508	Nqbpojnp.exe	91
PID 4940 wrote to memory of 4072	4940	Nnfpinmi.exe	92
PID 4940 wrote to memory of 4072	4940	Nnfpinmi.exe	92
PID 4940 wrote to memory of 4072	4940	Nnfpinmi.exe	92
PID 4072 wrote to memory of 3556	4072	Ngndaccj.exe	93
PID 4072 wrote to memory of 3556	4072	Ngndaccj.exe	93
PID 4072 wrote to memory of 3556	4072	Ngndaccj.exe	93
PID 3556 wrote to memory of 3868	3556	Nagiji32.exe	94
PID 3556 wrote to memory of 3868	3556	Nagiji32.exe	94
PID 3556 wrote to memory of 3868	3556	Nagiji32.exe	94
PID 3868 wrote to memory of 3988	3868	Omnjojpo.exe	95
PID 3868 wrote to memory of 3988	3868	Omnjojpo.exe	95
PID 3868 wrote to memory of 3988	3868	Omnjojpo.exe	95
PID 3988 wrote to memory of 3220	3988	Ojajin32.exe	96
PID 3988 wrote to memory of 3220	3988	Ojajin32.exe	96
PID 3988 wrote to memory of 3220	3988	Ojajin32.exe	96
PID 3220 wrote to memory of 4484	3220	Ogekbb32.exe	97
PID 3220 wrote to memory of 4484	3220	Ogekbb32.exe	97
PID 3220 wrote to memory of 4484	3220	Ogekbb32.exe	97
PID 4484 wrote to memory of 3992	4484	Oanokhdb.exe	98
PID 4484 wrote to memory of 3992	4484	Oanokhdb.exe	98
PID 4484 wrote to memory of 3992	4484	Oanokhdb.exe	98
PID 3992 wrote to memory of 2844	3992	Ojfcdnjc.exe	99
PID 3992 wrote to memory of 2844	3992	Ojfcdnjc.exe	99
PID 3992 wrote to memory of 2844	3992	Ojfcdnjc.exe	99
PID 2844 wrote to memory of 4844	2844	Ofmdio32.exe	100
PID 2844 wrote to memory of 4844	2844	Ofmdio32.exe	100
PID 2844 wrote to memory of 4844	2844	Ofmdio32.exe	100
PID 4844 wrote to memory of 3956	4844	Opeiadfg.exe	101
PID 4844 wrote to memory of 3956	4844	Opeiadfg.exe	101
PID 4844 wrote to memory of 3956	4844	Opeiadfg.exe	101
PID 3956 wrote to memory of 4276	3956	Pmiikh32.exe	102
PID 3956 wrote to memory of 4276	3956	Pmiikh32.exe	102
PID 3956 wrote to memory of 4276	3956	Pmiikh32.exe	102
PID 4276 wrote to memory of 3912	4276	Paeelgnj.exe	103
PID 4276 wrote to memory of 3912	4276	Paeelgnj.exe	103
PID 4276 wrote to memory of 3912	4276	Paeelgnj.exe	103
PID 3912 wrote to memory of 4680	3912	Pjmjdm32.exe	104
PID 3912 wrote to memory of 4680	3912	Pjmjdm32.exe	104
PID 3912 wrote to memory of 4680	3912	Pjmjdm32.exe	104
PID 4680 wrote to memory of 3216	4680	Phajna32.exe	105
PID 4680 wrote to memory of 3216	4680	Phajna32.exe	105
PID 4680 wrote to memory of 3216	4680	Phajna32.exe	105
PID 3216 wrote to memory of 4936	3216	Pjpfjl32.exe	106
PID 3216 wrote to memory of 4936	3216	Pjpfjl32.exe	106
PID 3216 wrote to memory of 4936	3216	Pjpfjl32.exe	106
PID 4936 wrote to memory of 4460	4936	Pdjgha32.exe	107
PID 4936 wrote to memory of 4460	4936	Pdjgha32.exe	107
PID 4936 wrote to memory of 4460	4936	Pdjgha32.exe	107
PID 4460 wrote to memory of 3660	4460	Qobhkjdi.exe	108
PID 4460 wrote to memory of 3660	4460	Qobhkjdi.exe	108
PID 4460 wrote to memory of 3660	4460	Qobhkjdi.exe	108
PID 3660 wrote to memory of 4884	3660	Qpeahb32.exe	109
PID 3660 wrote to memory of 4884	3660	Qpeahb32.exe	109
PID 3660 wrote to memory of 4884	3660	Qpeahb32.exe	109
PID 4884 wrote to memory of 1440	4884	Aaenbd32.exe	110

C:\Users\Admin\AppData\Local\Temp\a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe
"C:\Users\Admin\AppData\Local\Temp\a3313345e8e6c4e5a9599f89ee135963af5eb575014f5f65355267e549fd4080.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\Ngjkfd32.exe
  C:\Windows\system32\Ngjkfd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\Nqbpojnp.exe
    C:\Windows\system32\Nqbpojnp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\Nnfpinmi.exe
      C:\Windows\system32\Nnfpinmi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        28⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        30⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        32⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        39⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        43⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        47⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        49⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        53⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        58⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        63⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        67⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        68⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        69⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        70⤵
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        73⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        74⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4092
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        76⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        77⤵
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1100
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3144
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4992
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        83⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        84⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        85⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        87⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        88⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        89⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        92⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        103⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        107⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        108⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        110⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        111⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        113⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        115⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        117⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        119⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        120⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        121⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        123⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        127⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        128⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        129⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        131⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        135⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        137⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        139⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        144⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        153⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        156⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        157⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        158⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        159⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        160⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6176
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        163⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        166⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6788
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        169⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        171⤵
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:7128
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        175⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        176⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        177⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        178⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        180⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        181⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6312
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        185⤵
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        187⤵
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        188⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        190⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        191⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        192⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        194⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        195⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7248
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        197⤵
        Modifies registry class
        
        PID:7292
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        198⤵
        Modifies registry class
        
        PID:7336
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        199⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:7468
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        202⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        203⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7608
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        205⤵
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7696
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        207⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        208⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7824
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        210⤵
        Modifies registry class
        
        PID:7860
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        211⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7912
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        212⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        213⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        214⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8044
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        215⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8128
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        217⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 432
        218⤵
        Program crash
        
        PID:7268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8172 -ip 8172
1⤵
PID:7232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
305KB

MD5
6339e99e583309b4075cfeef498db43d

SHA1
b4c49aaeac00d727f0b4fd136d31ad203abab579

SHA256
73bf1ad569279c38024f17ce7038493e67530b23759d1db8ff3d60c7e28946a6

SHA512
a5f805a1ac0d86c6f1d559316376ebb257dedafe451e0ed34ab74641900842334d4b9782743dc171a9ff0104b181483f6dac8e2ad19bef01a835a8ce2299b24b

Download Submit
C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
305KB

MD5
fb85d786079dcd396a084eefa6d3336e

SHA1
0d0d32db1fee5766237df732f30de9425cf7b57b

SHA256
60e29fd20145b4c41d9a0d2c974290c24e7c7f262763db12617c52d9a72ff9aa

SHA512
c471167fffb345ce466f3d923d1aa8575b687fedddeafbcb6a329f37d392e19ba1be6042d38261edb6e7ff5e71af81a5383907504b753afc68b4496dc59bf3af

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
305KB

MD5
99b9eb67363031df7908c0ebb0fc0a44

SHA1
35b1bd1eef56d6124e1d17dbb2c2e8f63fb7f9be

SHA256
487de748ae8491fc9d640520c0fb5e0c2af99b70d62e9872b6f5c6cf1a91c82d

SHA512
8792ddb034e17fa3422eafd94e9351f8e6dfe4c3d399419b99278093c80ccf58faee6ea550909b5eccaac835e04ff24d0c13c2f6b0193e9fab1566cc4ba2b70a

Download Submit
C:\Windows\SysWOW64\Abfdpfaj.exe

Filesize
305KB

MD5
6011033aa7fb1682cecb2a5aab531842

SHA1
f2bc37c1025f1d8d31c0c8963840625b4def7a14

SHA256
bd80168a81a41f42d6d28d4183a0cab715c19a28b6a140a8510cf7dc5fe64792

SHA512
a9167c54fc6e9b8281f9bc4882e95082409403f96b903c372a3b1e6d664c9d727fb680f211d95928b4c8a35ced4871af010ecd9b3b3a7d8f77a89dea07fed01f

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
305KB

MD5
da1a1128bf80a1622bfbb38c4a6a3408

SHA1
1295a4646a9e3f55b7c11fc2953e9f9b9136f0ad

SHA256
811cc6da80160a11e173ea03846e7b5088c9681e27c1d602104ef6a557074a40

SHA512
a6fce37b9cd4c17c3d6dccae55f4df2cb742f58534779ed9108521807f435cd2d39edfb2d10bfeaa3bafe03ffd4118f040128be3090253a1a9add1e69738ef68

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
305KB

MD5
7865d6341bdefda65856d96c02db0063

SHA1
3558c9e803b6e44b099f07df105c1856952b06a2

SHA256
342f1d8f07319108bc8f4ec472b268bf4775b4543d6e001fe440c63bc73468db

SHA512
0fb982323326cbd9fe34adbdee8088ed4ad4712d2465a6e0823b05590f0b23739fda83673cac0b7f0987f9e9c7fe0dc3bc851a30d2542eef5022483c97fab5f4

Download Submit
C:\Windows\SysWOW64\Amnebo32.exe

Filesize
305KB

MD5
ba07db583f5bc29fe8d872e4486735e5

SHA1
e9cb2b7ad8d8425cbd76ef806aa3d55a2e8e33fc

SHA256
10f53a7d1ecd5137c87cf9bbfa9b452e5b46c853f1e1aebf75e6b5353200e919

SHA512
f4e4965f9141fcc5dab8d7457ec33803770ab118b1d37365b39fc3d9c947586095c1b3baa25b3f0a7de1b14e832062f50bcd8d3d50a3293f46c5f5462f81657c

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
305KB

MD5
7e3e419d51e0d069a86ec9c0f07c12d1

SHA1
4759f89e56993eb06b49fa3b523ee5dfd3537d54

SHA256
f5a35ca66a0fa9d23cfa2a2b7eda648af8a0b222804b15a685c81bd29eb6c145

SHA512
06b1f4a1ef75aec3bfbb26025950bd2c43a17edb896c813d9162690be9ead7fb833eefc875db9a66e6a9262bfeac2f7335c70d08574670128560ee7edd821b5d

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
305KB

MD5
69780a50a370d9efb0d869f5b9272c79

SHA1
2b1207c96f4059c4583692ae0672cdf59adda4e6

SHA256
036857d9b24c477849985228b25e3d80b568e9682569a889b7be37d28b00b146

SHA512
b56bbd660be164788a61d419eb13961e69d55ea12a41ec1026f95cf0b336da5c2d956ed3ae67a81c1bb1d152944e42dbd55cd9e87e796d44f1c054f53d0a7640

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
305KB

MD5
33e8dbca6327db777a117369bea1075f

SHA1
58452228644354964f948b92b0621d0ec46a9172

SHA256
48a332396287221696f92529040aa3fcca362aa3b61eb3ba3b9ce117c596f236

SHA512
5993da229ee82a147597866b00499a3ba87d4dc323ee0e932a1a7fea6f41f78f690fa09a530fff827c9d9cf872009a70d6cd414c891caac52243e158e94cf1f5

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
305KB

MD5
cac7a33263d5fdce01079ed6f49e7e6f

SHA1
3b28414841e4716f7509b95b68d11edae1c33e4e

SHA256
d4b4a0f0f899a2859281251d874b917ec0400120a1395a571df6f5b4b439dcad

SHA512
d3e77ad9dcb9a1930bc3215ab9f18746cb9ac6a8edcf15588a63a85aa5b55916074c5ba9fb3b1c376b09494b41ba65ff6e0d556ac28c146e3ba40d3914c6d9b0

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
305KB

MD5
3d648a886e8f5a32155c1722ce1f03c5

SHA1
7af87ceb347b696fafc742a2459d82d9ea4aa5b5

SHA256
7a0cebf5cc31ad531a4cdb38442746ee92b2e6bdee784086028ba787289bbcbf

SHA512
8179c03f6f4bd8ac4919a812a3e8eb5185ea61aa8f96be5e777516e59351f68734b671ae67c279709ff07b9fa113d0d88168a3ddc0e6d9d7267c232c6878ad43

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
305KB

MD5
57194abdc51587bdf3d2427470e4694f

SHA1
88e6640920f629e12f31a94d009de1da4b36f764

SHA256
6b31bbfedb94a8e2831b3e5f757bd8be3f4be0610bcf2247ebbfed63c079de55

SHA512
95265c39f9219d12ff9fb987b8d4bea7728be158a702b8e603cd8bceac1913e3d916b8c229021ecbcd3599c132740db17870cea86dcc69f1798a142323f6fef2

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
305KB

MD5
edd6d65538587d01cbd3e8ae82226e5b

SHA1
8ef1def69ef07d587d9a63f4a4359cc79f0409e4

SHA256
9a80e4f896dfc805985b042eb6b4c8b9b8baf02cf383745ade29e4ee9db2ee9b

SHA512
dda87986bbddb5eb9b729bf8b4d6373acf70abcb82c7ff5e21933ad333bf58d05af3822c6d37ec6ee75b19c40e4126be5a0b50d89146adc682f432cefebd1827

Download Submit
C:\Windows\SysWOW64\Bigbmpco.exe

Filesize
305KB

MD5
af4e9199af46fd3e3c26cc4ee899498c

SHA1
40ce6b6a2bd4c11739bee5828c7e00ce198dcc83

SHA256
848308c8492a18b80b3b60dcac921ba7b6de78c86796082a644186fa7dcd2ea4

SHA512
bff03c8f33f29e3521da32cc0528c5e39000c32d70b70ae566295217cc14b57cdba050fc0b00d6a35c1a95036d03cb1897dd2f1e0d9b3077e638b82744cff4ff

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
305KB

MD5
b11bb0a543fbb627060e3fe9b91dee89

SHA1
7b2b19c2fb406cf6b64513020593fc8c8e149217

SHA256
331d1e8a45167210b928e78c5853dca1411b581fc77e085db2bef29ba80c48b4

SHA512
eba06e9e3fa5780537aa90ce388185ca2f8a7312473c7c662411c0a02c29fd7382ca96fe016600ccfc64989b21ac512db5c297dcd5dc2871a24e4d46fe967db6

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
305KB

MD5
4d7f558f927b894d9891c09fd335be1c

SHA1
748752b015f83d6898f75b35ef5748e704fa9c99

SHA256
c555330c6cabeba5d8f6db906183f70ae2c88c87f74938954bced2c83be135ec

SHA512
853556e43f78cb69020c3c4aab385ae4bed871443a74cf1aff715f37ea00f907b8b75d82338ddca4da9059477b57037dfb9a031d16a4b62f93986dc250be93e5

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
305KB

MD5
a7ca5c83158173e765898dbe7b941c54

SHA1
286c2fa2f75eedafbc2c11ef022962744201f746

SHA256
9972660fbaa3b2142264b2560dee95005b6f544a504109037fb5a9312a567966

SHA512
d79e5acf6191e90bdbde39c0d1fa971bd990dfd002f74ff187eb9045e2c8ed2b4e77fcb9a167da4e498e2f27ac58064b66ec81ccca9bdd63ed0dc3d55502bb1c

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
305KB

MD5
8bb3586b5b8e0da196f7ec8cadd75a36

SHA1
b2ea4fa254e13ac92b48910001d885cce53146f2

SHA256
ab73cdea38bf92d481cab7f570bcca766a57f2b05e33b95cc1f13ca1aa21662a

SHA512
1c924cded92b8e338699d278768d966c26318f57c21ded4924788e3a8e66a79a406f23fcd9e3fd7a58142adf309b1f53812881ac3c74c2fade7a6c1bb91b61e4

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
305KB

MD5
a687ccb9c61a5e7037768a1a062e4509

SHA1
026d191cd6bda1ab9fb414c2dd473c6de1a7c0b4

SHA256
369f74c2578de502192204563d03d6404a391cfad1bb9f608bbde529ce478b0f

SHA512
2733b93213d29ef49e73dc14da8b6e8edbe8509eeb0c1c90dfbed4a522d88ebcc1d4bffebb5c6d98c48d0039eea554ebadb8c9224a57cae2cb448cdfb9db2cc2

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
305KB

MD5
8f68b68a7eba5f6f48a5c56a5a506eaa

SHA1
dd324fbcb180b175dd9129ebddfe47535d52b2c7

SHA256
05aa343347355486f8e19b5b036a231fd7797e32c6b1312ede446a0d4bbe1afc

SHA512
a89ff060715b8330440b1f0888e7157254942561197f7822e08bce9607e2ae8b1691b46f2c16e5c2560df63e7150199e72d7c49ddc2990d16fca94396896dcd2

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
305KB

MD5
875b17e03a21274c6db4f22765abb2b6

SHA1
c4236b6fbf2caa74d73c631d30a28e09b543384b

SHA256
ed15a16bf37b4d17d67e7de5ddf186426a6dbc26e1a9ee274d956232186f46cb

SHA512
fb0a2bfa2dd3c0771b5a3a67f1e4adb8bc918cd39363956a81c29147b42dbc49a9d6d54b2292786c9084674b6b8b3cdf9a3e500ac9d7d4ec18baf7e8ed3c6dd6

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
305KB

MD5
b4d4414f22d018d2c52e323a21e9380d

SHA1
4fbe842c5ecfa52e1bb53eac6d96694c012a42ae

SHA256
bcf619ac8977a4f44398d8455b5e5303d4d4a1f4e0b2b62dab3d35f91641ce28

SHA512
5e749bded421269ba82414eee3185bea7fffca45048268e161cf3ad93a27a723b9e4a01f90c4cdc4cc32645719c38704b98803fb88ee8667374d12aadea3314d

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
305KB

MD5
d48ac467fae40adc885f4b72ae95b24e

SHA1
9c8f47f1d6ab77fb8ba4eb7c86d50ece003168f7

SHA256
aa6e3dcbda1753156503eabe584ba0cfd22b17a8a93143e3fc52a79ac3282ecb

SHA512
f8dfa4a72d72bbf24b464838ade7e51b0c63b55c12c4d169ef9877f30a864337c508f6cd16941ee870bf7ff5b9498447716bdfcc179f88e1831ca735d5fabb51

Download Submit
C:\Windows\SysWOW64\Dgfnagdi.dll

Filesize
7KB

MD5
5532c991104276321490040b5ad3079a

SHA1
dc687b679b88f62da4e6f98aee2d8cd5a7da5478

SHA256
c726e314a5842327a8b122e328c8e5c5986868802bb4065356abf6e0954e20a5

SHA512
74109a815c8e1c9ce841a9d649eec56371c52cf2c70de4b622f29ef70cfe080b1bd3bfac305799d22f41a5d66b0d7a72be8cbc44cb295acda904456d611d662e

Download Submit
C:\Windows\SysWOW64\Dkekjdck.exe

Filesize
305KB

MD5
408a68e5ea92a9cd5f601c134b1913f0

SHA1
38f04abe8e3506d4bdebcbb39fe4e3c6dff95ec7

SHA256
a635cf8ea71deeeb2cd344bcfb0b0896d6fa68b807c2bd6cfe3b2fd3d912165f

SHA512
0170e03f273e7bd41b70a9aad7077196f83658a0639a2e8068fa91d75a1973766a11bbc4ffbc15ea032eafe1f112d6d47bc16db0c82f498af7a54fa28076ccd1

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
305KB

MD5
49a724a72382b76ff066ac667bf85070

SHA1
a9f4f7cdc8818ae13db278353db046701909e118

SHA256
bc1fca2fc2cad253ed5746acc3a6365f4c908dd9477a11b0fc1426e1aa631e9d

SHA512
4b1ae101f4343a698a0d9f0f96746db2be72787caec78124aa8819fc91d123f56b882dcffc7b0d0fb21b72bbe4a22fed4a61411fef1bdb32e1b234323982abbf

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
305KB

MD5
1de202ba07b9efa266e791efa2338b55

SHA1
b08bda8077798d07510706cd1923dbeae59f0543

SHA256
133a93b7105ded1148d8679296d99ff05f214b2c5cb60189c2569260a8c5cc93

SHA512
6a5ff00b691d06449b247498bbd169f6a266d2be07a5aedc3b0d79578804e955be8beb954b265a2ace16690f8de39defd5eab7c2264dc7c7f4d6894d849661e5

Download Submit
C:\Windows\SysWOW64\Ebkbbmqj.exe

Filesize
305KB

MD5
ca09c0bc8cfc6c512b8e1252014eb0b6

SHA1
b317e2bc9a160d45468ab5005338f500ef79ffa1

SHA256
f1e34ebbc4c72e78f76a57fdf1f153164aadb710c9e25bbe33f62e2d3703ba68

SHA512
4bd03ae78f688b5440e4983786508ff27f48dc93cd02ad9efc4194285d5d778ca152a2dae56e0c5d62f17d2013ad690b75c510f508d3f639eb0eb4fa5eb7b610

Download Submit
C:\Windows\SysWOW64\Enhpao32.exe

Filesize
305KB

MD5
e9410e91b2679b656a6986d1984364a9

SHA1
0d374e54676671439ca52d6b8b111e6fcf3498e5

SHA256
dae14b27f70f837f335c96fc9c4763c844dd4007a91765afcf002cd4c61fec70

SHA512
8bec6d2ce1da61e15c21184e007e17127ab0b56a3e8b88919566f3a0b7160e4fb272dacd83fd1269cf755dc194b0470d415a678b27954216705a5a64e36c8b25

Download Submit
C:\Windows\SysWOW64\Enkmfolf.exe

Filesize
305KB

MD5
49c0e3abcfdc8344a969e40751cf735e

SHA1
589028c55e46d8d14ed99e147f17407d452097f6

SHA256
8bcdfa955c66eb1b9bc5161f39f3adccba8c0ed7975f0110a84ceb1fbdc28c3b

SHA512
85ea4a791f3a03da79c90f31b537aa3a269d8b986d8d0646f7c70d655c69bcc8c435189b539f10bbf36b5595d218f27785843c7a71bd1737ae5930862041bb9e

Download Submit
C:\Windows\SysWOW64\Fbgbnkfm.exe

Filesize
305KB

MD5
36ce6b9129c15c121acb7e6576e31e83

SHA1
f943a7b59ce9b0d163e64883fe14f26cadc2d650

SHA256
de8550196df704749ba4997291087fbc1762d182d7e921d7222b37d8d774ffcb

SHA512
c9e1fbde2cb30fa5a66980f2666c502643f142e462eed3bf081e214573fb6693e35587cf096044bd62776d30f4bc1ebe83917a61fbd6561774bab3b8088ed2f4

Download Submit
C:\Windows\SysWOW64\Fdnhih32.exe

Filesize
305KB

MD5
9c0138084794819e0ddbfd0d0f3d623f

SHA1
b87f1cbc225075a81100d5d35aa5e458f151e764

SHA256
5a2f912e6841404df804866baf60fa7689c98d5778541e12fc39197c751581a7

SHA512
62149031ad932eb1329706bc40b803e43e089fe5f6203a46cb626dca5c91b8ecd1cce22133c7d986d428d0e00f5f501b1079f474cc3e2f3bdb1dd11d02959143

Download Submit
C:\Windows\SysWOW64\Figgdg32.exe

Filesize
305KB

MD5
b9ab1a6aecbbec35f4c651bece966cf3

SHA1
79cb72ac2057e6d324b7794734f5f2ffe97b8144

SHA256
cdea35fe7e4e16450914d6c9571a95f3b9a9e17bde29f89f90b9ef114b7e05ed

SHA512
c471d95891e90385ff8e27c123f2c8f64a345224fabe6754fac94afa2ef062f5fc1cac292f84058ab7e01973e47a1396436620337f500b3fc34c8e2c499cdc9f

Download Submit
C:\Windows\SysWOW64\Gijmad32.exe

Filesize
305KB

MD5
e8a755579e87e19abd9d882d3bdf0ed8

SHA1
833f3045b85da424caddffc49e0aea892a34df9d

SHA256
bfe802f022035c356a86b1b591c18c4891414a0516e62c702a98f23410eadd64

SHA512
85cbb86364740d4ce9c6de33c9613e8da1392331a26dec0521fd517714e2415932f5ce83a937f3be71074a3b07259a56197598a17ddcfe504da1f1d22022c129

Download Submit
C:\Windows\SysWOW64\Hnlodjpa.exe

Filesize
305KB

MD5
97ac0240007dc6685da95ac15da628d1

SHA1
f2a4b807683e4a62f96be2f4513cbc4c88b790c4

SHA256
2e51117701641172cba6c2f57746fa426ac4b3b0a1fd7e4e5a30107624373b17

SHA512
c9ac529aff963dd05d6d778c620106360ef300162626e340e90d19fc65ff04d2f88281f3b75dff01c1755e0100ee688b3f95b072f8182a660b1a47e079420dae

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
305KB

MD5
cbc34afcbf2868b5fda3205deaf422a9

SHA1
370ac38722f89337cf9ee883d868590b930ab10f

SHA256
72c87076562e22d0af0737d3dd2f596a2b669e0127bf4decc38196716e89b998

SHA512
f3c0e7086a3b070551fd3ec19ece0a0e15aea55aa40a8591292f43b70b3f61ffbae8d7d42069511c427a8e55123b272b6a4c2ff1db84b5409dde28f370716e08

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
305KB

MD5
0641d57fe6f72a2467430bda7f7afee9

SHA1
7b1d2cf516f1a8105c9df49634a44328b9595520

SHA256
ab6e9fe8da69d2d7f442d005c143da2d0d57335eadcff4858fbfe350bc87cbdd

SHA512
17b8b6247a33a73e0cad34fd9ed8b02773348522cb880e8bd1edede62359d627011e2d47d23512758e32e461594d28560fa70a62978925e26b696ac2b48f9ba6

Download Submit
C:\Windows\SysWOW64\Ipbaol32.exe

Filesize
305KB

MD5
c0a2acf852cd57aa877c8b2c09e51a55

SHA1
8d4df0239931cd20f1fb778c7eebabe9683edbc8

SHA256
329fdbae60deb8d825000cd64cf2257b4519e3d7e88c73bb73e8054d0d8ae8fd

SHA512
cf2aa3527a681515ae7234762c5cf536ee87a1aec99b9e412fbafac3071ee61bb0f751d8b62bd2698233bcc78243b38207bb1ae7a9ca338c0918d747059ccc3f

Download Submit
C:\Windows\SysWOW64\Ipgkjlmg.exe

Filesize
305KB

MD5
496d738b01a5774e0ac89975b8b78a2d

SHA1
60aeb1e1d42dd3c7bef7330adaea9ba5477c57b4

SHA256
13dee92d3c6f8a8d2d7db8d8fdcc9b1466446df01d22f1a2ca7aff2130965645

SHA512
6cea385ff384c701875f459e95d139a3066f1e37240373ce4017a033ad8704cf2eda3041cec96a6ebb7a8ee2bcbc1ab61a8de817c7138f025562c2b38878b587

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
305KB

MD5
290a35ebf41c1c94da2eb4e217fbf2f9

SHA1
703f8f39ff16f753b3b0e3a3d0240b5a97a67161

SHA256
2ebd9e18ad89a8af8b701c8f4af1c10f34692263dcd353d6f779173d7c79e662

SHA512
c1fd56b3ea33cbf27465337423969c7ab58c17ead3f7eb6f06824117fc4c25efb639e740dd3008751880b2a890646ab99d987b3d8d3113d5f33a3cee61c1bf5e

Download Submit
C:\Windows\SysWOW64\Jldbpl32.exe

Filesize
305KB

MD5
a8f3fd87f869de90c935fa5eb3312c8c

SHA1
ca9169a46e4d27bf1d34d9dbca623f210b9c699e

SHA256
b100ca771cd18bb72d9219ed5463c0020cf8778672327cd95b9cb6e1c7199d01

SHA512
e72ce498d4ae646434e16eaad31e1187c4e71e6268939bba51bb0b820ba98a5fe6072a1f05f67fd5291c9a7c71b7c0e15bc77bb3772915508760ac90883af83c

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
305KB

MD5
0f3df7f092391958d1f7bcffcc3e88d1

SHA1
97f7b2f2cb8bf17b6be37f03ef8adfa4832ec49f

SHA256
b4c0fa1d58a39642f89991578e1197f329f6372536f99ead4a81ab4d89554c39

SHA512
e86c76f3c1ec8527fa52b4e3d6a06e51be5447573d33fec24bfc436f064f4c66a55917ae442ff8bc585c8906405ba900c4478955fb0297d95a6797f8be5d36c6

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
305KB

MD5
f675289832a305a99e052023a0c7fdb7

SHA1
311fc50c87c9c1724f0dee82f296b8f115eede7f

SHA256
6194528ffdb5b5c7ca895dde15235598ee9c759df5dba35f6051c3b560f8f52b

SHA512
cac4d97eb79c30d0fd6a4052ac747a675425e1928fcaf0b7f928c2bce6ab836797931fe68dcb7aafea1a1986018917656ac914603a077e6b877f7fb17bf60301

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
305KB

MD5
b151225784f0f16536ad402d616003c3

SHA1
4286dfbfea6911acb54d81b679c06ecb8f24d2dd

SHA256
90468cbda5d64aa4562cf07c7164be02e9375b2176b4b1b062311466ba27ede3

SHA512
0af03cf3d85b0c83025825d9dd5160963d52224fb41125a21afc161492f9f59d2f26643335185e25b673d4622c868c6454ca7a827c92db93fbf32094d43d5d01

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
305KB

MD5
7e85138cca072be2bed5fa18ff7ab07f

SHA1
0e26e5df4d0353a40cca7a62525244cdf50902e9

SHA256
67ebf62acd49681df788e3922048aaba6afb05d781ddbb22535b19b6ff4994a0

SHA512
ff1fcd0d0d33be6f22c224560d735824cc3a34511c31a840488ab059dcb513a2cb62ea1938f02ac3dbfd75d65e9681ef88606b7d56e280cb26267c33bc3a89fe

Download Submit
C:\Windows\SysWOW64\Lfiokmkc.exe

Filesize
305KB

MD5
05cfcccc028c491f900549c11f8ba568

SHA1
2083e789f0950a8867cc99d08cc7bf2f962ffb56

SHA256
c2159eb1667f8e65505612da5c2ae18de60bfcc68650ed0ace834c6818469414

SHA512
a7afd45dbf4f15c380bab943bcb375d89a8a5fcb98b97e1bcf78d12105a1cced34e60075bebb5610124a9e4f1c8c7375450c971e3ce95dd9c54b427df154cde0

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
305KB

MD5
b642371961b937cefc7f2d75d10f8e95

SHA1
dda9fc388a7a9fbb9941c6161ca5e5fde9ce2cdb

SHA256
5b174e274d539b50d22d8d30b85bf9786e33258d300beaf84268465981fe1a96

SHA512
8a9997786688c180832618c89947cd7323144a5cfa379d78c39b914c917c010317f19fb2e2a92ac337abef4825ab8407d6af0ba9631791eb086f3b653d94472e

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
305KB

MD5
887b565798bd71ee991b73c1b5965bcf

SHA1
e0e6f434bbed495a2672815e6783a553a7c2ad1f

SHA256
ee99ac6d7103efff77a1f40cc148344eb5b62ec1a96a52b0e1e0bb98eeeba9c4

SHA512
c5d51727a949221bcc2d5e4bba347d972a87a6d7e84edafcc6c5201109e802f234440ff843cbc4dbb79aeaafee3ccd9172948ca6fe94dd67c649e97a7cf36350

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
305KB

MD5
2bc9b50ac674c83c3312bdfb0a123557

SHA1
947638815cc8aa143e7737859aee8601d31a7b75

SHA256
3f0aee3a35a5faa7a82153551286920465262282cec5cc4044ff12475f7f8b7d

SHA512
8d55207689ac744ee581cd3f0319d397070dd08bd6a02535e7736bd82f7217040656929248b5f1af01fc04c2069e2b8fa3777e83e952586f28ec79dbb3fbb763

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
305KB

MD5
49debb3e33c539a448951b166e27b590

SHA1
4ba9c68522016d567b2121063f68edfbeb21ead7

SHA256
0a7b8c0a8bcdf4f30120275b44fbceba651cfdc0a8d9cc1c572f1e5dbb16c19e

SHA512
131cc5894593dd9ab5f4518894a6b49ece1d976a64d6d6de215d0ce2ab3af6fe782fb06504ad4f67fe892ddf3cf267d4beb93a2a580403853cd61610bc436cf4

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
305KB

MD5
1a6974718ab765ab096c319c06aff575

SHA1
0dabeba31230766dc4737bff799caf53162170e2

SHA256
064befc2640a489e39e0e147dc2e42f20d94daa48d3bbf41a413549a9e9383b5

SHA512
9fcb356fcedd95ed4b851b421cf8be3ac58257f1948e4db13140080f9dd943d179716125332b2025a5ef0b788ed2555376a64f9df169f06ac34eb7ccc760bb26

Download Submit
C:\Windows\SysWOW64\Nodiqp32.exe

Filesize
305KB

MD5
769d9b9eef9d79508233d466661687d3

SHA1
1f2e3c3820bf947cba64a17b16f4e3592de0991e

SHA256
7a67346918182ef37f9737bbf6ea20f3106ce8485ec2f17fa5611bd886045619

SHA512
09c8025e215356dadc7bb35da4f7f44efafff75e74df58ef3be3ee0acc149133e8650aed4142ef970e0c9f887b6b6c778e04cff878b707657c2ef217d2233982

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
305KB

MD5
8800e46cee97d116b1afb08a25e87cdf

SHA1
c314830f55a99d6bb298c30e7df8bf6f88c49c8d

SHA256
2c5ae82cb5d42371d7f03da4a81bf635638deffdfe3829ae6c2546eebd99b63f

SHA512
fb5ee966f061d6d6e3714b013f13ff7696600541a0abfa9494ea6553ac2efe221796671ff1c888c29ec316d7588f361022ec46d348058518946967bc3ae68ef2

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
305KB

MD5
1f0730dc009d7202e980bbf518bb9608

SHA1
358dee3804f4a87f4e2571081128e36f21ce10a2

SHA256
0e394f93613235c32b4bd605b3811e3dbabab7acd6939766a58e6909a963605f

SHA512
e6f81de103122bb8a351ad842e8de6d708195c5f2a614ed065fa0018bafe24b836153ead502f941c0b845cb5f5dcb6cbd31eb43ede72dbe8b01e059c5269dba4

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
305KB

MD5
ec6f5ff2278174cd3ddb831afdb090ec

SHA1
58e32ff3674b8db2dc8cd26e9128629eeea8472b

SHA256
6e88c24d7dc49299d7d2c01f8fd9e5478b68720719bede73e506edb65ae5bc27

SHA512
ab863c1c7291b734157ded70f724ca3fe30f8642de4b78f4b095612ac6470b6922fd50982772647dbcdd5349b6ac5c962512ead97f76fdfb7111fb9b499f958a

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
305KB

MD5
a36ded289bb22eaf8c80556dc2f6141c

SHA1
90e31e994ca601b25280d5cc53c34f3d6003c30c

SHA256
cb3a304cdf090854707b53cf605a44b89a3e91380d0d7e2c446e665e31719c58

SHA512
1163e55e47469dc6470caebbb7104c7a9e8d49da4c725311f950b96ffe300270cfc0ab386bb5773c79a6060302cf863169806fbbc322c0b7c5f59b14d340c8f3

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
305KB

MD5
00c3b87bfca209bd4aa7ee7323900432

SHA1
6e0e598690b4071c73843c5535d648ed161ee31b

SHA256
2e07ea069b7131a701557703cb503bb44e5f15c1e798cbbb5ff60999d8f48d2e

SHA512
b79bc139f4cd68046991669270517df18fa80f6df183ac9a2afccde3a22aaf24e2dd62477653e010b8cd6da7417f71cc402a9c40d4469ca9f300a16bf61246c0

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
305KB

MD5
8d1efa55df2c12f6daf5c7520542d244

SHA1
ea4db6b554121534352f094c9181814bd0908277

SHA256
2733015ae4c28ae5c10f76d0f03f3dc15f19656d488eb9f3d498f4d3a16567e0

SHA512
eee07140d3594080e5a60c4059972d88168f8d36512b2ae8fbecb89929a387de69c1bbe2d8d65c09f40a7c5cd10ebbbd9beab6424157b669ed4cd2e06d49128f

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
305KB

MD5
261b2a4fe7c7c028a420c70247ec6861

SHA1
b2862868921fec25f55545a016c8d2d90b1c9495

SHA256
91ca768cefc2559ca9e94cccef512550330d674b84b757212a7cc09e4f06df9e

SHA512
38d1c776c3ea8525329a588e401fdfbbd381577bc77f0409f3e87ec4eac7488b29b1cf97368f7bd069692799454896ef42ce65dbd2ac4ae26286ecb0a12a7287

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
305KB

MD5
21c44c770b5dd1fad7198057e7603735

SHA1
a48a1b5e6c52521c0f60a39ddbae244966858d40

SHA256
cf01e145a5846b5e679a66f895802d899d4c8d702e25120a3fbc6ec02fc7e27c

SHA512
725e5a16761dab3ad949beea3495fa5f212a477f54314fca59149ddc4ebe4756d906c4192e5092284c2456581b3fb7ef9b562dbdb3ded656a237504d0e8864a4

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
305KB

MD5
6ea1faeddebef10355a82eb7ca61b125

SHA1
539d6945b184117275f2177e99217d958b2afcd8

SHA256
796106c25cdd7f0faa45c4ba1764882e9c4ebeb977de28b470524a3a16a19a47

SHA512
ea8c1bad85ecaa21d2376a6bdd78730609cf69ebd3964d72e8fd866057af4ffdc026e8ab91c30ac13833de2279250c624cfa0e5da0b94638dd530d950b089bf9

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
305KB

MD5
ff0b09e4fe244a0104f62ff09ade8fa5

SHA1
906c8c225d74029b582dc404f831818327f64d82

SHA256
80447b50aaac8bc71b797cc9df6dc0952e84903d7a2498f745bde2b45a72883a

SHA512
df2ecb8e21710ab824d06a472efb6c0c47ed0b6f223d598f94e7bcbbafed84a948eb74f440825dbe89e7fa23b6011b8b331233f4995fbe40ff2041c633feafa2

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
305KB

MD5
785d1d9934456a45d18146dba51d7681

SHA1
6ff6f6f0cdb43ec65c69fc7ff3018939ebce1a52

SHA256
f6066b24874629585cab0d7d1d3cb8f812b2785ebced09da815f5bfcdc6ce9e9

SHA512
600fdb418c99a1dcf079a323e217995663d9d004134a835c3cdf65563420e45cde9a51acf357dff0215aaa343b9b6e248fcd77f7af00f7bcdc17a7c98e14c2da

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
305KB

MD5
95677c87912e6e7e3ca8b0e0197ea36d

SHA1
521177fcc932327f175dd8cecea49443526f7364

SHA256
4db1c160cea8cc9a758c9ce374fb14e7dfa3c6eac9b7368f98290be7baf861bf

SHA512
652ee033bb8627526033a806a4cddd9d73aca2165bdc68d2a4670f5f0780598c8c88aab42e1e5cc0adbe5bb80117a0820c371b3dba30cc37dfabf25805ce9e50

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
305KB

MD5
0ea017a8ee285b0ed48bcb00a79a3e99

SHA1
06ab3b1f1ff1a0b1c714da07cde374d5f485f8ca

SHA256
f08219ba144e675124426073b6a188e0d90725a9ec832949aa263f56753decad

SHA512
3e2b75a42639b38371e2614e1fd10f37c0648f7a7cb89a1506901a64700ba55a659a66493bfab239194b068ae80082ba0d7d538dd746ecabbb5bae7c80435382

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
305KB

MD5
e4110a664b1f179473818cc3b109eb74

SHA1
27744e00e0d490e43465c17b1a589c6a2961d9a0

SHA256
4281e9e08d3ad90560afe50835cd35c8ef17d3596295cd9c9ccf8aea12d95cfd

SHA512
e49422b3c88d8e949774dc0e4d7f81c3eb5e8ff704a18a5455f561aaebb889a80a057ccffa752dcfa1b0b4ab199f3aa6239949b13e55321491c4223081a2b7c1

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
305KB

MD5
f6e77136152b8fcfeaf68a6d678ead3d

SHA1
6ae51fe7cbfde3ba084b9f9a4423088c8c10729c

SHA256
d14b0262ba208da1065196ef57558f97e3d08ffc54c532e56845185f5f0f8b48

SHA512
952f949c68c943579c62b2a11f7eaf33722fc0c94774fbbb4317865c171d38626b7a17ad95bd0f4ccdf3af0217314aa105419ceb47913599685cd794a3daf7bc

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
305KB

MD5
dcab934498c4c8a091f71d62a27e2f71

SHA1
3b79d3dce792a7fd542d5cc13c0d4cba012ff6f3

SHA256
dd5856598b02c2a5f35748d356bb4bec57b7442f57adb63c60bb9e50b82db784

SHA512
9bbabfa1ebd2e066738fc261fbf7df775a388840cde22adf5a281fc310ed5c40057bbf7f3e9bd87964998d3cf668ab96f2b6940cdd79353746c18ece3c554c27

Download Submit
C:\Windows\SysWOW64\Piapkbeg.exe

Filesize
305KB

MD5
6268c2ffc1fffa90a280dedcd7dfbcde

SHA1
e964fba6f275e1d73c1295ecd7a2643a67f94e7c

SHA256
450cacf4b6931617083ff41a6680179855e8716db3179602811c6905682228d4

SHA512
4cdc5e20cea2b0628852e7bcae40ea088ec7ca883b413f4841c6a6abd7626e945bd3509473c7d644feaa252208495f14b5007bc8f28dd040d52b2ed5f7cb44fb

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
305KB

MD5
11fdad54890e60cfb0842115cfe8fe1d

SHA1
f1a81cf2146ef4360e8914a3b88f7f40746dcf29

SHA256
6bb6f807062e56943d9006f6b97df788d2c4e896b1957abcdd19544a7a1bd5a1

SHA512
11916b4d6ec45f85fb872d58d2e6de84bea01ff078dc7edcb941b412e7a3872534957d2588b2036d765a16b1403da24e6a7ba3ecbb39c85703c669a967a283eb

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
305KB

MD5
f3a5b0203966b37cbfb0dcc30cd156fb

SHA1
8fa2917a7500506b405d726ee0596e78b559b314

SHA256
3385d764714b97555cbd7aa9ff119ec743531c2c729e32abf02b8fe371e4838c

SHA512
1f7488953e7a5d5b24f29df87b11261d8efaeccddd3a2816f60b64aa1d2a0d91dd8baad027291dfa774a87d6ec095f5930b254035ccfc5f501500b976c15fde9

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
305KB

MD5
3ba3773dc5ca4193e90638c41e40ec97

SHA1
a53aafcd21375fdeef8203e87cc05fcb63a6dc68

SHA256
f92913d8b1431b073d5abab7082bcd4d9e64c3072e3826d2b979a3ca9654ae2a

SHA512
0df916c1230703100c6f80ca3e124ee2837c9d7b5daa44124881a438565c4b53091c16b45c5cab0edd015dd18f23a38086730ac119462d9e6183d47b5c0b2a4f

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
305KB

MD5
e5dae3d6127943858d3363b58be2e836

SHA1
16b08bdcbfd55e06845aa7d579b4ff4a1add58fa

SHA256
1cbd3a3ce59bdf6f77f42528021344cb8215f37e43142e040d221409410d42f4

SHA512
325cfa470d742a94645c7b2b7b7d84253a47949717b80245f61f41b9087f645c10ccea8031e0b3828f232a83ceffce8200a9e6127aafdd967e681440569cff15

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
305KB

MD5
b3d79e3017e8ffd80cf7b6b484bee3ba

SHA1
d5a00e2bf9efeee8ba4b4c3fab0d026d90a36a05

SHA256
84e8b3aad4468ffd6f147bf2e124762e13295e1d78c290e4672ae47db17e7d44

SHA512
b3263b3f171abf819944f18f5e5083a5648fb5390421929f422f5b5cffd7d1c26c7c20668f4ad57388c564a0d3b29281922e008a0e04f3e48ab3a5e2e00a5a63

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
305KB

MD5
3c764be8f1af3c92ecd653b2e3c66146

SHA1
dbd2f6237ca5def392ad5582be3f85e72b0529e7

SHA256
0eedd2ede702f95cd4d7de13a1ffe2ed020ec66f8a819b9609be27b57e73e4b8

SHA512
2878acb71cc1bf538e1e619289a59190f12929017e4bd658dc110f121733bc8767258aec255f91066b4240da4dd27bf70310f30c7b8f1ead907abbd2e4057d91

Download Submit
memory/396-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/412-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/628-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1040-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1100-521-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1208-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1504-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2508-553-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2508-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2744-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3136-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3152-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3264-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3584-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3660-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-581-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3912-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-567-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4276-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4352-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4440-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4572-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4680-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4884-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-560-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4960-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-547-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5144-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5188-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5232-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5276-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5320-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5368-589-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads